@trac3er/oh-my-god 2.0.3 → 2.0.5

package/runtime/data_lineage.py

@@ -0,0 +1,73 @@
+"""Lineage manifests for generated OMG artifacts."""
+from __future__ import annotations
+
+from datetime import datetime, timezone
+import json
+from pathlib import Path
+from typing import Any
+from uuid import uuid4
+
+
+def _now() -> str:
+    return datetime.now(timezone.utc).isoformat()
+
+
+def build_lineage_manifest(
+    project_dir: str,
+    *,
+    artifact_type: str,
+    sources: list[dict[str, Any]],
+    privacy: str,
+    license: str,
+    derivation: dict[str, Any],
+    trace_id: str | None = None,
+) -> dict[str, Any]:
+    lineage_id = f"lineage-{uuid4().hex}"
+    payload = {
+        "schema": "DataLineageManifest",
+        "lineage_id": lineage_id,
+        "generated_at": _now(),
+        "artifact_type": artifact_type,
+        "sources": sources,
+        "privacy": privacy,
+        "license": license,
+        "derivation": derivation,
+        "trace_id": trace_id or "",
+    }
+    validation = validate_lineage_manifest(payload)
+    payload["status"] = validation["status"]
+    payload["errors"] = validation["errors"]
+
+    rel_path = Path(".omg") / "lineage" / f"{lineage_id}.json"
+    path = Path(project_dir) / rel_path
+    path.parent.mkdir(parents=True, exist_ok=True)
+    path.write_text(json.dumps(payload, indent=2, ensure_ascii=True) + "\n", encoding="utf-8")
+    payload["path"] = rel_path.as_posix()
+    return payload
+
+
+def validate_lineage_manifest(payload: dict[str, Any]) -> dict[str, Any]:
+    errors: list[str] = []
+    if not payload.get("artifact_type"):
+        errors.append("artifact_type is required")
+    if not payload.get("privacy"):
+        errors.append("privacy is required")
+    if not payload.get("license"):
+        errors.append("license is required")
+    sources = payload.get("sources", [])
+    if not isinstance(sources, list) or not sources:
+        errors.append("sources are required")
+    else:
+        for idx, source in enumerate(sources):
+            if not isinstance(source, dict):
+                errors.append(f"source {idx} must be an object")
+                continue
+            if not source.get("license"):
+                errors.append(f"source {idx} missing license")
+            if not source.get("path"):
+                errors.append(f"source {idx} missing path")
+    return {
+        "schema": "DataLineageValidationResult",
+        "status": "ok" if not errors else "error",
+        "errors": errors,
+    }

package/runtime/delta_classifier.py

@@ -0,0 +1,81 @@
+"""Repo-aware change classification for routing and policy attachment."""
+from __future__ import annotations
+
+import json
+from pathlib import Path
+import subprocess
+from typing import Any
+
+
+_CATEGORY_RULES: dict[str, tuple[str, ...]] = {
+    "auth": ("auth", "token", "secret", "login", "credential"),
+    "payment": ("payment", "billing", "invoice", "stripe", "checkout"),
+    "db": ("migration", "schema", "database", "sql", "postgres", "mysql"),
+    "infra": ("terraform", ".tf", "deploy", "helm", "k8s", "docker"),
+    "api": ("openapi", "swagger", "postman", "endpoint", "api"),
+    "data": ("dataset", "lineage", "privacy", "warehouse", "etl"),
+    "compliance": ("gdpr", "hipaa", "pci", "soc2", "privacy"),
+    "robotics": ("robot", "actuator", "sensor", "simulator"),
+    "vision": ("vision", "image", "camera", "cv"),
+    "health": ("health", "patient", "clinical", "medical"),
+    "algorithms": ("algorithm", "benchmark", "determinism", "complexity"),
+}
+
+
+def classify_project_changes(
+    project_dir: str,
+    *,
+    touched_files: list[str] | None = None,
+    goal: str = "",
+) -> dict[str, Any]:
+    files = touched_files if touched_files is not None else _discover_files(project_dir)
+    manifest_names = sorted(path.name for path in Path(project_dir).glob("*") if path.is_file())
+    haystacks = [goal.lower(), *[file.lower() for file in files], *[name.lower() for name in manifest_names]]
+
+    categories = {
+        category
+        for category, tokens in _CATEGORY_RULES.items()
+        if any(token in haystack for token in tokens for haystack in haystacks)
+    }
+    if not categories:
+        categories.add("implementation")
+
+    result = {
+        "schema": "DeltaClassification",
+        "project_dir": project_dir,
+        "goal": goal,
+        "categories": sorted(categories),
+        "touched_files": files,
+        "manifests": manifest_names,
+    }
+    return result
+
+
+def _discover_files(project_dir: str) -> list[str]:
+    root = Path(project_dir)
+    git_dir = root / ".git"
+    if git_dir.exists():
+        proc = subprocess.run(
+            ["git", "diff", "--name-only", "HEAD"],
+            cwd=str(root),
+            capture_output=True,
+            text=True,
+            check=False,
+            timeout=10,
+        )
+        if proc.returncode == 0:
+            files = [line.strip() for line in proc.stdout.splitlines() if line.strip()]
+            if files:
+                return files
+
+    discovered: list[str] = []
+    for path in sorted(root.rglob("*")):
+        if not path.is_file():
+            continue
+        rel = path.relative_to(root).as_posix()
+        if rel.startswith(".omg/"):
+            continue
+        discovered.append(rel)
+        if len(discovered) >= 32:
+            break
+    return discovered

