npm - @trac3er/oh-my-god - Versions diffs - 2.0.4 → 2.0.5 - Mend

@trac3er/oh-my-god 2.0.4 → 2.0.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (206) hide show

package/control_plane/openapi.yaml ADDED Viewed

@@ -0,0 +1,228 @@
+openapi: 3.1.0
+info:
+  title: OMG Control Plane API
+  version: 2.0.5
+  description: Policy/trust/evidence/runtime/registry/lab endpoints for OMG v2, with deprecated v1 aliases for one release.
+servers:
+  - url: https://api.omg.local
+paths:
+  /v2/policy/evaluate:
+    post:
+      summary: Evaluate policy decision
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/PolicyInput'
+      responses:
+        '200':
+          description: Decision result
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/PolicyDecision'
+  /v1/policy/evaluate:
+    post:
+      deprecated: true
+      summary: Deprecated alias of /v2/policy/evaluate
+      responses:
+        '200':
+          description: Decision result
+  /v2/trust/review:
+    post:
+      summary: Review trust-sensitive config changes
+      responses:
+        '200':
+          description: Trust review report
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/TrustReview'
+  /v1/trust/review:
+    post:
+      deprecated: true
+      summary: Deprecated alias of /v2/trust/review
+      responses:
+        '200':
+          description: Trust review report
+  /v2/evidence/ingest:
+    post:
+      summary: Ingest evidence pack
+      responses:
+        '202':
+          description: Accepted
+  /v1/evidence/ingest:
+    post:
+      deprecated: true
+      summary: Deprecated alias of /v2/evidence/ingest
+      responses:
+        '202':
+          description: Accepted
+  /v2/security/check:
+    post:
+      summary: Run canonical OMG security check
+      responses:
+        '200':
+          description: Security check result
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/SecurityCheckResult'
+  /v1/security/check:
+    post:
+      deprecated: true
+      summary: Deprecated alias of /v2/security/check
+      responses:
+        '200':
+          description: Security check result
+  /v2/guide/assert:
+    post:
+      summary: Assert output against explicit project rules
+      responses:
+        '200':
+          description: Guide assertion result
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/GuideAssertionResult'
+  /v1/guide/assert:
+    post:
+      deprecated: true
+      summary: Deprecated alias of /v2/guide/assert
+      responses:
+        '200':
+          description: Guide assertion result
+  /v2/runtime/dispatch:
+    post:
+      summary: Dispatch job to runtime adapter
+      responses:
+        '200':
+          description: Runtime dispatch result
+  /v1/runtime/dispatch:
+    post:
+      deprecated: true
+      summary: Deprecated alias of /v2/runtime/dispatch
+      responses:
+        '200':
+          description: Runtime dispatch result
+  /v2/registry/verify:
+    post:
+      summary: Verify supply-chain artifact
+      responses:
+        '200':
+          description: Verification decision
+  /v1/registry/verify:
+    post:
+      deprecated: true
+      summary: Deprecated alias of /v2/registry/verify
+      responses:
+        '200':
+          description: Verification decision
+  /v2/lab/jobs:
+    post:
+      summary: Create lab pipeline job
+      responses:
+        '201':
+          description: Created
+  /v1/lab/jobs:
+    post:
+      deprecated: true
+      summary: Deprecated alias of /v2/lab/jobs
+      responses:
+        '201':
+          description: Created
+  /v2/scoreboard/baseline:
+    get:
+      summary: Return baseline scorecard
+      responses:
+        '200':
+          description: KPI baseline snapshot
+  /v1/scoreboard/baseline:
+    get:
+      deprecated: true
+      summary: Deprecated alias of /v2/scoreboard/baseline
+      responses:
+        '200':
+          description: KPI baseline snapshot
+components:
+  schemas:
+    PolicyInput:
+      type: object
+      properties:
+        tool:
+          type: string
+        input:
+          type: object
+      additionalProperties: true
+    PolicyDecision:
+      type: object
+      required: [action, risk_level, reason, controls]
+      properties:
+        action:
+          type: string
+          enum: [allow, ask, deny]
+        risk_level:
+          type: string
+          enum: [low, med, high, critical]
+        reason:
+          type: string
+        controls:
+          type: array
+          items:
+            type: string
+    TrustReview:
+      type: object
+      required: [changed_files, mcp_changes, hook_changes, env_changes, risk_score, verdict]
+      properties:
+        changed_files:
+          type: array
+          items: { type: string }
+        mcp_changes:
+          type: array
+          items: { type: object }
+        hook_changes:
+          type: object
+        env_changes:
+          type: array
+          items: { type: object }
+        risk_score:
+          type: integer
+        verdict:
+          type: string
+    SecurityCheckResult:
+      type: object
+      required: [schema, status, scope, findings, summary, provenance, trust_scores]
+      properties:
+        schema:
+          type: string
+        status:
+          type: string
+        scope:
+          type: string
+        findings:
+          type: array
+          items:
+            type: object
+        summary:
+          type: object
+        provenance:
+          type: array
+          items:
+            type: object
+        trust_scores:
+          type: object
+    GuideAssertionResult:
+      type: object
+      required: [schema, verdict, violations, summary]
+      properties:
+        schema:
+          type: string
+        verdict:
+          type: string
+        violations:
+          type: array
+          items:
+            type: object
+        summary:
+          type: object

