@trac3er/oh-my-god 2.0.4 → 2.0.5

package/runtime/contract_compiler.py

@@ -7,10 +7,15 @@ import json
 import os
 from pathlib import Path
 import shutil
+import subprocess
+import sys
+import tempfile
 from typing import Any, Iterable
+import zipfile
 
 import yaml
 
+from runtime.asset_loader import resolve_asset, resolve_assets
 from runtime.adoption import (
     CANONICAL_MARKETPLACE_ID,
     CANONICAL_PACKAGE_NAME,
@@ -31,6 +36,19 @@ DEFAULT_REQUIRED_BUNDLES = (
     "mcp-fabric",
     "lsp-pack",
     "secure-worktree-pipeline",
+    "security-check",
+    "api-twin",
+    "preflight",
+    "robotics",
+    "vision",
+    "algorithms",
+    "health",
+    "tracebank",
+    "eval-gate",
+    "delta-classifier",
+    "incident-replay",
+    "data-lineage",
+    "remote-supervisor",
 )
 REQUIRED_DOC_TOKENS = (
     "execution_contract",
@@ -96,24 +114,36 @@ def _sha256_file(path: Path) -> str:
 
 
 def load_contract_doc(root_dir: str | Path | None = None) -> str:
-    root = _resolve_root(root_dir)
-    return (root / CONTRACT_DOC_PATH).read_text(encoding="utf-8")
+    if root_dir is not None:
+        root = _resolve_root(root_dir)
+        candidate = root / CONTRACT_DOC_PATH
+        if candidate.exists():
+            return candidate.read_text(encoding="utf-8")
+    return resolve_asset(CONTRACT_DOC_PATH).read_text(encoding="utf-8")
 
 
 def load_contract_schema(root_dir: str | Path | None = None) -> dict[str, Any]:
-    root = _resolve_root(root_dir)
-    return _load_json(root / SCHEMA_PATH)
+    if root_dir is not None:
+        root = _resolve_root(root_dir)
+        candidate = root / SCHEMA_PATH
+        if candidate.exists():
+            return _load_json(candidate)
+    return _load_json(resolve_asset(SCHEMA_PATH))
 
 
 def load_contract_bundles(root_dir: str | Path | None = None) -> list[dict[str, Any]]:
     root = _resolve_root(root_dir)
     bundles: list[dict[str, Any]] = []
-    for path in sorted((root / BUNDLES_DIR).glob("*.yaml")):
+    paths = sorted((root / BUNDLES_DIR).glob("*.yaml")) if (root / BUNDLES_DIR).exists() else resolve_assets(BUNDLES_DIR, suffix=".yaml")
+    for path in paths:
         parsed = yaml.safe_load(path.read_text(encoding="utf-8"))
         if not isinstance(parsed, dict):
             raise ValueError(f"Expected mapping bundle manifest in {path}")
         bundle = dict(parsed)
-        bundle["_path"] = str(path.relative_to(root))
+        try:
+            bundle["_path"] = str(path.relative_to(root))
+        except ValueError:
+            bundle["_path"] = str(Path(BUNDLES_DIR) / path.name)
         bundles.append(bundle)
     return bundles
 
@@ -133,34 +163,30 @@ def validate_contract_registry(root_dir: str | Path | None = None) -> dict[str,
     root = _resolve_root(root_dir)
     errors: list[str] = []
 
-    doc_path = root / CONTRACT_DOC_PATH
-    schema_path = root / SCHEMA_PATH
-    bundles_path = root / BUNDLES_DIR
-
-    if not doc_path.exists():
+    try:
+        doc_text = load_contract_doc(root)
+    except FileNotFoundError:
         errors.append(f"missing contract doc: {CONTRACT_DOC_PATH}")
         doc_text = ""
     else:
-        doc_text = doc_path.read_text(encoding="utf-8")
         for token in REQUIRED_DOC_TOKENS:
             if token not in doc_text:
                 errors.append(f"contract doc missing token: {token}")
         if CANONICAL_VERSION not in doc_text:
             errors.append(f"contract doc missing version: {CANONICAL_VERSION}")
 
-    if not schema_path.exists():
+    try:
+        schema_payload = load_contract_schema(root)
+    except FileNotFoundError:
         errors.append(f"missing contract schema: {SCHEMA_PATH}")
         schema_payload: dict[str, Any] = {}
     else:
-        schema_payload = _load_json(schema_path)
         if str(schema_payload.get("version", "")) != CANONICAL_VERSION:
             errors.append(f"contract schema version drift: {schema_payload.get('version')!r}")
 