package/runtime/domain_packs.py

@@ -0,0 +1,46 @@
+"""Optional domain pack contracts for high-risk verticals."""
+from __future__ import annotations
+
+from typing import Any
+
+
+DOMAIN_PACKS: dict[str, dict[str, Any]] = {
+    "robotics": {
+        "name": "robotics",
+        "required_approvals": ["actuation-approval"],
+        "required_evidence": ["simulator-replay", "kill-switch-check"],
+        "policy_modules": ["safe-actuation", "simulator-gate"],
+        "eval_hooks": ["robotics-sim"],
+        "replay_hooks": ["incident-replay"],
+    },
+    "vision": {
+        "name": "vision",
+        "required_approvals": [],
+        "required_evidence": ["dataset-provenance", "drift-check"],
+        "policy_modules": ["dataset-lineage", "drift-gate"],
+        "eval_hooks": ["vision-regression"],
+        "replay_hooks": ["incident-replay"],
+    },
+    "algorithms": {
+        "name": "algorithms",
+        "required_approvals": [],
+        "required_evidence": ["benchmark-harness", "determinism-check"],
+        "policy_modules": ["benchmark-gate", "determinism-gate"],
+        "eval_hooks": ["algorithm-benchmarks"],
+        "replay_hooks": ["incident-replay"],
+    },
+    "health": {
+        "name": "health",
+        "required_approvals": ["human-review"],
+        "required_evidence": ["audit-trail", "restricted-tools", "provenance"],
+        "policy_modules": ["human-review", "privacy-gate"],
+        "eval_hooks": ["health-safety"],
+        "replay_hooks": ["incident-replay"],
+    },
+}
+
+
+def get_domain_pack_contract(name: str) -> dict[str, Any]:
+    if name not in DOMAIN_PACKS:
+        raise KeyError(name)
+    return dict(DOMAIN_PACKS[name])

package/runtime/ecosystem.py

@@ -8,7 +8,7 @@ import subprocess
 from typing import Any
 
 ECOSYSTEM_SCHEMA = "OmgEcosystemCatalog"
-ECOSYSTEM_CATALOG_VERSION = "1.0.0"
+ECOSYSTEM_CATALOG_VERSION = "2.0.5"
 ECOSYSTEM_LOCK_SCHEMA = "OmgEcosystemLock"
 DEFAULT_ECOSYSTEM_REPO_DIR = ".omg/ecosystem/repos"
 DEFAULT_ECOSYSTEM_LOCK_PATH = ".omg/state/ecosystem-lock.json"