package/control_plane/server.py ADDED Viewed

@@ -0,0 +1,123 @@
+"""Lightweight HTTP server for OMG control-plane APIs."""
+from __future__ import annotations
+import argparse
+import sys
+from http.server import BaseHTTPRequestHandler, HTTPServer
+import json
+from typing import Any
+from control_plane.service import ControlPlaneService
+def _json_response(handler: BaseHTTPRequestHandler, status: int, payload: dict[str, Any]) -> None:
+    body = json.dumps(payload, ensure_ascii=True).encode("utf-8")
+    handler.send_response(status)
+    handler.send_header("Content-Type", "application/json")
+    handler.send_header("Content-Length", str(len(body)))
+    handler.end_headers()
+    handler.wfile.write(body)
+def _read_json(handler: BaseHTTPRequestHandler) -> dict[str, Any]:
+    length = int(handler.headers.get("Content-Length", "0"))
+    if length <= 0:
+        return {}
+    raw = handler.rfile.read(length)
+    if not raw:
+        return {}
+    try:
+        parsed = json.loads(raw.decode("utf-8"))
+        return parsed if isinstance(parsed, dict) else {}
+    except json.JSONDecodeError:
+        return {}
+_POST_ROUTE_TABLE = {
+    "/v2/policy/evaluate": ("policy_evaluate", False),
+    "/v1/policy/evaluate": ("policy_evaluate", True),
+    "/v2/trust/review": ("trust_review", False),
+    "/v1/trust/review": ("trust_review", True),
+    "/v2/evidence/ingest": ("evidence_ingest", False),
+    "/v1/evidence/ingest": ("evidence_ingest", True),
+    "/v2/security/check": ("security_check", False),
+    "/v1/security/check": ("security_check", True),
+    "/v2/guide/assert": ("guide_assert", False),
+    "/v1/guide/assert": ("guide_assert", True),
+    "/v2/runtime/dispatch": ("runtime_dispatch", False),
+    "/v1/runtime/dispatch": ("runtime_dispatch", True),
+    "/v2/registry/verify": ("registry_verify", False),
+    "/v1/registry/verify": ("registry_verify", True),
+    "/v2/lab/jobs": ("lab_jobs", False),
+    "/v1/lab/jobs": ("lab_jobs", True),
+}
+_GET_ROUTE_TABLE = {
+    "/v2/scoreboard/baseline": ("scoreboard_baseline", False),
+    "/v1/scoreboard/baseline": ("scoreboard_baseline", True),
+}
+def _decorate_payload(payload: dict[str, Any], *, deprecated: bool) -> dict[str, Any]:
+    decorated = dict(payload)
+    decorated["api_version"] = "v2"
+    if deprecated:
+        decorated["deprecated"] = True
+        decorated["deprecated_alias"] = "v1"
+    return decorated
+def make_handler(service: ControlPlaneService):
+    class Handler(BaseHTTPRequestHandler):
+        def do_GET(self) -> None:  # noqa: N802
+            route = _GET_ROUTE_TABLE.get(self.path)
+            if route is not None:
+                method_name, deprecated = route
+                status, payload = getattr(service, method_name)()
+                _json_response(self, status, _decorate_payload(payload, deprecated=deprecated))
+                return
+            _json_response(self, 404, {"status": "error", "message": "Not found"})
+        def do_POST(self) -> None:  # noqa: N802
+            payload = _read_json(self)
+            route = _POST_ROUTE_TABLE.get(self.path)
+            if route is not None:
+                method_name, deprecated = route
+                status, out = getattr(service, method_name)(payload)
+                _json_response(self, status, _decorate_payload(out, deprecated=deprecated))
+                return
+            _json_response(self, 404, {"status": "error", "message": "Not found"})
+        def log_message(self, format: str, *args: Any) -> None:  # noqa: A003
+            # Quiet default request logs; keep response JSON clean for local usage.
+            return
+    return Handler
+def run_server(host: str = "127.0.0.1", port: int = 8787, project_dir: str | None = None) -> None:
+    service = ControlPlaneService(project_dir=project_dir)
+    handler = make_handler(service)
+    server = HTTPServer((host, port), handler)
+    try:
+        server.serve_forever()
+    finally:
+        server.server_close()
+def _main() -> int:
+    parser = argparse.ArgumentParser(description="Run OMG control-plane API server")
+    parser.add_argument("--host", default="127.0.0.1")
+    parser.add_argument("--port", type=int, default=8787)
+    parser.add_argument("--project-dir", default=None)
+    args = parser.parse_args()
+    if args.host != "127.0.0.1":
+        print(f"⚠ WARNING: Binding to {args.host} exposes the control plane to the network. No authentication is configured.", file=sys.stderr)
+    run_server(args.host, args.port, args.project_dir)
+    return 0
+if __name__ == "__main__":
+    raise SystemExit(_main())

