@trac3er/oh-my-god 2.0.2 → 2.0.4

package/runtime/team_router.py

@@ -26,11 +26,12 @@ _logger = logging.getLogger(__name__)
 try:
     import runtime.providers.codex_provider  # noqa: F401  # pyright: ignore[reportUnusedImport]
     import runtime.providers.gemini_provider  # noqa: F401  # pyright: ignore[reportUnusedImport]
-    import runtime.providers.opencode_provider  # noqa: F401  # pyright: ignore[reportUnusedImport]
     import runtime.providers.kimi_provider  # noqa: F401  # pyright: ignore[reportUnusedImport]
 except ImportError:
     pass
 
+from runtime.runtime_profile import resolve_parallel_workers
+
 @dataclass
 class TeamDispatchRequest:
     target: str  # codex | gemini | ccg | auto
@@ -550,7 +551,6 @@ def dispatch_to_model(agent_name: str, user_prompt: str, project_dir: str) -> di
         provider_name_map = {
             "codex-cli": "codex",
             "gemini-cli": "gemini",
-            "opencode-cli": "opencode",
             "kimi-cli": "kimi",
         }
         provider_name = provider_name_map.get(preferred)
@@ -661,7 +661,7 @@ def execute_agents_parallel(
     if not sorted_tasks:
         return []
 
-    max_workers = min(len(sorted_tasks), 5)
+    max_workers = resolve_parallel_workers(project_dir, requested_workers=min(len(sorted_tasks), 5))
     results_by_index: dict[int, dict[str, Any]] = {}
 
     with ThreadPoolExecutor(max_workers=max_workers) as pool:

package/runtime/untrusted_content.py

@@ -0,0 +1,102 @@
+"""State and provenance tracking for untrusted external content."""
+from __future__ import annotations
+
+import json
+from pathlib import Path
+import re
+from typing import Any
+
+
+STATE_REL_PATH = Path(".omg") / "state" / "untrusted-content.json"
+_INSTRUCTION_PATTERNS: tuple[re.Pattern[str], ...] = (
+    re.compile(r"ignore\s+previous\s+instructions", re.IGNORECASE),
+    re.compile(r"\b(system|assistant|developer)\s*:", re.IGNORECASE),
+    re.compile(r"\b(run|execute|commit|push|apply_patch|edit)\b", re.IGNORECASE),
+)
+
+
+def mark_untrusted_content(
+    project_dir: str,
+    *,
+    source_type: str,
+    content: str,
+    source_ref: str = "",
+) -> dict[str, Any]:
+    state_path = _state_path(project_dir)
+    state = get_untrusted_content_state(project_dir)
+    sanitized, quarantined = quarantine_instruction_like_text(content)
+    entry = {
+        "source_type": source_type,
+        "source_ref": source_ref,
+        "quarantined_fragments": quarantined,
+        "trust_score": 0.0,
+    }
+    provenance = list(state.get("provenance", []))
+    provenance.append(entry)
+    next_state = {
+        "active": True,
+        "last_source_type": source_type,
+        "last_source_ref": source_ref,
+        "sanitized_content": sanitized,
+        "quarantined_fragments": quarantined,
+        "provenance": provenance[-20:],
+        "trust_scores": {"external_content": 0.0},
+    }
+    _write_state(state_path, next_state)
+    return next_state
+
+
+def clear_untrusted_content(project_dir: str, *, reason: str) -> dict[str, Any]:
+    state_path = _state_path(project_dir)
+    existing = get_untrusted_content_state(project_dir)
+    next_state = {
+        **existing,
+        "active": False,
+        "cleared_reason": reason,
+    }
+    _write_state(state_path, next_state)
+    return next_state
+
+
+def get_untrusted_content_state(project_dir: str) -> dict[str, Any]:
+    state_path = _state_path(project_dir)
+    if not state_path.exists():
+        return {
+            "active": False,
+            "provenance": [],
+            "trust_scores": {},
+        }
+    try:
+        payload = json.loads(state_path.read_text(encoding="utf-8"))
+    except (OSError, json.JSONDecodeError):
+        return {
+            "active": False,
+            "provenance": [],
+            "trust_scores": {},
+        }
+    return payload if isinstance(payload, dict) else {"active": False, "provenance": [], "trust_scores": {}}
+
+
+def is_untrusted_content_mode_active(project_dir: str) -> bool:
+    return bool(get_untrusted_content_state(project_dir).get("active", False))
+
+
+def quarantine_instruction_like_text(content: str) -> tuple[str, list[str]]:
+    sanitized_lines: list[str] = []
+    quarantined: list[str] = []
+    for raw_line in content.splitlines():
+        line = raw_line.strip()
+        if any(pattern.search(line) for pattern in _INSTRUCTION_PATTERNS):
+            quarantined.append(raw_line)
+            continue
+        sanitized_lines.append(raw_line)
+    return "\n".join(sanitized_lines).strip(), quarantined
+
+
+def _state_path(project_dir: str) -> Path:
+    return Path(project_dir) / STATE_REL_PATH
+
+
+def _write_state(path: Path, payload: dict[str, Any]) -> None:
+    path.parent.mkdir(parents=True, exist_ok=True)
+    path.write_text(json.dumps(payload, indent=2, ensure_ascii=True) + "\n", encoding="utf-8")

