@trac3er/oh-my-god 2.0.5 → 2.0.8
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.agents/skills/omg/AGENTS.fragment.md +57 -4
- package/.agents/skills/omg/claim-judge/SKILL.md +11 -0
- package/.agents/skills/omg/claim-judge/openai.yaml +13 -0
- package/.agents/skills/omg/codex-rules.md +33 -0
- package/.agents/skills/omg/plan-council/SKILL.md +11 -0
- package/.agents/skills/omg/plan-council/openai.yaml +12 -0
- package/.agents/skills/omg/proof-gate/SKILL.md +11 -0
- package/.agents/skills/omg/proof-gate/openai.yaml +13 -0
- package/.agents/skills/omg/test-intent-lock/SKILL.md +11 -0
- package/.agents/skills/omg/test-intent-lock/openai.yaml +13 -0
- package/.claude-plugin/marketplace.json +5 -5
- package/.claude-plugin/plugin.json +1 -1
- package/.claude-plugin/scripts/uninstall.sh +1 -1
- package/.mcp.json +0 -22
- package/CHANGELOG.md +20 -0
- package/OMG-setup.sh +64 -14
- package/OMG_COMPAT_CONTRACT.md +8 -1
- package/README.md +9 -7
- package/agents/omg-security-auditor.md +1 -1
- package/artifacts/release/.agents/skills/omg/AGENTS.fragment.md +58 -0
- package/artifacts/release/.agents/skills/omg/algorithms/SKILL.md +11 -0
- package/artifacts/release/.agents/skills/omg/algorithms/openai.yaml +11 -0
- package/artifacts/release/.agents/skills/omg/api-twin/SKILL.md +11 -0
- package/artifacts/release/.agents/skills/omg/api-twin/openai.yaml +12 -0
- package/artifacts/release/.agents/skills/omg/claim-judge/SKILL.md +11 -0
- package/artifacts/release/.agents/skills/omg/claim-judge/openai.yaml +13 -0
- package/artifacts/release/.agents/skills/omg/codex-mcp.toml +4 -0
- package/artifacts/release/.agents/skills/omg/codex-rules.md +33 -0
- package/artifacts/release/.agents/skills/omg/control-plane/SKILL.md +11 -0
- package/artifacts/release/.agents/skills/omg/control-plane/openai.yaml +14 -0
- package/artifacts/release/.agents/skills/omg/data-lineage/SKILL.md +11 -0
- package/artifacts/release/.agents/skills/omg/data-lineage/openai.yaml +12 -0
- package/artifacts/release/.agents/skills/omg/delta-classifier/SKILL.md +11 -0
- package/artifacts/release/.agents/skills/omg/delta-classifier/openai.yaml +12 -0
- package/artifacts/release/.agents/skills/omg/eval-gate/SKILL.md +11 -0
- package/artifacts/release/.agents/skills/omg/eval-gate/openai.yaml +12 -0
- package/artifacts/release/.agents/skills/omg/health/SKILL.md +11 -0
- package/artifacts/release/.agents/skills/omg/health/openai.yaml +11 -0
- package/artifacts/release/.agents/skills/omg/hook-governor/SKILL.md +11 -0
- package/artifacts/release/.agents/skills/omg/hook-governor/openai.yaml +11 -0
- package/artifacts/release/.agents/skills/omg/incident-replay/SKILL.md +11 -0
- package/artifacts/release/.agents/skills/omg/incident-replay/openai.yaml +12 -0
- package/artifacts/release/.agents/skills/omg/lsp-pack/SKILL.md +11 -0
- package/artifacts/release/.agents/skills/omg/lsp-pack/openai.yaml +11 -0
- package/artifacts/release/.agents/skills/omg/mcp-fabric/SKILL.md +11 -0
- package/artifacts/release/.agents/skills/omg/mcp-fabric/openai.yaml +13 -0
- package/artifacts/release/.agents/skills/omg/plan-council/SKILL.md +11 -0
- package/artifacts/release/.agents/skills/omg/plan-council/openai.yaml +12 -0
- package/artifacts/release/.agents/skills/omg/preflight/SKILL.md +11 -0
- package/artifacts/release/.agents/skills/omg/preflight/openai.yaml +12 -0
- package/artifacts/release/.agents/skills/omg/proof-gate/SKILL.md +11 -0
- package/artifacts/release/.agents/skills/omg/proof-gate/openai.yaml +13 -0
- package/artifacts/release/.agents/skills/omg/remote-supervisor/SKILL.md +11 -0
- package/artifacts/release/.agents/skills/omg/remote-supervisor/openai.yaml +12 -0
- package/artifacts/release/.agents/skills/omg/robotics/SKILL.md +11 -0
- package/artifacts/release/.agents/skills/omg/robotics/openai.yaml +11 -0
- package/artifacts/release/.agents/skills/omg/secure-worktree-pipeline/SKILL.md +11 -0
- package/artifacts/release/.agents/skills/omg/secure-worktree-pipeline/openai.yaml +12 -0
- package/artifacts/release/.agents/skills/omg/security-check/SKILL.md +11 -0
- package/artifacts/release/.agents/skills/omg/security-check/openai.yaml +13 -0
- package/artifacts/release/.agents/skills/omg/test-intent-lock/SKILL.md +11 -0
- package/artifacts/release/.agents/skills/omg/test-intent-lock/openai.yaml +13 -0
- package/artifacts/release/.agents/skills/omg/tracebank/SKILL.md +11 -0
- package/artifacts/release/.agents/skills/omg/tracebank/openai.yaml +12 -0
- package/artifacts/release/.agents/skills/omg/vision/SKILL.md +11 -0
- package/artifacts/release/.agents/skills/omg/vision/openai.yaml +11 -0
- package/artifacts/release/.claude-plugin/marketplace.json +36 -0
- package/artifacts/release/.claude-plugin/plugin.json +23 -0
- package/artifacts/release/.mcp.json +18 -0
- package/artifacts/release/OMG_COMPAT_CONTRACT.md +99 -0
- package/artifacts/release/dist/enterprise/bundle/.agents/skills/omg/AGENTS.fragment.md +58 -0
- package/artifacts/release/dist/enterprise/bundle/.agents/skills/omg/algorithms/SKILL.md +11 -0
- package/artifacts/release/dist/enterprise/bundle/.agents/skills/omg/algorithms/openai.yaml +11 -0
- package/artifacts/release/dist/enterprise/bundle/.agents/skills/omg/api-twin/SKILL.md +11 -0
- package/artifacts/release/dist/enterprise/bundle/.agents/skills/omg/api-twin/openai.yaml +12 -0
- package/artifacts/release/dist/enterprise/bundle/.agents/skills/omg/claim-judge/SKILL.md +11 -0
- package/artifacts/release/dist/enterprise/bundle/.agents/skills/omg/claim-judge/openai.yaml +13 -0
- package/artifacts/release/dist/enterprise/bundle/.agents/skills/omg/codex-mcp.toml +4 -0
- package/artifacts/release/dist/enterprise/bundle/.agents/skills/omg/codex-rules.md +33 -0
- package/artifacts/release/dist/enterprise/bundle/.agents/skills/omg/control-plane/SKILL.md +11 -0
- package/artifacts/release/dist/enterprise/bundle/.agents/skills/omg/control-plane/openai.yaml +14 -0
- package/artifacts/release/dist/enterprise/bundle/.agents/skills/omg/data-lineage/SKILL.md +11 -0
- package/artifacts/release/dist/enterprise/bundle/.agents/skills/omg/data-lineage/openai.yaml +12 -0
- package/artifacts/release/dist/enterprise/bundle/.agents/skills/omg/delta-classifier/SKILL.md +11 -0
- package/artifacts/release/dist/enterprise/bundle/.agents/skills/omg/delta-classifier/openai.yaml +12 -0
- package/artifacts/release/dist/enterprise/bundle/.agents/skills/omg/eval-gate/SKILL.md +11 -0
- package/artifacts/release/dist/enterprise/bundle/.agents/skills/omg/eval-gate/openai.yaml +12 -0
- package/artifacts/release/dist/enterprise/bundle/.agents/skills/omg/health/SKILL.md +11 -0
- package/artifacts/release/dist/enterprise/bundle/.agents/skills/omg/health/openai.yaml +11 -0
- package/artifacts/release/dist/enterprise/bundle/.agents/skills/omg/hook-governor/SKILL.md +11 -0
- package/artifacts/release/dist/enterprise/bundle/.agents/skills/omg/hook-governor/openai.yaml +11 -0
- package/artifacts/release/dist/enterprise/bundle/.agents/skills/omg/incident-replay/SKILL.md +11 -0
- package/artifacts/release/dist/enterprise/bundle/.agents/skills/omg/incident-replay/openai.yaml +12 -0
- package/artifacts/release/dist/enterprise/bundle/.agents/skills/omg/lsp-pack/SKILL.md +11 -0
- package/artifacts/release/dist/enterprise/bundle/.agents/skills/omg/lsp-pack/openai.yaml +11 -0
- package/artifacts/release/dist/enterprise/bundle/.agents/skills/omg/mcp-fabric/SKILL.md +11 -0
- package/artifacts/release/dist/enterprise/bundle/.agents/skills/omg/mcp-fabric/openai.yaml +13 -0
- package/artifacts/release/dist/enterprise/bundle/.agents/skills/omg/plan-council/SKILL.md +11 -0
- package/artifacts/release/dist/enterprise/bundle/.agents/skills/omg/plan-council/openai.yaml +12 -0
