@trac3er/oh-my-god 2.0.3 → 2.0.4

package/runtime/providers/gemini_provider.py

@@ -2,7 +2,6 @@
 
 from __future__ import annotations
 
-import json
 import logging
 import os
 import shlex
@@ -12,6 +11,7 @@ import uuid
 from typing import Any
 
 from runtime.cli_provider import CLIProvider, register_provider
+from runtime.mcp_config_writers import write_gemini_mcp_config
 from runtime.tmux_session_manager import TmuxSessionManager
 
 _logger = logging.getLogger(__name__)
@@ -102,26 +102,7 @@ class GeminiProvider(CLIProvider):
         Uses JSON format with ``mcpServers`` key and ``httpUrl`` field,
         merging into any existing configuration.
         """
-        config_path = self.get_config_path()
-        os.makedirs(os.path.dirname(config_path), exist_ok=True)
-
-        # Load existing config or start fresh
-        existing: dict[str, Any] = {}  # pyright: ignore[reportExplicitAny]
-        if os.path.exists(config_path):
-            with open(config_path) as fh:
-                try:
-                    existing = json.load(fh)
-                except (json.JSONDecodeError, ValueError):
-                    existing = {}
-
-        # Ensure mcpServers dict exists
-        if "mcpServers" not in existing:
-            existing["mcpServers"] = {}
-
-        existing["mcpServers"][server_name] = {"httpUrl": server_url}
-
-        with open(config_path, "w") as fh:
-            json.dump(existing, fh, indent=2)
+        write_gemini_mcp_config(server_url, server_name, config_path=self.get_config_path())
 
 
 # -- auto-register on import -----------------------------------------------

package/runtime/providers/kimi_provider.py

@@ -2,7 +2,6 @@
 
 from __future__ import annotations
 
-import json
 import logging
 import os
 import shlex
@@ -12,6 +11,7 @@ import uuid
 from typing import Any
 
 from runtime.cli_provider import CLIProvider, register_provider
+from runtime.mcp_config_writers import write_kimi_mcp_config
 from runtime.tmux_session_manager import TmuxSessionManager
 
 _logger = logging.getLogger(__name__)
@@ -125,26 +125,7 @@ class KimiCodeProvider(CLIProvider):
         Uses standard ``mcpServers`` JSON format with ``type: "http"`` and ``url`` field,
         merging into any existing configuration.
         """
-        config_path = self.get_config_path()
-        os.makedirs(os.path.dirname(config_path), exist_ok=True)
-
-        # Load existing config or start fresh
-        existing: dict[str, Any] = {}  # pyright: ignore[reportExplicitAny]
-        if os.path.exists(config_path):
-            with open(config_path) as fh:
-                try:
-                    existing = json.load(fh)
-                except (json.JSONDecodeError, ValueError):
-                    existing = {}
-
-        # Ensure mcpServers dict exists
-        if "mcpServers" not in existing:
-            existing["mcpServers"] = {}
-
-        existing["mcpServers"][server_name] = {"type": "http", "url": server_url}
-
-        with open(config_path, "w") as fh:
-            json.dump(existing, fh, indent=2)
+        write_kimi_mcp_config(server_url, server_name, config_path=self.get_config_path())
 