-    if not bundles_path.exists():
+    bundles = load_contract_bundles(root)
+    if not bundles:
         errors.append(f"missing bundles directory: {BUNDLES_DIR}")
-        bundles: list[dict[str, Any]] = []
-    else:
-        bundles = load_contract_bundles(root)
 
     bundle_ids = set()
     bundle_summaries: list[dict[str, Any]] = []
@@ -208,14 +234,15 @@ def validate_contract_registry(root_dir: str | Path | None = None) -> dict[str,
 def _copy_contract_inputs(root: Path, output_root: Path) -> list[Path]:
     copied: list[Path] = []
     for rel_path in [CONTRACT_DOC_PATH, SCHEMA_PATH]:
-        src = root / rel_path
+        src = resolve_asset(rel_path)
         dst = output_root / rel_path
         _write_text(dst, src.read_text(encoding="utf-8"))
         copied.append(dst)
-    for path in sorted((root / BUNDLES_DIR).glob("*.yaml")):
-        rel_path = path.relative_to(root)
+    for bundle in load_contract_bundles(root):
+        rel_path = Path(str(bundle["_path"]))
+        src = resolve_asset(rel_path)
         dst = output_root / rel_path
-        _write_text(dst, path.read_text(encoding="utf-8"))
+        _write_text(dst, src.read_text(encoding="utf-8"))
         copied.append(dst)
     return copied
 
@@ -368,6 +395,8 @@ def _compile_claude_outputs(
     artifacts.append(output_root / ".mcp.json")
 
     settings_path = root / "settings.json"
+    if not settings_path.exists():
+        settings_path = resolve_asset("settings.json")
     settings = _load_json(settings_path)
     hook_bundle = _bundle_map(bundles)["hook-governor"]
     settings["hooks"] = _compile_hook_settings(hook_bundle)
@@ -673,6 +702,31 @@ def build_release_readiness(
         blockers.append(f"missing compiled outputs: {', '.join(missing_outputs)}")
     checks["compiled_outputs"] = {"missing": missing_outputs}
 
