@trac3er/oh-my-god 2.0.4 → 2.0.7

package/build/lib/plugins/advanced/commands/OMG:ralph-stop.md

@@ -0,0 +1,23 @@
+---
+description: "Stop Ralph autonomous loop — deactivates the state file."
+allowed-tools: Read, Write, Edit, Bash
+argument-hint: ""
+---
+
+# /OMG:ralph-stop — Stop Ralph Autonomous Loop
+
+## Purpose
+Stops an active Ralph loop by deactivating the state file.
+
+## Usage
+```
+/OMG:ralph-stop
+```
+
+## How it Works
+1. Read `.omg/state/ralph-loop.json`
+2. Set `active: false` in the state file (preserve iteration count for review)
+3. Report: "Ralph loop stopped after N iterations. Gomg was: [original_prompt]"
+
+## If No Active Loop
+Report: "No active Ralph loop found. Nothing to stop."

package/build/lib/plugins/advanced/commands/OMG:security-review.md

@@ -0,0 +1,16 @@
+---
+description: Deprecated alias to OMG's canonical security-check pipeline.
+allowed-tools: Read, Grep, Glob, Bash(python3:*), Bash(rg:*)
+argument-hint: "[path or '.' for the current project]"
+---
+
+# /OMG:security-review — Deprecated Alias
+
+`/OMG:security-review` remains available only for compatibility.
+
+Use `/OMG:security-check` instead. The canonical pipeline now owns:
+
+- normalized security findings
+- dependency and AST enrichment
+- evidence-ready provenance and trust scores
+- reuse across CLI, compat routing, control plane, MCP, and ship flows

package/build/lib/plugins/advanced/commands/OMG:sequential-thinking.md

@@ -0,0 +1,20 @@
+---
+description: Structured multi-step reasoning using sequential-thinking tool for complex debugging and planning.
+allowed-tools: sequential-thinking_sequentialthinking, Read, Grep, Glob
+argument-hint: "[problem statement to reason through]"
+---
+
+# /OMG:sequential-thinking
+
+Use the sequential-thinking tool when the task needs explicit step-by-step reasoning,
+branching, and hypothesis verification.
+
+Execution contract:
+- Start with an initial thought budget
+- Revise or branch when new evidence appears
+- End only when a verified conclusion is reached
+
+Output contract:
+- Return final conclusion
+- Return key assumptions
+- Return verification steps used

package/build/lib/plugins/advanced/commands/OMG:ship.md

@@ -0,0 +1,46 @@
+---
+description: Ship pipeline — Idea -> Plan -> Execute -> Evidence -> PR-ready summary
+allowed-tools: Read, Write, Edit, MultiEdit, Grep, Glob, Bash(git:*), Bash(rg:*), Bash(find:*), Bash(cat:*), Bash(python3:*), Bash(pytest:*), Bash(npm test:*), Bash(go test:*), Bash(cargo test:*), Bash(jest:*), Bash(vitest:*)
+argument-hint: "[goal or optional path to .omg/idea.yml]"
+---
+
+# /OMG:ship — Idea -> Evidence -> PR
+
+## Step 1: Load idea contract
+- Prefer `.omg/idea.yml`.
+- If missing, scaffold from `~/.claude/templates/omg/idea.yml` and ask user for minimum fields:
+  - `goal`, `constraints`, `acceptance`, `risk`, `evidence_required`.
+
+## Step 2: Convert idea to execution plan
+- Consume plan artifacts generated by `/OMG:deep-plan`.
+- Require `.omg/plans/deep-plan.md` and `.omg/plans/deep-plan.json` to already encode the business workflow contract.
+- If missing, invoke `/OMG:deep-plan` first and return after those artifacts are created.
+- Use the deep-plan workflow path and task metadata as the execution source of truth.
+
+## Step 3: Execute with Shadow + Evidence discipline
+- Implement changes.
+- Run verification commands.
+- Build an evidence pack at `.omg/evidence/<run-id>.json` containing:
+  - `tests[]`, `security_scans[]`, `diff_summary`, `reproducibility`, `unresolved_risks[]`.
+
+## Step 4: Security and trust checks
+- Run `/OMG:security-check` for auth/payment/database/sensitive changes.
+- If config/hook/MCP changes are involved, ensure trust manifest is updated at `.omg/trust/manifest.lock.json`.
+
+## Step 5: PR-ready output
+Return:
+1. Goal and scope delivered
+2. Files changed
+3. Verification evidence (command + exit code)
+4. Risks/unknowns
+5. Suggested PR title + body
+
+## Full-power sub-agent protocol
+- Prefer parallel background sub-agent launches for independent workstreams.
+- Do not finalize until every launched track is collected via `background_output`.
+- Use `sequential-thinking` to reconcile conflicts and enforce execution order.
+
+## Anti-patterns
+- Do not claim done without evidence.
+- Do not edit tests to hide product bugs.
+- Do not skip trust review for `.claude/.omg` or MCP changes.

