@trac3er/oh-my-god 2.0.2 → 2.0.4

package/.agents/skills/omg/AGENTS.fragment.md

@@ -0,0 +1,5 @@
+# OMG Codex Protection Rules
+
+- Channel: `public`
+- Protect `.omg/`, `.agents/`, `.codex/`, and `.claude/` from unreviewed mutation.
+- Require explicit invocation for production-control-plane skills.

package/.agents/skills/omg/codex-mcp.toml

@@ -0,0 +1,4 @@
+[mcp_servers.omg-control]
+command = "python3"
+args = ["-m", "runtime.omg_mcp_server"]
+

package/.agents/skills/omg/control-plane/SKILL.md

@@ -0,0 +1,11 @@
+---
+name: omg-control-plane
+description: "Canonical production control plane bundle for Claude and Codex."
+---
+
+# OMG Control Plane
+
+- Channel: `public`
+- Execution modes: `embedded, local_supervisor`
+- MCP servers: `omg-control, omg-memory`
+- Evidence outputs: `.omg/evidence/control-plane-compile.json`

package/.agents/skills/omg/control-plane/openai.yaml

@@ -0,0 +1,14 @@
+name: omg-control-plane
+description: "Canonical production control plane bundle for Claude and Codex."
+allow_implicit_invocation: false
+metadata:
+  channel: public
+  bundle_id: control-plane
+  title: "OMG Control Plane"
+mcp_servers:
+  - omg-control
+  - omg-memory
+allowed_tools:
+  - "Read"
+  - "Grep"
+  - "Bash(python3:*)"

package/.agents/skills/omg/hook-governor/SKILL.md

@@ -0,0 +1,11 @@
+---
+name: omg-hook-governor
+description: "Canonical hook ordering, policy reinjection, and protected-path governance."
+---
+
+# OMG Hook Governor
+
+- Channel: `public`
+- Execution modes: `embedded, local_supervisor`
+- MCP servers: `omg-control`
+- Evidence outputs: `.omg/state/ledger/tool-ledger.jsonl`

package/.agents/skills/omg/hook-governor/openai.yaml

@@ -0,0 +1,11 @@
+name: omg-hook-governor
+description: "Canonical hook ordering, policy reinjection, and protected-path governance."
+allow_implicit_invocation: true
+metadata:
+  channel: public
+  bundle_id: hook-governor
+  title: "OMG Hook Governor"
+mcp_servers:
+  - omg-control
+allowed_tools:
+  - "Read"

package/.agents/skills/omg/lsp-pack/SKILL.md

@@ -0,0 +1,11 @@
+---
+name: omg-lsp-pack
+description: "Optional LSP-backed diagnostics and navigation bundle for production verification."
+---
+
+# OMG LSP Pack
+
+- Channel: `public`
+- Execution modes: `embedded, local_supervisor`
+- MCP servers: `omg-control`
+- Evidence outputs: `.omg/evidence/lsp-diagnostics.json`

package/.agents/skills/omg/lsp-pack/openai.yaml

@@ -0,0 +1,11 @@
+name: omg-lsp-pack
+description: "Optional LSP-backed diagnostics and navigation bundle for production verification."
+allow_implicit_invocation: false
+metadata:
+  channel: public
+  bundle_id: lsp-pack
+  title: "OMG LSP Pack"
+mcp_servers:
+  - omg-control
+allowed_tools:
+  - "Read"

package/.agents/skills/omg/mcp-fabric/SKILL.md

@@ -0,0 +1,11 @@
+---
+name: omg-mcp-fabric
+description: "Tools, prompts, resources, and server instructions for the OMG control plane."
+---
+
+# OMG MCP Fabric
+
+- Channel: `public`
+- Execution modes: `embedded, local_supervisor`
+- MCP servers: `omg-control, omg-memory`
+- Evidence outputs: `.omg/evidence/mcp-fabric.json`

package/.agents/skills/omg/mcp-fabric/openai.yaml

@@ -0,0 +1,13 @@
+name: omg-mcp-fabric
+description: "Tools, prompts, resources, and server instructions for the OMG control plane."
+allow_implicit_invocation: false
+metadata:
+  channel: public
+  bundle_id: mcp-fabric
+  title: "OMG MCP Fabric"
+mcp_servers:
+  - omg-control
+  - omg-memory
+allowed_tools:
+  - "Read"
+  - "Bash(python3:*)"