- package/artifacts/release/dist/enterprise/bundle/.agents/skills/omg/preflight/SKILL.md +11 -0
- package/artifacts/release/dist/enterprise/bundle/.agents/skills/omg/preflight/openai.yaml +12 -0
- package/artifacts/release/dist/enterprise/bundle/.agents/skills/omg/proof-gate/SKILL.md +11 -0
- package/artifacts/release/dist/enterprise/bundle/.agents/skills/omg/proof-gate/openai.yaml +13 -0
- package/artifacts/release/dist/enterprise/bundle/.agents/skills/omg/remote-supervisor/SKILL.md +11 -0
- package/artifacts/release/dist/enterprise/bundle/.agents/skills/omg/remote-supervisor/openai.yaml +12 -0
- package/artifacts/release/dist/enterprise/bundle/.agents/skills/omg/robotics/SKILL.md +11 -0
- package/artifacts/release/dist/enterprise/bundle/.agents/skills/omg/robotics/openai.yaml +11 -0
- package/artifacts/release/dist/enterprise/bundle/.agents/skills/omg/secure-worktree-pipeline/SKILL.md +11 -0
- package/artifacts/release/dist/enterprise/bundle/.agents/skills/omg/secure-worktree-pipeline/openai.yaml +12 -0
- package/artifacts/release/dist/enterprise/bundle/.agents/skills/omg/security-check/SKILL.md +11 -0
- package/artifacts/release/dist/enterprise/bundle/.agents/skills/omg/security-check/openai.yaml +13 -0
- package/artifacts/release/dist/enterprise/bundle/.agents/skills/omg/test-intent-lock/SKILL.md +11 -0
- package/artifacts/release/dist/enterprise/bundle/.agents/skills/omg/test-intent-lock/openai.yaml +13 -0
- package/artifacts/release/dist/enterprise/bundle/.agents/skills/omg/tracebank/SKILL.md +11 -0
- package/artifacts/release/dist/enterprise/bundle/.agents/skills/omg/tracebank/openai.yaml +12 -0
- package/artifacts/release/dist/enterprise/bundle/.agents/skills/omg/vision/SKILL.md +11 -0
- package/artifacts/release/dist/enterprise/bundle/.agents/skills/omg/vision/openai.yaml +11 -0
- package/artifacts/release/dist/enterprise/bundle/.claude-plugin/marketplace.json +36 -0
- package/artifacts/release/dist/enterprise/bundle/.claude-plugin/plugin.json +23 -0
- package/artifacts/release/dist/enterprise/bundle/.mcp.json +18 -0
- package/artifacts/release/dist/enterprise/bundle/OMG_COMPAT_CONTRACT.md +99 -0
- package/artifacts/release/dist/enterprise/bundle/plugins/advanced/commands/OMG:code-review.md +114 -0
- package/artifacts/release/dist/enterprise/bundle/plugins/advanced/commands/OMG:deep-plan.md +266 -0
- package/artifacts/release/dist/enterprise/bundle/plugins/advanced/commands/OMG:handoff.md +115 -0
- package/artifacts/release/dist/enterprise/bundle/plugins/advanced/commands/OMG:learn.md +110 -0
- package/artifacts/release/dist/enterprise/bundle/plugins/advanced/commands/OMG:maintainer.md +31 -0
- package/artifacts/release/dist/enterprise/bundle/plugins/advanced/commands/OMG:ralph-start.md +43 -0
- package/artifacts/release/dist/enterprise/bundle/plugins/advanced/commands/OMG:ralph-stop.md +23 -0
- package/artifacts/release/dist/enterprise/bundle/plugins/advanced/commands/OMG:security-review.md +16 -0
- package/artifacts/release/dist/enterprise/bundle/plugins/advanced/commands/OMG:sequential-thinking.md +20 -0
- package/artifacts/release/dist/enterprise/bundle/plugins/advanced/commands/OMG:ship.md +46 -0
- package/artifacts/release/dist/enterprise/bundle/plugins/advanced/plugin.json +87 -0
- package/artifacts/release/dist/enterprise/bundle/registry/bundles/algorithms.yaml +45 -0
- package/artifacts/release/dist/enterprise/bundle/registry/bundles/api-twin.yaml +48 -0
- package/artifacts/release/dist/enterprise/bundle/registry/bundles/claim-judge.yaml +49 -0
- package/artifacts/release/dist/enterprise/bundle/registry/bundles/control-plane.yaml +151 -0
- package/artifacts/release/dist/enterprise/bundle/registry/bundles/data-lineage.yaml +47 -0
- package/artifacts/release/dist/enterprise/bundle/registry/bundles/delta-classifier.yaml +47 -0
- package/artifacts/release/dist/enterprise/bundle/registry/bundles/eval-gate.yaml +47 -0
- package/artifacts/release/dist/enterprise/bundle/registry/bundles/health.yaml +45 -0
- package/artifacts/release/dist/enterprise/bundle/registry/bundles/hook-governor.yaml +97 -0
- package/artifacts/release/dist/enterprise/bundle/registry/bundles/incident-replay.yaml +47 -0
- package/artifacts/release/dist/enterprise/bundle/registry/bundles/lsp-pack.yaml +48 -0
- package/artifacts/release/dist/enterprise/bundle/registry/bundles/mcp-fabric.yaml +53 -0
- package/artifacts/release/dist/enterprise/bundle/registry/bundles/plan-council.yaml +51 -0
- package/artifacts/release/dist/enterprise/bundle/registry/bundles/preflight.yaml +48 -0
- package/artifacts/release/dist/enterprise/bundle/registry/bundles/proof-gate.yaml +49 -0
- package/artifacts/release/dist/enterprise/bundle/registry/bundles/remote-supervisor.yaml +49 -0
- package/artifacts/release/dist/enterprise/bundle/registry/bundles/robotics.yaml +45 -0
- package/artifacts/release/dist/enterprise/bundle/registry/bundles/secure-worktree-pipeline.yaml +54 -0
- package/artifacts/release/dist/enterprise/bundle/registry/bundles/security-check.yaml +50 -0
- package/artifacts/release/dist/enterprise/bundle/registry/bundles/test-intent-lock.yaml +49 -0
- package/artifacts/release/dist/enterprise/bundle/registry/bundles/tracebank.yaml +47 -0
- package/artifacts/release/dist/enterprise/bundle/registry/bundles/vision.yaml +45 -0
- package/artifacts/release/dist/enterprise/bundle/registry/omg-capability.schema.json +296 -0
- package/artifacts/release/dist/enterprise/bundle/settings.json +598 -0
- package/artifacts/release/dist/enterprise/manifest.json +351 -0
- package/artifacts/release/dist/public/bundle/.agents/skills/omg/AGENTS.fragment.md +58 -0
- package/artifacts/release/dist/public/bundle/.agents/skills/omg/algorithms/SKILL.md +11 -0
- package/artifacts/release/dist/public/bundle/.agents/skills/omg/algorithms/openai.yaml +11 -0
- package/artifacts/release/dist/public/bundle/.agents/skills/omg/api-twin/SKILL.md +11 -0
- package/artifacts/release/dist/public/bundle/.agents/skills/omg/api-twin/openai.yaml +12 -0
- package/artifacts/release/dist/public/bundle/.agents/skills/omg/claim-judge/SKILL.md +11 -0
- package/artifacts/release/dist/public/bundle/.agents/skills/omg/claim-judge/openai.yaml +13 -0
- package/artifacts/release/dist/public/bundle/.agents/skills/omg/codex-mcp.toml +4 -0
- package/artifacts/release/dist/public/bundle/.agents/skills/omg/codex-rules.md +33 -0
- package/artifacts/release/dist/public/bundle/.agents/skills/omg/control-plane/SKILL.md +11 -0
- package/artifacts/release/dist/public/bundle/.agents/skills/omg/control-plane/openai.yaml +14 -0
- package/artifacts/release/dist/public/bundle/.agents/skills/omg/data-lineage/SKILL.md +11 -0
- package/artifacts/release/dist/public/bundle/.agents/skills/omg/data-lineage/openai.yaml +12 -0
- package/artifacts/release/dist/public/bundle/.agents/skills/omg/delta-classifier/SKILL.md +11 -0
- package/artifacts/release/dist/public/bundle/.agents/skills/omg/delta-classifier/openai.yaml +12 -0
- package/artifacts/release/dist/public/bundle/.agents/skills/omg/eval-gate/SKILL.md +11 -0
- package/artifacts/release/dist/public/bundle/.agents/skills/omg/eval-gate/openai.yaml +12 -0
- package/artifacts/release/dist/public/bundle/.agents/skills/omg/health/SKILL.md +11 -0
- package/artifacts/release/dist/public/bundle/.agents/skills/omg/health/openai.yaml +11 -0
- package/artifacts/release/dist/public/bundle/.agents/skills/omg/hook-governor/SKILL.md +11 -0
- package/artifacts/release/dist/public/bundle/.agents/skills/omg/hook-governor/openai.yaml +11 -0
- package/artifacts/release/dist/public/bundle/.agents/skills/omg/incident-replay/SKILL.md +11 -0
- package/artifacts/release/dist/public/bundle/.agents/skills/omg/incident-replay/openai.yaml +12 -0