+    required_bundle_outputs: list[Path] = []
+    for bundle_id in DEFAULT_REQUIRED_BUNDLES:
+        required_bundle_outputs.extend(
+            [
+                output / ".agents" / "skills" / "omg" / bundle_id / "SKILL.md",
+                output / ".agents" / "skills" / "omg" / bundle_id / "openai.yaml",
+            ]
+        )
+    missing_bundle_outputs = [str(path.relative_to(output)) for path in required_bundle_outputs if not path.exists()]
+    if missing_bundle_outputs:
+        blockers.append(f"missing bundle outputs: {', '.join(missing_bundle_outputs)}")
+    checks["bundle_outputs"] = {"missing": missing_bundle_outputs}
+
+    evidence_check = _check_recent_evidence(output)
+    checks["evidence"] = evidence_check
+    blockers.extend(evidence_check.get("blockers", []))
+
+    eval_check = _check_eval_gate(output)
+    checks["eval_gate"] = eval_check
+    blockers.extend(eval_check.get("blockers", []))
+
+    package_check = _check_packaged_install_smoke(root)
+    checks["package_smoke"] = package_check
+    blockers.extend(package_check.get("blockers", []))
+
     providers = _provider_statuses()
     checks["providers"] = providers
     for provider_name, status in providers.items():
@@ -696,3 +750,98 @@ def build_release_readiness(
         "blockers": blockers,
         "checks": checks,
     }
+
+
+def _check_recent_evidence(output_root: Path) -> dict[str, Any]:
+    evidence_dir = output_root / ".omg" / "evidence"
+    if not evidence_dir.exists():
+        return {"status": "missing", "blockers": []}
+
+    evidence_files = sorted(path for path in evidence_dir.glob("*.json") if path.is_file())
+    if not evidence_files:
+        return {"status": "missing", "blockers": []}
+
+    evidence_payloads: list[tuple[Path, dict[str, Any]]] = []
+    for path in evidence_files:
+        try:
+            payload = _load_json(path)
+        except Exception:
+            continue
+        if payload.get("schema") == "EvidencePack":
+            evidence_payloads.append((path, payload))
+
+    if not evidence_payloads:
+        return {"status": "missing", "blockers": []}
+
+    evidence_path, payload = evidence_payloads[-1]
+    blockers: list[str] = []
+    if not payload.get("security_scans"):
+        blockers.append("cosmetic evidence: security_scans is empty")
+    if not payload.get("provenance"):
+        blockers.append("cosmetic evidence: provenance is empty")
+    if not payload.get("trace_ids"):
+        blockers.append("missing trace ids in evidence")
+    if not payload.get("lineage"):
+        blockers.append("missing lineage in evidence")
+    tests = payload.get("tests", [])
+    if isinstance(tests, list):
+        for item in tests:
+            if isinstance(item, dict) and item.get("name") == "worker_implementation" and not item.get("passed", False):
+                blockers.append("simulated worker evidence detected")
+                break
+    return {
+        "status": "ok" if not blockers else "error",
+        "evidence_file": str(evidence_path.relative_to(output_root)),
+        "blockers": blockers,
+    }
+
+
+def _check_eval_gate(output_root: Path) -> dict[str, Any]:
+    latest_path = output_root / ".omg" / "evals" / "latest.json"
+    if not latest_path.exists():
+        return {"status": "missing", "blockers": []}
+    payload = _load_json(latest_path)
+    blockers: list[str] = []
+    if payload.get("status") != "ok" or bool(payload.get("summary", {}).get("regressed")):
+        blockers.append("eval regression detected")
+    return {
+        "status": "ok" if not blockers else "error",
+        "path": str(latest_path.relative_to(output_root)),
+        "blockers": blockers,
+    }
+
+
+def _check_packaged_install_smoke(root: Path) -> dict[str, Any]:
+    blockers: list[str] = []
+    with tempfile.TemporaryDirectory(prefix="omg-wheel-") as tmp_dir:
+        proc = subprocess.run(
+            [sys.executable, "-m", "pip", "wheel", ".", "--no-deps", "-w", tmp_dir],
+            cwd=str(root),
+            capture_output=True,
+            text=True,
+            check=False,
+            timeout=120,
+        )
+        if proc.returncode != 0:
+            return {
+                "status": "error",
+                "blockers": ["package smoke failed to build wheel"],
+                "stdout": proc.stdout,
+                "stderr": proc.stderr,
+            }
+        wheels = sorted(Path(tmp_dir).glob("*.whl"))
+        if not wheels:
+            return {"status": "error", "blockers": ["package smoke did not produce a wheel"]}
+        with zipfile.ZipFile(wheels[-1]) as archive:
+            names = set(archive.namelist())
+        required_suffixes = (
+            "control_plane/service.py",
+            "registry/verify_artifact.py",
+            "plugins/dephealth/cve_scanner.py",
+            "OMG_COMPAT_CONTRACT.md",
+            ".agents/skills/omg/security-check/SKILL.md",
+        )
+        for suffix in required_suffixes:
+            if not any(name.endswith(suffix) for name in names):
+                blockers.append(f"package parity missing {suffix}")
+    return {"status": "ok" if not blockers else "error", "blockers": blockers}

package/runtime/data_lineage.py

@@ -0,0 +1,73 @@
+"""Lineage manifests for generated OMG artifacts."""
+from __future__ import annotations
+
+from datetime import datetime, timezone
+import json
+from pathlib import Path
+from typing import Any
+from uuid import uuid4
+
+
+def _now() -> str:
+    return datetime.now(timezone.utc).isoformat()
+
+
+def build_lineage_manifest(
+    project_dir: str,
+    *,
+    artifact_type: str,
+    sources: list[dict[str, Any]],
+    privacy: str,
+    license: str,
+    derivation: dict[str, Any],
+    trace_id: str | None = None,
+) -> dict[str, Any]:
+    lineage_id = f"lineage-{uuid4().hex}"
+    payload = {
+        "schema": "DataLineageManifest",
+        "lineage_id": lineage_id,
+        "generated_at": _now(),
+        "artifact_type": artifact_type,
+        "sources": sources,
+        "privacy": privacy,
+        "license": license,
+        "derivation": derivation,
+        "trace_id": trace_id or "",
+    }
+    validation = validate_lineage_manifest(payload)
+    payload["status"] = validation["status"]
+    payload["errors"] = validation["errors"]
+
+    rel_path = Path(".omg") / "lineage" / f"{lineage_id}.json"
+    path = Path(project_dir) / rel_path
+    path.parent.mkdir(parents=True, exist_ok=True)
+    path.write_text(json.dumps(payload, indent=2, ensure_ascii=True) + "\n", encoding="utf-8")
+    payload["path"] = rel_path.as_posix()
+    return payload
+
+
+def validate_lineage_manifest(payload: dict[str, Any]) -> dict[str, Any]:
+    errors: list[str] = []
+    if not payload.get("artifact_type"):
+        errors.append("artifact_type is required")
+    if not payload.get("privacy"):
+        errors.append("privacy is required")
+    if not payload.get("license"):
+        errors.append("license is required")
+    sources = payload.get("sources", [])
+    if not isinstance(sources, list) or not sources:
+        errors.append("sources are required")
+    else:
+        for idx, source in enumerate(sources):
+            if not isinstance(source, dict):
+                errors.append(f"source {idx} must be an object")
+                continue
+            if not source.get("license"):
+                errors.append(f"source {idx} missing license")
+            if not source.get("path"):
+                errors.append(f"source {idx} missing path")
+    return {
+        "schema": "DataLineageValidationResult",
+        "status": "ok" if not errors else "error",
+        "errors": errors,
+    }