package/control_plane/service.py ADDED Viewed

@@ -0,0 +1,185 @@
+"""Control plane service handlers for OMG v1."""
+from __future__ import annotations
+from datetime import datetime, timezone
+import os
+from typing import Any
+from hooks.policy_engine import (
+    evaluate_bash_command,
+    evaluate_file_access,
+    evaluate_supply_artifact,
+)
+from hooks.security_validators import validate_opaque_identifier
+from hooks.shadow_manager import create_evidence_pack
+from hooks.trust_review import review_config_change
+from lab.pipeline import run_pipeline
+from registry.verify_artifact import verify_artifact
+from runtime.guide_assert import guide_assert
+from runtime.dispatcher import dispatch_runtime
+from runtime.security_check import run_security_check
+class ControlPlaneService:
+    def __init__(self, project_dir: str | None = None):
+        self.project_dir = project_dir or os.environ.get("CLAUDE_PROJECT_DIR", os.getcwd())
+    def policy_evaluate(self, payload: dict[str, Any]) -> tuple[int, dict[str, Any]]:
+        tool = str(payload.get("tool", ""))
+        input_data = payload.get("input", {})
+        if tool == "Bash":
+            command = str((input_data or {}).get("command", ""))
+            decision = evaluate_bash_command(command)
+            return 200, decision.to_dict()
+        if tool in {"Read", "Write", "Edit", "MultiEdit"}:
+            file_path = str((input_data or {}).get("file_path", ""))
+            decision = evaluate_file_access(tool, file_path)
+            return 200, decision.to_dict()
+        if tool == "SupplyArtifact":
+            artifact = payload.get("artifact", {})
+            mode = str(payload.get("mode", "warn_and_run"))
+            decision = evaluate_supply_artifact(artifact, mode=mode)
+            return 200, decision.to_dict()
+        return 400, {
+            "status": "error",
+            "error_code": "INVALID_POLICY_INPUT",
+            "message": "Unsupported tool for policy evaluation",
+        }
+    def trust_review(self, payload: dict[str, Any]) -> tuple[int, dict[str, Any]]:
+        file_path = str(payload.get("file_path", "settings.json"))
+        old_config = payload.get("old_config", {})
+        new_config = payload.get("new_config", {})
+        if not isinstance(old_config, dict) or not isinstance(new_config, dict):
+            return 400, {
+                "status": "error",
+                "error_code": "INVALID_TRUST_INPUT",
+                "message": "old_config and new_config must be objects",
+            }
+        review = review_config_change(file_path, old_config, new_config)
+        return 200, review
+    def evidence_ingest(self, payload: dict[str, Any]) -> tuple[int, dict[str, Any]]:
+        run_id = str(payload.get("run_id", "")).strip()
+        required = ["tests", "security_scans", "diff_summary", "reproducibility", "unresolved_risks"]
+        missing = [key for key in required if key not in payload]
+        if not run_id:
+            return 400, {
+                "status": "error",
+                "error_code": "INVALID_EVIDENCE_INPUT",
+                "message": "run_id is required",
+            }
+        try:
+            run_id = validate_opaque_identifier(run_id, "run_id")
+        except ValueError as exc:
+            return 400, {
+                "status": "error",
+                "error_code": "INVALID_EVIDENCE_INPUT",
+                "message": str(exc),
+            }
+        if missing:
+            return 400, {
+                "status": "error",
+                "error_code": "INVALID_EVIDENCE_INPUT",
+                "message": f"Missing required fields: {', '.join(missing)}",
+            }
+        path = create_evidence_pack(
+            self.project_dir,
+            run_id,