- package/artifacts/release/dist/public/bundle/.agents/skills/omg/lsp-pack/SKILL.md +11 -0
- package/artifacts/release/dist/public/bundle/.agents/skills/omg/lsp-pack/openai.yaml +11 -0
- package/artifacts/release/dist/public/bundle/.agents/skills/omg/mcp-fabric/SKILL.md +11 -0
- package/artifacts/release/dist/public/bundle/.agents/skills/omg/mcp-fabric/openai.yaml +13 -0
- package/artifacts/release/dist/public/bundle/.agents/skills/omg/plan-council/SKILL.md +11 -0
- package/artifacts/release/dist/public/bundle/.agents/skills/omg/plan-council/openai.yaml +12 -0
- package/artifacts/release/dist/public/bundle/.agents/skills/omg/preflight/SKILL.md +11 -0
- package/artifacts/release/dist/public/bundle/.agents/skills/omg/preflight/openai.yaml +12 -0
- package/artifacts/release/dist/public/bundle/.agents/skills/omg/proof-gate/SKILL.md +11 -0
- package/artifacts/release/dist/public/bundle/.agents/skills/omg/proof-gate/openai.yaml +13 -0
- package/artifacts/release/dist/public/bundle/.agents/skills/omg/remote-supervisor/SKILL.md +11 -0
- package/artifacts/release/dist/public/bundle/.agents/skills/omg/remote-supervisor/openai.yaml +12 -0
- package/artifacts/release/dist/public/bundle/.agents/skills/omg/robotics/SKILL.md +11 -0
- package/artifacts/release/dist/public/bundle/.agents/skills/omg/robotics/openai.yaml +11 -0
- package/artifacts/release/dist/public/bundle/.agents/skills/omg/secure-worktree-pipeline/SKILL.md +11 -0
- package/artifacts/release/dist/public/bundle/.agents/skills/omg/secure-worktree-pipeline/openai.yaml +12 -0
- package/artifacts/release/dist/public/bundle/.agents/skills/omg/security-check/SKILL.md +11 -0
- package/artifacts/release/dist/public/bundle/.agents/skills/omg/security-check/openai.yaml +13 -0
- package/artifacts/release/dist/public/bundle/.agents/skills/omg/test-intent-lock/SKILL.md +11 -0
- package/artifacts/release/dist/public/bundle/.agents/skills/omg/test-intent-lock/openai.yaml +13 -0
- package/artifacts/release/dist/public/bundle/.agents/skills/omg/tracebank/SKILL.md +11 -0
- package/artifacts/release/dist/public/bundle/.agents/skills/omg/tracebank/openai.yaml +12 -0
- package/artifacts/release/dist/public/bundle/.agents/skills/omg/vision/SKILL.md +11 -0
- package/artifacts/release/dist/public/bundle/.agents/skills/omg/vision/openai.yaml +11 -0
- package/artifacts/release/dist/public/bundle/.claude-plugin/marketplace.json +36 -0
- package/artifacts/release/dist/public/bundle/.claude-plugin/plugin.json +23 -0
- package/artifacts/release/dist/public/bundle/.mcp.json +18 -0
- package/artifacts/release/dist/public/bundle/OMG_COMPAT_CONTRACT.md +99 -0
- package/artifacts/release/dist/public/bundle/plugins/advanced/commands/OMG:code-review.md +114 -0
- package/artifacts/release/dist/public/bundle/plugins/advanced/commands/OMG:deep-plan.md +266 -0
- package/artifacts/release/dist/public/bundle/plugins/advanced/commands/OMG:handoff.md +115 -0
- package/artifacts/release/dist/public/bundle/plugins/advanced/commands/OMG:learn.md +110 -0
- package/artifacts/release/dist/public/bundle/plugins/advanced/commands/OMG:maintainer.md +31 -0
- package/artifacts/release/dist/public/bundle/plugins/advanced/commands/OMG:ralph-start.md +43 -0
- package/artifacts/release/dist/public/bundle/plugins/advanced/commands/OMG:ralph-stop.md +23 -0
- package/artifacts/release/dist/public/bundle/plugins/advanced/commands/OMG:security-review.md +16 -0
- package/artifacts/release/dist/public/bundle/plugins/advanced/commands/OMG:sequential-thinking.md +20 -0
- package/artifacts/release/dist/public/bundle/plugins/advanced/commands/OMG:ship.md +46 -0
- package/artifacts/release/dist/public/bundle/plugins/advanced/plugin.json +87 -0
- package/artifacts/release/dist/public/bundle/registry/bundles/algorithms.yaml +45 -0
- package/artifacts/release/dist/public/bundle/registry/bundles/api-twin.yaml +48 -0
- package/artifacts/release/dist/public/bundle/registry/bundles/claim-judge.yaml +49 -0
- package/artifacts/release/dist/public/bundle/registry/bundles/control-plane.yaml +151 -0
- package/artifacts/release/dist/public/bundle/registry/bundles/data-lineage.yaml +47 -0
- package/artifacts/release/dist/public/bundle/registry/bundles/delta-classifier.yaml +47 -0
- package/artifacts/release/dist/public/bundle/registry/bundles/eval-gate.yaml +47 -0
- package/artifacts/release/dist/public/bundle/registry/bundles/health.yaml +45 -0
- package/artifacts/release/dist/public/bundle/registry/bundles/hook-governor.yaml +97 -0
- package/artifacts/release/dist/public/bundle/registry/bundles/incident-replay.yaml +47 -0
- package/artifacts/release/dist/public/bundle/registry/bundles/lsp-pack.yaml +48 -0
- package/artifacts/release/dist/public/bundle/registry/bundles/mcp-fabric.yaml +53 -0
- package/artifacts/release/dist/public/bundle/registry/bundles/plan-council.yaml +51 -0
- package/artifacts/release/dist/public/bundle/registry/bundles/preflight.yaml +48 -0
- package/artifacts/release/dist/public/bundle/registry/bundles/proof-gate.yaml +49 -0
- package/artifacts/release/dist/public/bundle/registry/bundles/remote-supervisor.yaml +49 -0
- package/artifacts/release/dist/public/bundle/registry/bundles/robotics.yaml +45 -0
- package/artifacts/release/dist/public/bundle/registry/bundles/secure-worktree-pipeline.yaml +54 -0
- package/artifacts/release/dist/public/bundle/registry/bundles/security-check.yaml +50 -0
- package/artifacts/release/dist/public/bundle/registry/bundles/test-intent-lock.yaml +49 -0
- package/artifacts/release/dist/public/bundle/registry/bundles/tracebank.yaml +47 -0
- package/artifacts/release/dist/public/bundle/registry/bundles/vision.yaml +45 -0
- package/artifacts/release/dist/public/bundle/registry/omg-capability.schema.json +296 -0
- package/artifacts/release/dist/public/bundle/settings.json +598 -0
- package/artifacts/release/dist/public/manifest.json +351 -0
- package/artifacts/release/plugins/advanced/commands/OMG:code-review.md +114 -0
- package/artifacts/release/plugins/advanced/commands/OMG:deep-plan.md +266 -0
- package/artifacts/release/plugins/advanced/commands/OMG:handoff.md +115 -0
- package/artifacts/release/plugins/advanced/commands/OMG:learn.md +110 -0
- package/artifacts/release/plugins/advanced/commands/OMG:maintainer.md +31 -0
- package/artifacts/release/plugins/advanced/commands/OMG:ralph-start.md +43 -0
- package/artifacts/release/plugins/advanced/commands/OMG:ralph-stop.md +23 -0
- package/artifacts/release/plugins/advanced/commands/OMG:security-review.md +16 -0
- package/artifacts/release/plugins/advanced/commands/OMG:sequential-thinking.md +20 -0
- package/artifacts/release/plugins/advanced/commands/OMG:ship.md +46 -0
- package/artifacts/release/plugins/advanced/plugin.json +87 -0
- package/artifacts/release/registry/bundles/algorithms.yaml +45 -0
- package/artifacts/release/registry/bundles/api-twin.yaml +48 -0
- package/artifacts/release/registry/bundles/claim-judge.yaml +49 -0
- package/artifacts/release/registry/bundles/control-plane.yaml +151 -0
- package/artifacts/release/registry/bundles/data-lineage.yaml +47 -0
- package/artifacts/release/registry/bundles/delta-classifier.yaml +47 -0
- package/artifacts/release/registry/bundles/eval-gate.yaml +47 -0
- package/artifacts/release/registry/bundles/health.yaml +45 -0
- package/artifacts/release/registry/bundles/hook-governor.yaml +97 -0
- package/artifacts/release/registry/bundles/incident-replay.yaml +47 -0
- package/artifacts/release/registry/bundles/lsp-pack.yaml +48 -0
- package/artifacts/release/registry/bundles/mcp-fabric.yaml +53 -0
- package/artifacts/release/registry/bundles/plan-council.yaml +51 -0
- package/artifacts/release/registry/bundles/preflight.yaml +48 -0
