npm - @trac3er/oh-my-god - Versions diffs - 2.0.4 → 2.0.5 - Mend

@trac3er/oh-my-god 2.0.4 → 2.0.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (206) hide show

package/runtime/remote_supervisor.py ADDED Viewed

@@ -0,0 +1,64 @@
+"""Local-only authenticated supervisor sessions."""
+from __future__ import annotations
+import base64
+from datetime import datetime, timezone
+import hashlib
+import hmac
+import json
+from pathlib import Path
+from typing import Any
+from uuid import uuid4
+def _now() -> str:
+    return datetime.now(timezone.utc).isoformat()
+def issue_local_supervisor_session(project_dir: str, *, worker_id: str, shared_secret: str) -> dict[str, Any]:
+    session_id = f"session-{uuid4().hex}"
+    issued_at = _now()
+    token_payload = {
+        "session_id": session_id,
+        "worker_id": worker_id,
+        "issued_at": issued_at,
+    }
+    payload_json = json.dumps(token_payload, sort_keys=True, separators=(",", ":"))
+    signature = hmac.new(shared_secret.encode("utf-8"), payload_json.encode("utf-8"), hashlib.sha256).hexdigest()
+    token = base64.urlsafe_b64encode(
+        json.dumps({"payload": token_payload, "signature": signature}, sort_keys=True, separators=(",", ":")).encode("utf-8")
+    ).decode("ascii")
+    result = {
+        "schema": "RemoteSupervisorSession",
+        "status": "ok",
+        "session_id": session_id,
+        "worker_id": worker_id,
+        "issued_at": issued_at,
+        "local_only": True,
+        "token": token,
+    }
+    rel_path = Path(".omg") / "supervisor" / "sessions" / f"{session_id}.json"
+    path = Path(project_dir) / rel_path
+    path.parent.mkdir(parents=True, exist_ok=True)
+    path.write_text(json.dumps({k: v for k, v in result.items() if k != "token"}, indent=2, ensure_ascii=True) + "\n", encoding="utf-8")
+    result["path"] = rel_path.as_posix()
+    return result
+def verify_local_supervisor_token(token: str, *, shared_secret: str) -> dict[str, Any]:
+    decoded = json.loads(base64.urlsafe_b64decode(token.encode("ascii")).decode("utf-8"))
+    payload = decoded["payload"]
+    payload_json = json.dumps(payload, sort_keys=True, separators=(",", ":"))
+    signature = str(decoded["signature"])
+    expected = hmac.new(shared_secret.encode("utf-8"), payload_json.encode("utf-8"), hashlib.sha256).hexdigest()
+    status = "ok" if hmac.compare_digest(signature, expected) else "error"
+    return {
+        "schema": "RemoteSupervisorTokenVerification",
+        "status": status,
+        "session_id": str(payload["session_id"]),
+        "worker_id": str(payload["worker_id"]),
+        "issued_at": str(payload["issued_at"]),
+        "local_only": True,
+    }

package/runtime/security_check.py CHANGED Viewed

@@ -3,11 +3,15 @@ from __future__ import annotations
 import ast
 from collections import Counter
+from hashlib import sha256
+import json
 from pathlib import Path
 import subprocess
 from typing import Any
 from hooks.security_validators import ensure_path_within_dir
+from runtime.delta_classifier import classify_project_changes
+from runtime.tracebank import record_trace
 from plugins.dephealth.cve_scanner import scan_for_cves
 from plugins.dephealth.manifest_detector import detect_manifests
 from plugins.dephealth.vuln_analyzer import analyze_reachability
@@ -33,9 +37,11 @@ def run_security_check(
     project_dir: str,
     scope: str = ".",
     include_live_enrichment: bool = False,
+    external_inputs: list[dict[str, Any]] | None = None,
 ) -> dict[str, Any]:
     scope_path = _resolve_scope(project_dir, scope)
     findings: list[dict[str, Any]] = []
+    manifests = detect_manifests(str(scope_path))
     findings.extend(_scan_python_ast(scope_path))
     findings.extend(_scan_dependency_health(scope_path, include_live_enrichment))
@@ -44,6 +50,33 @@ def run_security_check(
     severity_counts = Counter(finding["severity"] for finding in findings)
     source_counts = Counter(finding["source"] for finding in findings)
     relative_scope = _display_scope(project_dir, scope_path)
+    delta = classify_project_changes(project_dir, touched_files=[relative_scope], goal="security check")
+    provenance = _build_provenance(
+        scope=relative_scope,
+        manifests=manifests.manifests,