package/.agents/skills/omg/secure-worktree-pipeline/SKILL.md

@@ -0,0 +1,11 @@
+---
+name: omg-secure-worktree-pipeline
+description: "Ephemeral worktree execution and supervisor-safe worker dispatch for production jobs."
+---
+
+# OMG Secure Worktree Pipeline
+
+- Channel: `public`
+- Execution modes: `automation, ephemeral_worktree, local_supervisor`
+- MCP servers: `omg-control`
+- Evidence outputs: `.omg/evidence/subagents/*.json`

package/.agents/skills/omg/secure-worktree-pipeline/openai.yaml

@@ -0,0 +1,12 @@
+name: omg-secure-worktree-pipeline
+description: "Ephemeral worktree execution and supervisor-safe worker dispatch for production jobs."
+allow_implicit_invocation: false
+metadata:
+  channel: public
+  bundle_id: secure-worktree-pipeline
+  title: "OMG Secure Worktree Pipeline"
+mcp_servers:
+  - omg-control
+allowed_tools:
+  - "Read"
+  - "Bash(git:*)"

package/.claude-plugin/marketplace.json

@@ -6,7 +6,7 @@
   },
   "metadata": {
     "description": "OMG - Oh-My-God for Claude Code",
-    "version": "2.0.2",
+    "version": "2.0.4",
     "homepage": "https://github.com/trac3er00/OMG",
     "repository": "https://github.com/trac3er00/OMG"
   },
@@ -14,7 +14,7 @@
     {
       "name": "omg",
       "description": "OMG plugin layer for Claude Code with native setup, orchestration, and interop.",
-      "version": "2.0.2",
+      "version": "2.0.4",
       "source": "./",
       "author": {
         "name": "trac3er00"
@@ -32,5 +32,5 @@
       ]
     }
   ],
-  "version": "2.0.2"
+  "version": "2.0.4"
 }

package/.claude-plugin/plugin.json

@@ -1,6 +1,6 @@
 {
   "name": "omg",
-  "version": "2.0.2",
+  "version": "2.0.4",
   "description": "OMG plugin layer for Claude Code with native setup, orchestration, and interop.",
   "author": {
     "name": "trac3er00"

package/.mcp.json

@@ -2,23 +2,39 @@
   "mcpServers": {
     "context7": {
       "command": "npx",
-      "args": ["@upstash/context7-mcp@2.1.3"]
+      "args": [
+        "@upstash/context7-mcp@2.1.3"
+      ]
     },
     "filesystem": {
       "command": "npx",
-      "args": ["@modelcontextprotocol/server-filesystem@2026.1.14", "."]
+      "args": [
+        "@modelcontextprotocol/server-filesystem@2026.1.14",
+        "."
+      ]
     },
     "websearch": {
       "command": "npx",
-      "args": ["@zhafron/mcp-web-search@1.2.2"]
+      "args": [
+        "@zhafron/mcp-web-search@1.2.2"
+      ]
     },
     "chrome-devtools": {
       "command": "npx",
-      "args": ["chrome-devtools-mcp@0.19.0"]
+      "args": [
+        "chrome-devtools-mcp@0.19.0"
+      ]
     },
     "omg-memory": {
       "type": "http",
       "url": "http://127.0.0.1:8765/mcp"
+    },
+    "omg-control": {
+      "command": "python3",
+      "args": [
+        "-m",
+        "runtime.omg_mcp_server"
+      ]
     }
   }
 }

package/CHANGELOG.md

@@ -1,5 +1,21 @@
 # Changelog
 
+## Unreleased
+
+## 2.0.4 - 2026-03-07
+
+- shipped the OMG production control plane contract, executable bundle registry, host compiler, and dual-channel public and enterprise release bundles
+- generated Codex skill packs and Claude release artifacts from the canonical contract, and added CI release-readiness coverage for validation, compile, standalone, and public-readiness gates
+- extended the stdio `omg-control` MCP with prompts, resources, and server instructions, and upgraded subagent execution to record real worker evidence with secure worktree handling
+- hardened the shipped `safe` preset so `firewall.py` runs before Bash tools, `secret-guard.py` runs before file mutations, and raw env or interpreter surfaces require approval
+- fixed portable runtime provisioning to include `plugins/`, prevented worker command prompt placeholders from breaking argv boundaries, and corrected `omg_natives` import-path shadowing of stdlib modules
+
+## 2.0.3 - 2026-03-06
+
+- removed OpenCode runtime, setup wiring, docs, and tests from the supported OMG host surface
+- merged the remaining security and trust-review hardening work into `main` and cleaned up the finished `codex/*` branches
+- published the post-merge patch release after the `v2.0.2` release target became immutable
+
 ## 2.0.2 - 2026-03-06
 