- package/artifacts/release/registry/bundles/proof-gate.yaml +49 -0
- package/artifacts/release/registry/bundles/remote-supervisor.yaml +49 -0
- package/artifacts/release/registry/bundles/robotics.yaml +45 -0
- package/artifacts/release/registry/bundles/secure-worktree-pipeline.yaml +54 -0
- package/artifacts/release/registry/bundles/security-check.yaml +50 -0
- package/artifacts/release/registry/bundles/test-intent-lock.yaml +49 -0
- package/artifacts/release/registry/bundles/tracebank.yaml +47 -0
- package/artifacts/release/registry/bundles/vision.yaml +45 -0
- package/artifacts/release/registry/omg-capability.schema.json +296 -0
- package/artifacts/release/settings.json +598 -0
- package/build/lib/agents/__init__.py +1 -0
- package/build/lib/agents/designer.md +67 -0
- package/build/lib/agents/explore.md +60 -0
- package/build/lib/agents/model_roles.py +196 -0
- package/build/lib/agents/omg-api-builder.md +23 -0
- package/build/lib/agents/omg-architect-mode.md +41 -0
- package/build/lib/agents/omg-architect.md +13 -0
- package/build/lib/agents/omg-backend-engineer.md +41 -0
- package/build/lib/agents/omg-critic.md +16 -0
- package/build/lib/agents/omg-database-engineer.md +41 -0
- package/build/lib/agents/omg-escalation-router.md +17 -0
- package/build/lib/agents/omg-executor.md +12 -0
- package/build/lib/agents/omg-frontend-designer.md +41 -0
- package/build/lib/agents/omg-implement-mode.md +49 -0
- package/build/lib/agents/omg-infra-engineer.md +41 -0
- package/build/lib/agents/omg-qa-tester.md +16 -0
- package/build/lib/agents/omg-research-mode.md +41 -0
- package/build/lib/agents/omg-security-auditor.md +41 -0
- package/build/lib/agents/omg-testing-engineer.md +41 -0
- package/build/lib/agents/plan.md +80 -0
- package/build/lib/agents/quick_task.md +64 -0
- package/build/lib/agents/reviewer.md +83 -0
- package/build/lib/agents/task.md +71 -0
- package/build/lib/commands/OMG:ai-commit.md +113 -0
- package/build/lib/commands/OMG:api-twin.md +22 -0
- package/build/lib/commands/OMG:arch.md +313 -0
- package/build/lib/commands/OMG:ccg.md +22 -0
- package/build/lib/commands/OMG:compat.md +57 -0
- package/build/lib/commands/OMG:cost.md +181 -0
- package/build/lib/commands/OMG:crazy.md +125 -0
- package/build/lib/commands/OMG:create-agent.md +183 -0
- package/build/lib/commands/OMG:deps.md +248 -0
- package/build/lib/commands/OMG:doctor.md +37 -0
- package/build/lib/commands/OMG:domain-init.md +11 -0
- package/build/lib/commands/OMG:escalate.md +52 -0
- package/build/lib/commands/OMG:health-check.md +45 -0
- package/build/lib/commands/OMG:init.md +134 -0
- package/build/lib/commands/OMG:mode.md +44 -0
- package/build/lib/commands/OMG:preflight.md +26 -0
- package/build/lib/commands/OMG:project-init.md +11 -0
- package/build/lib/commands/OMG:ralph-start.md +43 -0
- package/build/lib/commands/OMG:ralph-stop.md +23 -0
- package/build/lib/commands/OMG:security-check.md +28 -0
- package/build/lib/commands/OMG:session-branch.md +85 -0
- package/build/lib/commands/OMG:session-fork.md +53 -0
- package/build/lib/commands/OMG:session-merge.md +134 -0
- package/build/lib/commands/OMG:setup.md +78 -0
- package/build/lib/commands/OMG:stats.md +225 -0
- package/build/lib/commands/OMG:teams.md +39 -0
- package/build/lib/commands/OMG:theme.md +44 -0
- package/build/lib/commands/__init__.py +1 -0
- package/build/lib/control_plane/__init__.py +2 -0
- package/build/lib/control_plane/openapi.yaml +260 -0
- package/build/lib/control_plane/server.py +147 -0
- package/build/lib/control_plane/service.py +222 -0
- package/build/lib/hooks/__init__.py +0 -0
- package/build/lib/hooks/_agent_registry.py +423 -0
- package/build/lib/hooks/_analytics.py +291 -0
- package/build/lib/hooks/_budget.py +31 -0
- package/build/lib/hooks/_common.py +569 -0
- package/build/lib/hooks/_compression_optimizer.py +119 -0
- package/build/lib/hooks/_cost_ledger.py +176 -0
- package/build/lib/hooks/_learnings.py +126 -0
- package/build/lib/hooks/_memory.py +103 -0
- package/build/lib/hooks/_protected_context.py +150 -0
- package/build/lib/hooks/_token_counter.py +221 -0
- package/build/lib/hooks/branch_manager.py +236 -0
- package/build/lib/hooks/budget_governor.py +232 -0
- package/build/lib/hooks/circuit-breaker.py +270 -0
- package/build/lib/hooks/compression_feedback.py +254 -0
- package/build/lib/hooks/config-guard.py +216 -0
- package/build/lib/hooks/context_pressure.py +53 -0
- package/build/lib/hooks/credential_store.py +1020 -0
- package/build/lib/hooks/fetch-rate-limits.py +212 -0
- package/build/lib/hooks/firewall.py +48 -0
- package/build/lib/hooks/hashline-formatter-bridge.py +224 -0
- package/build/lib/hooks/hashline-injector.py +273 -0
- package/build/lib/hooks/hashline-validator.py +216 -0
- package/build/lib/hooks/idle-detector.py +95 -0
- package/build/lib/hooks/intentgate-keyword-detector.py +188 -0
- package/build/lib/hooks/magic-keyword-router.py +195 -0
- package/build/lib/hooks/policy_engine.py +641 -0
- package/build/lib/hooks/post-tool-failure.py +19 -0
- package/build/lib/hooks/post-write.py +219 -0
- package/build/lib/hooks/post_write.py +46 -0
- package/build/lib/hooks/pre-compact.py +398 -0
- package/build/lib/hooks/pre-tool-inject.py +98 -0
- package/build/lib/hooks/prompt-enhancer.py +672 -0
- package/build/lib/hooks/quality-runner.py +191 -0
- package/build/lib/hooks/query.py +512 -0
- package/build/lib/hooks/secret-guard.py +61 -0
- package/build/lib/hooks/secret_audit.py +144 -0
- package/build/lib/hooks/security_validators.py +75 -0
- package/build/lib/hooks/session-end-capture.py +137 -0
- package/build/lib/hooks/session-start.py +277 -0
- package/build/lib/hooks/setup_wizard.py +646 -0
- package/build/lib/hooks/shadow_manager.py +344 -0
- package/build/lib/hooks/state_migration.py +225 -0
- package/build/lib/hooks/stop-gate.py +7 -0
- package/build/lib/hooks/stop_dispatcher.py +945 -0
- package/build/lib/hooks/test-validator.py +361 -0
- package/build/lib/hooks/test_generator_hook.py +123 -0
- package/build/lib/hooks/todo-state-tracker.py +114 -0
- package/build/lib/hooks/tool-ledger.py +149 -0
- package/build/lib/hooks/trust_review.py +585 -0
- package/build/lib/plugins/README.md +60 -0
- package/build/lib/plugins/__init__.py +1 -0
- package/build/lib/plugins/advanced/commands/OMG:code-review.md +114 -0
- package/build/lib/plugins/advanced/commands/OMG:deep-plan.md +266 -0
- package/build/lib/plugins/advanced/commands/OMG:handoff.md +115 -0
- package/build/lib/plugins/advanced/commands/OMG:learn.md +110 -0
- package/build/lib/plugins/advanced/commands/OMG:maintainer.md +31 -0
- package/build/lib/plugins/advanced/commands/OMG:ralph-start.md +43 -0
- package/build/lib/plugins/advanced/commands/OMG:ralph-stop.md +23 -0
- package/build/lib/plugins/advanced/commands/OMG:security-review.md +16 -0
- package/build/lib/plugins/advanced/commands/OMG:sequential-thinking.md +20 -0
- package/build/lib/plugins/advanced/commands/OMG:ship.md +46 -0
- package/build/lib/plugins/advanced/plugin.json +87 -0
- package/build/lib/plugins/core/plugin.json +145 -0
- package/build/lib/plugins/dephealth/__init__.py +0 -0
- package/build/lib/plugins/dephealth/cve_scanner.py +188 -0
- package/build/lib/plugins/dephealth/license_checker.py +135 -0
- package/build/lib/plugins/dephealth/manifest_detector.py +423 -0
- package/build/lib/plugins/dephealth/vuln_analyzer.py +169 -0
- package/build/lib/plugins/testgen/__init__.py +0 -0
- package/build/lib/plugins/testgen/codamosa_engine.py +402 -0
- package/build/lib/plugins/testgen/edge_case_synthesizer.py +184 -0
- package/build/lib/plugins/testgen/framework_detector.py +271 -0
- package/build/lib/plugins/testgen/skeleton_generator.py +219 -0
