@trac3er/oh-my-god 2.0.2 → 2.0.4

package/runtime/domain_packs.py

@@ -0,0 +1,34 @@
+"""Optional domain pack contracts for high-risk verticals."""
+from __future__ import annotations
+
+from typing import Any
+
+
+DOMAIN_PACKS: dict[str, dict[str, Any]] = {
+    "robotics": {
+        "name": "robotics",
+        "required_approvals": ["actuation-approval"],
+        "required_evidence": ["simulator-replay", "kill-switch-check"],
+    },
+    "vision": {
+        "name": "vision",
+        "required_approvals": [],
+        "required_evidence": ["dataset-provenance", "drift-check"],
+    },
+    "algorithms": {
+        "name": "algorithms",
+        "required_approvals": [],
+        "required_evidence": ["benchmark-harness", "determinism-check"],
+    },
+    "health": {
+        "name": "health",
+        "required_approvals": ["human-review"],
+        "required_evidence": ["audit-trail", "restricted-tools", "provenance"],
+    },
+}
+
+
+def get_domain_pack_contract(name: str) -> dict[str, Any]:
+    if name not in DOMAIN_PACKS:
+        raise KeyError(name)
+    return dict(DOMAIN_PACKS[name])

package/runtime/guide_assert.py

@@ -0,0 +1,45 @@
+"""Rule-based output assertions for OMG guide checks."""
+from __future__ import annotations
+
+from typing import Any
+
+
+def guide_assert(candidate: str, rules: dict[str, Any]) -> dict[str, Any]:
+    text = candidate or ""
+    lowered = text.lower()
+    violations: list[dict[str, str]] = []
+
+    for goal in _as_list(rules.get("goals")):
+        if "todo" in goal.lower() and "todo" in lowered:
+            violations.append({"rule_type": "goal", "rule": goal, "reason": "candidate still includes TODO markers"})
+
+    for non_goal in _as_list(rules.get("non_goals")):
+        if _mentions(lowered, non_goal):
+            violations.append({"rule_type": "non_goal", "rule": non_goal, "reason": "candidate mentions an explicit non-goal"})
+
+    for criterion in _as_list(rules.get("acceptance_criteria")):
+        if "production-ready" in criterion.lower() and any(token in lowered for token in ("todo", "insecure", "placeholder")):
+            violations.append({"rule_type": "acceptance_criteria", "rule": criterion, "reason": "candidate contains non-production wording"})
+
+    return {
+        "schema": "GuideAssertionResult",
+        "verdict": "fail" if violations else "pass",
+        "violations": violations,
+        "summary": {
+            "rule_count": sum(len(_as_list(rules.get(key))) for key in ("goals", "non_goals", "acceptance_criteria", "architecture_constraints", "style_rules", "risk_appetite")),
+            "violation_count": len(violations),
+        },
+    }
+
+
+def _as_list(value: Any) -> list[str]:
+    if not isinstance(value, list):
+        return []
+    return [str(item) for item in value if str(item).strip()]
+
+
+def _mentions(lowered_candidate: str, rule: str) -> bool:
+    tokens = [token.lower() for token in rule.split() if len(token) >= 4]
+    if not tokens:
+        return False
+    return all(token in lowered_candidate for token in tokens)

package/runtime/mcp_config_writers.py

@@ -5,6 +5,12 @@ import os
 from pathlib import Path
 from typing import cast
 
+from hooks.security_validators import (
+    toml_quote_string,
+    validate_server_name,
+    validate_server_url,
+)
+
 
 def _atomic_write_text(path: Path, content: str) -> None:
     path.parent.mkdir(parents=True, exist_ok=True)
@@ -29,22 +35,61 @@ def _write_json(path: Path, data: dict[str, object]) -> None:
     _atomic_write_text(path, json.dumps(data, indent=2) + "\n")
 