 
 # -- auto-register on import -----------------------------------------------

package/runtime/runtime_profile.py

@@ -0,0 +1,61 @@
+"""Runtime profile loading and parallelism budgets."""
+from __future__ import annotations
+
+from pathlib import Path
+from typing import Any
+
+import yaml
+
+
+PROFILE_PRESETS: dict[str, dict[str, Any]] = {
+    "eco": {"profile": "eco", "max_workers": 2, "background_polling": False},
+    "balanced": {"profile": "balanced", "max_workers": 3, "background_polling": False},
+    "turbo": {"profile": "turbo", "max_workers": 5, "background_polling": True},
+}
+
+
+def load_runtime_profile(project_dir: str) -> dict[str, Any]:
+    runtime_path = Path(project_dir) / ".omg" / "runtime.yaml"
+    profile_name = "balanced"
+    if runtime_path.exists():
+        try:
+            payload = yaml.safe_load(runtime_path.read_text(encoding="utf-8")) or {}
+        except Exception:
+            payload = {}
+        if isinstance(payload, dict):
+            candidate = str(payload.get("profile", profile_name)).strip()
+            if candidate in PROFILE_PRESETS:
+                profile_name = candidate
+    return dict(PROFILE_PRESETS[profile_name])
+
+
+def resolve_parallel_workers(project_dir: str, *, requested_workers: int) -> int:
+    profile = load_runtime_profile(project_dir)
+    max_workers = int(profile["max_workers"])
+    cli_cap = _load_cli_parallel_cap(project_dir)
+    if cli_cap is not None:
+        max_workers = min(max_workers, cli_cap)
+    return max(1, min(requested_workers, max_workers))
+
+
+def _load_cli_parallel_cap(project_dir: str) -> int | None:
+    config_path = Path(project_dir) / ".omg" / "state" / "cli-config.yaml"
+    if not config_path.exists():
+        return None
+    try:
+        payload = yaml.safe_load(config_path.read_text(encoding="utf-8")) or {}
+    except Exception:
+        return None
+    if not isinstance(payload, dict):
+        return None
+    cli_configs = payload.get("cli_configs", {})
+    if not isinstance(cli_configs, dict):
+        return None
+    caps = []
+    for config in cli_configs.values():
+        if not isinstance(config, dict):
+            continue
+        value = config.get("max_parallel_agents")
+        if isinstance(value, int) and value > 0:
+            caps.append(value)
+    return min(caps) if caps else None