package/scripts/omg.py

@@ -1,10 +1,11 @@
 #!/usr/bin/env python3
-"""OMG 2.0.2 CLI entrypoint.
+"""OMG 2.0.4 CLI entrypoint.
 
 Implements practical command-line flows for:
 - omg ship
 - omg fix --issue
 - omg secure
+- omg security check
 - omg maintainer
 - omg trust review
 - omg runtime dispatch
@@ -31,6 +32,15 @@ from hooks.shadow_manager import create_evidence_pack
 from hooks.trust_review import review_config_change, write_trust_manifest
 from lab.pipeline import publish_artifact, run_pipeline
 from runtime.dispatcher import dispatch_runtime
+from runtime.api_twin import ingest_contract, record_fixture, serve_fixture, verify_fixture
+from runtime.domain_packs import get_domain_pack_contract
+from runtime.preflight import run_preflight
+from runtime.security_check import run_security_check
+from runtime.contract_compiler import (
+    build_release_readiness,
+    compile_contract_outputs,
+    validate_contract_registry,
+)
 from runtime.compat import (
     DEFAULT_CONTRACT_SNAPSHOT_PATH,
     DEFAULT_GAP_REPORT_PATH,
@@ -155,6 +165,68 @@ def cmd_secure(args: argparse.Namespace) -> int:
     return 0 if decision.action != "deny" else 3
 
 
+def cmd_security_check(args: argparse.Namespace) -> int:
+    result = run_security_check(
+        project_dir=_ensure_project_dir(),
+        scope=args.scope,
+        include_live_enrichment=bool(args.live_enrichment),
+    )
+    print(json.dumps(result, indent=2))
+    return 0
+
+
+def cmd_api_twin_ingest(args: argparse.Namespace) -> int:
+    result = ingest_contract(_ensure_project_dir(), name=args.name, source_path=args.source)
+    print(json.dumps(result, indent=2))
+    return 0
+
+
+def cmd_api_twin_record(args: argparse.Namespace) -> int:
+    result = record_fixture(
+        _ensure_project_dir(),
+        name=args.name,
+        request=json.loads(args.request_json),
+        response=json.loads(args.response_json),
+        validated=bool(args.validated),
+    )
+    print(json.dumps(result, indent=2))
+    return 0
+
+
+def cmd_api_twin_serve(args: argparse.Namespace) -> int:
+    result = serve_fixture(
+        _ensure_project_dir(),
+        name=args.name,
+        latency_ms=int(args.latency_ms),
+        failure_mode=args.failure_mode,
+        schema_drift=bool(args.schema_drift),
+    )
+    print(json.dumps(result, indent=2))
+    return 0
+
+
+def cmd_api_twin_verify(args: argparse.Namespace) -> int:
+    result = verify_fixture(
+        _ensure_project_dir(),
+        name=args.name,
+        live_response=json.loads(args.live_response_json),
+    )
+    print(json.dumps(result, indent=2))
+    return 0
+
+
+def cmd_preflight(args: argparse.Namespace) -> int:
+    result = run_preflight(_ensure_project_dir(), goal=args.goal)
+    print(json.dumps(result, indent=2))
+    return 0
+
+
+def cmd_domain_pack(args: argparse.Namespace) -> int:
+    result = get_domain_pack_contract(args.name)
+    print(json.dumps(result, indent=2))
+    return 0
+
+
 def cmd_maintainer(args: argparse.Namespace) -> int:
     project_dir = _ensure_project_dir()
     out_dir = Path(project_dir) / ".omg" / "evidence"
@@ -357,6 +429,34 @@ def cmd_ecosystem_sync(args: argparse.Namespace) -> int:
     return 0 if not errors else 2
 