package/build/lib/plugins/advanced/plugin.json

@@ -0,0 +1,87 @@
+{
+  "name": "omg-advanced",
+  "version": "2.0.7",
+  "description": "Advanced OMG commands - deep planning, learning, code review, and specialized workflows",
+  "type": "omg-plugin",
+  "commands": {
+    "deep-plan": {
+      "path": "commands/OMG:deep-plan.md",
+      "description": "Deep strategic planning with domain awareness",
+      "category": "planning"
+    },
+    "learn": {
+      "path": "commands/OMG:learn.md",
+      "description": "Create reusable skills from patterns",
+      "category": "knowledge"
+    },
+    "code-review": {
+      "path": "commands/OMG:code-review.md",
+      "description": "Deep code review with line-by-line analysis",
+      "category": "quality"
+    },
+    "ship": {
+      "path": "commands/OMG:ship.md",
+      "description": "Ship pipeline - idea to PR-ready summary",
+      "category": "delivery"
+    },
+    "handoff": {
+      "path": "commands/OMG:handoff.md",
+      "description": "Intelligent session transfer",
+      "category": "collaboration"
+    },
+    "maintainer": {
+      "path": "commands/OMG:maintainer.md",
+      "description": "Open-source maintainer workflows",
+      "category": "oss"
+    },
+    "sequential-thinking": {
+      "path": "commands/OMG:sequential-thinking.md",
+      "description": "Structured multi-step reasoning",
+      "category": "thinking"
+    },
+    "ralph-start": {
+      "path": "commands/OMG:ralph-start.md",
+      "description": "Start Ralph autonomous loop",
+      "category": "automation"
+    },
+    "ralph-stop": {
+      "path": "commands/OMG:ralph-stop.md",
+      "description": "Stop Ralph autonomous loop",
+      "category": "automation"
+    }
+  },
+  "categories": {
+    "planning": {
+      "description": "Strategic planning and architecture",
+      "commands": ["deep-plan"]
+    },
+    "quality": {
+      "description": "Code quality and review",
+      "commands": ["code-review"]
+    },
+    "knowledge": {
+      "description": "Learning and skill creation",
+      "commands": ["learn"]
+    },
+    "delivery": {
+      "description": "Shipping and release workflows",
+      "commands": ["ship"]
+    },
+    "collaboration": {
+      "description": "Team collaboration and handoff",
+      "commands": ["handoff"]
+    },
+    "automation": {
+      "description": "Autonomous execution modes",
+      "commands": ["ralph-start", "ralph-stop"]
+    },
+    "thinking": {
+      "description": "Structured thinking tools",
+      "commands": ["sequential-thinking"]
+    },
+    "oss": {
+      "description": "Open source maintainer tools",
+      "commands": ["maintainer"]
+    }
+  }
+}

package/build/lib/plugins/core/plugin.json

@@ -0,0 +1,145 @@
+{
+  "name": "omg-core",
+  "version": "2.0.7",
+  "description": "Core OMG commands - native setup, routing, orchestration, and verification surfaces",
+  "type": "omg-plugin",
+  "commands": {
+    "setup": {
+      "path": "commands/OMG:setup.md",
+      "description": "Native OMG setup and adoption flow for supported hosts",
+      "category": "setup"
+    },
+    "init": {
+      "path": "commands/OMG:init.md",
+      "description": "Unified initializer for project setup and domain scaffolding",
+      "category": "setup"
+    },
+    "escalate": {
+      "path": "commands/OMG:escalate.md",
+      "description": "Auto-route to Codex or Gemini",
+      "category": "routing"
+    },
+    "teams": {
+      "path": "commands/OMG:teams.md",
+      "description": "Internal team routing for standalone operation",
+      "category": "routing"
+    },
+    "ccg": {
+      "path": "commands/OMG:ccg.md",
+      "description": "CCG mode - tri-track synthesis (Claude+Codex+Gemini)",
+      "category": "routing"
+    },
+    "crazy": {
+      "path": "commands/OMG:crazy.md",
+      "description": "CRAZY mode - parallel multi-agent orchestration",
+      "category": "orchestration"
+    },
+    "compat": {
+      "path": "commands/OMG:compat.md",
+      "description": "Legacy skill compatibility dispatcher",
+      "category": "compatibility"
+    },
+    "security-check": {
+      "path": "commands/OMG:security-check.md",
+      "description": "Canonical security pipeline with normalized findings and evidence",
+      "category": "security"
+    },
+    "api-twin": {
+      "path": "commands/OMG:api-twin.md",
+      "description": "Contract replay and fixture-based API simulation",
+      "category": "contracts"
+    },
+    "preflight": {
+      "path": "commands/OMG:preflight.md",
+      "description": "Structured routing and evidence planning before execution",
+      "category": "routing"
+    },
+    "health-check": {
+      "path": "commands/OMG:health-check.md",
+      "description": "Verify project setup and tool integration",
+      "category": "setup"
+    },
+    "mode": {
+      "path": "commands/OMG:mode.md",
+      "description": "Set cognitive mode for the session",
+      "category": "config"
+    },
+    "domain-init": {
+      "path": "commands/OMG:domain-init.md",
+      "description": "Alias for domain scaffolding (use init instead)",
+      "category": "setup",
+      "deprecated": true
+    },
+    "project-init": {
+      "path": "commands/OMG:project-init.md",
+      "description": "Alias for project setup (use init instead)",
+      "category": "setup",
+      "deprecated": true
+    },
+    "cost": {
+      "path": "commands/OMG:cost.md",
+      "description": "Display session cost tracking, budget status, and usage history",
+      "category": "observability"
+    },
+    "stats": {
+      "path": "commands/OMG:stats.md",
+      "description": "Display session analytics, tool usage trends, file heatmaps, and failure patterns",
+      "category": "observability"
+    },
+    "deps": {
+      "path": "commands/OMG:deps.md",
+      "description": "Scan project dependencies for CVEs, license issues, and outdated packages",
+      "category": "observability"
+    },
+    "arch": {
+      "path": "commands/OMG:arch.md",
+      "description": "Codebase visualization — dependency graphs and architecture diagrams",
+      "category": "visualization",
+      "feature_flag": "CODEBASE_VIZ"
+    }
+  },
+  "categories": {
+    "setup": {
+      "description": "Project initialization and setup",
+      "commands": ["setup", "init", "health-check"]
+    },
+    "routing": {
+      "description": "Model routing and escalation",
+      "commands": ["escalate", "teams", "ccg", "preflight"]
+    },
+    "orchestration": {
+      "description": "Multi-agent orchestration modes",
+      "commands": ["crazy"]
+    },
+    "compatibility": {
+      "description": "Legacy compatibility",
+      "commands": ["compat"]
+    },
+    "config": {
+      "description": "Configuration and settings",
+      "commands": ["mode"]
+    },
+    "observability": {
+      "description": "Cost tracking and session observability",
+      "commands": ["cost", "stats", "deps"]
+    },
+    "security": {
+      "description": "Canonical security and trust checks",
+      "commands": ["security-check"]
+    },
+    "contracts": {
+      "description": "Contract replay and API simulation",
+      "commands": ["api-twin"]
+    },
+    "visualization": {
+      "description": "Codebase visualization and architecture diagrams",
+      "commands": ["arch"]
+    }
+  },
+  "roles": {
+    "plan-council": {
+      "description": "Canonical council-style planning role",
+      "bundle": "plan-council"
+    }
+  }
+}

package/build/lib/plugins/dephealth/cve_scanner.py

@@ -0,0 +1,188 @@
+from __future__ import annotations
+
+import json
+import os
+from datetime import datetime, timedelta, timezone
+from pathlib import Path
+from typing import Any
+import urllib.error
+import urllib.request
+
+
+OSV_BATCH_URL = "https://api.osv.dev/v1/querybatch"
+CACHE_REL_PATH = Path(".omg") / "state" / "cve-cache.json"
+CACHE_TTL_HOURS = 24
+
+
+def _dep_health_enabled() -> bool:
+    env_val = os.environ.get("OMG_DEP_HEALTH_ENABLED", "").lower()
+    if env_val in ("1", "true", "yes"):
+        return True
+    if env_val in ("0", "false", "no"):
+        return False
+    try:
+        import sys
+        sys.path.insert(0, os.path.dirname(os.path.dirname(os.path.dirname(os.path.abspath(__file__)))))
+        from hooks._common import get_feature_flag
+        return get_feature_flag("DEP_HEALTH", default=False)
+    except Exception:
+        return False
+
+
+def scan_for_cves(dependency_list: list[dict[str, str]], project_dir: str = ".") -> dict[str, Any]:
+    if not _dep_health_enabled():
+        return {"results": {}, "cached": False, "scan_ts": datetime.now(timezone.utc).isoformat()}
+    
+    now = datetime.now(timezone.utc)
+    cache_path = Path(project_dir) / CACHE_REL_PATH
+    cached_payload = _load_cache(cache_path)
+
+    if not dependency_list:
+        return {
+            "results": {},
+            "cached": False,
+            "scan_ts": now.isoformat(),
+        }
+
+    if cached_payload and _is_cache_fresh(cached_payload.get("scan_ts")):
+        return {
+            "results": cached_payload.get("results", {}),
+            "cached": True,
+            "scan_ts": cached_payload.get("scan_ts", now.isoformat()),
+        }
+
+    try:
+        osv_response = _query_osv_batch(dependency_list)
+    except urllib.error.URLError:
+        if cached_payload:
+            return {
+                "results": cached_payload.get("results", {}),
+                "cached": True,
+                "scan_ts": cached_payload.get("scan_ts", now.isoformat()),
+            }
+        return {"status": "offline", "results": {}, "cached": False}
+
+    structured_results = _normalize_results(dependency_list, osv_response)
+    scan_result = {
+        "results": structured_results,
+        "cached": False,
+        "scan_ts": now.isoformat(),
+    }
+    _save_cache(cache_path, scan_result)
+    return scan_result
+
+
+def _query_osv_batch(dependency_list: list[dict[str, str]]) -> dict[str, Any]:
+    payload = {
+        "queries": [
+            {
+                "package": {
+                    "name": dependency["name"],
+                    "ecosystem": dependency["ecosystem"],
+                },
+                "version": dependency["version"],
+            }
+            for dependency in dependency_list
+        ]
+    }
+
+    request = urllib.request.Request(
+        OSV_BATCH_URL,
+        data=json.dumps(payload).encode("utf-8"),
+        headers={"Content-Type": "application/json"},
+        method="POST",
+    )
+
+    with urllib.request.urlopen(request) as response:
+        body = response.read().decode("utf-8")
+    return json.loads(body)
+
+
+def _normalize_results(
+    dependency_list: list[dict[str, str]], osv_response: dict[str, Any]
+) -> dict[str, list[dict[str, Any]]]:
+    output: dict[str, list[dict[str, Any]]] = {}
+    response_results = osv_response.get("results", [])
+
+    for index, dependency in enumerate(dependency_list):
+        pkg_name = dependency.get("name", "")
+        query_result = response_results[index] if index < len(response_results) else {}
+        vulns = query_result.get("vulns", [])
+
+        normalized_vulns: list[dict[str, Any]] = []
+        for vuln in vulns:
+            affected_versions, fixed_version = _extract_affected(vuln)
+            normalized_vulns.append(
+                {
+                    "id": vuln.get("id", ""),
+                    "severity": _extract_severity(vuln),
+                    "summary": vuln.get("summary", ""),
+                    "affected_versions": affected_versions,
+                    "fixed_version": fixed_version,
+                }
+            )
+
+        output[pkg_name] = normalized_vulns
+
+    return output
+
+
+def _extract_severity(vuln: dict[str, Any]) -> str:
+    severities = vuln.get("severity") or []
+    if severities and isinstance(severities[0], dict):
+        score = severities[0].get("score")
+        if score:
+            return str(score)
+    return "UNKNOWN"
+
+
+def _extract_affected(vuln: dict[str, Any]) -> tuple[list[str], str]:
+    affected_versions: list[str] = []
+    fixed_version = ""
+
+    for affected in vuln.get("affected", []) or []:
+        for version in affected.get("versions", []) or []:
+            affected_versions.append(str(version))
+
+        for version_range in affected.get("ranges", []) or []:
+            for event in version_range.get("events", []) or []:
+                introduced = event.get("introduced")
+                fixed = event.get("fixed")
+                if introduced:
+                    affected_versions.append(str(introduced))
+                if fixed and not fixed_version:
+                    fixed_version = str(fixed)
+
+    deduped_versions = list(dict.fromkeys(affected_versions))
+    return deduped_versions, fixed_version
+
+
+def _load_cache(cache_path: Path) -> dict[str, Any] | None:
+    if not cache_path.exists():
+        return None
+    try:
+        return json.loads(cache_path.read_text(encoding="utf-8"))
+    except (OSError, json.JSONDecodeError):
+        return None
+
+
+def _save_cache(cache_path: Path, payload: dict[str, Any]) -> None:
+    try:
+        cache_path.parent.mkdir(parents=True, exist_ok=True)
+        cache_path.write_text(json.dumps(payload, separators=(",", ":")), encoding="utf-8")
+    except OSError:
+        return
+
+
+def _is_cache_fresh(scan_ts: str | None) -> bool:
+    if not scan_ts:
+        return False
+    try:
+        scanned_at = datetime.fromisoformat(scan_ts)
+    except ValueError:
+        return False
+
+    if scanned_at.tzinfo is None:
+        scanned_at = scanned_at.replace(tzinfo=timezone.utc)
+
+    return datetime.now(timezone.utc) - scanned_at < timedelta(hours=CACHE_TTL_HOURS)

package/build/lib/plugins/dephealth/license_checker.py

@@ -0,0 +1,135 @@
+"""License compatibility checker for dependency health analysis.
+
+Checks whether project dependencies have licenses compatible with
+the project's own license using a static compatibility matrix.
+No network access required.
+"""
+
+from __future__ import annotations
+import os
+from typing import Any
+
+# License categories (restrictiveness increases top to bottom)
+_PERMISSIVE = frozenset({
+    "MIT", "BSD-2-Clause", "BSD-3-Clause", "ISC", "Unlicense", "CC0-1.0",
+})
+
+_WEAK_COPYLEFT = frozenset({
+    "Apache-2.0", "LGPL-2.1", "LGPL-3.0", "MPL-2.0",
+})
+
+_STRONG_COPYLEFT = frozenset({
+    "GPL-2.0", "GPL-3.0",
+})
+
+_NETWORK_COPYLEFT = frozenset({
+    "AGPL-3.0",
+})
+
+_ALL_KNOWN = _PERMISSIVE | _WEAK_COPYLEFT | _STRONG_COPYLEFT | _NETWORK_COPYLEFT
+
+
+def _dep_health_enabled() -> bool:
+    env_val = os.environ.get("OMG_DEP_HEALTH_ENABLED", "").lower()
+    if env_val in ("1", "true", "yes"):
+        return True
+    if env_val in ("0", "false", "no"):
+        return False
+    try:
+        import sys
+        sys.path.insert(0, os.path.dirname(os.path.dirname(os.path.dirname(os.path.abspath(__file__)))))
+        from hooks._common import get_feature_flag
+        return get_feature_flag("DEP_HEALTH", default=False)
+    except Exception:
+        return False
+
+
+def _license_tier(license_id: str) -> int:
+    """Return restrictiveness tier: 0=permissive, 1=weak, 2=strong, 3=network."""
+    if license_id in _PERMISSIVE:
+        return 0
+    if license_id in _WEAK_COPYLEFT:
+        return 1
+    if license_id in _STRONG_COPYLEFT:
+        return 2
+    if license_id in _NETWORK_COPYLEFT:
+        return 3
+    return -1  # unknown
+
+
+def check_license_compatibility(
+    project_license: str,
+    dependencies: list[dict[str, Any]],
+) -> dict[str, list[dict[str, str]]]:
+    """Check license compatibility between project and its dependencies.
+
+    Args:
+        project_license: SPDX identifier for the project license (e.g. "MIT").
+        dependencies: List of dicts with "name" and "license" keys.
+            License may be None or "UNKNOWN".
+
+    Returns:
+        Dict with three lists:
+            compatible: [{"pkg": str, "license": str}]
+            incompatible: [{"pkg": str, "license": str, "reason": str}]
+            unknown: [{"pkg": str}]
+    """
+    if not _dep_health_enabled():
+        return {"compatible": [], "incompatible": [], "unknown": []}
+    
+    compatible: list[dict[str, str]] = []
+    incompatible: list[dict[str, str]] = []
+    unknown: list[dict[str, str]] = []
+
+    project_tier = _license_tier(project_license)
+
+    for dep in dependencies:
+        name = dep.get("name", "")
+        dep_license = dep.get("license")
+
+        # Unknown / missing license
+        if not dep_license or dep_license == "UNKNOWN":
+            unknown.append({"pkg": name})
+            continue
+
+        dep_tier = _license_tier(dep_license)
+
+        # Unrecognized license string
+        if dep_tier == -1:
+            unknown.append({"pkg": name})
+            continue
+
+        # AGPL dep in non-AGPL project is always incompatible
+        if dep_tier == 3 and project_tier != 3:
+            incompatible.append({
+                "pkg": name,
+                "license": dep_license,
+                "reason": (
+                    f"AGPL-3.0 dependency in {project_license} project: "
+                    f"network copyleft requires entire project to be AGPL-3.0"
+                ),
+            })
+            continue
+
+        # Strong copyleft dep in permissive/weak-copyleft project
+        if dep_tier == 2 and project_tier < 2:
+            incompatible.append({
+                "pkg": name,
+                "license": dep_license,
+                "reason": (
+                    f"{dep_license} dependency in {project_license} project: "
+                    f"copyleft contamination requires project to adopt {dep_license}"
+                ),
+            })
+            continue
+
+        # Everything else: permissive deps are always OK,
+        # weak copyleft in permissive is OK (dynamic linking),
+        # same-tier or higher-tier project can use lower-tier deps
+        compatible.append({"pkg": name, "license": dep_license})
+
+    return {
+        "compatible": compatible,
+        "incompatible": incompatible,
+        "unknown": unknown,
+    }