 - cleaned the repo for public launch by removing internal planning docs and stale private references

package/OMG-setup.sh

@@ -5,7 +5,7 @@ SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 CLAUDE_DIR="${CLAUDE_CONFIG_DIR:-$HOME/.claude}"
 BACKUP_TS="$(date +%Y%m%d_%H%M%S)"
 BACKUP_DIR="$CLAUDE_DIR/.omg-backup-$BACKUP_TS"
-VERSION="2.0.2"
+VERSION="2.0.4"
 
 PLUGIN_NAME="omg"
 PLUGIN_MARKETPLACE="omg"
@@ -1190,11 +1190,15 @@ run_install_like() {
             [[ "$CLAUDE_DIR/omg-runtime/runtime" == "$CLAUDE_DIR"* ]] || { echo "ERROR: symlink target outside expected directory: $CLAUDE_DIR/omg-runtime/runtime" >&2; exit 1; }
             [[ "$CLAUDE_DIR/omg-runtime/hooks" == "$CLAUDE_DIR"* ]] || { echo "ERROR: symlink target outside expected directory: $CLAUDE_DIR/omg-runtime/hooks" >&2; exit 1; }
             [[ "$CLAUDE_DIR/omg-runtime/lab" == "$CLAUDE_DIR"* ]] || { echo "ERROR: symlink target outside expected directory: $CLAUDE_DIR/omg-runtime/lab" >&2; exit 1; }
+            [[ "$CLAUDE_DIR/omg-runtime/plugins" == "$CLAUDE_DIR"* ]] || { echo "ERROR: symlink target outside expected directory: $CLAUDE_DIR/omg-runtime/plugins" >&2; exit 1; }
+            [[ "$CLAUDE_DIR/omg-runtime/yaml.py" == "$CLAUDE_DIR"* ]] || { echo "ERROR: symlink target outside expected directory: $CLAUDE_DIR/omg-runtime/yaml.py" >&2; exit 1; }
             
-            rm -rf "$CLAUDE_DIR/omg-runtime/runtime" "$CLAUDE_DIR/omg-runtime/hooks" "$CLAUDE_DIR/omg-runtime/lab"
+            rm -rf "$CLAUDE_DIR/omg-runtime/runtime" "$CLAUDE_DIR/omg-runtime/hooks" "$CLAUDE_DIR/omg-runtime/lab" "$CLAUDE_DIR/omg-runtime/plugins" "$CLAUDE_DIR/omg-runtime/yaml.py"
             ln -s "$SCRIPT_DIR/runtime" "$CLAUDE_DIR/omg-runtime/runtime"
             ln -s "$SCRIPT_DIR/hooks" "$CLAUDE_DIR/omg-runtime/hooks"
             ln -s "$SCRIPT_DIR/lab" "$CLAUDE_DIR/omg-runtime/lab"
+            ln -s "$SCRIPT_DIR/plugins" "$CLAUDE_DIR/omg-runtime/plugins"
+            ln -s "$SCRIPT_DIR/yaml.py" "$CLAUDE_DIR/omg-runtime/yaml.py"
             