- package/build/lib/plugins/viz/__init__.py +0 -0
- package/build/lib/plugins/viz/ast_parser.py +139 -0
- package/build/lib/plugins/viz/diagram_generator.py +192 -0
- package/build/lib/plugins/viz/graph_builder.py +444 -0
- package/build/lib/plugins/viz/native_parsers.py +259 -0
- package/build/lib/plugins/viz/regex_parser.py +112 -0
- package/build/lib/registry/__init__.py +1 -0
- package/build/lib/registry/bundles/algorithms.yaml +45 -0
- package/build/lib/registry/bundles/api-twin.yaml +48 -0
- package/build/lib/registry/bundles/claim-judge.yaml +49 -0
- package/build/lib/registry/bundles/control-plane.yaml +151 -0
- package/build/lib/registry/bundles/data-lineage.yaml +47 -0
- package/build/lib/registry/bundles/delta-classifier.yaml +47 -0
- package/build/lib/registry/bundles/eval-gate.yaml +47 -0
- package/build/lib/registry/bundles/health.yaml +45 -0
- package/build/lib/registry/bundles/hook-governor.yaml +97 -0
- package/build/lib/registry/bundles/incident-replay.yaml +47 -0
- package/build/lib/registry/bundles/lsp-pack.yaml +48 -0
- package/build/lib/registry/bundles/mcp-fabric.yaml +53 -0
- package/build/lib/registry/bundles/plan-council.yaml +51 -0
- package/build/lib/registry/bundles/preflight.yaml +48 -0
- package/build/lib/registry/bundles/proof-gate.yaml +49 -0
- package/build/lib/registry/bundles/remote-supervisor.yaml +49 -0
- package/build/lib/registry/bundles/robotics.yaml +45 -0
- package/build/lib/registry/bundles/secure-worktree-pipeline.yaml +54 -0
- package/build/lib/registry/bundles/security-check.yaml +50 -0
- package/build/lib/registry/bundles/test-intent-lock.yaml +49 -0
- package/build/lib/registry/bundles/tracebank.yaml +47 -0
- package/build/lib/registry/bundles/vision.yaml +45 -0
- package/build/lib/registry/omg-capability.schema.json +296 -0
- package/build/lib/registry/verify_artifact.py +90 -0
- package/build/lib/runtime/__init__.py +32 -0
- package/build/lib/runtime/adapters/__init__.py +13 -0
- package/build/lib/runtime/adapters/claude.py +63 -0
- package/build/lib/runtime/adapters/gpt.py +56 -0
- package/build/lib/runtime/adapters/local.py +56 -0
- package/build/lib/runtime/adoption.py +212 -0
- package/build/lib/runtime/api_twin.py +450 -0
- package/build/lib/runtime/asset_loader.py +62 -0
- package/build/lib/runtime/business_workflow.py +234 -0
- package/build/lib/runtime/claim_judge.py +95 -0
- package/build/lib/runtime/cli_provider.py +85 -0
- package/build/lib/runtime/compat.py +1459 -0
- package/build/lib/runtime/contract_compiler.py +1989 -0
- package/build/lib/runtime/custom_agent_loader.py +366 -0
- package/build/lib/runtime/data_lineage.py +73 -0
- package/build/lib/runtime/delta_classifier.py +81 -0
- package/build/lib/runtime/dispatcher.py +47 -0
- package/build/lib/runtime/domain_packs.py +46 -0
- package/build/lib/runtime/ecosystem.py +371 -0
- package/build/lib/runtime/eval_gate.py +96 -0
- package/build/lib/runtime/guide_assert.py +45 -0
- package/build/lib/runtime/incident_replay.py +47 -0
- package/build/lib/runtime/legacy_compat.py +7 -0
- package/build/lib/runtime/mcp_config_writers.py +233 -0
- package/build/lib/runtime/mcp_lifecycle.py +175 -0
- package/build/lib/runtime/mcp_memory_server.py +135 -0
- package/build/lib/runtime/memory_parsers/__init__.py +0 -0
- package/build/lib/runtime/memory_parsers/chatgpt_parser.py +257 -0
- package/build/lib/runtime/memory_parsers/claude_import.py +107 -0
- package/build/lib/runtime/memory_parsers/export.py +97 -0
- package/build/lib/runtime/memory_parsers/gemini_import.py +91 -0
- package/build/lib/runtime/memory_parsers/kimi_import.py +91 -0
- package/build/lib/runtime/memory_store.py +215 -0
- package/build/lib/runtime/omc_compat.py +7 -0
- package/build/lib/runtime/omg_compat_contract_snapshot.json +916 -0
- package/build/lib/runtime/omg_contract_snapshot.json +916 -0
- package/build/lib/runtime/omg_mcp_server.py +212 -0
- package/build/lib/runtime/playwright_pack.py +169 -0
- package/build/lib/runtime/preflight.py +117 -0
- package/build/lib/runtime/proof_chain.py +228 -0
- package/build/lib/runtime/proof_gate.py +163 -0
- package/build/lib/runtime/providers/__init__.py +0 -0
- package/build/lib/runtime/providers/codex_provider.py +102 -0
- package/build/lib/runtime/providers/gemini_provider.py +109 -0
- package/build/lib/runtime/providers/kimi_provider.py +132 -0
- package/build/lib/runtime/remote_supervisor.py +64 -0
- package/build/lib/runtime/runtime_profile.py +61 -0
- package/build/lib/runtime/security_check.py +965 -0
- package/build/lib/runtime/subagent_dispatcher.py +469 -0
- package/build/lib/runtime/team_router.py +1167 -0
- package/build/lib/runtime/test_intent_lock.py +91 -0
- package/build/lib/runtime/tmux_session_manager.py +169 -0
- package/build/lib/runtime/tracebank.py +95 -0
- package/build/lib/runtime/untrusted_content.py +269 -0
- package/commands/OMG:doctor.md +37 -0
- package/commands/OMG:preflight.md +1 -1
- package/control_plane/openapi.yaml +33 -1
- package/control_plane/server.py +26 -2
- package/control_plane/service.py +37 -0
- package/dist/enterprise/bundle/.agents/skills/omg/AGENTS.fragment.md +57 -4
- package/dist/enterprise/bundle/.agents/skills/omg/claim-judge/SKILL.md +11 -0
- package/dist/enterprise/bundle/.agents/skills/omg/claim-judge/openai.yaml +13 -0
- package/dist/enterprise/bundle/.agents/skills/omg/codex-rules.md +33 -0
- package/dist/enterprise/bundle/.agents/skills/omg/plan-council/SKILL.md +11 -0
- package/dist/enterprise/bundle/.agents/skills/omg/plan-council/openai.yaml +12 -0
- package/dist/enterprise/bundle/.agents/skills/omg/proof-gate/SKILL.md +11 -0
- package/dist/enterprise/bundle/.agents/skills/omg/proof-gate/openai.yaml +13 -0
- package/dist/enterprise/bundle/.agents/skills/omg/test-intent-lock/SKILL.md +11 -0
- package/dist/enterprise/bundle/.agents/skills/omg/test-intent-lock/openai.yaml +13 -0
- package/dist/enterprise/bundle/.claude-plugin/marketplace.json +5 -5
- package/dist/enterprise/bundle/.claude-plugin/plugin.json +1 -1
- package/dist/enterprise/bundle/.mcp.json +0 -22
- package/dist/enterprise/bundle/OMG_COMPAT_CONTRACT.md +8 -1
- package/dist/enterprise/bundle/plugins/advanced/commands/OMG:code-review.md +114 -0
- package/dist/enterprise/bundle/plugins/advanced/commands/OMG:deep-plan.md +266 -0
- package/dist/enterprise/bundle/plugins/advanced/commands/OMG:handoff.md +115 -0
- package/dist/enterprise/bundle/plugins/advanced/commands/OMG:learn.md +110 -0
- package/dist/enterprise/bundle/plugins/advanced/commands/OMG:maintainer.md +31 -0
- package/dist/enterprise/bundle/plugins/advanced/commands/OMG:ralph-start.md +43 -0
- package/dist/enterprise/bundle/plugins/advanced/commands/OMG:ralph-stop.md +23 -0
- package/dist/enterprise/bundle/plugins/advanced/commands/OMG:security-review.md +16 -0
- package/dist/enterprise/bundle/plugins/advanced/commands/OMG:sequential-thinking.md +20 -0
- package/dist/enterprise/bundle/plugins/advanced/commands/OMG:ship.md +46 -0
- package/dist/enterprise/bundle/plugins/advanced/plugin.json +87 -0
- package/dist/enterprise/bundle/registry/bundles/algorithms.yaml +1 -1
- package/dist/enterprise/bundle/registry/bundles/api-twin.yaml +1 -1
- package/dist/enterprise/bundle/registry/bundles/claim-judge.yaml +49 -0
- package/dist/enterprise/bundle/registry/bundles/control-plane.yaml +91 -1
- package/dist/enterprise/bundle/registry/bundles/data-lineage.yaml +1 -1
- package/dist/enterprise/bundle/registry/bundles/delta-classifier.yaml +1 -1
- package/dist/enterprise/bundle/registry/bundles/eval-gate.yaml +1 -1
- package/dist/enterprise/bundle/registry/bundles/health.yaml +1 -1
- package/dist/enterprise/bundle/registry/bundles/hook-governor.yaml +1 -1