+        findings=findings,
+        include_live_enrichment=include_live_enrichment,
+        external_inputs=external_inputs or [],
+    )
+    trust_scores = _build_trust_scores(findings)
+    trace = record_trace(
+        project_dir,
+        trace_type="security-check",
+        route="security-check",
+        status="ok",
+        plan={"scope": relative_scope, "delta_categories": delta["categories"]},
+        verify={"finding_count": len(findings)},
+        failures=[],
+        rejections=[],
+    )
+    evidence_path = _write_evidence_record(
+        project_dir,
+        scope=relative_scope,
+        findings=findings,
+        provenance=provenance,
+        trust_scores=trust_scores,
+        include_live_enrichment=include_live_enrichment,
+    )
     return {
         "schema": "SecurityCheckResult",
         "status": "ok",
@@ -54,9 +87,14 @@ def run_security_check(
             "by_severity": dict(sorted(severity_counts.items())),
             "by_source": dict(sorted(source_counts.items())),
             "live_enrichment": include_live_enrichment,
+            "scan_status": "completed",
+            "manifest_count": len(manifests.manifests),
+            "delta_categories": delta["categories"],
         },
-        "provenance": [],
-        "trust_scores": {},
+        "provenance": provenance,
+        "trust_scores": trust_scores,
+        "evidence": {"path": evidence_path},
+        "trace": {"trace_id": trace["trace_id"], "path": trace["path"]},
     }
@@ -345,3 +383,82 @@ def _finding(
         "recommendation": recommendation,
         "message": message,
     }
+def _build_provenance(
+    *,
+    scope: str,
+    manifests: list[Any],
+    findings: list[dict[str, Any]],
+    include_live_enrichment: bool,
+    external_inputs: list[dict[str, Any]],
+) -> list[dict[str, Any]]:
+    provenance = [
+        {
+            "source": "bandit-lite",
+            "scope": scope,
+            "mode": "static",
+            "finding_count": len([finding for finding in findings if finding["source"] == "bandit-lite"]),
+        },
+        {
+            "source": "manifest-detector",
+            "scope": scope,
+            "manifest_count": len(manifests),
+            "mode": "live" if include_live_enrichment else "offline",
+        },
+    ]
+    if include_live_enrichment:
+        provenance.append(
+            {
+                "source": "osv",
+                "scope": scope,
+                "mode": "live-enrichment",
+            }
+        )
+    if external_inputs:
+        provenance.append(
+            {
+                "source": "external-content",
+                "scope": scope,
+                "mode": "zero-trust",
+                "count": len(external_inputs),
+            }
+        )
+    return provenance
+def _build_trust_scores(findings: list[dict[str, Any]]) -> dict[str, float]:
+    if not findings:
+        return {"overall": 1.0}
+    weighted = 0.0
+    for finding in findings:
+        severity = finding.get("severity", "medium")
+        weighted += {"critical": 0.4, "high": 0.25, "medium": 0.1, "low": 0.05}.get(str(severity), 0.1)
+    overall = max(0.0, round(1.0 - min(weighted, 0.95), 3))
+    return {"overall": overall}
+def _write_evidence_record(
+    project_dir: str,
+    *,
+    scope: str,
+    findings: list[dict[str, Any]],
+    provenance: list[dict[str, Any]],
+    trust_scores: dict[str, float],
+    include_live_enrichment: bool,
+) -> str:
+    rel_name = f"security-check-{sha256(scope.encode('utf-8')).hexdigest()[:12]}.json"
+    rel_path = Path(".omg") / "evidence" / rel_name
+    path = Path(project_dir) / rel_path
+    path.parent.mkdir(parents=True, exist_ok=True)
+    payload = {
+        "schema": "SecurityCheckEvidence",
+        "scope": scope,
+        "scan_status": "completed",
+        "live_enrichment": include_live_enrichment,
+        "findings": findings,
+        "provenance": provenance,
+        "trust_scores": trust_scores,
+    }
+    path.write_text(json.dumps(payload, indent=2, ensure_ascii=True) + "\n", encoding="utf-8")
+    return rel_path.as_posix()

package/runtime/tracebank.py ADDED Viewed

@@ -0,0 +1,53 @@
+"""Structured trace capture for OMG routes and release evidence."""