 
+def cmd_contract_validate(args: argparse.Namespace) -> int:
+    result = validate_contract_registry(ROOT_DIR)
+    print(json.dumps(result, indent=2))
+    return 0 if result.get("status") == "ok" else 2
+
+
+def cmd_contract_compile(args: argparse.Namespace) -> int:
+    hosts = args.hosts or []
+    result = compile_contract_outputs(
+        root_dir=ROOT_DIR,
+        output_root=args.output_root,
+        hosts=hosts,
+        channel=args.channel,
+    )
+    print(json.dumps(result, indent=2))
+    return 0 if result.get("status") == "ok" else 2
+
+
+def cmd_release_readiness(args: argparse.Namespace) -> int:
+    result = build_release_readiness(
+        root_dir=ROOT_DIR,
+        output_root=args.output_root,
+        channel=args.channel,
+    )
+    print(json.dumps(result, indent=2))
+    return 0 if result.get("status") == "ok" else 2
+
+
 def _add_compat_subcommands(parent: argparse.ArgumentParser, *, dest: str) -> None:
     compat_sub = parent.add_subparsers(dest=dest, required=True)
     compat_list = compat_sub.add_parser("list", help="List supported legacy skill names")
@@ -399,6 +499,35 @@ def _add_ecosystem_subcommands(parent: argparse.ArgumentParser, *, dest: str) ->
     ecosystem_sync.set_defaults(func=cmd_ecosystem_sync)
 
 
+def _add_contract_subcommands(parent: argparse.ArgumentParser, *, dest: str) -> None:
+    contract_sub = parent.add_subparsers(dest=dest, required=True)
+
+    contract_validate = contract_sub.add_parser("validate", help="Validate contract doc, schema, and bundle registry")
+    contract_validate.set_defaults(func=cmd_contract_validate)
+
+    contract_compile = contract_sub.add_parser("compile", help="Compile Claude/Codex artifacts from the canonical contract")
+    contract_compile.add_argument(
+        "--host",
+        dest="hosts",
+        action="append",
+        choices=["claude", "codex"],
+        required=True,
+        help="Host to compile (repeat for multiple hosts)",
+    )
+    contract_compile.add_argument("--channel", default="public", choices=["public", "enterprise"])
+    contract_compile.add_argument("--output-root", default="", help="Write outputs to this root instead of the repo root")
+    contract_compile.set_defaults(func=cmd_contract_compile)
+
+
+def _add_release_subcommands(parent: argparse.ArgumentParser, *, dest: str) -> None:
+    release_sub = parent.add_subparsers(dest=dest, required=True)
+
+    release_readiness = release_sub.add_parser("readiness", help="Check production release readiness for compiled artifacts")
+    release_readiness.add_argument("--channel", default="dual", choices=["public", "enterprise", "dual"])
+    release_readiness.add_argument("--output-root", default="", help="Check compiled outputs from this root instead of the repo root")
+    release_readiness.set_defaults(func=cmd_release_readiness)
+
+
 def build_parser() -> argparse.ArgumentParser:
     parser = argparse.ArgumentParser(prog="omg", description=f"OMG {CANONICAL_VERSION} CLI")
     sub = parser.add_subparsers(dest="command", required=True)
@@ -418,6 +547,44 @@ def build_parser() -> argparse.ArgumentParser:
     secure.add_argument("--command", required=True)
     secure.set_defaults(func=cmd_secure)
 