package/runtime/security_check.py

@@ -0,0 +1,347 @@
+"""Canonical OMG security check engine."""
+from __future__ import annotations
+
+import ast
+from collections import Counter
+from pathlib import Path
+import subprocess
+from typing import Any
+
+from hooks.security_validators import ensure_path_within_dir
+from plugins.dephealth.cve_scanner import scan_for_cves
+from plugins.dephealth.manifest_detector import detect_manifests
+from plugins.dephealth.vuln_analyzer import analyze_reachability
+
+
+SEVERITY_ORDER = {
+    "critical": 0,
+    "high": 1,
+    "medium": 2,
+    "low": 3,
+}
+
+_PYTHON_AST_RULES: tuple[tuple[str, str, str, str], ...] = (
+    ("B602", "subprocess-shell-true", "high", "Avoid shell=True in subprocess calls."),
+    ("B307", "eval-use", "high", "Replace eval with explicit parsing."),
+    ("B102", "exec-use", "high", "Replace exec with explicit control flow."),
+    ("B301", "pickle-load", "high", "Avoid unsafe deserialization of pickle payloads."),
+)
+
+
+def run_security_check(
+    *,
+    project_dir: str,
+    scope: str = ".",
+    include_live_enrichment: bool = False,
+) -> dict[str, Any]:
+    scope_path = _resolve_scope(project_dir, scope)
+    findings: list[dict[str, Any]] = []
+
+    findings.extend(_scan_python_ast(scope_path))
+    findings.extend(_scan_dependency_health(scope_path, include_live_enrichment))
+    findings.sort(key=lambda finding: (SEVERITY_ORDER.get(finding["severity"], 99), finding["id"]))
+
+    severity_counts = Counter(finding["severity"] for finding in findings)
+    source_counts = Counter(finding["source"] for finding in findings)
+    relative_scope = _display_scope(project_dir, scope_path)
+    return {
+        "schema": "SecurityCheckResult",
+        "status": "ok",
+        "scope": relative_scope,
+        "findings": findings,
+        "summary": {
+            "finding_count": len(findings),
+            "by_severity": dict(sorted(severity_counts.items())),
+            "by_source": dict(sorted(source_counts.items())),
+            "live_enrichment": include_live_enrichment,
+        },
+        "provenance": [],
+        "trust_scores": {},
+    }
+
+
+def _resolve_scope(project_dir: str, scope: str) -> Path:
+    if not scope:
+        return Path(project_dir).resolve()
+    candidate = Path(scope)
+    if candidate.is_absolute():
+        return candidate.resolve()
+    base = Path(project_dir).resolve()
+    resolved = Path(ensure_path_within_dir(base, base / candidate))
+    return resolved
+
+
+def _display_scope(project_dir: str, scope_path: Path) -> str:
+    base = Path(project_dir).resolve()
+    try:
+        return scope_path.relative_to(base).as_posix() or "."
+    except ValueError:
+        return str(scope_path)
+
+
+def _scan_python_ast(scope_path: Path) -> list[dict[str, Any]]:
+    findings: list[dict[str, Any]] = []
+    for py_file in _iter_python_files(scope_path):
+        try:
+            source = py_file.read_text(encoding="utf-8")
+        except OSError:
+            continue
+        findings.extend(_scan_python_file(py_file, source))
+    findings.extend(_run_bandit_if_available(scope_path))
+    return findings
+
+
+def _iter_python_files(scope_path: Path) -> list[Path]:
+    if scope_path.is_file():
+        return [scope_path] if scope_path.suffix == ".py" else []
+    if not scope_path.exists():
+        return []
+    return sorted(path for path in scope_path.rglob("*.py") if path.is_file())
+
+
+def _scan_python_file(path: Path, source: str) -> list[dict[str, Any]]:
+    try:
+        tree = ast.parse(source)
+    except SyntaxError:
+        return []
+
+    findings: list[dict[str, Any]] = []
+    for node in ast.walk(tree):
+        if isinstance(node, ast.Call):
+            findings.extend(_call_findings(path, node, source))
+    return findings
+
+
+def _call_findings(path: Path, node: ast.Call, source: str) -> list[dict[str, Any]]:
+    findings: list[dict[str, Any]] = []
+    callee = _call_name(node.func)
+    if callee in {"subprocess.run", "subprocess.Popen", "os.system"}:
+        if any(keyword.arg == "shell" and isinstance(keyword.value, ast.Constant) and keyword.value.value is True for keyword in node.keywords):
+            findings.append(
+                _finding(
+                    rule_id="B602",
+                    source_name="bandit-lite",
+                    category="python_ast",
+                    severity="high",
+                    path=path,
+                    line=getattr(node, "lineno", 1),
+                    message="subprocess call uses shell=True",
+                    recommendation="Avoid shell=True in subprocess calls.",
+                    snippet=_source_line(source, getattr(node, "lineno", 1)),
+                )
+            )
+    if callee == "eval":
+        findings.append(
+            _finding(
+                rule_id="B307",
+                source_name="bandit-lite",
+                category="python_ast",
+                severity="high",
+                path=path,
+                line=getattr(node, "lineno", 1),
+                message="eval() detected",
+                recommendation="Replace eval with explicit parsing.",
+                snippet=_source_line(source, getattr(node, "lineno", 1)),
+            )
+        )
+    if callee == "exec":
+        findings.append(
+            _finding(
+                rule_id="B102",
+                source_name="bandit-lite",
+                category="python_ast",
+                severity="high",
+                path=path,
+                line=getattr(node, "lineno", 1),
+                message="exec() detected",
+                recommendation="Replace exec with explicit control flow.",
+                snippet=_source_line(source, getattr(node, "lineno", 1)),
+            )
+        )
+    if callee in {"pickle.load", "pickle.loads"}:
+        findings.append(
+            _finding(
+                rule_id="B301",
+                source_name="bandit-lite",
+                category="python_ast",
+                severity="high",
+                path=path,