+            tests=payload.get("tests"),
+            security_scans=payload.get("security_scans"),
+            diff_summary=payload.get("diff_summary"),
+            reproducibility=payload.get("reproducibility"),
+            unresolved_risks=payload.get("unresolved_risks"),
+            provenance=payload.get("provenance"),
+            trust_scores=payload.get("trust_scores"),
+            api_twin=payload.get("api_twin"),
+            route_metadata=payload.get("route_metadata"),
+            trace_ids=payload.get("trace_ids"),
+            lineage=payload.get("lineage"),
+        )
+        return 202, {
+            "status": "accepted",
+            "run_id": run_id,
+            "evidence_path": os.path.relpath(path, self.project_dir),
+        }
+    def security_check(self, payload: dict[str, Any]) -> tuple[int, dict[str, Any]]:
+        scope = str(payload.get("scope", "."))
+        include_live_enrichment = bool(payload.get("include_live_enrichment", False))
+        result = run_security_check(
+            project_dir=self.project_dir,
+            scope=scope,
+            include_live_enrichment=include_live_enrichment,
+        )
+        return 200, result
+    def guide_assert(self, payload: dict[str, Any]) -> tuple[int, dict[str, Any]]:
+        candidate = str(payload.get("candidate", ""))
+        rules = payload.get("rules", {})
+        if not isinstance(rules, dict):
+            return 400, {
+                "status": "error",
+                "error_code": "INVALID_GUIDE_INPUT",
+                "message": "rules must be an object",
+            }
+        return 200, guide_assert(candidate, rules)
+    def runtime_dispatch(self, payload: dict[str, Any]) -> tuple[int, dict[str, Any]]:
+        runtime = str(payload.get("runtime", "")).strip()
+        idea = payload.get("idea", {})
+        if not runtime:
+            return 400, {
+                "status": "error",
+                "error_code": "INVALID_RUNTIME_INPUT",
+                "message": "runtime is required",
+            }
+        if not isinstance(idea, dict):
+            return 400, {
+                "status": "error",
+                "error_code": "INVALID_RUNTIME_INPUT",
+                "message": "idea must be an object",
+            }
+        result = dispatch_runtime(runtime, idea)
+        if result.get("status") == "error":
+            return 400, result
+        return 200, result
+    def registry_verify(self, payload: dict[str, Any]) -> tuple[int, dict[str, Any]]:
+        artifact = payload.get("artifact", {})
+        mode = str(payload.get("mode", "warn_and_run"))
+        if not isinstance(artifact, dict):
+            return 400, {
+                "status": "error",
+                "error_code": "INVALID_REGISTRY_INPUT",
+                "message": "artifact must be an object",
+            }
+        decision = verify_artifact(artifact, mode=mode)
+        return 200, decision
+    def lab_jobs(self, payload: dict[str, Any]) -> tuple[int, dict[str, Any]]:
+        if not isinstance(payload, dict):
+            return 400, {
+                "status": "error",
+                "error_code": "INVALID_LAB_INPUT",
+                "message": "job payload must be an object",
+            }
+        result = run_pipeline(payload)
+        return 201 if result.get("status") in {"ready", "failed_evaluation"} else 400, result
+    def scoreboard_baseline(self) -> tuple[int, dict[str, Any]]:
+        return 200, {
+            "generated_at": datetime.now(timezone.utc).isoformat(),
+            "baseline": {
+                "safe_autonomy_rate": 0.0,
+                "pr_throughput": 0.0,
+                "adoption_velocity": 0.0,
+            },
+            "target_policy": "non-regression-or-better",
+        }