+    security = sub.add_parser("security", help="Canonical OMG security workflows")
+    security_sub = security.add_subparsers(dest="security_command", required=True)
+    security_check = security_sub.add_parser("check", help="Run canonical OMG security check")
+    security_check.add_argument("--scope", default=".")
+    security_check.add_argument("--live-enrichment", action="store_true")
+    security_check.set_defaults(func=cmd_security_check)
+
+    api_twin = sub.add_parser("api-twin", help="Contract replay and fixture-based API simulation")
+    api_twin_sub = api_twin.add_subparsers(dest="api_twin_command", required=True)
+    api_twin_ingest = api_twin_sub.add_parser("ingest", help="Ingest OpenAPI/Postman/example contract input")
+    api_twin_ingest.add_argument("--name", required=True)
+    api_twin_ingest.add_argument("--source", required=True)
+    api_twin_ingest.set_defaults(func=cmd_api_twin_ingest)
+    api_twin_record = api_twin_sub.add_parser("record", help="Record approved fixture response")
+    api_twin_record.add_argument("--name", required=True)
+    api_twin_record.add_argument("--request-json", required=True)
+    api_twin_record.add_argument("--response-json", required=True)
+    api_twin_record.add_argument("--validated", action="store_true")
+    api_twin_record.set_defaults(func=cmd_api_twin_record)
+    api_twin_serve = api_twin_sub.add_parser("serve", help="Replay a fixture with optional drift/failure injection")
+    api_twin_serve.add_argument("--name", required=True)
+    api_twin_serve.add_argument("--latency-ms", type=int, default=0)
+    api_twin_serve.add_argument("--failure-mode", default="")
+    api_twin_serve.add_argument("--schema-drift", action="store_true")
+    api_twin_serve.set_defaults(func=cmd_api_twin_serve)
+    api_twin_verify = api_twin_sub.add_parser("verify", help="Validate a fixture against a live response")
+    api_twin_verify.add_argument("--name", required=True)
+    api_twin_verify.add_argument("--live-response-json", required=True)
+    api_twin_verify.set_defaults(func=cmd_api_twin_verify)
+
+    preflight = sub.add_parser("preflight", help="Structured OMG preflight routing")
+    preflight.add_argument("--goal", required=True)
+    preflight.set_defaults(func=cmd_preflight)
+
+    domain_pack = sub.add_parser("domain-pack", help="Inspect optional domain pack contracts")
+    domain_pack.add_argument("--name", required=True, choices=["robotics", "vision", "algorithms", "health"])
+    domain_pack.set_defaults(func=cmd_domain_pack)
+
     maintainer = sub.add_parser("maintainer", help="OSS maintainer evidence helper")
     maintainer.add_argument("--mode", default="impact", choices=["triage", "release", "review", "impact"])
     maintainer.set_defaults(func=cmd_maintainer)
@@ -479,6 +646,12 @@ def build_parser() -> argparse.ArgumentParser:
     ecosystem = sub.add_parser("ecosystem", help="Upstream ecosystem sync and status")
     _add_ecosystem_subcommands(ecosystem, dest="ecosystem_command")
 
+    contract = sub.add_parser("contract", help="Canonical OMG contract validation and compilation")
+    _add_contract_subcommands(contract, dest="contract_command")
+
+    release = sub.add_parser("release", help="OMG release-readiness checks")
+    _add_release_subcommands(release, dest="release_command")
+
     return parser
 