 
-def write_claude_mcp_config(project_dir: str, server_url: str, server_name: str = "memory-server") -> None:
-    config_path = Path(project_dir) / ".mcp.json"
-    config = _load_json(config_path)
+def _validated_server_input(server_url: str, server_name: str) -> tuple[str, str]:
+    return validate_server_url(server_url), validate_server_name(server_name)
+
+
+def _validated_stdio_input(command: str, args: list[str], server_name: str) -> tuple[str, list[str], str]:
+    normalized_name = validate_server_name(server_name)
+    normalized_command = str(command).strip()
+    if not normalized_command or "\n" in normalized_command or "\r" in normalized_command:
+        raise ValueError("Invalid command: newline characters are not allowed")
+    normalized_args = [str(arg) for arg in args]
+    for arg in normalized_args:
+        if "\n" in arg or "\r" in arg:
+            raise ValueError("Invalid args: newline characters are not allowed")
+    return normalized_command, normalized_args, normalized_name
+
+
+def _write_json_mcp_server(path: Path, server_name: str, payload: dict[str, object]) -> None:
+    config = _load_json(path)
     mcp_servers = config.get("mcpServers")
     if not isinstance(mcp_servers, dict):
         mcp_servers = {}
         config["mcpServers"] = mcp_servers
-    mcp_servers[server_name] = {"type": "http", "url": server_url}
-    _write_json(config_path, config)
+    mcp_servers[server_name] = payload
+    _write_json(path, config)
+
+
+def write_claude_mcp_config(project_dir: str, server_url: str, server_name: str = "memory-server") -> None:
+    server_url, server_name = _validated_server_input(server_url, server_name)
+    config_path = Path(project_dir) / ".mcp.json"
+    _write_json_mcp_server(config_path, server_name, {"type": "http", "url": server_url})
+
+
+def write_claude_mcp_stdio_config(
+    project_dir: str,
+    *,
+    command: str,
+    args: list[str],
+    server_name: str = "omg-control",
+) -> None:
+    command, args, server_name = _validated_stdio_input(command, args, server_name)
+    config_path = Path(project_dir) / ".mcp.json"
+    _write_json_mcp_server(config_path, server_name, {"command": command, "args": args})
 
 
-def write_codex_mcp_config(server_url: str, server_name: str = "memory-server") -> None:
-    config_path = Path.home() / ".codex" / "config.toml"
-    config_path.parent.mkdir(parents=True, exist_ok=True)
+def write_codex_mcp_config(
+    server_url: str,
+    server_name: str = "memory-server",
+    *,
+    config_path: str | Path | None = None,
+) -> None:
+    server_url, server_name = _validated_server_input(server_url, server_name)
+    target_path = Path(config_path) if config_path is not None else Path.home() / ".codex" / "config.toml"
+    target_path.parent.mkdir(parents=True, exist_ok=True)
 
-    existing = config_path.read_text() if config_path.exists() else ""
+    existing = target_path.read_text() if target_path.exists() else ""
     lines = existing.splitlines(keepends=True)
 
     header_unquoted = f"[mcp_servers.{server_name}]"
@@ -60,7 +105,7 @@ def write_codex_mcp_config(server_url: str, server_name: str = "memory-server")
     block = [
         f"{header_unquoted}\n",
         'type = "http"\n',
-        f'url = "{server_url}"\n',
+        f'url = "{toml_quote_string(server_url)}"\n',
         "\n",
     ]
 
@@ -68,7 +113,7 @@ def write_codex_mcp_config(server_url: str, server_name: str = "memory-server")
         if existing and not existing.endswith("\n"):
             existing += "\n"
         content = existing + "".join(block)
-        _atomic_write_text(config_path, content)
+        _atomic_write_text(target_path, content)
         return
 
     end_idx = len(lines)
@@ -79,37 +124,98 @@ def write_codex_mcp_config(server_url: str, server_name: str = "memory-server")
             break
 
     updated_lines = lines[:start_idx] + block + lines[end_idx:]
-    _atomic_write_text(config_path, "".join(updated_lines))
+    _atomic_write_text(target_path, "".join(updated_lines))
 