package/dist/enterprise/bundle/.agents/skills/omg/algorithms/SKILL.md ADDED Viewed

@@ -0,0 +1,11 @@
+---
+name: omg-algorithms
+description: "Determinism and benchmark attachments for algorithm-heavy work."
+---
+# OMG Algorithms Pack
+- Channel: `enterprise`
+- Execution modes: `embedded, local_supervisor`
+- MCP servers: `omg-control`
+- Evidence outputs: `.omg/evals/latest.json`

package/dist/enterprise/bundle/.agents/skills/omg/algorithms/openai.yaml ADDED Viewed

@@ -0,0 +1,11 @@
+name: omg-algorithms
+description: "Determinism and benchmark attachments for algorithm-heavy work."
+allow_implicit_invocation: false
+metadata:
+  channel: enterprise
+  bundle_id: algorithms
+  title: "OMG Algorithms Pack"
+mcp_servers:
+  - omg-control
+allowed_tools:
+  - "Read"

package/dist/enterprise/bundle/.agents/skills/omg/api-twin/SKILL.md ADDED Viewed

@@ -0,0 +1,11 @@
+---
+name: omg-api-twin
+description: "Versioned endpoint cassette replay with latency, drift, and cost reporting."
+---
+# OMG API Twin
+- Channel: `enterprise`
+- Execution modes: `embedded, local_supervisor`
+- MCP servers: `omg-control`
+- Evidence outputs: `.omg/state/api_twin.json`

package/dist/enterprise/bundle/.agents/skills/omg/api-twin/openai.yaml ADDED Viewed

@@ -0,0 +1,12 @@
+name: omg-api-twin
+description: "Versioned endpoint cassette replay with latency, drift, and cost reporting."
+allow_implicit_invocation: false
+metadata:
+  channel: enterprise
+  bundle_id: api-twin
+  title: "OMG API Twin"
+mcp_servers:
+  - omg-control
+allowed_tools:
+  - "Read"
+  - "Bash(python3:*)"

package/dist/enterprise/bundle/.agents/skills/omg/data-lineage/SKILL.md ADDED Viewed