 

package/settings.json

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json.schemastore.org/claude-code-settings.json",
-  "_comment": "OMG 2.0.2 - project-level config with hook registrations, presets, and feature flags.",
+  "_comment": "OMG 2.0.4 - project-level config with hook registrations, presets, and feature flags.",
   "permissions": {
     "allow": [
       "Agent",
@@ -42,7 +42,6 @@
       "Bash(tree *)",
       "Bash(du *)",
       "Bash(df *)",
-      "Bash(env *)",
       "Bash(type *)",
       "Bash(command *)",
       "Bash(test *)",
@@ -52,17 +51,12 @@
       "Bash(ln *)",
       "Bash(cp *)",
       "Bash(mv *)",
-      "Bash(chmod *)",
-      "Bash(chown *)",
       "Bash(git *)",
       "Bash(npm *)",
       "Bash(npx *)",
       "Bash(yarn *)",
       "Bash(pnpm *)",
       "Bash(bun *)",
-      "Bash(node *)",
-      "Bash(python *)",
-      "Bash(python3 *)",
       "Bash(pip *)",
       "Bash(pip3 *)",
       "Bash(uv *)",
@@ -115,6 +109,12 @@
       "Bash(terraform apply *)",
       "Bash(terraform destroy *)",
       "Bash(terraform import *)",
+      "Bash(env *)",
+      "Bash(node *)",
+      "Bash(python *)",
+      "Bash(python3 *)",
+      "Bash(chmod *)",
+      "Bash(chown *)",
       "Bash(docker *)",
       "Bash(docker-compose *)",
       "Bash(kubectl get *)",
@@ -188,45 +188,66 @@
       }
     ],
     "PreToolUse": [
+      {
+        "hooks": [
+          {
+            "type": "command",
+            "command": "python3 \"$HOME/.claude/hooks/firewall.py\"",
+            "timeout": 10
+          }
+        ],
+        "matcher": "Bash"
+      },
+      {
+        "hooks": [
+          {
+            "type": "command",
+            "command": "python3 \"$HOME/.claude/hooks/secret-guard.py\"",
+            "timeout": 10
+          }
+        ],
+        "matcher": "Read|Write|Edit|MultiEdit"
+      },
       {
         "hooks": [
           {
             "type": "command",
             "command": "python3 \"$HOME/.claude/hooks/pre-tool-inject.py\""
           }
-        ]
+        ],
+        "matcher": ""
       }
     ],
     "PostToolUse": [
       {
-        "matcher": "Bash",
         "hooks": [
           {
             "type": "command",
             "command": "python3 \"$HOME/.claude/hooks/circuit-breaker.py\"",
             "timeout": 10
           }
-        ]
+        ],
+        "matcher": "Bash"
       },
       {
-        "matcher": "Write|Edit|MultiEdit",
         "hooks": [
           {
             "type": "command",
             "command": "python3 \"$HOME/.claude/hooks/tool-ledger.py\"",
             "timeout": 10
           }
-        ]
+        ],
+        "matcher": "Write|Edit|MultiEdit"
       },
       {
-        "matcher": "Write|Edit|MultiEdit",
         "hooks": [
           {
             "type": "command",
             "command": "python3 \"$HOME/.claude/hooks/test_generator_hook.py\"",
             "timeout": 10
           }
-        ]
+        ],
+        "matcher": "Write|Edit|MultiEdit"
       },
       {
         "hooks": [
@@ -235,7 +256,8 @@
             "command": "python3 \"$HOME/.claude/hooks/budget_governor.py\"",
             "timeout": 10
           }
-        ]
+        ],
+        "matcher": ""
       }
     ],
     "PostToolUseFailure": [
@@ -250,19 +272,19 @@
     ],
     "Stop": [
       {
-        "matcher": "",
         "hooks": [
           {
             "type": "command",
             "command": "python3 \"$HOME/.claude/hooks/stop_dispatcher.py\"",
             "timeout": 90
           }
-        ]
+        ],
+        "matcher": ""
       }
     ]
   },
   "_omg": {
-    "_version": "2.0.2",
+    "_version": "2.0.4",
     "preset": "safe",
     "default_mode": "ulw+ralph",
     "vision_auto": true,
@@ -313,6 +335,32 @@
       "DEP_HEALTH": false,
       "CODEBASE_VIZ": false,
       "CONTEXT_MANAGER": false
+    },
+    "generated": {
+      "contract_version": "2.0.4",
+      "channel": "public",
+      "required_bundles": [
+        "control-plane",
+        "hook-governor",
+        "mcp-fabric",
+        "lsp-pack",
+        "secure-worktree-pipeline"
+      ],
+      "protected_paths": [
+        ".omg/**",
+        ".agents/**",
+        ".codex/**",
+        ".claude/**"
+      ],
+      "emulated_events": [
+        "PreCompact",
+        "ConfigChange",
+        "WorktreeCreate",
+        "WorktreeRemove",
+        "SubagentStart",
+        "SubagentStop",
+        "TaskCompleted"
+      ]
     }
   }
 }