+from __future__ import annotations
+from datetime import datetime, timezone
+import json
+from pathlib import Path
+from typing import Any
+from uuid import uuid4
+TRACEBANK_REL_PATH = Path(".omg") / "tracebank" / "events.jsonl"
+def _now() -> str:
+    return datetime.now(timezone.utc).isoformat()
+def record_trace(
+    project_dir: str,
+    *,
+    trace_type: str,
+    route: str,
+    status: str,
+    plan: dict[str, Any] | None = None,
+    patch: dict[str, Any] | None = None,
+    verify: dict[str, Any] | None = None,
+    failures: list[dict[str, Any]] | None = None,
+    rejections: list[dict[str, Any]] | None = None,
+    metadata: dict[str, Any] | None = None,
+) -> dict[str, Any]:
+    trace_id = f"trace-{uuid4().hex}"
+    record = {
+        "schema": "TracebankRecord",
+        "trace_id": trace_id,
+        "recorded_at": _now(),
+        "trace_type": trace_type,
+        "route": route,
+        "status": status,
+        "plan": plan or {},
+        "patch": patch or {},
+        "verify": verify or {},
+        "failures": failures or [],
+        "rejections": rejections or [],
+        "metadata": metadata or {},
+    }
+    path = Path(project_dir) / TRACEBANK_REL_PATH
+    path.parent.mkdir(parents=True, exist_ok=True)
+    with path.open("a", encoding="utf-8") as handle:
+        handle.write(json.dumps(record, ensure_ascii=True) + "\n")
+    record["path"] = TRACEBANK_REL_PATH.as_posix()
+    return record

package/scripts/omg.py CHANGED Viewed

@@ -1,5 +1,5 @@
 #!/usr/bin/env python3
-"""OMG 2.0.4 CLI entrypoint.
+"""OMG 2.0.5 CLI entrypoint.
 Implements practical command-line flows for:
 - omg ship
@@ -33,14 +33,19 @@ from hooks.trust_review import review_config_change, write_trust_manifest
 from lab.pipeline import publish_artifact, run_pipeline
 from runtime.dispatcher import dispatch_runtime
 from runtime.api_twin import ingest_contract, record_fixture, serve_fixture, verify_fixture
+from runtime.data_lineage import build_lineage_manifest
+from runtime.eval_gate import evaluate_trace
+from runtime.incident_replay import build_incident_pack
 from runtime.domain_packs import get_domain_pack_contract
 from runtime.preflight import run_preflight
+from runtime.remote_supervisor import issue_local_supervisor_session, verify_local_supervisor_token
 from runtime.security_check import run_security_check
 from runtime.contract_compiler import (
     build_release_readiness,
     compile_contract_outputs,
     validate_contract_registry,
 )
+from runtime.tracebank import record_trace
 from runtime.compat import (
     DEFAULT_CONTRACT_SNAPSHOT_PATH,
     DEFAULT_GAP_REPORT_PATH,
@@ -130,14 +135,55 @@ def cmd_ship(args: argparse.Namespace) -> int:
     run_id = args.run_id or _now_run_id()
     verification = dispatched.get("verification", {})
     checks = verification.get("checks", []) if isinstance(verification, dict) else []
+    preflight = run_preflight(project_dir, goal=str(idea.get("goal", "")))
+    security_result = run_security_check(project_dir=project_dir, scope=".")