package/runtime/eval_gate.py

@@ -0,0 +1,50 @@
+"""Reproducible evaluation results for release gating."""
+from __future__ import annotations
+
+from datetime import datetime, timezone
+import json
+from pathlib import Path
+from typing import Any
+
+
+EVAL_GATE_LATEST_REL_PATH = Path(".omg") / "evals" / "latest.json"
+EVAL_GATE_HISTORY_REL_PATH = Path(".omg") / "evals" / "history.jsonl"
+
+
+def _now() -> str:
+    return datetime.now(timezone.utc).isoformat()
+
+
+def evaluate_trace(
+    project_dir: str,
+    *,
+    trace_id: str,
+    suites: list[str],
+    metrics: dict[str, float],
+    regression_threshold: float = 0.95,
+) -> dict[str, Any]:
+    scorecard = {name: float(metrics.get(name, 0.0)) for name in suites}
+    regressed = any(score < regression_threshold for score in scorecard.values())
+    result = {
+        "schema": "EvalGateResult",
+        "trace_id": trace_id,
+        "evaluated_at": _now(),
+        "status": "fail" if regressed else "ok",
+        "suites": suites,
+        "metrics": scorecard,
+        "summary": {
+            "regressed": regressed,
+            "regression_threshold": regression_threshold,
+        },
+    }
+
+    latest_path = Path(project_dir) / EVAL_GATE_LATEST_REL_PATH
+    latest_path.parent.mkdir(parents=True, exist_ok=True)
+    latest_path.write_text(json.dumps(result, indent=2, ensure_ascii=True) + "\n", encoding="utf-8")
+
+    history_path = Path(project_dir) / EVAL_GATE_HISTORY_REL_PATH
+    with history_path.open("a", encoding="utf-8") as handle:
+        handle.write(json.dumps(result, ensure_ascii=True) + "\n")
+
+    result["path"] = EVAL_GATE_LATEST_REL_PATH.as_posix()
+    return result

package/runtime/guide_assert.py

@@ -0,0 +1,45 @@
+"""Rule-based output assertions for OMG guide checks."""
+from __future__ import annotations
+
+from typing import Any
+
+
+def guide_assert(candidate: str, rules: dict[str, Any]) -> dict[str, Any]:
+    text = candidate or ""
+    lowered = text.lower()
+    violations: list[dict[str, str]] = []
+
+    for goal in _as_list(rules.get("goals")):
+        if "todo" in goal.lower() and "todo" in lowered:
+            violations.append({"rule_type": "goal", "rule": goal, "reason": "candidate still includes TODO markers"})
+
+    for non_goal in _as_list(rules.get("non_goals")):
+        if _mentions(lowered, non_goal):
+            violations.append({"rule_type": "non_goal", "rule": non_goal, "reason": "candidate mentions an explicit non-goal"})
+
+    for criterion in _as_list(rules.get("acceptance_criteria")):
+        if "production-ready" in criterion.lower() and any(token in lowered for token in ("todo", "insecure", "placeholder")):
+            violations.append({"rule_type": "acceptance_criteria", "rule": criterion, "reason": "candidate contains non-production wording"})
+
+    return {
+        "schema": "GuideAssertionResult",
+        "verdict": "fail" if violations else "pass",
+        "violations": violations,
+        "summary": {
+            "rule_count": sum(len(_as_list(rules.get(key))) for key in ("goals", "non_goals", "acceptance_criteria", "architecture_constraints", "style_rules", "risk_appetite")),
+            "violation_count": len(violations),
+        },
+    }
+
+
+def _as_list(value: Any) -> list[str]:
+    if not isinstance(value, list):
+        return []
+    return [str(item) for item in value if str(item).strip()]
+
+
+def _mentions(lowered_candidate: str, rule: str) -> bool:
+    tokens = [token.lower() for token in rule.split() if len(token) >= 4]
+    if not tokens:
+        return False
+    return all(token in lowered_candidate for token in tokens)

package/runtime/incident_replay.py

@@ -0,0 +1,47 @@
+"""Replayable incident pack generation."""
+from __future__ import annotations
+
+from datetime import datetime, timezone
+import json
+from pathlib import Path
+from typing import Any
+from uuid import uuid4
+
+
+def _now() -> str:
+    return datetime.now(timezone.utc).isoformat()
+
+
+def build_incident_pack(
+    project_dir: str,
+    *,
+    title: str,
+    failing_tests: list[str],
+    logs: list[str],
+    diff_summary: dict[str, Any],
+    trace_id: str | None = None,
+) -> dict[str, Any]:
+    incident_id = f"incident-{uuid4().hex}"
+    payload = {
+        "schema": "IncidentReplayPack",
+        "incident_id": incident_id,
+        "title": title,
+        "generated_at": _now(),
+        "trace_id": trace_id or "",
+        "failing_tests": failing_tests,
+        "logs": logs,
+        "diff_summary": diff_summary,
+        "reproduction_steps": [
+            "Replay the failing tests.",
+            "Inspect the attached logs.",
+            "Validate the diff summary before patching.",
+        ],
+        "regression_guards": failing_tests,
+    }
+
+    rel_path = Path(".omg") / "incidents" / f"{incident_id}.json"
+    path = Path(project_dir) / rel_path
+    path.parent.mkdir(parents=True, exist_ok=True)
+    path.write_text(json.dumps(payload, indent=2, ensure_ascii=True) + "\n", encoding="utf-8")
+    payload["path"] = rel_path.as_posix()
+    return payload

package/runtime/mcp_config_writers.py

@@ -5,6 +5,12 @@ import os
 from pathlib import Path
 from typing import cast
 
+from hooks.security_validators import (
+    toml_quote_string,
+    validate_server_name,
+    validate_server_url,
+)
+
 
 def _atomic_write_text(path: Path, content: str) -> None:
     path.parent.mkdir(parents=True, exist_ok=True)
@@ -29,22 +35,61 @@ def _write_json(path: Path, data: dict[str, object]) -> None:
     _atomic_write_text(path, json.dumps(data, indent=2) + "\n")
 
 
-def write_claude_mcp_config(project_dir: str, server_url: str, server_name: str = "memory-server") -> None:
-    config_path = Path(project_dir) / ".mcp.json"
-    config = _load_json(config_path)
+def _validated_server_input(server_url: str, server_name: str) -> tuple[str, str]:
+    return validate_server_url(server_url), validate_server_name(server_name)
+
+
+def _validated_stdio_input(command: str, args: list[str], server_name: str) -> tuple[str, list[str], str]:
+    normalized_name = validate_server_name(server_name)
+    normalized_command = str(command).strip()
+    if not normalized_command or "\n" in normalized_command or "\r" in normalized_command:
+        raise ValueError("Invalid command: newline characters are not allowed")
+    normalized_args = [str(arg) for arg in args]
+    for arg in normalized_args:
+        if "\n" in arg or "\r" in arg:
+            raise ValueError("Invalid args: newline characters are not allowed")
+    return normalized_command, normalized_args, normalized_name
+
+
+def _write_json_mcp_server(path: Path, server_name: str, payload: dict[str, object]) -> None:
+    config = _load_json(path)
     mcp_servers = config.get("mcpServers")
     if not isinstance(mcp_servers, dict):
         mcp_servers = {}
         config["mcpServers"] = mcp_servers
-    mcp_servers[server_name] = {"type": "http", "url": server_url}
-    _write_json(config_path, config)
+    mcp_servers[server_name] = payload
+    _write_json(path, config)
 
 
-def write_codex_mcp_config(server_url: str, server_name: str = "memory-server") -> None:
-    config_path = Path.home() / ".codex" / "config.toml"
-    config_path.parent.mkdir(parents=True, exist_ok=True)
+def write_claude_mcp_config(project_dir: str, server_url: str, server_name: str = "memory-server") -> None:
+    server_url, server_name = _validated_server_input(server_url, server_name)
+    config_path = Path(project_dir) / ".mcp.json"
+    _write_json_mcp_server(config_path, server_name, {"type": "http", "url": server_url})
+
+
+def write_claude_mcp_stdio_config(
+    project_dir: str,
+    *,
+    command: str,
+    args: list[str],
+    server_name: str = "omg-control",
+) -> None:
+    command, args, server_name = _validated_stdio_input(command, args, server_name)
+    config_path = Path(project_dir) / ".mcp.json"
+    _write_json_mcp_server(config_path, server_name, {"command": command, "args": args})
+
 
-    existing = config_path.read_text() if config_path.exists() else ""
+def write_codex_mcp_config(
+    server_url: str,
+    server_name: str = "memory-server",
+    *,
+    config_path: str | Path | None = None,
+) -> None:
+    server_url, server_name = _validated_server_input(server_url, server_name)
+    target_path = Path(config_path) if config_path is not None else Path.home() / ".codex" / "config.toml"
+    target_path.parent.mkdir(parents=True, exist_ok=True)
+
+    existing = target_path.read_text() if target_path.exists() else ""
     lines = existing.splitlines(keepends=True)
 
     header_unquoted = f"[mcp_servers.{server_name}]"
@@ -60,7 +105,7 @@ def write_codex_mcp_config(server_url: str, server_name: str = "memory-server")
     block = [
         f"{header_unquoted}\n",
         'type = "http"\n',
-        f'url = "{server_url}"\n',
+        f'url = "{toml_quote_string(server_url)}"\n',
         "\n",
     ]
 
@@ -68,7 +113,7 @@ def write_codex_mcp_config(server_url: str, server_name: str = "memory-server")
         if existing and not existing.endswith("\n"):
             existing += "\n"
         content = existing + "".join(block)
-        _atomic_write_text(config_path, content)
+        _atomic_write_text(target_path, content)
         return
 
     end_idx = len(lines)
@@ -79,26 +124,98 @@ def write_codex_mcp_config(server_url: str, server_name: str = "memory-server")
             break
 
     updated_lines = lines[:start_idx] + block + lines[end_idx:]
-    _atomic_write_text(config_path, "".join(updated_lines))
+    _atomic_write_text(target_path, "".join(updated_lines))
 
 
-def write_gemini_mcp_config(server_url: str, server_name: str = "memory-server") -> None:
-    config_path = Path.home() / ".gemini" / "settings.json"
-    config = _load_json(config_path)
-    mcp_servers = config.get("mcpServers")
-    if not isinstance(mcp_servers, dict):
-        mcp_servers = {}
-        config["mcpServers"] = mcp_servers
-    mcp_servers[server_name] = {"httpUrl": server_url}
-    _write_json(config_path, config)
+def write_codex_mcp_stdio_config(
+    *,
+    command: str,
+    args: list[str],
+    server_name: str = "omg-control",
+    config_path: str | Path | None = None,
+) -> None:
+    command, args, server_name = _validated_stdio_input(command, args, server_name)
+    target_path = Path(config_path) if config_path is not None else Path.home() / ".codex" / "config.toml"
+    target_path.parent.mkdir(parents=True, exist_ok=True)
 
+    existing = target_path.read_text() if target_path.exists() else ""
+    lines = existing.splitlines(keepends=True)
+    header_unquoted = f"[mcp_servers.{server_name}]"
+    header_quoted = f"[mcp_servers.\"{server_name}\"]"
+    headers = {header_unquoted, header_quoted}
 
-def write_kimi_mcp_config(server_url: str, server_name: str = "memory-server") -> None:
-    config_path = Path.home() / ".kimi" / "mcp.json"
-    config = _load_json(config_path)
-    mcp_servers = config.get("mcpServers")
-    if not isinstance(mcp_servers, dict):
-        mcp_servers = {}
-        config["mcpServers"] = mcp_servers
-    mcp_servers[server_name] = {"type": "http", "url": server_url}
-    _write_json(config_path, config)
+    start_idx: int | None = None
+    for idx, line in enumerate(lines):
+        if line.strip() in headers:
+            start_idx = idx
+            break
+
+    args_text = ", ".join(f'"{toml_quote_string(arg)}"' for arg in args)
+    block = [
+        f"{header_unquoted}\n",
+        f'command = "{toml_quote_string(command)}"\n',
+        f"args = [{args_text}]\n",
+        "\n",
+    ]
+
+    if start_idx is None:
+        if existing and not existing.endswith("\n"):
+            existing += "\n"
+        _atomic_write_text(target_path, existing + "".join(block))
+        return
+
+    end_idx = len(lines)
+    for idx in range(start_idx + 1, len(lines)):
+        stripped = lines[idx].strip()
+        if stripped.startswith("[") and stripped.endswith("]"):
+            end_idx = idx
+            break
+
+    updated_lines = lines[:start_idx] + block + lines[end_idx:]
+    _atomic_write_text(target_path, "".join(updated_lines))
+
+
+def write_gemini_mcp_config(
+    server_url: str,
+    server_name: str = "memory-server",
+    *,
+    config_path: str | Path | None = None,
+) -> None:
+    server_url, server_name = _validated_server_input(server_url, server_name)
+    target_path = Path(config_path) if config_path is not None else Path.home() / ".gemini" / "settings.json"
+    _write_json_mcp_server(target_path, server_name, {"httpUrl": server_url})
+
+
+def write_gemini_mcp_stdio_config(
+    *,
+    command: str,
+    args: list[str],
+    server_name: str = "omg-control",
+    config_path: str | Path | None = None,
+) -> None:
+    command, args, server_name = _validated_stdio_input(command, args, server_name)
+    target_path = Path(config_path) if config_path is not None else Path.home() / ".gemini" / "settings.json"
+    _write_json_mcp_server(target_path, server_name, {"command": command, "args": args})
+
+
+def write_kimi_mcp_config(
+    server_url: str,
+    server_name: str = "memory-server",
+    *,
+    config_path: str | Path | None = None,
+) -> None:
+    server_url, server_name = _validated_server_input(server_url, server_name)
+    target_path = Path(config_path) if config_path is not None else Path.home() / ".kimi" / "mcp.json"
+    _write_json_mcp_server(target_path, server_name, {"type": "http", "url": server_url})
+
+
+def write_kimi_mcp_stdio_config(
+    *,
+    command: str,
+    args: list[str],
+    server_name: str = "omg-control",
+    config_path: str | Path | None = None,
+) -> None:
+    command, args, server_name = _validated_stdio_input(command, args, server_name)
+    target_path = Path(config_path) if config_path is not None else Path.home() / ".kimi" / "mcp.json"
+    _write_json_mcp_server(target_path, server_name, {"command": command, "args": args})