 
-def write_gemini_mcp_config(server_url: str, server_name: str = "memory-server") -> None:
-    config_path = Path.home() / ".gemini" / "settings.json"
-    config = _load_json(config_path)
-    mcp_servers = config.get("mcpServers")
-    if not isinstance(mcp_servers, dict):
-        mcp_servers = {}
-        config["mcpServers"] = mcp_servers
-    mcp_servers[server_name] = {"httpUrl": server_url}
-    _write_json(config_path, config)
+def write_codex_mcp_stdio_config(
+    *,
+    command: str,
+    args: list[str],
+    server_name: str = "omg-control",
+    config_path: str | Path | None = None,
+) -> None:
+    command, args, server_name = _validated_stdio_input(command, args, server_name)
+    target_path = Path(config_path) if config_path is not None else Path.home() / ".codex" / "config.toml"
+    target_path.parent.mkdir(parents=True, exist_ok=True)
+
+    existing = target_path.read_text() if target_path.exists() else ""
+    lines = existing.splitlines(keepends=True)
+    header_unquoted = f"[mcp_servers.{server_name}]"
+    header_quoted = f"[mcp_servers.\"{server_name}\"]"
+    headers = {header_unquoted, header_quoted}
+
+    start_idx: int | None = None
+    for idx, line in enumerate(lines):
+        if line.strip() in headers:
+            start_idx = idx
+            break
 
+    args_text = ", ".join(f'"{toml_quote_string(arg)}"' for arg in args)
+    block = [
+        f"{header_unquoted}\n",
+        f'command = "{toml_quote_string(command)}"\n',
+        f"args = [{args_text}]\n",
+        "\n",
+    ]
 
-def write_opencode_mcp_config(server_url: str, server_name: str = "memory-server") -> None:
-    config_path = Path.home() / ".config" / "opencode" / "opencode.json"
-    config = _load_json(config_path)
-    mcp = config.get("mcp")
-    if not isinstance(mcp, dict):
-        mcp = {}
-        config["mcp"] = mcp
-    mcp[server_name] = {"type": "remote", "url": server_url}
-    _write_json(config_path, config)
+    if start_idx is None:
+        if existing and not existing.endswith("\n"):
+            existing += "\n"
+        _atomic_write_text(target_path, existing + "".join(block))
+        return
 
+    end_idx = len(lines)
+    for idx in range(start_idx + 1, len(lines)):
+        stripped = lines[idx].strip()
+        if stripped.startswith("[") and stripped.endswith("]"):
+            end_idx = idx
+            break
 
-def write_kimi_mcp_config(server_url: str, server_name: str = "memory-server") -> None:
-    config_path = Path.home() / ".kimi" / "mcp.json"
-    config = _load_json(config_path)
-    mcp_servers = config.get("mcpServers")
-    if not isinstance(mcp_servers, dict):
-        mcp_servers = {}
-        config["mcpServers"] = mcp_servers
-    mcp_servers[server_name] = {"type": "http", "url": server_url}
-    _write_json(config_path, config)
+    updated_lines = lines[:start_idx] + block + lines[end_idx:]
+    _atomic_write_text(target_path, "".join(updated_lines))
+
+
+def write_gemini_mcp_config(
+    server_url: str,
+    server_name: str = "memory-server",
+    *,
+    config_path: str | Path | None = None,
+) -> None:
+    server_url, server_name = _validated_server_input(server_url, server_name)
+    target_path = Path(config_path) if config_path is not None else Path.home() / ".gemini" / "settings.json"
+    _write_json_mcp_server(target_path, server_name, {"httpUrl": server_url})
+
+
+def write_gemini_mcp_stdio_config(
+    *,
+    command: str,
+    args: list[str],
+    server_name: str = "omg-control",
+    config_path: str | Path | None = None,
+) -> None:
+    command, args, server_name = _validated_stdio_input(command, args, server_name)
+    target_path = Path(config_path) if config_path is not None else Path.home() / ".gemini" / "settings.json"
+    _write_json_mcp_server(target_path, server_name, {"command": command, "args": args})
+
+
+def write_kimi_mcp_config(
+    server_url: str,
+    server_name: str = "memory-server",
+    *,
+    config_path: str | Path | None = None,
+) -> None:
+    server_url, server_name = _validated_server_input(server_url, server_name)
+    target_path = Path(config_path) if config_path is not None else Path.home() / ".kimi" / "mcp.json"
+    _write_json_mcp_server(target_path, server_name, {"type": "http", "url": server_url})
+
+
+def write_kimi_mcp_stdio_config(
+    *,
+    command: str,
+    args: list[str],
+    server_name: str = "omg-control",
+    config_path: str | Path | None = None,
+) -> None:
+    command, args, server_name = _validated_stdio_input(command, args, server_name)
+    target_path = Path(config_path) if config_path is not None else Path.home() / ".kimi" / "mcp.json"
+    _write_json_mcp_server(target_path, server_name, {"command": command, "args": args})