+    trace = record_trace(
+        project_dir,
+        trace_type="ship",
+        route=preflight["route"],
+        status="ok",
+        plan=dispatched.get("plan", {}),
+        verify=verification if isinstance(verification, dict) else {},
+        metadata={"runtime": runtime, "run_id": run_id},
+    )
+    eval_result = evaluate_trace(
+        project_dir,
+        trace_id=trace["trace_id"],
+        suites=["planning", "security"],
+        metrics={
+            "planning": 1.0 if dispatched.get("status") == "ok" else 0.0,
+            "security": max(float(security_result["trust_scores"].get("overall", 0.0)), 0.0),
+        },
+    )
+    lineage = build_lineage_manifest(
+        project_dir,
+        artifact_type="evidence-pack",
+        sources=[{"kind": "repo", "path": ".", "license": "MIT"}],
+        privacy="internal",
+        license="MIT",
+        derivation={"trace_id": trace["trace_id"], "route": preflight["route"], "eval_path": eval_result["path"]},
+        trace_id=trace["trace_id"],
+    )
     evidence_path = create_evidence_pack(
         project_dir,
         run_id,
         tests=checks if isinstance(checks, list) else [],
-        security_scans=[],
+        security_scans=[
+            {
+                "tool": "security-check",
+                "finding_count": security_result["summary"]["finding_count"],
+                "path": security_result["evidence"]["path"],
+            }
+        ],
         diff_summary={"runtime": runtime, "goal": idea.get("goal", "")},
         reproducibility={"command": f"omg ship --runtime {runtime} --idea {idea_path}"},
         unresolved_risks=[],
+        provenance=security_result["provenance"],
+        trust_scores=security_result["trust_scores"],
+        api_twin={"recommended_route": preflight["route"] if preflight["route"] == "api-twin" else ""},
+        route_metadata=preflight,
+        trace_ids=[trace["trace_id"]],
+        lineage=lineage,
     )
     out = {
@@ -147,6 +193,8 @@ def cmd_ship(args: argparse.Namespace) -> int:
         "run_id": run_id,
         "goal": idea.get("goal", ""),
         "evidence_path": os.path.relpath(evidence_path, project_dir),
+        "trace_id": trace["trace_id"],
+        "eval_path": eval_result["path"],
     }
     print(json.dumps(out, indent=2))
     return 0
@@ -185,9 +233,12 @@ def cmd_api_twin_record(args: argparse.Namespace) -> int:
     result = record_fixture(
         _ensure_project_dir(),
         name=args.name,
+        endpoint=args.endpoint,
+        cassette_version=args.cassette_version,
         request=json.loads(args.request_json),
         response=json.loads(args.response_json),
         validated=bool(args.validated),
+        redactions=json.loads(args.redactions_json) if args.redactions_json else None,
     )
     print(json.dumps(result, indent=2))
     return 0
@@ -197,6 +248,8 @@ def cmd_api_twin_serve(args: argparse.Namespace) -> int:
     result = serve_fixture(
         _ensure_project_dir(),
         name=args.name,
+        endpoint=args.endpoint,
+        cassette_version=args.cassette_version,
         latency_ms=int(args.latency_ms),
         failure_mode=args.failure_mode,
         schema_drift=bool(args.schema_drift),
@@ -209,6 +262,8 @@ def cmd_api_twin_verify(args: argparse.Namespace) -> int:
     result = verify_fixture(
         _ensure_project_dir(),
         name=args.name,
+        endpoint=args.endpoint,
+        cassette_version=args.cassette_version,
         live_response=json.loads(args.live_response_json),
     )
     print(json.dumps(result, indent=2))
@@ -227,6 +282,82 @@ def cmd_domain_pack(args: argparse.Namespace) -> int:
     return 0
+def cmd_trace_record(args: argparse.Namespace) -> int:
+    result = record_trace(
+        _ensure_project_dir(),
+        trace_type=args.trace_type,
+        route=args.route,
+        status=args.status,
+        plan=json.loads(args.plan_json) if args.plan_json else {},
+        verify=json.loads(args.verify_json) if args.verify_json else {},
+    )
+    print(json.dumps(result, indent=2))
+    return 0
+def cmd_eval_gate(args: argparse.Namespace) -> int:
+    result = evaluate_trace(
+        _ensure_project_dir(),
+        trace_id=args.trace_id,
+        suites=args.suites.split(","),