package/tools/python_repl.py

@@ -25,11 +25,13 @@ from typing import Any, Dict, Generator, List, Optional, Union
 
 _get_feature_flag = None
 _atomic_json_write = None
+_validate_opaque_identifier = None
+_ensure_path_within_dir = None
 
 
 def _ensure_imports():
     """Lazy import feature flag and atomic write from hooks/_common.py."""
-    global _get_feature_flag, _atomic_json_write
+    global _get_feature_flag, _atomic_json_write, _validate_opaque_identifier, _ensure_path_within_dir
     if _get_feature_flag is not None:
         return
     repo_root = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
@@ -38,8 +40,12 @@ def _ensure_imports():
     try:
         from hooks._common import get_feature_flag as _gff
         from hooks._common import atomic_json_write as _ajw
+        from hooks.security_validators import ensure_path_within_dir as _epwd
+        from hooks.security_validators import validate_opaque_identifier as _voi
         _get_feature_flag = _gff
         _atomic_json_write = _ajw
+        _validate_opaque_identifier = _voi
+        _ensure_path_within_dir = _epwd
     except ImportError:
         pass
 
@@ -217,6 +223,23 @@ def _now_iso() -> str:
     return datetime.now(timezone.utc).isoformat()
 
 
+def _validate_session_id(session_id: str) -> str:
+    """Validate a caller-supplied session identifier."""
+    _ensure_imports()
+    if _validate_opaque_identifier is None:
+        raise ValueError("Invalid session_id: validator unavailable")
+    return _validate_opaque_identifier(session_id, "session_id")
+
+
+def _resolve_session_path(session_id: str) -> str:
+    """Resolve the on-disk session path and reject directory escapes."""
+    _ensure_imports()
+    if _ensure_path_within_dir is None:
+        raise ValueError("Invalid session_id: path validator unavailable")
+    state_dir = os.path.abspath(_STATE_DIR)
+    return _ensure_path_within_dir(state_dir, os.path.join(state_dir, f"{session_id}.json"))
+
+
 def _persist_session(session_id: str) -> None:
     """Persist session metadata to disk (best-effort)."""
     if session_id not in _sessions:
@@ -232,10 +255,11 @@ def _persist_session(session_id: str) -> None:
         "exec_count": session["exec_count"],
         "backend": session.get("backend", "stdlib"),
     }
-    path = os.path.join(_STATE_DIR, f"{session_id}.json")
     try:
+        safe_session_id = _validate_session_id(session_id)
+        path = _resolve_session_path(safe_session_id)
         _atomic_json_write(path, meta)
-    except Exception:
+    except (OSError, ValueError):
         pass  # best-effort
 
 
@@ -411,6 +435,12 @@ def start_repl_session(session_id: Optional[str] = None) -> Dict[str, Any]:
     if not _is_enabled():
         return {"error": _DISABLED_MSG}
 
+    if session_id is not None:
+        try:
+            session_id = _validate_session_id(session_id)
+        except ValueError as exc:
+            return {"error": str(exc)}
+
     # Resume existing session
     if session_id and session_id in _sessions:
         session = _sessions[session_id]