@@ -0,0 +1,11 @@
+---
+name: omg-data-lineage
+description: "Provenance and privacy tracking for traces, fixtures, examples, and synthetic artifacts."
+---
+# OMG Data Lineage
+- Channel: `enterprise`
+- Execution modes: `embedded, local_supervisor`
+- MCP servers: `omg-control`
+- Evidence outputs: `.omg/lineage/*.json`

package/dist/enterprise/bundle/.agents/skills/omg/data-lineage/openai.yaml ADDED Viewed

@@ -0,0 +1,12 @@
+name: omg-data-lineage
+description: "Provenance and privacy tracking for traces, fixtures, examples, and synthetic artifacts."
+allow_implicit_invocation: true
+metadata:
+  channel: enterprise
+  bundle_id: data-lineage
+  title: "OMG Data Lineage"
+mcp_servers:
+  - omg-control
+allowed_tools:
+  - "Read"
+  - "Bash(python3:*)"

package/dist/enterprise/bundle/.agents/skills/omg/delta-classifier/SKILL.md ADDED Viewed

@@ -0,0 +1,11 @@
+---
+name: omg-delta-classifier
+description: "Change classifier that attaches risk-aware checks, approvals, and packs."
+---
+# OMG Delta Classifier
+- Channel: `enterprise`
+- Execution modes: `embedded, local_supervisor`
+- MCP servers: `omg-control`
+- Evidence outputs: `.omg/tracebank/events.jsonl`

package/dist/enterprise/bundle/.agents/skills/omg/delta-classifier/openai.yaml ADDED Viewed

@@ -0,0 +1,12 @@
+name: omg-delta-classifier
+description: "Change classifier that attaches risk-aware checks, approvals, and packs."
+allow_implicit_invocation: true
+metadata:
+  channel: enterprise
+  bundle_id: delta-classifier
+  title: "OMG Delta Classifier"
+mcp_servers:
+  - omg-control
+allowed_tools:
+  - "Read"
+  - "Grep"

package/dist/enterprise/bundle/.agents/skills/omg/eval-gate/SKILL.md ADDED Viewed

@@ -0,0 +1,11 @@
+---
+name: omg-eval-gate
+description: "Reproducible evaluation gate that blocks regressions before release."
+---
+# OMG Eval Gate
+- Channel: `enterprise`
+- Execution modes: `embedded, local_supervisor`
+- MCP servers: `omg-control`
+- Evidence outputs: `.omg/evals/latest.json`

package/dist/enterprise/bundle/.agents/skills/omg/eval-gate/openai.yaml ADDED Viewed

@@ -0,0 +1,12 @@
+name: omg-eval-gate
+description: "Reproducible evaluation gate that blocks regressions before release."
+allow_implicit_invocation: false
+metadata:
+  channel: enterprise
+  bundle_id: eval-gate
+  title: "OMG Eval Gate"
+mcp_servers:
+  - omg-control
+allowed_tools:
+  - "Read"
+  - "Bash(python3:*)"

package/dist/enterprise/bundle/.agents/skills/omg/health/SKILL.md ADDED Viewed

@@ -0,0 +1,11 @@
+---
+name: omg-health
+description: "Health-sensitive approvals, provenance, and replay attachments."
+---
+# OMG Health Pack
+- Channel: `enterprise`
+- Execution modes: `embedded, local_supervisor`
+- MCP servers: `omg-control`
+- Evidence outputs: `.omg/lineage/*.json`

package/dist/enterprise/bundle/.agents/skills/omg/health/openai.yaml ADDED Viewed

@@ -0,0 +1,11 @@
+name: omg-health
+description: "Health-sensitive approvals, provenance, and replay attachments."
+allow_implicit_invocation: false
+metadata:
+  channel: enterprise
+  bundle_id: health
+  title: "OMG Health Pack"
+mcp_servers:
+  - omg-control
+allowed_tools:
+  - "Read"