+                line=getattr(node, "lineno", 1),
+                message="pickle deserialization detected",
+                recommendation="Avoid unsafe deserialization of pickle payloads.",
+                snippet=_source_line(source, getattr(node, "lineno", 1)),
+            )
+        )
+    return findings
+
+
+def _call_name(func: ast.AST) -> str:
+    if isinstance(func, ast.Name):
+        return func.id
+    if isinstance(func, ast.Attribute):
+        prefix = _call_name(func.value)
+        return f"{prefix}.{func.attr}" if prefix else func.attr
+    return ""
+
+
+def _source_line(source: str, line: int) -> str:
+    lines = source.splitlines()
+    if 1 <= line <= len(lines):
+        return lines[line - 1].strip()
+    return ""
+
+
+def _run_bandit_if_available(scope_path: Path) -> list[dict[str, Any]]:
+    if not _command_exists("bandit"):
+        return []
+
+    cmd = ["bandit", "-r", str(scope_path), "-f", "json"]
+    proc = subprocess.run(cmd, capture_output=True, text=True, check=False, timeout=30)
+    if proc.returncode not in {0, 1}:
+        return []
+    try:
+        import json
+
+        payload = json.loads(proc.stdout or "{}")
+    except Exception:
+        return []
+
+    findings: list[dict[str, Any]] = []
+    for item in payload.get("results", []):
+        issue_severity = str(item.get("issue_severity", "LOW")).lower()
+        findings.append(
+            {
+                "id": str(item.get("test_id", "bandit")),
+                "source": "bandit",
+                "category": "python_ast",
+                "severity": "medium" if issue_severity == "medium" else ("critical" if issue_severity == "critical" else issue_severity),
+                "exploitability": "unknown",
+                "reachability": "unknown",
+                "evidence": {
+                    "path": str(item.get("filename", "")),
+                    "line": int(item.get("line_number", 1)),
+                    "snippet": str(item.get("code", "")).strip(),
+                },
+                "recommendation": str(item.get("more_info", "")) or "Review Bandit finding and remediate.",
+                "message": str(item.get("issue_text", "Bandit finding")),
+            }
+        )
+    return findings
+
+
+def _command_exists(command: str) -> bool:
+    from shutil import which
+
+    return which(command) is not None
+
+
+def _scan_dependency_health(scope_path: Path, include_live_enrichment: bool) -> list[dict[str, Any]]:
+    manifests = detect_manifests(str(scope_path))
+    dependencies = [
+        {
+            "name": package.name,
+            "version": _normalize_version(package.version),
+            "ecosystem": _ecosystem_from_manifest(package.source_manifest),
+        }
+        for package in manifests.packages
+        if package.name
+    ]
+    if not dependencies or not include_live_enrichment:
+        return []
+
+    osv_result = scan_for_cves(dependencies, str(scope_path))
+    raw_results = osv_result.get("results", {})
+    findings: list[dict[str, Any]] = []
+    for dependency in dependencies:
+        package_name = dependency["name"]
+        for vuln in raw_results.get(package_name, []):
+            reachability = analyze_reachability(
+                {
+                    "package": package_name,
+                    "id": vuln.get("id", ""),
+                    "summary": vuln.get("summary", ""),
+                    "fixed_version": vuln.get("fixed_version", ""),
+                },
+                str(scope_path),
+            )
+            findings.append(
+                {
+                    "id": str(vuln.get("id", "")),
+                    "source": "osv",
+                    "category": "dependency",
+                    "severity": _normalize_severity(str(vuln.get("severity", "unknown"))),
+                    "exploitability": "unknown",
+                    "reachability": str(reachability.get("reachability", "unknown")).lower(),
+                    "evidence": {
+                        "package": package_name,
+                        "version": dependency["version"],
+                        "fixed_version": str(vuln.get("fixed_version", "")),
+                        "summary": str(vuln.get("summary", "")),
+                    },
+                    "recommendation": reachability.get("recommendation", "Upgrade the dependency to a fixed version."),
+                    "message": str(vuln.get("summary", "")) or f"Known vulnerability in {package_name}",
+                }
+            )
+    return findings
+
+
+def _normalize_version(version: str) -> str:
+    normalized = (version or "").strip()
+    for prefix in ("==", ">=", "<=", "~=", "^", ">"):
+        if normalized.startswith(prefix):
+            return normalized[len(prefix):].strip()
+    return normalized
+
+
+def _ecosystem_from_manifest(manifest_path: str) -> str:
+    suffix = Path(manifest_path).name
+    return {
+        "package.json": "npm",
+        "requirements.txt": "PyPI",
+        "pyproject.toml": "PyPI",
+        "Cargo.toml": "crates.io",
+        "go.mod": "Go",
+        "Gemfile": "RubyGems",
+    }.get(suffix, "npm")
+
+
+def _normalize_severity(raw: str) -> str:
+    lowered = raw.lower()
+    if "critical" in lowered:
+        return "critical"
+    if "high" in lowered:
+        return "high"
+    if "medium" in lowered or "moderate" in lowered:
+        return "medium"
+    if "low" in lowered:
+        return "low"
+    return "medium"
+
+
+def _finding(
+    *,
+    rule_id: str,
+    source_name: str,
+    category: str,
+    severity: str,
+    path: Path,
+    line: int,
+    message: str,
+    recommendation: str,
+    snippet: str,
+) -> dict[str, Any]:
+    return {
+        "id": rule_id,
+        "source": source_name,
+        "category": category,
+        "severity": severity,
+        "exploitability": "unknown",
+        "reachability": "reachable",
+        "evidence": {
+            "path": str(path),
+            "line": line,
+            "snippet": snippet,
+        },
+        "recommendation": recommendation,
+        "message": message,
+    }