- package/dist/enterprise/bundle/registry/bundles/incident-replay.yaml +1 -1
- package/dist/enterprise/bundle/registry/bundles/lsp-pack.yaml +1 -1
- package/dist/enterprise/bundle/registry/bundles/mcp-fabric.yaml +1 -1
- package/dist/enterprise/bundle/registry/bundles/plan-council.yaml +51 -0
- package/dist/enterprise/bundle/registry/bundles/preflight.yaml +1 -1
- package/dist/enterprise/bundle/registry/bundles/proof-gate.yaml +49 -0
- package/dist/enterprise/bundle/registry/bundles/remote-supervisor.yaml +1 -1
- package/dist/enterprise/bundle/registry/bundles/robotics.yaml +1 -1
- package/dist/enterprise/bundle/registry/bundles/secure-worktree-pipeline.yaml +1 -1
- package/dist/enterprise/bundle/registry/bundles/security-check.yaml +1 -1
- package/dist/enterprise/bundle/registry/bundles/test-intent-lock.yaml +49 -0
- package/dist/enterprise/bundle/registry/bundles/tracebank.yaml +1 -1
- package/dist/enterprise/bundle/registry/bundles/vision.yaml +1 -1
- package/dist/enterprise/bundle/registry/omg-capability.schema.json +217 -1
- package/dist/enterprise/bundle/settings.json +223 -6
- package/dist/enterprise/manifest.json +122 -26
- package/dist/public/bundle/.agents/skills/omg/AGENTS.fragment.md +57 -4
- package/dist/public/bundle/.agents/skills/omg/claim-judge/SKILL.md +11 -0
- package/dist/public/bundle/.agents/skills/omg/claim-judge/openai.yaml +13 -0
- package/dist/public/bundle/.agents/skills/omg/codex-rules.md +33 -0
- package/dist/public/bundle/.agents/skills/omg/plan-council/SKILL.md +11 -0
- package/dist/public/bundle/.agents/skills/omg/plan-council/openai.yaml +12 -0
- package/dist/public/bundle/.agents/skills/omg/proof-gate/SKILL.md +11 -0
- package/dist/public/bundle/.agents/skills/omg/proof-gate/openai.yaml +13 -0
- package/dist/public/bundle/.agents/skills/omg/test-intent-lock/SKILL.md +11 -0
- package/dist/public/bundle/.agents/skills/omg/test-intent-lock/openai.yaml +13 -0
- package/dist/public/bundle/.claude-plugin/marketplace.json +5 -5
- package/dist/public/bundle/.claude-plugin/plugin.json +1 -1
- package/dist/public/bundle/.mcp.json +0 -22
- package/dist/public/bundle/OMG_COMPAT_CONTRACT.md +8 -1
- package/dist/public/bundle/plugins/advanced/commands/OMG:code-review.md +114 -0
- package/dist/public/bundle/plugins/advanced/commands/OMG:deep-plan.md +266 -0
- package/dist/public/bundle/plugins/advanced/commands/OMG:handoff.md +115 -0
- package/dist/public/bundle/plugins/advanced/commands/OMG:learn.md +110 -0
- package/dist/public/bundle/plugins/advanced/commands/OMG:maintainer.md +31 -0
- package/dist/public/bundle/plugins/advanced/commands/OMG:ralph-start.md +43 -0
- package/dist/public/bundle/plugins/advanced/commands/OMG:ralph-stop.md +23 -0
- package/dist/public/bundle/plugins/advanced/commands/OMG:security-review.md +16 -0
- package/dist/public/bundle/plugins/advanced/commands/OMG:sequential-thinking.md +20 -0
- package/dist/public/bundle/plugins/advanced/commands/OMG:ship.md +46 -0
- package/dist/public/bundle/plugins/advanced/plugin.json +87 -0
- package/dist/public/bundle/registry/bundles/algorithms.yaml +1 -1
- package/dist/public/bundle/registry/bundles/api-twin.yaml +1 -1
- package/dist/public/bundle/registry/bundles/claim-judge.yaml +49 -0
- package/dist/public/bundle/registry/bundles/control-plane.yaml +91 -1
- package/dist/public/bundle/registry/bundles/data-lineage.yaml +1 -1
- package/dist/public/bundle/registry/bundles/delta-classifier.yaml +1 -1
- package/dist/public/bundle/registry/bundles/eval-gate.yaml +1 -1
- package/dist/public/bundle/registry/bundles/health.yaml +1 -1
- package/dist/public/bundle/registry/bundles/hook-governor.yaml +1 -1
- package/dist/public/bundle/registry/bundles/incident-replay.yaml +1 -1
- package/dist/public/bundle/registry/bundles/lsp-pack.yaml +1 -1
- package/dist/public/bundle/registry/bundles/mcp-fabric.yaml +1 -1
- package/dist/public/bundle/registry/bundles/plan-council.yaml +51 -0
- package/dist/public/bundle/registry/bundles/preflight.yaml +1 -1
- package/dist/public/bundle/registry/bundles/proof-gate.yaml +49 -0
- package/dist/public/bundle/registry/bundles/remote-supervisor.yaml +1 -1
- package/dist/public/bundle/registry/bundles/robotics.yaml +1 -1
- package/dist/public/bundle/registry/bundles/secure-worktree-pipeline.yaml +1 -1
- package/dist/public/bundle/registry/bundles/security-check.yaml +1 -1
- package/dist/public/bundle/registry/bundles/test-intent-lock.yaml +49 -0
- package/dist/public/bundle/registry/bundles/tracebank.yaml +1 -1
- package/dist/public/bundle/registry/bundles/vision.yaml +1 -1
- package/dist/public/bundle/registry/omg-capability.schema.json +217 -1
- package/dist/public/bundle/settings.json +222 -3
- package/dist/public/manifest.json +122 -26
- package/docs/proof.md +22 -12
- package/docs/release-checklist.md +2 -0
- package/hooks/policy_engine.py +122 -17
- package/hooks/setup_wizard.py +52 -12
- package/hooks/shadow_manager.py +21 -0
- package/package.json +2 -2
- package/plugins/README.md +5 -1
- package/plugins/advanced/commands/OMG:deep-plan.md +51 -6
- package/plugins/advanced/commands/OMG:ship.md +1 -1
- package/plugins/advanced/plugin.json +1 -10
- package/plugins/core/plugin.json +7 -1
- package/pyproject.toml +6 -2
- package/registry/bundles/algorithms.yaml +1 -1
- package/registry/bundles/api-twin.yaml +1 -1
- package/registry/bundles/claim-judge.yaml +49 -0
- package/registry/bundles/control-plane.yaml +91 -1
- package/registry/bundles/data-lineage.yaml +1 -1
- package/registry/bundles/delta-classifier.yaml +1 -1
- package/registry/bundles/eval-gate.yaml +1 -1
- package/registry/bundles/health.yaml +1 -1
- package/registry/bundles/hook-governor.yaml +1 -1
- package/registry/bundles/incident-replay.yaml +1 -1
- package/registry/bundles/lsp-pack.yaml +1 -1
- package/registry/bundles/mcp-fabric.yaml +1 -1
- package/registry/bundles/plan-council.yaml +51 -0
- package/registry/bundles/preflight.yaml +1 -1
- package/registry/bundles/proof-gate.yaml +49 -0
- package/registry/bundles/remote-supervisor.yaml +1 -1
- package/registry/bundles/robotics.yaml +1 -1
- package/registry/bundles/secure-worktree-pipeline.yaml +1 -1
- package/registry/bundles/security-check.yaml +1 -1
- package/registry/bundles/test-intent-lock.yaml +49 -0
- package/registry/bundles/tracebank.yaml +1 -1
- package/registry/bundles/vision.yaml +1 -1
- package/registry/omg-capability.schema.json +217 -1
- package/runtime/adoption.py +1 -1
- package/runtime/api_twin.py +279 -8
- package/runtime/business_workflow.py +14 -0
- package/runtime/claim_judge.py +95 -0
- package/runtime/compat.py +139 -0
- package/runtime/contract_compiler.py +1170 -28
- package/runtime/ecosystem.py +1 -1
- package/runtime/eval_gate.py +48 -2
- package/runtime/mcp_config_writers.py +12 -0
- package/runtime/mcp_lifecycle.py +31 -9
- package/runtime/mcp_memory_server.py +1 -1
- package/runtime/omg_compat_contract_snapshot.json +2 -2
- package/runtime/omg_contract_snapshot.json +2 -2
- package/runtime/omg_mcp_server.py +13 -8
- package/runtime/playwright_pack.py +169 -0
- package/runtime/preflight.py +45 -1
- package/runtime/proof_chain.py +228 -0
- package/runtime/proof_gate.py +163 -0
- package/runtime/security_check.py +523 -22
- package/runtime/team_router.py +6 -6
- package/runtime/test_intent_lock.py +91 -0
- package/runtime/tracebank.py +43 -1
- package/runtime/untrusted_content.py +172 -5
- package/scripts/check-omg-public-ready.py +77 -0
- package/scripts/omg.py +28 -9
- package/scripts/verify-standalone.sh +7 -0
- package/settings.json +223 -6
|
@@ -3,14 +3,17 @@ from __future__ import annotations
|
|
|
3
3
|
|
|
4
4
|
import hashlib
|
|
5
5
|
import asyncio
|
|
6
|
+
import importlib
|
|
6
7
|
import json
|
|
7
8
|