package/runtime/delta_classifier.py

@@ -0,0 +1,81 @@
+"""Repo-aware change classification for routing and policy attachment."""
+from __future__ import annotations
+
+import json
+from pathlib import Path
+import subprocess
+from typing import Any
+
+
+_CATEGORY_RULES: dict[str, tuple[str, ...]] = {
+    "auth": ("auth", "token", "secret", "login", "credential"),
+    "payment": ("payment", "billing", "invoice", "stripe", "checkout"),
+    "db": ("migration", "schema", "database", "sql", "postgres", "mysql"),
+    "infra": ("terraform", ".tf", "deploy", "helm", "k8s", "docker"),
+    "api": ("openapi", "swagger", "postman", "endpoint", "api"),
+    "data": ("dataset", "lineage", "privacy", "warehouse", "etl"),
+    "compliance": ("gdpr", "hipaa", "pci", "soc2", "privacy"),
+    "robotics": ("robot", "actuator", "sensor", "simulator"),
+    "vision": ("vision", "image", "camera", "cv"),
+    "health": ("health", "patient", "clinical", "medical"),
+    "algorithms": ("algorithm", "benchmark", "determinism", "complexity"),
+}
+
+
+def classify_project_changes(
+    project_dir: str,
+    *,
+    touched_files: list[str] | None = None,
+    goal: str = "",
+) -> dict[str, Any]:
+    files = touched_files if touched_files is not None else _discover_files(project_dir)
+    manifest_names = sorted(path.name for path in Path(project_dir).glob("*") if path.is_file())
+    haystacks = [goal.lower(), *[file.lower() for file in files], *[name.lower() for name in manifest_names]]
+
+    categories = {
+        category
+        for category, tokens in _CATEGORY_RULES.items()
+        if any(token in haystack for token in tokens for haystack in haystacks)
+    }
+    if not categories:
+        categories.add("implementation")
+
+    result = {
+        "schema": "DeltaClassification",
+        "project_dir": project_dir,
+        "goal": goal,
+        "categories": sorted(categories),
+        "touched_files": files,
+        "manifests": manifest_names,
+    }
+    return result
+
+
+def _discover_files(project_dir: str) -> list[str]:
+    root = Path(project_dir)
+    git_dir = root / ".git"
+    if git_dir.exists():
+        proc = subprocess.run(
+            ["git", "diff", "--name-only", "HEAD"],
+            cwd=str(root),
+            capture_output=True,
+            text=True,
+            check=False,
+            timeout=10,
+        )
+        if proc.returncode == 0:
+            files = [line.strip() for line in proc.stdout.splitlines() if line.strip()]
+            if files:
+                return files
+
+    discovered: list[str] = []
+    for path in sorted(root.rglob("*")):
+        if not path.is_file():
+            continue
+        rel = path.relative_to(root).as_posix()
+        if rel.startswith(".omg/"):
+            continue
+        discovered.append(rel)
+        if len(discovered) >= 32:
+            break
+    return discovered