package/runtime/subagent_dispatcher.py

@@ -8,8 +8,10 @@ Feature flag: OMG_PARALLEL_SUBAGENTS_ENABLED (default: False)
 from __future__ import annotations
 
 import os
+import json
+import shlex
+import subprocess
 import sys
-import time
 import uuid
 import threading
 from concurrent.futures import ThreadPoolExecutor
@@ -100,7 +102,6 @@ def _load_job_from_disk(job_id: str) -> dict[str, Any] | None:
     if not os.path.exists(path):
         return None
     try:
-        import json
         with open(path, "r", encoding="utf-8") as f:
             return json.load(f)
     except (OSError, ValueError):
@@ -175,6 +176,97 @@ def _check_git_available() -> bool:
     return shutil.which("git") is not None
 
 
+def _write_job_evidence(job_id: str, payload: dict[str, Any], *, project_dir: str) -> str:
+    evidence_dir = os.path.join(project_dir, ".omg", "evidence", "subagents")
+    os.makedirs(evidence_dir, exist_ok=True)
+    out_path = os.path.join(evidence_dir, f"{job_id}.json")
+    with open(out_path, "w", encoding="utf-8") as f:
+        json.dump(payload, f, indent=2, ensure_ascii=True)
+    return out_path
+
+
+def _run_configured_worker(command_text: str, prompt: str, *, project_dir: str, worker: str) -> dict[str, Any]:
+    command_text = command_text.strip()
+    if not command_text:
+        return {"status": "error", "worker": worker, "message": "worker command not configured"}
+
+    if "{prompt}" in command_text or "{project_dir}" in command_text:
+        try:
+            cmd = [
+                token.format(prompt=prompt, project_dir=project_dir)
+                for token in shlex.split(command_text)
+            ]
+        except (ValueError, KeyError) as exc:
+            return {"status": "error", "worker": worker, "message": f"invalid worker command template: {exc}"}
+    else:
+        cmd = shlex.split(command_text) + [prompt]
+    try:
+        result = subprocess.run(
+            cmd,
+            cwd=project_dir,
+            capture_output=True,
+            text=True,
+            check=False,
+            timeout=120,
+        )
+        return {
+            "status": "ok" if result.returncode == 0 else "error",
+            "worker": worker,
+            "output": result.stdout,
+            "stderr": result.stderr,
+            "exit_code": result.returncode,
+        }
+    except subprocess.TimeoutExpired:
+        return {"status": "error", "worker": worker, "message": f"{worker} worker timed out"}
+    except OSError as exc:
+        return {"status": "error", "worker": worker, "message": str(exc)}
+
+
+def _dispatch_job_task(record: dict[str, Any], *, project_dir: str) -> dict[str, Any]:
+    runner_mode = os.environ.get("OMG_SUBAGENT_RUNNER", "").strip().lower()
+    if runner_mode == "stub":
+        return {
+            "status": "ok",
+            "worker": os.environ.get("OMG_SUBAGENT_STUB_WORKER", "stub"),
+            "output": os.environ.get("OMG_SUBAGENT_STUB_OUTPUT", record["task_text"]),
+            "exit_code": 0,
+        }
+
+    if runner_mode == "claude":
+        return _run_configured_worker(
+            os.environ.get("OMG_CLAUDE_WORKER_CMD", ""),
+            record["task_text"],
+            project_dir=project_dir,
+            worker="claude",
+        )
+
+    from runtime.team_router import dispatch_to_model
+
+    dispatched = dispatch_to_model(str(record["agent_name"]), str(record["task_text"]), project_dir)
+    if "output" in dispatched or "exit_code" in dispatched:
+        worker = str(dispatched.get("model", "unknown")).replace("-cli", "")
+        return {
+            "status": "ok" if int(dispatched.get("exit_code", 0) or 0) == 0 else "error",
+            "worker": worker,
+            "output": str(dispatched.get("output", "")),
+            "exit_code": int(dispatched.get("exit_code", 0) or 0),
+        }
+
+    if dispatched.get("fallback") == "claude":
+        return _run_configured_worker(
+            os.environ.get("OMG_CLAUDE_WORKER_CMD", ""),
+            record["task_text"],
+            project_dir=project_dir,
+            worker="claude",
+        )
+
+    return {
+        "status": "error",
+        "worker": str(dispatched.get("fallback", "unknown")),
+        "message": str(dispatched.get("error", "worker unavailable")),
+    }
+
+
 def _setup_worktree(job_id: str) -> str | None:
     """Attempt to create a git worktree for job isolation.
 