import os
|
|
8
9
|
from pathlib import Path
|
|
10
|
+
import re
|
|
9
11
|
import shutil
|
|
10
12
|
import subprocess
|
|
11
13
|
import sys
|
|
12
14
|
import tempfile
|
|
13
15
|
from typing import Any, Iterable
|
|
16
|
+
from urllib.parse import urlparse
|
|
14
17
|
import zipfile
|
|
15
18
|
|
|
16
19
|
import yaml
|
|
@@ -32,6 +35,10 @@ SUPPORTED_HOSTS = ("claude", "codex")
|
|
|
32
35
|
SUPPORTED_CHANNELS = ("public", "enterprise")
|
|
33
36
|
DEFAULT_REQUIRED_BUNDLES = (
|
|
34
37
|
"control-plane",
|
|
38
|
+
"plan-council",
|
|
39
|
+
"claim-judge",
|
|
40
|
+
"test-intent-lock",
|
|
41
|
+
"proof-gate",
|
|
35
42
|
"hook-governor",
|
|
36
43
|
"mcp-fabric",
|
|
37
44
|
"lsp-pack",
|
|
@@ -50,6 +57,17 @@ DEFAULT_REQUIRED_BUNDLES = (
|
|
|
50
57
|
"data-lineage",
|
|
51
58
|
"remote-supervisor",
|
|
52
59
|
)
|
|
60
|
+
TRUTH_COUNCIL_BUNDLES = (
|
|
61
|
+
"plan-council",
|
|
62
|
+
"claim-judge",
|
|
63
|
+
"test-intent-lock",
|
|
64
|
+
"proof-gate",
|
|
65
|
+
)
|
|
66
|
+
REQUIRED_ADVANCED_PLUGIN_ARTIFACTS = (
|
|
67
|
+
"bundle/plugins/advanced/plugin.json",
|
|
68
|
+
"bundle/plugins/advanced/commands/OMG:deep-plan.md",
|
|
69
|
+
"bundle/plugins/advanced/commands/OMG:security-review.md",
|
|
70
|
+
)
|
|
53
71
|
REQUIRED_DOC_TOKENS = (
|
|
54
72
|
"execution_contract",
|
|
55
73
|
"tool_policy",
|
|
@@ -74,6 +92,237 @@ REQUIRED_BUNDLE_FIELDS = (
|
|
|
74
92
|
"execution_contract",
|
|
75
93
|
"channel_overrides",
|
|
76
94
|
)
|
|
95
|
+
REQUIRED_POLICY_MODEL_FIELDS = (
|
|
96
|
+
"trust_tiers",
|
|
97
|
+
"tool_policies",
|
|
98
|
+
"protected_paths",
|
|
99
|
+
"evidence_contract",
|
|
100
|
+
"host_rules",
|
|
101
|
+
)
|
|
102
|
+
REQUIRED_CLAUDE_HOOK_EVENTS = (
|
|
103
|
+
"UserPromptSubmit",
|
|
104
|
+
"PreToolUse",
|
|
105
|
+
"PostToolUse",
|
|
106
|
+
"PostToolUseFailure",
|
|
107
|
+
"InstructionsLoaded",
|
|
108
|
+
)
|
|
109
|
+
REQUIRED_CLAUDE_SUBAGENT_NAMES = ("security-reviewer", "release-manager")
|
|
110
|
+
REQUIRED_CODEX_AGENTS_SECTIONS = (
|
|
111
|
+
"## Build & Test",
|
|
112
|
+
"## Protected Paths",
|
|
113
|
+
"## Evidence Contract",
|
|
114
|
+
"## Required Skills",
|
|
115
|
+
"## Web Search Policy",
|
|
116
|
+
"## Approval Constraints",
|
|
117
|
+
)
|
|
118
|
+
REQUIRED_CODEX_OUTPUTS = (
|
|
119
|
+
"AGENTS.fragment.md",
|
|
120
|
+
"codex-rules.md",
|
|
121
|
+
"codex-mcp.toml",
|
|
122
|
+
)
|
|
123
|
+
|
|
124
|
+
|
|
125
|
+
def _ensure_list(
|
|
126
|
+
*,
|
|
127
|
+
bundle_id: str,
|
|
128
|
+
path: str,
|
|
129
|
+
value: Any,
|
|
130
|
+
errors: list[str],
|
|
131
|
+
min_items: int = 1,
|
|
132
|
+
) -> list[Any]:
|
|
133
|
+
if not isinstance(value, list):
|
|
134
|
+
errors.append(f"{bundle_id}: {path} must be a list")
|
|
135
|
+
return []
|
|
136
|
+
if len(value) < min_items:
|
|
137
|
+
errors.append(f"{bundle_id}: {path} must contain at least {min_items} item(s)")
|
|
138
|
+
return value
|
|
139
|
+
|
|
140
|
+
|
|
141
|
+
def _ensure_dict(*, bundle_id: str, path: str, value: Any, errors: list[str]) -> dict[str, Any]:
|
|
142
|
+
if not isinstance(value, dict):
|
|
143
|
+
errors.append(f"{bundle_id}: {path} must be an object")
|
|
144
|
+
return {}
|
|
145
|
+
return value
|
|
146
|
+
|
|
147
|
+
|
|
148
|
+
def _validate_host_rule(
|
|
149
|
+
*,
|
|
150
|
+
bundle_id: str,
|
|
151
|
+
host_name: str,
|
|
152
|
+
host_rule: Any,
|
|
153
|
+
required_fields: tuple[str, ...],
|
|
154
|
+
errors: list[str],
|
|
155
|
+
) -> None:
|
|
156
|
+
path = f"policy_model.host_rules.{host_name}"
|
|
157
|
+
host_payload = _ensure_dict(bundle_id=bundle_id, path=path, value=host_rule, errors=errors)
|
|
158
|
+
if not host_payload:
|
|
159
|
+
return
|
|
160
|
+
for field in required_fields:
|
|
161
|
+
if field not in host_payload:
|
|
162
|
+
errors.append(f"{bundle_id}: malformed host_rules entry for {host_name}: missing '{field}'")
|
|
163
|
+
continue
|
|
164
|
+
_ensure_list(
|
|
165
|
+
bundle_id=bundle_id,
|
|
166
|
+
path=f"{path}.{field}",
|
|
167
|
+
value=host_payload[field],
|
|
168
|
+
errors=errors,
|
|
169
|
+
min_items=1,
|
|
170
|
+
)
|
|
171
|
+
|
|
172
|
+
|
|
173
|
+
def _validate_policy_model(bundle_id: str, policy_model: Any) -> list[str]:
|
|
174
|
+
errors: list[str] = []
|
|
175
|
+
payload = _ensure_dict(bundle_id=bundle_id, path="policy_model", value=policy_model, errors=errors)
|
|
176
|
+
if not payload:
|
|
177
|
+
return errors
|
|
178
|
+
|
|
179
|
+
for field in REQUIRED_POLICY_MODEL_FIELDS:
|
|
180
|
+
if field not in payload:
|
|
181
|
+
errors.append(f"{bundle_id}: policy_model missing field {field}")
|
|
182
|
+
|
|
183
|
+
tier_names: set[str] = set()
|
|
184
|
+
for index, tier in enumerate(
|
|
185
|
+
_ensure_list(
|
|
186
|
+
bundle_id=bundle_id,
|
|
187
|
+
path="policy_model.trust_tiers",
|
|
188
|
+
value=payload.get("trust_tiers", []),
|
|
189
|
+
errors=errors,
|
|
190
|
+
)
|
|
191
|
+
):
|
|
192
|
+
tier_payload = _ensure_dict(
|
|
193
|
+
bundle_id=bundle_id,
|
|
194
|
+
path=f"policy_model.trust_tiers[{index}]",
|
|
195
|
+
value=tier,
|
|
196
|
+
errors=errors,
|
|
197
|
+
)
|
|
198
|
+
if not tier_payload:
|
|
199
|
+
continue
|
|
200
|
+
for field in ("name", "level", "label", "allowed_sources"):
|
|
201
|
+
if field not in tier_payload:
|
|
202
|
+
errors.append(f"{bundle_id}: policy_model.trust_tiers[{index}] missing field {field}")
|
|
203
|
+
if isinstance(tier_payload.get("name"), str) and tier_payload["name"].strip():
|
|
204
|
+
tier_names.add(tier_payload["name"].strip())
|
|
205
|
+
if "allowed_sources" in tier_payload:
|
|
206
|
+
_ensure_list(
|
|
207
|
+
bundle_id=bundle_id,
|
|
208
|
+
path=f"policy_model.trust_tiers[{index}].allowed_sources",
|
|
209
|
+
value=tier_payload.get("allowed_sources"),
|
|
210
|
+
errors=errors,
|
|
211
|
+
min_items=1,
|
|
212
|
+
)
|
|
213
|
+
|
|
214
|
+
for index, tool in enumerate(
|
|
215
|
+
_ensure_list(
|
|
216
|
+
bundle_id=bundle_id,
|
|
217
|
+
path="policy_model.tool_policies",
|
|
218
|
+
value=payload.get("tool_policies", []),
|
|
219
|
+
errors=errors,
|
|
220
|
+
)
|
|
221
|
+
):
|
|
222
|
+
tool_payload = _ensure_dict(
|
|
223
|
+
bundle_id=bundle_id,
|
|
224
|
+
path=f"policy_model.tool_policies[{index}]",
|
|
225
|
+
value=tool,
|
|
226
|
+
errors=errors,
|
|
227
|
+
)
|
|
228
|
+
if not tool_payload:
|
|
229
|
+
continue
|
|
230
|
+
for field in ("tool_name", "allowed_tiers", "requires_approval"):
|
|
231
|
+
if field not in tool_payload:
|
|
232
|
+
errors.append(f"{bundle_id}: policy_model.tool_policies[{index}] missing field {field}")
|
|
233
|
+
allowed_tiers = _ensure_list(
|
|
234
|
+
bundle_id=bundle_id,
|
|
235
|
+
path=f"policy_model.tool_policies[{index}].allowed_tiers",
|
|
236
|
+
value=tool_payload.get("allowed_tiers", []),
|
|
237
|
+
errors=errors,
|
|
238
|
+
min_items=1,
|
|
239
|
+
)
|
|
240
|
+
if tier_names:
|
|
241
|
+
unknown_tiers = sorted(
|
|
242
|
+
tier_name
|
|
243
|
+
for tier_name in allowed_tiers
|
|
244
|
+
if isinstance(tier_name, str) and tier_name not in tier_names
|
|
245
|
+
)
|
|
246
|
+
if unknown_tiers:
|
|
247
|
+
errors.append(
|
|
248
|
+
f"{bundle_id}: policy_model.tool_policies[{index}] references unknown tiers {unknown_tiers}"
|
|
249
|
+
)
|
|
250
|
+
|
|
251
|
+
for index, item in enumerate(
|
|
252
|
+
_ensure_list(
|
|
253
|
+
bundle_id=bundle_id,
|
|
254
|
+
path="policy_model.protected_paths",
|
|
255
|
+
value=payload.get("protected_paths", []),
|
|
256
|
+
errors=errors,
|
|
257
|
+
)
|
|
258
|
+
):
|
|
259
|
+
path_payload = _ensure_dict(
|
|
260
|
+
bundle_id=bundle_id,
|
|
261
|
+
path=f"policy_model.protected_paths[{index}]",
|
|
262
|
+
value=item,
|
|
263
|
+
errors=errors,
|
|
264
|
+
)
|
|
265
|
+
if not path_payload:
|
|
266