package/runtime/omg_compat_contract_snapshot.json

@@ -736,19 +736,19 @@
     },
     {
       "skill": "security-review",
-      "route": "secure",
+      "route": "security_check",
       "maturity": "native",
       "inputs": {
-        "required": [
+        "required": [],
+        "optional": [
           "problem"
-        ],
-        "optional": []
+        ]
       },
       "outputs": {
-        "schema": "PolicyDecision"
+        "schema": "SecurityCheckResult"
       },
       "side_effects": [],
-      "notes": ""
+      "notes": "Deprecated alias to the canonical OMG security-check engine."
     },
     {
       "skill": "skill",
@@ -911,5 +911,6 @@
       ],
       "notes": "Writes long-form memory artifact for writing workflows."
     }
-  ]
+  ],
+  "generated_at": "2026-03-07T04:51:08.940394+00:00"
 }

package/runtime/omg_contract_snapshot.json

@@ -736,19 +736,19 @@
     },
     {
       "skill": "security-review",
-      "route": "secure",
+      "route": "security_check",
       "maturity": "native",
       "inputs": {
-        "required": [
+        "required": [],
+        "optional": [
           "problem"
-        ],
-        "optional": []
+        ]
       },
       "outputs": {
-        "schema": "PolicyDecision"
+        "schema": "SecurityCheckResult"
       },
       "side_effects": [],
-      "notes": ""
+      "notes": "Deprecated alias to the canonical OMG security-check engine."
     },
     {
       "skill": "skill",
@@ -911,5 +911,6 @@
       ],
       "notes": "Writes long-form memory artifact for writing workflows."
     }
-  ]
+  ],
+  "generated_at": "2026-03-07T04:51:08.940453+00:00"
 }