+        metrics=json.loads(args.metrics_json),
+    )
+    print(json.dumps(result, indent=2))
+    return 0 if result["status"] == "ok" else 2
+def cmd_delta_classify(args: argparse.Namespace) -> int:
+    from runtime.delta_classifier import classify_project_changes
+    touched_files = [item for item in args.files.split(",") if item]
+    result = classify_project_changes(_ensure_project_dir(), touched_files=touched_files or None, goal=args.goal)
+    print(json.dumps(result, indent=2))
+    return 0
+def cmd_incident_replay(args: argparse.Namespace) -> int:
+    result = build_incident_pack(
+        _ensure_project_dir(),
+        title=args.title,
+        failing_tests=[item for item in args.failing_tests.split(",") if item],
+        logs=[item for item in args.logs.split("|") if item],
+        diff_summary=json.loads(args.diff_summary_json),
+        trace_id=args.trace_id or None,
+    )
+    print(json.dumps(result, indent=2))
+    return 0
+def cmd_lineage(args: argparse.Namespace) -> int:
+    result = build_lineage_manifest(
+        _ensure_project_dir(),
+        artifact_type=args.artifact_type,
+        sources=json.loads(args.sources_json),
+        privacy=args.privacy,
+        license=args.license_name,
+        derivation=json.loads(args.derivation_json),
+        trace_id=args.trace_id or None,
+    )
+    print(json.dumps(result, indent=2))
+    return 0 if result["status"] == "ok" else 2
+def cmd_supervisor_issue(args: argparse.Namespace) -> int:
+    result = issue_local_supervisor_session(
+        _ensure_project_dir(),
+        worker_id=args.worker_id,
+        shared_secret=args.shared_secret,
+    )
+    print(json.dumps(result, indent=2))
+    return 0
+def cmd_supervisor_verify(args: argparse.Namespace) -> int:
+    result = verify_local_supervisor_token(args.token, shared_secret=args.shared_secret)
+    print(json.dumps(result, indent=2))
+    return 0 if result["status"] == "ok" else 2
 def cmd_maintainer(args: argparse.Namespace) -> int:
     project_dir = _ensure_project_dir()
     out_dir = Path(project_dir) / ".omg" / "evidence"
@@ -562,18 +693,25 @@ def build_parser() -> argparse.ArgumentParser:
     api_twin_ingest.set_defaults(func=cmd_api_twin_ingest)
     api_twin_record = api_twin_sub.add_parser("record", help="Record approved fixture response")
     api_twin_record.add_argument("--name", required=True)
+    api_twin_record.add_argument("--endpoint", default="default")
+    api_twin_record.add_argument("--cassette-version", default="v1")
     api_twin_record.add_argument("--request-json", required=True)
     api_twin_record.add_argument("--response-json", required=True)
     api_twin_record.add_argument("--validated", action="store_true")
+    api_twin_record.add_argument("--redactions-json", default="")
     api_twin_record.set_defaults(func=cmd_api_twin_record)
     api_twin_serve = api_twin_sub.add_parser("serve", help="Replay a fixture with optional drift/failure injection")
     api_twin_serve.add_argument("--name", required=True)
+    api_twin_serve.add_argument("--endpoint", default="default")
+    api_twin_serve.add_argument("--cassette-version", default="v1")
     api_twin_serve.add_argument("--latency-ms", type=int, default=0)
     api_twin_serve.add_argument("--failure-mode", default="")
     api_twin_serve.add_argument("--schema-drift", action="store_true")
     api_twin_serve.set_defaults(func=cmd_api_twin_serve)
     api_twin_verify = api_twin_sub.add_parser("verify", help="Validate a fixture against a live response")
     api_twin_verify.add_argument("--name", required=True)
+    api_twin_verify.add_argument("--endpoint", default="default")
+    api_twin_verify.add_argument("--cassette-version", default="v1")
     api_twin_verify.add_argument("--live-response-json", required=True)
     api_twin_verify.set_defaults(func=cmd_api_twin_verify)
@@ -585,6 +723,53 @@ def build_parser() -> argparse.ArgumentParser:
     domain_pack.add_argument("--name", required=True, choices=["robotics", "vision", "algorithms", "health"])
     domain_pack.set_defaults(func=cmd_domain_pack)
+    tracebank = sub.add_parser("tracebank", help="Record structured route traces")
+    tracebank.add_argument("--trace-type", required=True)
+    tracebank.add_argument("--route", required=True)