package/runtime/domain_packs.py

@@ -9,21 +9,33 @@ DOMAIN_PACKS: dict[str, dict[str, Any]] = {
         "name": "robotics",
         "required_approvals": ["actuation-approval"],
         "required_evidence": ["simulator-replay", "kill-switch-check"],
+        "policy_modules": ["safe-actuation", "simulator-gate"],
+        "eval_hooks": ["robotics-sim"],
+        "replay_hooks": ["incident-replay"],
     },
     "vision": {
         "name": "vision",
         "required_approvals": [],
         "required_evidence": ["dataset-provenance", "drift-check"],
+        "policy_modules": ["dataset-lineage", "drift-gate"],
+        "eval_hooks": ["vision-regression"],
+        "replay_hooks": ["incident-replay"],
     },
     "algorithms": {
         "name": "algorithms",
         "required_approvals": [],
         "required_evidence": ["benchmark-harness", "determinism-check"],
+        "policy_modules": ["benchmark-gate", "determinism-gate"],
+        "eval_hooks": ["algorithm-benchmarks"],
+        "replay_hooks": ["incident-replay"],
     },
     "health": {
         "name": "health",
         "required_approvals": ["human-review"],
         "required_evidence": ["audit-trail", "restricted-tools", "provenance"],
+        "policy_modules": ["human-review", "privacy-gate"],
+        "eval_hooks": ["health-safety"],
+        "replay_hooks": ["incident-replay"],
     },
 }
 

package/runtime/ecosystem.py

@@ -8,7 +8,7 @@ import subprocess
 from typing import Any
 
 ECOSYSTEM_SCHEMA = "OmgEcosystemCatalog"
-ECOSYSTEM_CATALOG_VERSION = "1.0.0"
+ECOSYSTEM_CATALOG_VERSION = "2.0.5"
 ECOSYSTEM_LOCK_SCHEMA = "OmgEcosystemLock"
 DEFAULT_ECOSYSTEM_REPO_DIR = ".omg/ecosystem/repos"
 DEFAULT_ECOSYSTEM_LOCK_PATH = ".omg/state/ecosystem-lock.json"

package/runtime/eval_gate.py

@@ -0,0 +1,50 @@
+"""Reproducible evaluation results for release gating."""
+from __future__ import annotations
+
+from datetime import datetime, timezone
+import json
+from pathlib import Path
+from typing import Any
+
+
+EVAL_GATE_LATEST_REL_PATH = Path(".omg") / "evals" / "latest.json"
+EVAL_GATE_HISTORY_REL_PATH = Path(".omg") / "evals" / "history.jsonl"
+
+
+def _now() -> str:
+    return datetime.now(timezone.utc).isoformat()
+
+
+def evaluate_trace(
+    project_dir: str,
+    *,
+    trace_id: str,
+    suites: list[str],
+    metrics: dict[str, float],
+    regression_threshold: float = 0.95,
+) -> dict[str, Any]:
+    scorecard = {name: float(metrics.get(name, 0.0)) for name in suites}
+    regressed = any(score < regression_threshold for score in scorecard.values())
+    result = {
+        "schema": "EvalGateResult",
+        "trace_id": trace_id,
+        "evaluated_at": _now(),
+        "status": "fail" if regressed else "ok",
+        "suites": suites,
+        "metrics": scorecard,
+        "summary": {
+            "regressed": regressed,
+            "regression_threshold": regression_threshold,
+        },
+    }
+
+    latest_path = Path(project_dir) / EVAL_GATE_LATEST_REL_PATH
+    latest_path.parent.mkdir(parents=True, exist_ok=True)
+    latest_path.write_text(json.dumps(result, indent=2, ensure_ascii=True) + "\n", encoding="utf-8")
+
+    history_path = Path(project_dir) / EVAL_GATE_HISTORY_REL_PATH
+    with history_path.open("a", encoding="utf-8") as handle:
+        handle.write(json.dumps(result, ensure_ascii=True) + "\n")
+
+    result["path"] = EVAL_GATE_LATEST_REL_PATH.as_posix()
+    return result

package/runtime/incident_replay.py

@@ -0,0 +1,47 @@
+"""Replayable incident pack generation."""
+from __future__ import annotations
+
+from datetime import datetime, timezone
+import json
+from pathlib import Path
+from typing import Any
+from uuid import uuid4
+
+
+def _now() -> str:
+    return datetime.now(timezone.utc).isoformat()
+
+
+def build_incident_pack(
+    project_dir: str,
+    *,
+    title: str,
+    failing_tests: list[str],
+    logs: list[str],
+    diff_summary: dict[str, Any],
+    trace_id: str | None = None,
+) -> dict[str, Any]:
+    incident_id = f"incident-{uuid4().hex}"
+    payload = {
+        "schema": "IncidentReplayPack",
+        "incident_id": incident_id,
+        "title": title,
+        "generated_at": _now(),
+        "trace_id": trace_id or "",
+        "failing_tests": failing_tests,
+        "logs": logs,
+        "diff_summary": diff_summary,
+        "reproduction_steps": [
+            "Replay the failing tests.",
+            "Inspect the attached logs.",
+            "Validate the diff summary before patching.",
+        ],
+        "regression_guards": failing_tests,
+    }
+
+    rel_path = Path(".omg") / "incidents" / f"{incident_id}.json"
+    path = Path(project_dir) / rel_path
+    path.parent.mkdir(parents=True, exist_ok=True)
+    path.write_text(json.dumps(payload, indent=2, ensure_ascii=True) + "\n", encoding="utf-8")
+    payload["path"] = rel_path.as_posix()
+    return payload