package/runtime/omg_mcp_server.py

@@ -0,0 +1,205 @@
+from __future__ import annotations
+
+import os
+from collections.abc import AsyncIterator
+from contextlib import asynccontextmanager
+from dataclasses import dataclass
+from pathlib import Path
+from typing import Any
+
+_MCP_IMPORT_ERROR: ModuleNotFoundError | None = None
+
+try:
+    from fastmcp import FastMCP
+except ModuleNotFoundError as exc:
+    _MCP_IMPORT_ERROR = exc
+
+    def _passthrough_decorator(*_args: Any, **_kwargs: Any):
+        def decorator(func: Any) -> Any:
+            return func
+
+        return decorator
+
+    @dataclass
+    class _StubPrompt:
+        name: str
+        description: str
+        handler: Any
+
+    @dataclass
+    class _StubResource:
+        uri: str
+        name: str
+        description: str
+        mime_type: str
+        handler: Any
+
+    class FastMCP:  # type: ignore[override]
+        def __init__(self, *_args: Any, **_kwargs: Any) -> None:
+            self._import_error = _MCP_IMPORT_ERROR
+            self.instructions = str(_kwargs.get("instructions", ""))
+            self._prompts: list[_StubPrompt] = []
+            self._resources: dict[str, _StubResource] = {}
+
+        def tool(self, *_args: Any, **_kwargs: Any):
+            return _passthrough_decorator(*_args, **_kwargs)
+
+        def prompt(self, *, name: str, description: str = ""):
+            def decorator(func: Any) -> Any:
+                self._prompts.append(_StubPrompt(name=name, description=description, handler=func))
+                return func
+
+            return decorator
+
+        def resource(
+            self,
+            uri: str,
+            *,
+            name: str = "",
+            description: str = "",
+            mime_type: str = "text/plain",
+        ):
+            def decorator(func: Any) -> Any:
+                self._resources[uri] = _StubResource(
+                    uri=uri,
+                    name=name,
+                    description=description,
+                    mime_type=mime_type,
+                    handler=func,
+                )
+                return func
+
+            return decorator
+
+        async def list_prompts(self) -> list[_StubPrompt]:
+            return list(self._prompts)
+
+        async def list_resources(self) -> list[_StubResource]:
+            return list(self._resources.values())
+
+        async def read_resource(self, uri: str) -> Any:
+            resource = self._resources[str(uri)]
+            return resource.handler()
+
+        def run(self, *_args: Any, **_kwargs: Any) -> None:
+            raise RuntimeError("fastmcp is required to run the OMG MCP server") from self._import_error
+
+    FastMCP.__module__ = "fastmcp"
+
+from control_plane.service import ControlPlaneService
+
+
+MCP_INSTRUCTIONS = (
+    "OMG production control plane MCP. Prefer omg-control prompts and resources for "
+    "contract, release-readiness, and governance context before using direct tools."
+)
+
+
+def _root_dir() -> Path:
+    return Path(__file__).resolve().parents[1]
+
+
+@asynccontextmanager
+async def lifespan(_: object) -> AsyncIterator[None]:
+    yield
+
+
+mcp = FastMCP("OMG Control MCP", lifespan=lifespan, instructions=MCP_INSTRUCTIONS)
+
+
+def _service() -> ControlPlaneService:
+    return ControlPlaneService(project_dir=os.environ.get("CLAUDE_PROJECT_DIR", os.getcwd()))
+
+
+def _read_repo_text(rel_path: str) -> str:
+    return (_root_dir() / rel_path).read_text(encoding="utf-8")
+
+
+@mcp.tool()
+def omg_policy_evaluate(tool: str, input: dict[str, Any]) -> dict[str, Any]:
+    _status, payload = _service().policy_evaluate({"tool": tool, "input": input})
+    return payload
+
+
+@mcp.tool()
+def omg_trust_review(file_path: str, old_config: dict[str, Any], new_config: dict[str, Any]) -> dict[str, Any]:
+    _status, payload = _service().trust_review({"file_path": file_path, "old_config": old_config, "new_config": new_config})
+    return payload
+
+
+@mcp.tool()
+def omg_evidence_ingest(
+    run_id: str,
+    tests: list[dict[str, Any]],
+    security_scans: list[dict[str, Any]],
+    diff_summary: dict[str, Any],
+    reproducibility: dict[str, Any],
+    unresolved_risks: list[str],
+    provenance: list[dict[str, Any]] | None = None,
+    trust_scores: dict[str, Any] | None = None,
+    api_twin: dict[str, Any] | None = None,
+) -> dict[str, Any]:
+    _status, payload = _service().evidence_ingest(
+        {
+            "run_id": run_id,
+            "tests": tests,
+            "security_scans": security_scans,
+            "diff_summary": diff_summary,
+            "reproducibility": reproducibility,
+            "unresolved_risks": unresolved_risks,
+            "provenance": provenance or [],
+            "trust_scores": trust_scores or {},
+            "api_twin": api_twin or {},
+        }
+    )
+    return payload
+
+
+@mcp.tool()
+def omg_runtime_dispatch(runtime: str, idea: dict[str, Any]) -> dict[str, Any]:
+    _status, payload = _service().runtime_dispatch({"runtime": runtime, "idea": idea})
+    return payload
+
+
+@mcp.tool()
+def omg_security_check(scope: str = ".", include_live_enrichment: bool = False) -> dict[str, Any]:
+    _status, payload = _service().security_check({"scope": scope, "include_live_enrichment": include_live_enrichment})
+    return payload
+
+
+@mcp.tool()
+def omg_guide_assert(candidate: str, rules: dict[str, Any]) -> dict[str, Any]:
+    _status, payload = _service().guide_assert({"candidate": candidate, "rules": rules})
+    return payload
+
+
+@mcp.prompt(name="omg_contract_summary", description="Summarize the OMG production contract and generated host outputs")
+def omg_contract_summary(channel: str = "public") -> str:
+    return (
+        "Summarize the OMG production control plane contract for channel "
+        f"`{channel}`. Include execution_contract, host_compilation_rules, "
+        "MCP resources, prompts, and release-readiness expectations."
+    )
+
+
+@mcp.resource("resource://omg/contract", name="omg_contract", description="Canonical OMG production contract document", mime_type="text/markdown")
+def omg_contract_resource() -> str:
+    return _read_repo_text("OMG_COMPAT_CONTRACT.md")
+
+
+@mcp.resource(
+    "resource://omg/release-checklist",
+    name="omg_release_checklist",
+    description="Public release checklist for OMG",
+    mime_type="text/markdown",
+)
+def omg_release_checklist_resource() -> str:
+    return _read_repo_text("docs/release-checklist.md")
+
+
+def run_server() -> None:
+    mcp.run(transport="stdio")
+
+
+if __name__ == "__main__":
+    run_server()