package/runtime/mcp_memory_server.py

@@ -66,7 +66,7 @@ mcp = FastMCP("OMG Memory Server", lifespan=lifespan)
 
 @mcp.custom_route("/health", methods=["GET"])
 async def health(_: Request) -> JSONResponse:
-    return JSONResponse({"status": "ok", "version": "1.0.0"})
+    return JSONResponse({"status": "ok", "version": "2.0.5"})
 
 
 @mcp.tool()

package/runtime/omg_compat_contract_snapshot.json

@@ -1,6 +1,6 @@
 {
   "schema": "OmgCompatContractSnapshot",
-  "contract_version": "1.0.0",
+  "contract_version": "2.0.5",
   "count": 47,
   "contracts": [
     {
@@ -736,19 +736,19 @@
     },
     {
       "skill": "security-review",
-      "route": "secure",
+      "route": "security_check",
       "maturity": "native",
       "inputs": {
-        "required": [
+        "required": [],
+        "optional": [
           "problem"
-        ],
-        "optional": []
+        ]
       },
       "outputs": {
-        "schema": "PolicyDecision"
+        "schema": "SecurityCheckResult"
       },
       "side_effects": [],
-      "notes": ""
+      "notes": "Deprecated alias to the canonical OMG security-check engine."
     },
     {
       "skill": "skill",
@@ -911,5 +911,6 @@
       ],
       "notes": "Writes long-form memory artifact for writing workflows."
     }
-  ]
+  ],
+  "generated_at": "2026-03-07T04:51:08.940394+00:00"
 }

package/runtime/omg_contract_snapshot.json

@@ -1,6 +1,6 @@
 {
   "schema": "OmgCompatContractSnapshot",
-  "contract_version": "1.0.0",
+  "contract_version": "2.0.5",
   "count": 47,
   "contracts": [
     {
@@ -736,19 +736,19 @@
     },
     {
       "skill": "security-review",
-      "route": "secure",
+      "route": "security_check",
       "maturity": "native",
       "inputs": {
-        "required": [
+        "required": [],
+        "optional": [
           "problem"
-        ],
-        "optional": []
+        ]
       },
       "outputs": {
-        "schema": "PolicyDecision"
+        "schema": "SecurityCheckResult"
       },
       "side_effects": [],
-      "notes": ""
+      "notes": "Deprecated alias to the canonical OMG security-check engine."
     },
     {
       "skill": "skill",
@@ -911,5 +911,6 @@
       ],
       "notes": "Writes long-form memory artifact for writing workflows."
     }
-  ]
+  ],
+  "generated_at": "2026-03-07T04:51:08.940453+00:00"
 }