package/runtime/mcp_memory_server.py

@@ -66,7 +66,7 @@ mcp = FastMCP("OMG Memory Server", lifespan=lifespan)
 
 @mcp.custom_route("/health", methods=["GET"])
 async def health(_: Request) -> JSONResponse:
-    return JSONResponse({"status": "ok", "version": "1.0.0"})
+    return JSONResponse({"status": "ok", "version": "2.0.5"})
 
 
 @mcp.tool()

package/runtime/omg_compat_contract_snapshot.json

@@ -1,6 +1,6 @@
 {
   "schema": "OmgCompatContractSnapshot",
-  "contract_version": "1.0.0",
+  "contract_version": "2.0.5",
   "count": 47,
   "contracts": [
     {

package/runtime/omg_contract_snapshot.json

@@ -1,6 +1,6 @@
 {
   "schema": "OmgCompatContractSnapshot",
-  "contract_version": "1.0.0",
+  "contract_version": "2.0.5",
   "count": 47,
   "contracts": [
     {

package/runtime/omg_mcp_server.py

@@ -7,6 +7,8 @@ from dataclasses import dataclass
 from pathlib import Path
 from typing import Any
 
+from runtime.asset_loader import resolve_asset
+
 _MCP_IMPORT_ERROR: ModuleNotFoundError | None = None
 
 try:
@@ -112,7 +114,7 @@ def _service() -> ControlPlaneService:
 
 
 def _read_repo_text(rel_path: str) -> str:
-    return (_root_dir() / rel_path).read_text(encoding="utf-8")
+    return resolve_asset(rel_path).read_text(encoding="utf-8")
 
 
 @mcp.tool()

package/runtime/preflight.py

@@ -1,6 +1,8 @@
 """Structured preflight routing for OMG."""
 from __future__ import annotations
 
+from runtime.delta_classifier import classify_project_changes
+from runtime.tracebank import record_trace
 from typing import Any
 
 
@@ -9,8 +11,15 @@ def run_preflight(project_dir: str, *, goal: str) -> dict[str, Any]:
     task_class = "implementation"
     risk_class = "medium"
     route = "teams"
+    delta = classify_project_changes(project_dir, goal=goal)
+    categories = set(delta["categories"])
+    domain_packs = [category for category in delta["categories"] if category in {"robotics", "vision", "algorithms", "health"}]
 
-    if any(token in lowered for token in ("openapi", "swagger", "postman", "contract", "fixture", "replay")):
+    if categories & {"auth", "payment", "health", "compliance"}:
+        task_class = "security"
+        risk_class = "high"
+        route = "security-check"
+    elif categories & {"api"} or any(token in lowered for token in ("openapi", "swagger", "postman", "contract", "fixture", "replay")):
         task_class = "contract"
         route = "api-twin"
     elif any(token in lowered for token in ("auth", "secret", "security", "token", "injection")):
@@ -22,6 +31,15 @@ def run_preflight(project_dir: str, *, goal: str) -> dict[str, Any]:
         risk_class = "high"
         route = "crazy"
 
+    trace = record_trace(
+        project_dir,
+        trace_type="preflight",
+        route=route,
+        status="ok",
+        plan={"goal": goal, "delta_categories": delta["categories"]},
+        verify={"risk_class": risk_class},
+    )
+
     return {
         "schema": "PreflightResult",
         "project_dir": project_dir,
@@ -33,6 +51,9 @@ def run_preflight(project_dir: str, *, goal: str) -> dict[str, Any]:
         "required_mcps": ["omg-control"] if route in {"security-check", "api-twin", "crazy"} else [],
         "missing_constraints": [],
         "evidence_plan": _evidence_plan(route),
+        "delta_classification": delta,
+        "domain_packs": domain_packs,
+        "trace": {"trace_id": trace["trace_id"], "path": trace["path"]},
     }