+    tracebank.add_argument("--status", default="ok")
+    tracebank.add_argument("--plan-json", default="")
+    tracebank.add_argument("--verify-json", default="")
+    tracebank.set_defaults(func=cmd_trace_record)
+    eval_gate = sub.add_parser("eval-gate", help="Evaluate a trace for release gating")
+    eval_gate.add_argument("--trace-id", required=True)
+    eval_gate.add_argument("--suites", required=True, help="Comma-separated suite names")
+    eval_gate.add_argument("--metrics-json", required=True)
+    eval_gate.set_defaults(func=cmd_eval_gate)
+    delta = sub.add_parser("delta-classifier", help="Classify repo changes for routing and policy")
+    delta.add_argument("--goal", default="")
+    delta.add_argument("--files", default="")
+    delta.set_defaults(func=cmd_delta_classify)
+    incident = sub.add_parser("incident-replay", help="Build an incident replay pack")
+    incident.add_argument("--title", required=True)
+    incident.add_argument("--failing-tests", default="")
+    incident.add_argument("--logs", default="")
+    incident.add_argument("--diff-summary-json", required=True)
+    incident.add_argument("--trace-id", default="")
+    incident.set_defaults(func=cmd_incident_replay)
+    lineage = sub.add_parser("data-lineage", help="Build lineage metadata for generated artifacts")
+    lineage.add_argument("--artifact-type", required=True)
+    lineage.add_argument("--sources-json", required=True)
+    lineage.add_argument("--privacy", required=True)
+    lineage.add_argument("--license-name", required=True)
+    lineage.add_argument("--derivation-json", required=True)
+    lineage.add_argument("--trace-id", default="")
+    lineage.set_defaults(func=cmd_lineage)
+    supervisor = sub.add_parser("remote-supervisor", help="Local-only authenticated supervisor session helpers")
+    supervisor_sub = supervisor.add_subparsers(dest="remote_supervisor_command", required=True)
+    supervisor_issue = supervisor_sub.add_parser("issue", help="Issue a local supervisor session")
+    supervisor_issue.add_argument("--worker-id", required=True)
+    supervisor_issue.add_argument("--shared-secret", required=True)
+    supervisor_issue.set_defaults(func=cmd_supervisor_issue)
+    supervisor_verify = supervisor_sub.add_parser("verify", help="Verify a supervisor session token")
+    supervisor_verify.add_argument("--token", required=True)
+    supervisor_verify.add_argument("--shared-secret", required=True)
+    supervisor_verify.set_defaults(func=cmd_supervisor_verify)
     maintainer = sub.add_parser("maintainer", help="OSS maintainer evidence helper")
     maintainer.add_argument("--mode", default="impact", choices=["triage", "release", "review", "impact"])
     maintainer.set_defaults(func=cmd_maintainer)

package/settings.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "$schema": "https://json.schemastore.org/claude-code-settings.json",
-  "_comment": "OMG 2.0.4 - project-level config with hook registrations, presets, and feature flags.",
+  "_comment": "OMG 2.0.5 - project-level config with hook registrations, presets, and feature flags.",
   "permissions": {
     "allow": [
       "Agent",
@@ -284,7 +284,7 @@
     ]
   },
   "_omg": {
-    "_version": "2.0.4",
+    "_version": "2.0.5",
     "preset": "safe",
     "default_mode": "ulw+ralph",
     "vision_auto": true,
@@ -337,20 +337,35 @@
       "CONTEXT_MANAGER": false
     },
     "generated": {
-      "contract_version": "2.0.4",
-      "channel": "public",
+      "contract_version": "2.0.5",
+      "channel": "enterprise",
       "required_bundles": [
         "control-plane",
         "hook-governor",
         "mcp-fabric",
         "lsp-pack",
-        "secure-worktree-pipeline"
+        "secure-worktree-pipeline",
+        "security-check",
+        "api-twin",
+        "preflight",
+        "robotics",
+        "vision",
+        "algorithms",
+        "health",
+        "tracebank",
+        "eval-gate",
+        "delta-classifier",
+        "incident-replay",
+        "data-lineage",
+        "remote-supervisor"
       ],
       "protected_paths": [
         ".omg/**",
         ".agents/**",
         ".codex/**",
-        ".claude/**"
+        ".claude/**",
+        "registry/**",
+        "dist/**"
       ],
       "emulated_events": [
         "PreCompact",