             [[ "$CLAUDE_DIR/omg-runtime" == "$CLAUDE_DIR"* ]] || { echo "ERROR: rm -rf target outside expected directory: $CLAUDE_DIR/omg-runtime" >&2; exit 1; }
             find "$CLAUDE_DIR/omg-runtime" -name "__pycache__" -type d -exec rm -rf {} + 2>/dev/null || true
@@ -1204,10 +1208,12 @@ run_install_like() {
             mkdir -p "$CLAUDE_DIR/omg-runtime/scripts"
             cp "$SCRIPT_DIR/scripts/omg.py" "$CLAUDE_DIR/omg-runtime/scripts/omg.py"
             [[ "$CLAUDE_DIR/omg-runtime/runtime" == "$CLAUDE_DIR"* ]] || { echo "ERROR: rm -rf target outside expected directory: $CLAUDE_DIR/omg-runtime/runtime" >&2; exit 1; }
-            rm -rf "$CLAUDE_DIR/omg-runtime/runtime" "$CLAUDE_DIR/omg-runtime/hooks" "$CLAUDE_DIR/omg-runtime/lab"
+            rm -rf "$CLAUDE_DIR/omg-runtime/runtime" "$CLAUDE_DIR/omg-runtime/hooks" "$CLAUDE_DIR/omg-runtime/lab" "$CLAUDE_DIR/omg-runtime/plugins" "$CLAUDE_DIR/omg-runtime/yaml.py"
             cp -R "$SCRIPT_DIR/runtime" "$CLAUDE_DIR/omg-runtime/"
             cp -R "$SCRIPT_DIR/hooks" "$CLAUDE_DIR/omg-runtime/"
             cp -R "$SCRIPT_DIR/lab" "$CLAUDE_DIR/omg-runtime/"
+            cp -R "$SCRIPT_DIR/plugins" "$CLAUDE_DIR/omg-runtime/"
+            cp "$SCRIPT_DIR/yaml.py" "$CLAUDE_DIR/omg-runtime/yaml.py"
             [[ "$CLAUDE_DIR/omg-runtime" == "$CLAUDE_DIR"* ]] || { echo "ERROR: rm -rf target outside expected directory: $CLAUDE_DIR/omg-runtime" >&2; exit 1; }
             find "$CLAUDE_DIR/omg-runtime" -name "__pycache__" -type d -exec rm -rf {} + 2>/dev/null || true
             find "$CLAUDE_DIR/omg-runtime" -name "*.pyc" -delete 2>/dev/null || true

package/OMG_COMPAT_CONTRACT.md

@@ -0,0 +1,92 @@
+---
+title: OMG Production Control Plane
+version: 2.0.4
+canonical_hosts:
+  - claude
+  - codex
+status: active
+---
+
+# OMG Production Control Plane
+
+`OMG_COMPAT_CONTRACT.md` is the normative human-readable contract for OMG capability bundles. Machine-readable manifests in `registry/bundles/` are executable inputs and must remain version-locked to this document.
+
+## metadata
+
+Every bundle must declare `id`, `kind`, `version`, `title`, `description`, `hosts`, and `assets`.
+
+## invocation_policy
+
+Every bundle must declare whether it is user invocable, model invocable, and whether implicit invocation is allowed. Production bundles default to explicit invocation only.
+
+## tool_policy
+
+Every bundle must declare `side_effect_level` and host-specific allowed tools. Production policy protects `.omg/`, `.agents/`, `.codex/`, and `.claude/` as control-plane state.
+
+## lifecycle_hooks
+
+Canonical OMG events:
+
+- `SessionStart`
+- `SessionEnd`
+- `PreToolUse`
+- `PostToolUse`
+- `PostToolUseFailure`
+- `Stop`
+- `PreCompact`
+- `ConfigChange`
+- `WorktreeCreate`
+- `WorktreeRemove`
+- `SubagentStart`
+- `SubagentStop`
+- `TaskCompleted`
+
+Hosts compile native events where available and emulate the rest with OMG runtime wrappers.
+
+## mcp_contract
+
+Bundles may declare MCP servers, prompts, resources, and server instructions. `omg-control` is the primary stdio server. HTTP control-plane exposure is loopback-only and not a production launch dependency.
+
+## lsp_contract
+
+LSP packs declare supported languages, diagnostics expectations, and evidence outputs for post-edit checks.
+
+## evidence_outputs
+
+Bundles declare reproducible evidence artifacts under `.omg/evidence/` or `.omg/state/`. Release-ready bundles must emit deterministic outputs suitable for CI drift checks.
+
+## execution_contract
+
+Supported execution modes:
+
+- `embedded`
+- `local_supervisor`
+- `automation`
+- `ephemeral_worktree`
+
+`local_supervisor` means a same-machine orchestrator driving Claude and Codex workers through local CLI or stdio MCP integration. Remote multi-tenant control planes are out of scope for this version.
+
+## host_compilation_rules
+
+Claude outputs compile to:
+
+- `.claude-plugin/plugin.json`
+- `.claude-plugin/marketplace.json`
+- `.mcp.json`
+- generated hook configuration consumed by `settings.json`
+
+Codex outputs compile to:
+
+- `.agents/skills/omg/<bundle>/SKILL.md`
+- `.agents/skills/omg/<bundle>/openai.yaml`
+- generated Codex MCP and rule fragments under `.agents/skills/omg/`
+
+## roadmap_extensions
+
+The contract reserves compilation anchors for:
+
+- `omg.skill-compiler`
+- `omg.hook-governor`
+- `omg.mcp-fabric`
+- `omg.lsp-pack`
+- `omg.secure-worktree-pipeline`

package/README.md

@@ -1,25 +1,36 @@
-# OMG 2.0.2
+# OMG 2.0.4
 
 [![Compat Gate](https://github.com/trac3er00/OMG/actions/workflows/omg-compat-gate.yml/badge.svg)](https://github.com/trac3er00/OMG/actions/workflows/omg-compat-gate.yml)
 [![npm version](https://img.shields.io/npm/v/%40trac3er%2Foh-my-god)](https://www.npmjs.com/package/@trac3er/oh-my-god)
 [![License](https://img.shields.io/github/license/trac3er00/OMG)](LICENSE)
 
-OMG upgrades your agent host instead of replacing it. It gives Claude Code, Codex, OpenCode, and other supported CLIs a tighter setup flow, stronger orchestration, native adoption from older plugin stacks, and proof-backed verification.
+OMG upgrades your agent host instead of replacing it. It gives Claude Code, Codex, and other supported CLIs a tighter setup flow, stronger orchestration, native adoption from older plugin stacks, and proof-backed verification.
 
 - Brand: `OMG`
 - Repo: `https://github.com/trac3er00/OMG`
 - npm: `@trac3er/oh-my-god`
 - Plugin id: `omg`
 - Marketplace id: `omg`
-- Version: `2.0.2`
+- Version: `2.0.4`
 
 ## Why OMG
 
 - Small front door: install, run `/OMG:setup`, then `/OMG:crazy <goal>`.
-- Multi-host support: Claude Code, Codex, OpenCode, Gemini CLI, and Kimi CLI.
+- Multi-host support: Claude Code, Codex, Gemini CLI, and Kimi CLI.
 - Native adoption: setup detects OMC, OMX, and Superpowers-style environments without exposing copycat public migration commands.
 - Proof-first delivery: verification, provider coverage, HUD artifacts, and transcripts are published instead of implied.
 
+## Canonical Contract
+
+OMG now ships a production control-plane contract and generated host artifacts.
+
+- Normative spec: `OMG_COMPAT_CONTRACT.md`
+- Executable registry: `registry/omg-capability.schema.json` and `registry/bundles/*.yaml`
+- Generated Codex pack: `.agents/skills/omg/`
+- Validation: `python3 scripts/omg.py contract validate`
+- Compilation: `python3 scripts/omg.py contract compile --host claude --host codex --channel public`
+- Release gate: `python3 scripts/omg.py release readiness --channel dual`
+
 ![OMG HUD](docs/assets/omg-hud.svg)
 
 ## Quickstart
@@ -50,6 +61,7 @@ Success looks like:
 
 - supported hosts are detected
 - `.mcp.json` is configured
+- `.mcp.json` includes both `omg-memory` and stdio `omg-control`
 - `.omg/state/adoption-report.json` is written when another ecosystem is present
 - OMG reports the selected preset and next step
 
@@ -57,8 +69,6 @@ Success looks like:
 
 - Claude Code: [docs/install/claude-code.md](docs/install/claude-code.md)
 - Codex: [docs/install/codex.md](docs/install/codex.md)
-- OpenCode: [docs/install/opencode.md](docs/install/opencode.md)
-
 ## Native Adoption
 
 OMG uses native setup language instead of public migration commands.
@@ -67,11 +77,17 @@ OMG uses native setup language instead of public migration commands.
 - `coexist`: advanced. OMG preserves non-conflicting third-party surfaces and records overlap instead of overwriting it.
 - Presets: `safe`, `balanced`, `interop`, `labs`.
 
+## Security Notes
+
+- The shipped `safe` preset now registers pre-tool security hooks before the planning helper.
+- `Bash` requests are screened by `firewall.py`, and file reads or edits are screened by `secret-guard.py`.
+- Raw environment dumps, interpreters, and permission-changing commands such as `env`, `node`, `python`, `python3`, `chmod`, and `chown` now require approval instead of being silently allowed.
+
 Compatibility references to OMC, OMX, and Superpowers are documented here: [docs/migration/native-adoption.md](docs/migration/native-adoption.md)
 
 ## Proof
 
-Current local verification for this release: `2452 passed, 2 skipped` on March 6, 2026.
+Current local verification for this release: `2466 passed, 2 skipped` on March 7, 2026.
 
 - Verification and provider matrix: [docs/proof.md](docs/proof.md)
 - Sample setup transcript: [docs/transcripts/setup.md](docs/transcripts/setup.md)
@@ -87,11 +103,13 @@ Primary entry points:
 
 Advanced surfaces stay available for deeper workflows:
 
+- `/OMG:security-check`
+- `/OMG:api-twin`
+- `/OMG:preflight`
 - `/OMG:teams`
 - `/OMG:ccg`
 - `/OMG:compat`
 - `/OMG:ship`
-- `/OMG:security-review`
 
 ## Contributing
 

package/SECURITY.md

@@ -23,3 +23,9 @@ Include:
 ## Supported Versions
 
 Security fixes are prioritized for the latest released version.
+
+## Maintainer Notes
+
+- The shipped `safe` preset is expected to enforce pre-tool security hooks before helper hooks run.
+- `firewall.py` should screen `Bash` usage and `secret-guard.py` should screen `Read`, `Write`, `Edit`, and `MultiEdit`.
+- Sensitive shell commands such as raw `env` dumps, interpreter entry points, and direct permission changes should require approval in the `safe` preset rather than being silently allowed.

package/commands/OMG:api-twin.md

@@ -0,0 +1,22 @@
+---
+description: "Contract replay and fixture-based API simulation with fidelity tracking and live verification requirements."
+allowed-tools: Read, Write, Edit, MultiEdit, Grep, Glob, Bash(python3:*), Bash(rg:*)
+argument-hint: "[ingest|record|serve|verify]"
+---
+
+# /OMG:api-twin — Contract Replay
+
+Build a local API twin from contracts and recorded fixtures without treating simulation as final proof.
+
+## Verbs
+
+- `ingest`: load OpenAPI, Swagger, Postman, or example JSON into OMG state
+- `record`: store approved request/response fixtures and tag fidelity
+- `serve`: replay a fixture locally with optional latency, failure, or schema drift
+- `verify`: compare a twin fixture against a live response before release proof
+
+## Rules
+
+- every fixture carries a fidelity tag such as `schema-only`, `recorded`, `recorded-validated`, or `stale`
+- simulated endpoints are useful for development, not release signoff
+- release proof still requires a final live verification pass

package/commands/OMG:preflight.md

@@ -0,0 +1,26 @@
+---
+description: "Structured OMG router that classifies risk, selects the right route, and emits an execution/evidence plan."
+allowed-tools: Read, Grep, Glob, Bash(python3:*), Bash(rg:*)
+argument-hint: "\"<goal>\""
+---
+
+# /OMG:preflight — Structured Router
+
+Use `preflight` when the goal is clear but the safest execution route is not.
+
+## Output Contract
+
+- restated goal
+- task class
+- risk class
+- recommended route
+- required tools and MCPs
+- missing constraints
+- evidence requirements
+
+## Typical Routes
+
+- `security-check` for security-sensitive or trust-bound work
+- `api-twin` for contract replay and offline integration work
+- `crazy` for parallel execution
+- `teams` for targeted model routing

package/commands/OMG:security-check.md

@@ -0,0 +1,28 @@
+---
+description: "Canonical OMG security pipeline with normalized findings, dependency enrichment, and untrusted-content evidence."
+allowed-tools: Read, Grep, Glob, Bash(python3:*), Bash(pytest:*), Bash(rg:*)
+argument-hint: "[path or '.' for the current project]"
+---
+
+# /OMG:security-check — Canonical Security Pipeline
+
+Run OMG's canonical security pipeline against the current project or a scoped path.
+
+## Usage
+
+```text
+/OMG:security-check
+/OMG:security-check .
+/OMG:security-check app/
+```
+
+## What It Produces
+
+- normalized findings across policy, Python AST checks, and dependency health
+- evidence-ready provenance and trust scores
+- a structured result that can be reused by `ship`, the control plane, and the OMG MCP
+
+## Notes
+
+- Use this for auth, secrets, untrusted-content, or dependency-risk work.
+- `omg secure --command ...` remains the low-level command-risk primitive, not the full audit surface.

package/commands/OMG:setup.md

@@ -10,7 +10,7 @@ Feature-gated: requires `OMG_SETUP_ENABLED=1` or `settings.json._omg.features.SE
 
 ## Overview
 
-Native OMG setup for Claude Code, Codex, OpenCode, and other supported CLIs.
+Native OMG setup for Claude Code, Codex, and other supported CLIs.
 The command keeps migration logic internal and focuses the user on a small adoption flow:
 
 1. Detect supported CLIs.
@@ -25,7 +25,6 @@ The command keeps migration logic internal and focuses the user on a small adopt
 Step 1: Detect CLIs
   - codex
   - gemini
-  - opencode
   - kimi
 
 Step 2: Detect adoption context

package/dist/enterprise/bundle/.agents/skills/omg/AGENTS.fragment.md

@@ -0,0 +1,5 @@
+# OMG Codex Protection Rules
+
+- Channel: `enterprise`
+- Protect `.omg/`, `.agents/`, `.codex/`, and `.claude/` from unreviewed mutation.
+- Require explicit invocation for production-control-plane skills.

package/dist/enterprise/bundle/.agents/skills/omg/codex-mcp.toml

@@ -0,0 +1,4 @@
+[mcp_servers.omg-control]
+command = "python3"
+args = ["-m", "runtime.omg_mcp_server"]
+

package/dist/enterprise/bundle/.agents/skills/omg/control-plane/SKILL.md

@@ -0,0 +1,11 @@
+---
+name: omg-control-plane
+description: "Canonical production control plane bundle for Claude and Codex."
+---
+
+# OMG Control Plane
+
+- Channel: `enterprise`
+- Execution modes: `embedded, local_supervisor`
+- MCP servers: `omg-control, omg-memory`
+- Evidence outputs: `.omg/evidence/control-plane-compile.json`

package/dist/enterprise/bundle/.agents/skills/omg/control-plane/openai.yaml

@@ -0,0 +1,14 @@
+name: omg-control-plane
+description: "Canonical production control plane bundle for Claude and Codex."
+allow_implicit_invocation: false
+metadata:
+  channel: enterprise
+  bundle_id: control-plane
+  title: "OMG Control Plane"
+mcp_servers:
+  - omg-control
+  - omg-memory
+allowed_tools:
+  - "Read"
+  - "Grep"
+  - "Bash(python3:*)"

package/dist/enterprise/bundle/.agents/skills/omg/hook-governor/SKILL.md

@@ -0,0 +1,11 @@
+---
+name: omg-hook-governor
+description: "Canonical hook ordering, policy reinjection, and protected-path governance."
+---
+
+# OMG Hook Governor
+
+- Channel: `enterprise`
+- Execution modes: `embedded, local_supervisor`
+- MCP servers: `omg-control`
+- Evidence outputs: `.omg/state/ledger/tool-ledger.jsonl`

package/dist/enterprise/bundle/.agents/skills/omg/hook-governor/openai.yaml

@@ -0,0 +1,11 @@
+name: omg-hook-governor
+description: "Canonical hook ordering, policy reinjection, and protected-path governance."
+allow_implicit_invocation: true
+metadata:
+  channel: enterprise
+  bundle_id: hook-governor
+  title: "OMG Hook Governor"
+mcp_servers:
+  - omg-control
+allowed_tools:
+  - "Read"

package/dist/enterprise/bundle/.agents/skills/omg/lsp-pack/SKILL.md

@@ -0,0 +1,11 @@
+---
+name: omg-lsp-pack
+description: "Optional LSP-backed diagnostics and navigation bundle for production verification."
+---
+
+# OMG LSP Pack
+
+- Channel: `enterprise`
+- Execution modes: `embedded, local_supervisor`
+- MCP servers: `omg-control`
+- Evidence outputs: `.omg/evidence/lsp-diagnostics.json`