package/runtime/preflight.py

@@ -0,0 +1,52 @@
+"""Structured preflight routing for OMG."""
+from __future__ import annotations
+
+from typing import Any
+
+
+def run_preflight(project_dir: str, *, goal: str) -> dict[str, Any]:
+    lowered = goal.lower()
+    task_class = "implementation"
+    risk_class = "medium"
+    route = "teams"
+
+    if any(token in lowered for token in ("openapi", "swagger", "postman", "contract", "fixture", "replay")):
+        task_class = "contract"
+        route = "api-twin"
+    elif any(token in lowered for token in ("auth", "secret", "security", "token", "injection")):
+        task_class = "security"
+        risk_class = "high"
+        route = "security-check"
+    elif any(token in lowered for token in ("full stack", "frontend and backend", "dashboard", "orchestrate")):
+        task_class = "orchestration"
+        risk_class = "high"
+        route = "crazy"
+
+    return {
+        "schema": "PreflightResult",
+        "project_dir": project_dir,
+        "goal": goal,
+        "task_class": task_class,
+        "risk_class": risk_class,
+        "route": route,
+        "required_tools": _required_tools(route),
+        "required_mcps": ["omg-control"] if route in {"security-check", "api-twin", "crazy"} else [],
+        "missing_constraints": [],
+        "evidence_plan": _evidence_plan(route),
+    }
+
+
+def _required_tools(route: str) -> list[str]:
+    return {
+        "security-check": ["security"],
+        "api-twin": ["api-twin"],
+        "crazy": ["teams", "ccg"],
+    }.get(route, ["teams"])
+
+
+def _evidence_plan(route: str) -> list[str]:
+    return {
+        "security-check": ["security findings", "provenance"],
+        "api-twin": ["fixture fidelity", "live verification"],
+        "crazy": ["verification output", "evidence pack"],
+    }.get(route, ["verification output"])

package/runtime/providers/codex_provider.py

@@ -11,6 +11,7 @@ import uuid
 from typing import Any
 
 from runtime.cli_provider import CLIProvider, register_provider
+from runtime.mcp_config_writers import write_codex_mcp_config
 from runtime.tmux_session_manager import TmuxSessionManager
 
 _logger = logging.getLogger(__name__)
@@ -94,18 +95,7 @@ class CodexProvider(CLIProvider):
 
     def write_mcp_config(self, server_url: str, server_name: str = "memory-server") -> None:
         """Write an MCP server entry to ``~/.codex/config.toml``."""
-        config_path = self.get_config_path()
-        os.makedirs(os.path.dirname(config_path), exist_ok=True)
-
-        entry = (
-            f'[mcp_servers."{server_name}"]\n'
-            f'url = "{server_url}"\n'
-        )
-
-        # Append or create
-        mode = "a" if os.path.exists(config_path) else "w"
-        with open(config_path, mode) as fh:
-            fh.write(entry)
+        write_codex_mcp_config(server_url, server_name, config_path=self.get_config_path())
 
 
 # -- auto-register on import -----------------------------------------------