@@ -232,8 +324,7 @@ def _cleanup_worktree(worktree_dir: str) -> None:
 def _run_job(job_id: str) -> None:
     """Execute a subagent job in the thread pool.
 
-    Updates job status and persists artifacts as they are produced.
-    NOTE: Does NOT actually spawn Claude — simulates execution for now.
+    Updates job status, dispatches to a local worker, and persists artifacts/evidence.
     """
     with _lock:
         record = _jobs.get(job_id)
@@ -247,6 +338,7 @@ def _run_job(job_id: str) -> None:
     _persist_job(job_id, record)
 
     worktree_dir: str | None = None
+    project_dir = _get_project_dir()
     try:
         # Setup isolation if requested
         if record.get("isolation") == "worktree":
@@ -256,17 +348,32 @@ def _run_job(job_id: str) -> None:
                     record["worktree"] = worktree_dir
                 _persist_job(job_id, record)
 
-        # --- Simulated execution ---
-        # Real implementation would dispatch to an agent here.
-        # For now, simulate work + produce an artifact.
-        time.sleep(0.05)  # Simulate brief work
+        active_project_dir = worktree_dir or project_dir
+        dispatch_result = _dispatch_job_task(record, project_dir=active_project_dir)
+        if dispatch_result.get("status") != "ok":
+            raise RuntimeError(str(dispatch_result.get("message", "worker dispatch failed")))
 
         artifact = {
-            "type": "result",
+            "type": "worker-result",
             "agent": record["agent_name"],
-            "content": f"Simulated output for: {record['task_text'][:100]}",
+            "worker": dispatch_result.get("worker", "unknown"),
+            "exit_code": dispatch_result.get("exit_code", 0),
+            "output": dispatch_result.get("output", ""),
             "produced_at": datetime.now(timezone.utc).isoformat(),
         }
+        evidence_payload = {
+            "schema": "OmgSubagentEvidence",
+            "job_id": job_id,
+            "agent_name": record["agent_name"],
+            "task_text": record["task_text"],
+            "worker": dispatch_result.get("worker", "unknown"),
+            "exit_code": dispatch_result.get("exit_code", 0),
+            "output": dispatch_result.get("output", ""),
+            "worktree": worktree_dir,
+            "project_dir": active_project_dir,
+        }
+        evidence_path = _write_job_evidence(job_id, evidence_payload, project_dir=project_dir)
+        artifact["evidence_path"] = os.path.relpath(evidence_path, project_dir)
 
         with _lock:
             # Check for cancellation mid-execution

package/runtime/team_router.py

@@ -30,6 +30,8 @@ try:
 except ImportError:
     pass
 
+from runtime.runtime_profile import resolve_parallel_workers
+
 @dataclass
 class TeamDispatchRequest:
     target: str  # codex | gemini | ccg | auto
@@ -659,7 +661,7 @@ def execute_agents_parallel(
     if not sorted_tasks:
         return []
 
-    max_workers = min(len(sorted_tasks), 5)
+    max_workers = resolve_parallel_workers(project_dir, requested_workers=min(len(sorted_tasks), 5))
     results_by_index: dict[int, dict[str, Any]] = {}
 
     with ThreadPoolExecutor(max_workers=max_workers) as pool: