@trac3er/oh-my-god 2.0.4 → 2.0.7

package/control_plane/openapi.yaml

@@ -0,0 +1,260 @@
+openapi: 3.1.0
+info:
+  title: OMG Control Plane API
+  version: 2.0.7
+  description: Policy/trust/evidence/runtime/registry/lab endpoints for OMG v2, with deprecated v1 aliases for one release.
+servers:
+  - url: https://api.omg.local
+paths:
+  /v2/policy/evaluate:
+    post:
+      summary: Evaluate policy decision
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/PolicyInput'
+      responses:
+        '200':
+          description: Decision result
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/PolicyDecision'
+  /v1/policy/evaluate:
+    post:
+      deprecated: true
+      summary: Deprecated alias of /v2/policy/evaluate
+      responses:
+        '200':
+          description: Decision result
+  /v2/trust/review:
+    post:
+      summary: Review trust-sensitive config changes
+      responses:
+        '200':
+          description: Trust review report
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/TrustReview'
+  /v1/trust/review:
+    post:
+      deprecated: true
+      summary: Deprecated alias of /v2/trust/review
+      responses:
+        '200':
+          description: Trust review report
+  /v2/evidence/ingest:
+    post:
+      summary: Ingest evidence pack
+      responses:
+        '202':
+          description: Accepted
+  /v1/evidence/ingest:
+    post:
+      deprecated: true
+      summary: Deprecated alias of /v2/evidence/ingest
+      responses:
+        '202':
+          description: Accepted
+  /v2/security/check:
+    post:
+      summary: Run canonical OMG security check
+      requestBody:
+        required: false
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/SecurityCheckInput'
+      responses:
+        '200':
+          description: Security check result
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/SecurityCheckResult'
+  /v1/security/check:
+    post:
+      deprecated: true
+      summary: Deprecated alias of /v2/security/check
+      responses:
+        '200':
+          description: Security check result
+  /v2/guide/assert:
+    post:
+      summary: Assert output against explicit project rules
+      responses:
+        '200':
+          description: Guide assertion result
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/GuideAssertionResult'
+  /v1/guide/assert:
+    post:
+      deprecated: true
+      summary: Deprecated alias of /v2/guide/assert
+      responses:
+        '200':
+          description: Guide assertion result
+  /v2/runtime/dispatch:
+    post:
+      summary: Dispatch job to runtime adapter
+      responses:
+        '200':
+          description: Runtime dispatch result
+  /v1/runtime/dispatch:
+    post:
+      deprecated: true
+      summary: Deprecated alias of /v2/runtime/dispatch
+      responses:
+        '200':
+          description: Runtime dispatch result
+  /v2/registry/verify:
+    post:
+      summary: Verify supply-chain artifact
+      responses:
+        '200':
+          description: Verification decision
+  /v1/registry/verify:
+    post:
+      deprecated: true
+      summary: Deprecated alias of /v2/registry/verify
+      responses:
+        '200':
+          description: Verification decision
+  /v2/lab/jobs:
+    post:
+      summary: Create lab pipeline job
+      responses:
+        '201':
+          description: Created
+  /v1/lab/jobs:
+    post:
+      deprecated: true
+      summary: Deprecated alias of /v2/lab/jobs
+      responses:
+        '201':
+          description: Created
+  /v2/scoreboard/baseline:
+    get:
+      summary: Return baseline scorecard
+      responses:
+        '200':
+          description: KPI baseline snapshot
+  /v1/scoreboard/baseline:
+    get:
+      deprecated: true
+      summary: Deprecated alias of /v2/scoreboard/baseline
+      responses:
+        '200':
+          description: KPI baseline snapshot
+components:
+  schemas:
+    PolicyInput:
+      type: object
+      properties:
+        tool:
+          type: string
+        input:
+          type: object
+      additionalProperties: true
+    PolicyDecision:
+      type: object
+      required: [action, risk_level, reason, controls]
+      properties:
+        action:
+          type: string
+          enum: [allow, ask, deny]
+        risk_level:
+          type: string
+          enum: [low, med, high, critical]
+        reason:
+          type: string
+        controls:
+          type: array
+          items:
+            type: string
+    TrustReview:
+      type: object
+      required: [changed_files, mcp_changes, hook_changes, env_changes, risk_score, verdict]
+      properties:
+        changed_files:
+          type: array
+          items: { type: string }
+        mcp_changes:
+          type: array
+          items: { type: object }
+        hook_changes:
+          type: object
+        env_changes:
+          type: array
+          items: { type: object }
+        risk_score:
+          type: integer
+        verdict:
+          type: string
+    SecurityCheckInput:
+      type: object
+      properties:
+        scope:
+          type: string
+          default: "."
+          description: Directory scope to scan
+        include_live_enrichment:
+          type: boolean
+          default: false
+          description: Whether to include live enrichment data
+        external_inputs:
+          type: array
+          nullable: true
+          items:
+            type: object
+          description: External input sources to include in provenance
+        waivers:
+          type: array
+          nullable: true
+          items:
+            oneOf:
+              - type: string
+              - type: object
+          description: Finding identifiers or waiver objects to suppress matched findings
+      additionalProperties: false
+    SecurityCheckResult:
+      type: object
+      required: [schema, status, scope, findings, summary, provenance, trust_scores]
+      properties:
+        schema:
+          type: string
+        status:
+          type: string
+        scope:
+          type: string
+        findings:
+          type: array
+          items:
+            type: object
+        summary:
+          type: object
+        provenance:
+          type: array
+          items:
+            type: object
+        trust_scores:
+          type: object
+    GuideAssertionResult:
+      type: object
+      required: [schema, verdict, violations, summary]
+      properties:
+        schema:
+          type: string
+        verdict:
+          type: string
+        violations:
+          type: array
+          items:
+            type: object
+        summary:
+          type: object

package/control_plane/server.py

@@ -0,0 +1,147 @@
+"""Lightweight HTTP server for OMG control-plane APIs."""
+from __future__ import annotations
+
+import argparse
+import sys
+from http.server import BaseHTTPRequestHandler, HTTPServer
+import json
+from typing import Any
+
+from control_plane.service import ControlPlaneService
+
+
+def _json_response(handler: BaseHTTPRequestHandler, status: int, payload: dict[str, Any]) -> None:
+    body = json.dumps(payload, ensure_ascii=True).encode("utf-8")
+    handler.send_response(status)
+    handler.send_header("Content-Type", "application/json")
+    handler.send_header("Content-Length", str(len(body)))
+    handler.end_headers()
+    handler.wfile.write(body)
+
+
+def _read_json(handler: BaseHTTPRequestHandler) -> dict[str, Any]:
+    length = int(handler.headers.get("Content-Length", "0"))
+    if length <= 0:
+        return {}
+    raw = handler.rfile.read(length)
+    if not raw:
+        return {}
+    try:
+        parsed = json.loads(raw.decode("utf-8"))
+        return parsed if isinstance(parsed, dict) else {}
+    except json.JSONDecodeError:
+        return {}
+
+
+_POST_ROUTE_TABLE = {
+    "/v2/policy/evaluate": ("policy_evaluate", False),
+    "/v1/policy/evaluate": ("policy_evaluate", True),
+    "/v2/trust/review": ("trust_review", False),
+    "/v1/trust/review": ("trust_review", True),
+    "/v2/evidence/ingest": ("evidence_ingest", False),
+    "/v1/evidence/ingest": ("evidence_ingest", True),
+    "/v2/security/check": ("security_check", False),
+    "/v1/security/check": ("security_check", True),
+    "/v2/guide/assert": ("guide_assert", False),
+    "/v1/guide/assert": ("guide_assert", True),
+    "/v2/runtime/dispatch": ("runtime_dispatch", False),
+    "/v1/runtime/dispatch": ("runtime_dispatch", True),
+    "/v2/registry/verify": ("registry_verify", False),
+    "/v1/registry/verify": ("registry_verify", True),
+    "/v2/lab/jobs": ("lab_jobs", False),
+    "/v1/lab/jobs": ("lab_jobs", True),
+}
+
+_GET_ROUTE_TABLE = {
+    "/v2/scoreboard/baseline": ("scoreboard_baseline", False),
+    "/v1/scoreboard/baseline": ("scoreboard_baseline", True),
+}
+
+
+def _decorate_payload(payload: dict[str, Any], *, deprecated: bool) -> dict[str, Any]:
+    decorated = dict(payload)
+    decorated["api_version"] = "v2"
+    if deprecated:
+        decorated["deprecated"] = True
+        decorated["deprecated_alias"] = "v1"
+    return decorated
+
+
+def make_handler(service: ControlPlaneService):
+    class Handler(BaseHTTPRequestHandler):
+        def do_GET(self) -> None:  # noqa: N802
+            route = _GET_ROUTE_TABLE.get(self.path)
+            if route is not None:
+                method_name, deprecated = route
+                status, payload = getattr(service, method_name)()
+                _json_response(self, status, _decorate_payload(payload, deprecated=deprecated))
+                return
+            _json_response(self, 404, {"status": "error", "message": "Not found"})
+
+        def do_POST(self) -> None:  # noqa: N802
+            payload = _read_json(self)
+            route = _POST_ROUTE_TABLE.get(self.path)
+            if route is not None:
+                method_name, deprecated = route
+                status, out = getattr(service, method_name)(payload)
+                _json_response(self, status, _decorate_payload(out, deprecated=deprecated))
+                return
+
+            _json_response(self, 404, {"status": "error", "message": "Not found"})
+
+        def log_message(self, format: str, *args: Any) -> None:  # noqa: A003
+            # Quiet default request logs; keep response JSON clean for local usage.
+            return
+
+    return Handler
+
+
+def run_server(host: str = "127.0.0.1", port: int = 8787, project_dir: str | None = None) -> None:
+    service = ControlPlaneService(project_dir=project_dir)
+    handler = make_handler(service)
+    server = HTTPServer((host, port), handler)
+    try:
+        server.serve_forever()
+    finally:
+        server.server_close()
+
+
+_LOOPBACK_HOSTS = frozenset({"127.0.0.1", "localhost", "::1"})
+
+
+def _main() -> int:
+    parser = argparse.ArgumentParser(description="Run OMG control-plane API server")
+    parser.add_argument("--host", default="127.0.0.1")
+    parser.add_argument("--port", type=int, default=8787)
+    parser.add_argument("--project-dir", default=None)
+    parser.add_argument(
+        "--unsafe", action="store_true",
+        help="Allow binding to non-loopback addresses (no auth; use at own risk)",
+    )
+    parser.add_argument(
+        "--dev", action="store_true",
+        help="Development mode — implies --unsafe for non-loopback binding",
+    )
+    args = parser.parse_args()
+
+    if args.host not in _LOOPBACK_HOSTS:
+        if not (args.unsafe or args.dev):
+            print(
+                f"ERROR: Binding to '{args.host}' exposes the control plane to the network.\n"
+                "No authentication is configured. This is blocked by default.\n"
+                "Pass --unsafe or --dev to override.",
+                file=sys.stderr,
+            )
+            return 1
+        print(
+            f"⚠ WARNING: Binding to {args.host} with {'--unsafe' if args.unsafe else '--dev'} flag. "
+            "No authentication is configured.",
+            file=sys.stderr,
+        )
+
+    run_server(args.host, args.port, args.project_dir)
+    return 0
+
+
+if __name__ == "__main__":
+    raise SystemExit(_main())

package/control_plane/service.py

@@ -0,0 +1,222 @@
+"""Control plane service handlers for OMG v1."""
+from __future__ import annotations
+
+from datetime import datetime, timezone
+import os
+from typing import Any
+
+from hooks.policy_engine import (
+    evaluate_bash_command,
+    evaluate_file_access,
+    evaluate_supply_artifact,
+)
+from hooks.security_validators import validate_opaque_identifier
+from hooks.shadow_manager import create_evidence_pack
+from hooks.trust_review import review_config_change
+from lab.pipeline import run_pipeline
+from registry.verify_artifact import verify_artifact
+from runtime.guide_assert import guide_assert
+from runtime.dispatcher import dispatch_runtime
+from runtime.security_check import run_security_check
+
+
+class ControlPlaneService:
+    def __init__(self, project_dir: str | None = None):
+        self.project_dir = project_dir or os.environ.get("CLAUDE_PROJECT_DIR", os.getcwd())
+
+    def policy_evaluate(self, payload: dict[str, Any]) -> tuple[int, dict[str, Any]]:
+        tool = str(payload.get("tool", ""))
+        input_data = payload.get("input", {})
+
+        if tool == "Bash":
+            command = str((input_data or {}).get("command", ""))
+            decision = evaluate_bash_command(command)
+            return 200, decision.to_dict()
+
+        if tool in {"Read", "Write", "Edit", "MultiEdit"}:
+            file_path = str((input_data or {}).get("file_path", ""))
+            decision = evaluate_file_access(tool, file_path)
+            return 200, decision.to_dict()
+
+        if tool == "SupplyArtifact":
+            artifact = payload.get("artifact", {})
+            mode = str(payload.get("mode", "warn_and_run"))
+            decision = evaluate_supply_artifact(artifact, mode=mode)
+            return 200, decision.to_dict()
+
+        return 400, {
+            "status": "error",
+            "error_code": "INVALID_POLICY_INPUT",
+            "message": "Unsupported tool for policy evaluation",
+        }
+
+    def trust_review(self, payload: dict[str, Any]) -> tuple[int, dict[str, Any]]:
+        file_path = str(payload.get("file_path", "settings.json"))
+        old_config = payload.get("old_config", {})
+        new_config = payload.get("new_config", {})
+        if not isinstance(old_config, dict) or not isinstance(new_config, dict):
+            return 400, {
+                "status": "error",
+                "error_code": "INVALID_TRUST_INPUT",
+                "message": "old_config and new_config must be objects",
+            }
+        review = review_config_change(file_path, old_config, new_config)
+        return 200, review
+
+    def evidence_ingest(self, payload: dict[str, Any]) -> tuple[int, dict[str, Any]]:
+        run_id = str(payload.get("run_id", "")).strip()
+        required = ["tests", "security_scans", "diff_summary", "reproducibility", "unresolved_risks"]
+        missing = [key for key in required if key not in payload]
+
+        if not run_id:
+            return 400, {
+                "status": "error",
+                "error_code": "INVALID_EVIDENCE_INPUT",
+                "message": "run_id is required",
+            }
+        try:
+            run_id = validate_opaque_identifier(run_id, "run_id")
+        except ValueError as exc:
+            return 400, {
+                "status": "error",
+                "error_code": "INVALID_EVIDENCE_INPUT",
+                "message": str(exc),
+            }
+        if missing:
+            return 400, {
+                "status": "error",
+                "error_code": "INVALID_EVIDENCE_INPUT",
+                "message": f"Missing required fields: {', '.join(missing)}",
+            }
+
+        path = create_evidence_pack(
+            self.project_dir,
+            run_id,
+            tests=payload.get("tests"),
+            security_scans=payload.get("security_scans"),
+            diff_summary=payload.get("diff_summary"),
+            reproducibility=payload.get("reproducibility"),
+            unresolved_risks=payload.get("unresolved_risks"),
+            provenance=payload.get("provenance"),
+            trust_scores=payload.get("trust_scores"),
+            api_twin=payload.get("api_twin"),
+            route_metadata=payload.get("route_metadata"),
+            trace_ids=payload.get("trace_ids"),
+            lineage=payload.get("lineage"),
+        )
+        return 202, {
+            "status": "accepted",
+            "run_id": run_id,
+            "evidence_path": os.path.relpath(path, self.project_dir),
+        }
+
+    def security_check(self, payload: dict[str, Any]) -> tuple[int, dict[str, Any]]:
+        scope = str(payload.get("scope", "."))
+        include_live_enrichment = bool(payload.get("include_live_enrichment", False))
+        external_inputs = payload.get("external_inputs")
+        waivers = payload.get("waivers")
+        
+        # Normalize external_inputs: must be list of dicts or None
+        if external_inputs is not None:
+            if not isinstance(external_inputs, list):
+                return 400, {
+                    "status": "error",
+                    "error_code": "INVALID_EXTERNAL_INPUTS",
+                    "message": "external_inputs must be a list of objects or null",
+                }
+            # Validate each item is a dict
+            for item in external_inputs:
+                if not isinstance(item, dict):
+                    return 400, {
+                        "status": "error",
+                        "error_code": "INVALID_EXTERNAL_INPUTS",
+                        "message": "each item in external_inputs must be an object",
+                    }
+
+        if waivers is not None:
+            if not isinstance(waivers, list):
+                return 400, {
+                    "status": "error",
+                    "error_code": "INVALID_WAIVERS",
+                    "message": "waivers must be a list of finding identifiers or objects",
+                }
+            for item in waivers:
+                if not isinstance(item, (str, dict)):
+                    return 400, {
+                        "status": "error",
+                        "error_code": "INVALID_WAIVERS",
+                        "message": "each waiver must be a string or object",
+                    }
+
+        result = run_security_check(
+            project_dir=self.project_dir,
+            scope=scope,
+            include_live_enrichment=include_live_enrichment,
+            external_inputs=external_inputs,
+            waivers=waivers,
+        )
+        return 200, result
+
+    def guide_assert(self, payload: dict[str, Any]) -> tuple[int, dict[str, Any]]:
+        candidate = str(payload.get("candidate", ""))
+        rules = payload.get("rules", {})
+        if not isinstance(rules, dict):
+            return 400, {
+                "status": "error",
+                "error_code": "INVALID_GUIDE_INPUT",
+                "message": "rules must be an object",
+            }
+        return 200, guide_assert(candidate, rules)
+
+    def runtime_dispatch(self, payload: dict[str, Any]) -> tuple[int, dict[str, Any]]:
+        runtime = str(payload.get("runtime", "")).strip()
+        idea = payload.get("idea", {})
+        if not runtime:
+            return 400, {
+                "status": "error",
+                "error_code": "INVALID_RUNTIME_INPUT",
+                "message": "runtime is required",
+            }
+        if not isinstance(idea, dict):
+            return 400, {
+                "status": "error",
+                "error_code": "INVALID_RUNTIME_INPUT",
+                "message": "idea must be an object",
+            }
+        result = dispatch_runtime(runtime, idea)
+        if result.get("status") == "error":
+            return 400, result
+        return 200, result
+
+    def registry_verify(self, payload: dict[str, Any]) -> tuple[int, dict[str, Any]]:
+        artifact = payload.get("artifact", {})
+        mode = str(payload.get("mode", "warn_and_run"))
+        if not isinstance(artifact, dict):
+            return 400, {
+                "status": "error",
+                "error_code": "INVALID_REGISTRY_INPUT",
+                "message": "artifact must be an object",
+            }
+        decision = verify_artifact(artifact, mode=mode)
+        return 200, decision
+
+    def lab_jobs(self, payload: dict[str, Any]) -> tuple[int, dict[str, Any]]:
+        if not isinstance(payload, dict):
+            return 400, {
+                "status": "error",
+                "error_code": "INVALID_LAB_INPUT",
+                "message": "job payload must be an object",
+            }
+        result = run_pipeline(payload)
+        return 201 if result.get("status") in {"ready", "failed_evaluation"} else 400, result
+
+    def scoreboard_baseline(self) -> tuple[int, dict[str, Any]]:
+        return 200, {
+            "generated_at": datetime.now(timezone.utc).isoformat(),
+            "baseline": {
+                "safe_autonomy_rate": 0.0,
+                "pr_throughput": 0.0,
+                "adoption_velocity": 0.0,
+            },
+            "target_policy": "non-regression-or-better",
+        }

package/dist/enterprise/bundle/.agents/skills/omg/AGENTS.fragment.md

@@ -1,5 +1,52 @@
-# OMG Codex Protection Rules
+# OMG Codex Governance (channel: enterprise)
 
-- Channel: `enterprise`
-- Protect `.omg/`, `.agents/`, `.codex/`, and `.claude/` from unreviewed mutation.
+## Build & Test
+
+```bash
+python3 -m pytest tests -q
+python3 scripts/omg.py contract validate
+python3 scripts/omg.py contract compile --host codex --channel enterprise
+```
+
+## Protected Paths
+
+The following paths require tier-gated review before mutation:
+
+- `.omg/**`
+- `.agents/**`
+- `.codex/**`
+- `.claude/**`
+
+## Evidence Contract
+
+Every production action must emit evidence containing these fields:
+
+- `executor`
+- `lineage`
+- `timestamp`
+- `trace_id`
+
+## Required Skills
+
+- `omg/control-plane`
+- `omg/mcp-fabric`
+
+## Web Search Policy
+
+- Prefer cached results over live network requests.
+- Do NOT initiate live web searches unless explicitly instructed.
+- Use `context7` or local documentation before external lookups.
+- Set `cached_web_search: prefer_cached` as the default.
+
+## Approval Constraints
+
+- Destructive file operations require explicit user approval.
+- `git push --force` and branch deletions require explicit approval.
+- Production deployments require explicit approval.
+- Mutations to protected paths require tier-gated approval.
+
+## Rules & Automations
+
+- Rules: `protected_paths, explicit_invocation`
+- Automations: `contract-compile, release-readiness`
 - Require explicit invocation for production-control-plane skills.

package/dist/enterprise/bundle/.agents/skills/omg/algorithms/SKILL.md

@@ -0,0 +1,11 @@
+---
+name: omg-algorithms
+description: "Determinism and benchmark attachments for algorithm-heavy work."
+---
+
+# OMG Algorithms Pack
+
+- Channel: `enterprise`
+- Execution modes: `embedded, local_supervisor`
+- MCP servers: `omg-control`
+- Evidence outputs: `.omg/evals/latest.json`