|
+
continue
|
|
267
|
+
for field in ("path_pattern", "required_tier"):
|
|
268
|
+
if field not in path_payload:
|
|
269
|
+
errors.append(f"{bundle_id}: policy_model.protected_paths[{index}] missing field {field}")
|
|
270
|
+
required_tier = path_payload.get("required_tier")
|
|
271
|
+
if tier_names and isinstance(required_tier, str) and required_tier not in tier_names:
|
|
272
|
+
errors.append(
|
|
273
|
+
f"{bundle_id}: policy_model.protected_paths[{index}] references unknown tier '{required_tier}'"
|
|
274
|
+
)
|
|
275
|
+
|
|
276
|
+
evidence_contract = _ensure_dict(
|
|
277
|
+
bundle_id=bundle_id,
|
|
278
|
+
path="policy_model.evidence_contract",
|
|
279
|
+
value=payload.get("evidence_contract", {}),
|
|
280
|
+
errors=errors,
|
|
281
|
+
)
|
|
282
|
+
for field in ("timestamp", "executor", "trace_id", "lineage"):
|
|
283
|
+
if field not in evidence_contract:
|
|
284
|
+
errors.append(f"{bundle_id}: policy_model.evidence_contract missing field {field}")
|
|
285
|
+
|
|
286
|
+
host_rules = _ensure_dict(
|
|
287
|
+
bundle_id=bundle_id,
|
|
288
|
+
path="policy_model.host_rules",
|
|
289
|
+
value=payload.get("host_rules", {}),
|
|
290
|
+
errors=errors,
|
|
291
|
+
)
|
|
292
|
+
_validate_host_rule(
|
|
293
|
+
bundle_id=bundle_id,
|
|
294
|
+
host_name="claude",
|
|
295
|
+
host_rule=host_rules.get("claude"),
|
|
296
|
+
required_fields=("compilation_targets", "hooks", "subagents", "skills"),
|
|
297
|
+
errors=errors,
|
|
298
|
+
)
|
|
299
|
+
_validate_host_rule(
|
|
300
|
+
bundle_id=bundle_id,
|
|
301
|
+
host_name="codex",
|
|
302
|
+
host_rule=host_rules.get("codex"),
|
|
303
|
+
required_fields=("compilation_targets", "skills", "agents_fragments", "rules", "automations"),
|
|
304
|
+
errors=errors,
|
|
305
|
+
)
|
|
306
|
+
return errors
|
|
307
|
+
|
|
308
|
+
|
|
309
|
+
def _policy_model_for_bundle(bundles: Iterable[dict[str, Any]], bundle_id: str) -> dict[str, Any] | None:
|
|
310
|
+
for bundle in bundles:
|
|
311
|
+
if str(bundle.get("id", "")) == bundle_id and isinstance(bundle.get("policy_model"), dict):
|
|
312
|
+
return dict(bundle["policy_model"])
|
|
313
|
+
return None
|
|
314
|
+
|
|
315
|
+
|
|
316
|
+
def _policy_protected_paths(policy_model: dict[str, Any] | None, *, channel: str) -> list[str]:
|
|
317
|
+
if not policy_model:
|
|
318
|
+
return _protected_paths_for_channel(channel)
|
|
319
|
+
values: list[str] = []
|
|
320
|
+
for item in policy_model.get("protected_paths", []):
|
|
321
|
+
if isinstance(item, dict):
|
|
322
|
+
pattern = str(item.get("path_pattern", "")).strip()
|
|
323
|
+
if pattern:
|
|
324
|
+
values.append(pattern)
|
|
325
|
+
return values or _protected_paths_for_channel(channel)
|
|
77
326
|
|
|
78
327
|
|
|
79
328
|
def _resolve_root(root_dir: str | Path | None) -> Path:
|
|
@@ -211,6 +460,8 @@ def validate_contract_registry(root_dir: str | Path | None = None) -> dict[str,
|
|
|
211
460
|
bad_hosts = [host for host in hosts if host not in SUPPORTED_HOSTS]
|
|
212
461
|
if bad_hosts:
|
|
213
462
|
errors.append(f"{bundle_id}: unsupported hosts {bad_hosts}")
|
|
463
|
+
if "policy_model" in bundle:
|
|
464
|
+
errors.extend(_validate_policy_model(bundle_id, bundle.get("policy_model")))
|
|
214
465
|
|
|
215
466
|
missing_bundles = [bundle_id for bundle_id in DEFAULT_REQUIRED_BUNDLES if bundle_id not in bundle_ids]
|
|
216
467
|
for bundle_id in missing_bundles:
|
|
@@ -244,31 +495,33 @@ def _copy_contract_inputs(root: Path, output_root: Path) -> list[Path]:
|
|
|
244
495
|
dst = output_root / rel_path
|
|
245
496
|
_write_text(dst, src.read_text(encoding="utf-8"))
|
|
246
497
|
copied.append(dst)
|
|
498
|
+
|
|
499
|
+
# Copy advanced plugin artifacts (plugin.json + all command markdown files)
|
|
500
|
+
advanced_plugin_json = Path("plugins") / "advanced" / "plugin.json"
|
|
501
|
+
try:
|
|
502
|
+
src = resolve_asset(advanced_plugin_json)
|
|
503
|
+
dst = output_root / advanced_plugin_json
|
|
504
|
+
_write_text(dst, src.read_text(encoding="utf-8"))
|
|
505
|
+
copied.append(dst)
|
|
506
|
+
except FileNotFoundError:
|
|
507
|
+
pass
|
|
508
|
+
|
|
509
|
+
advanced_commands = resolve_assets(Path("plugins") / "advanced" / "commands", suffix=".md")
|
|
510
|
+
for src in advanced_commands:
|
|
511
|
+
rel = Path("plugins") / "advanced" / "commands" / src.name
|
|
512
|
+
dst = output_root / rel
|
|
513
|
+
_write_text(dst, src.read_text(encoding="utf-8"))
|
|
514
|
+
copied.append(dst)
|
|
515
|
+
|
|
247
516
|
return copied
|
|
248
517
|
|
|
249
518
|
|
|
250
519
|
def _base_mcp_servers() -> dict[str, Any]:
|
|
251
520
|
return {
|
|
252
|
-
"context7": {
|
|
253
|
-
"command": "npx",
|
|
254
|
-
"args": ["@upstash/context7-mcp@2.1.3"],
|
|
255
|
-
},
|
|
256
521
|
"filesystem": {
|
|
257
522
|
"command": "npx",
|
|
258
523
|
"args": ["@modelcontextprotocol/server-filesystem@2026.1.14", "."],
|
|
259
524
|
},
|
|
260
|
-
"websearch": {
|
|
261
|
-
"command": "npx",
|
|
262
|
-
"args": ["@zhafron/mcp-web-search@1.2.2"],
|
|
263
|
-
},
|
|
264
|
-
"chrome-devtools": {
|
|
265
|
-
"command": "npx",
|
|
266
|
-
"args": ["chrome-devtools-mcp@0.19.0"],
|
|
267
|
-
},
|
|
268
|
-
"omg-memory": {
|
|
269
|
-
"type": "http",
|
|
270
|
-
"url": "http://127.0.0.1:8765/mcp",
|
|
271
|
-
},
|
|
272
525
|
"omg-control": {
|
|
273
526
|
"command": "python3",
|
|
274
527
|
"args": ["-m", "runtime.omg_mcp_server"],
|
|
@@ -306,7 +559,7 @@ def _build_claude_marketplace() -> dict[str, Any]:
|
|
|
306
559
|
"description": "Marketplace metadata for the OMG Claude plugin",
|
|
307
560
|
"owner": {"name": "trac3er00"},
|
|
308
561
|
"metadata": {
|
|
309
|
-
"description": "OMG - Oh-My-God for Claude Code",
|
|
562
|
+
"description": "OMG - Oh-My-God for Claude Code and supported agent hosts",
|
|
310
563
|
"version": CANONICAL_VERSION,
|
|
311
564
|
"homepage": CANONICAL_REPO_URL,
|
|
312
565
|
"repository": CANONICAL_REPO_URL,
|
|
@@ -314,7 +567,7 @@ def _build_claude_marketplace() -> dict[str, Any]:
|
|
|
314
567
|
"plugins": [
|
|
315
568
|
{
|
|
316
569
|
"name": CANONICAL_PLUGIN_ID,
|
|
317
|
-
|
|
570
|
+
"description": "OMG plugin layer for Claude Code and supported agent hosts with native setup, orchestration, and interop.",
|
|
318
571
|
"version": CANONICAL_VERSION,
|
|
319
572
|
"source": "./",
|
|
320
573
|
"author": {"name": "trac3er00"},
|
|
@@ -375,12 +628,166 @@ def _protected_paths_for_channel(channel: str) -> list[str]:
|
|
|
375
628
|
return paths
|
|
376
629
|
|
|
377
630
|
|
|
631
|
+
def _default_claude_hook_registrations() -> dict[str, list[dict[str, Any]]]:
|
|
632
|
+
"""Default OMG hook registrations for each required Claude event."""
|
|
633
|
+
return {
|
|
634
|
+
"UserPromptSubmit": [
|
|
635
|
+
{
|
|
636
|
+
"hooks": [
|
|
637
|
+
{
|
|
638
|
+
"type": "command",
|
|
639
|
+
"command": 'python3 "$HOME/.claude/hooks/user-prompt-submit.py"',
|
|
640
|
+
"timeout": 10,
|
|
641
|
+
}
|
|
642
|
+
],
|
|
643
|
+
}
|
|
644
|
+
],
|
|
645
|
+
"PreToolUse": [
|
|
646
|
+
{
|
|
647
|
+
"hooks": [
|
|
648
|
+
{
|
|
649
|
+
"type": "command",
|
|
650
|
+
"command": 'python3 "$HOME/.claude/hooks/firewall.py"',
|
|
651
|
+
"timeout": 10,
|
|
652
|
+
}
|
|
653
|
+
],
|
|
654
|
+
"matcher": "Bash",
|
|
655
|
+
},
|
|
656
|
+
{
|
|
657
|
+
"hooks": [
|
|
658
|
+
{
|
|
659
|
+
"type": "command",
|
|
660
|
+
"command": 'python3 "$HOME/.claude/hooks/secret-guard.py"',
|
|
661
|
+
"timeout": 10,
|
|
662
|
+
}
|
|
663
|
+
],
|
|
664
|
+
"matcher": "Read|Write|Edit|MultiEdit",
|
|
665
|
+
},
|
|
666
|
+
],
|
|
667
|
+
"PostToolUse": [
|
|
668
|
+
{
|
|
669
|
+
"hooks": [
|
|
670
|
+
{
|
|
671
|
+
"type": "command",
|
|
672
|
+
"command": 'python3 "$HOME/.claude/hooks/tool-ledger.py"',
|
|
673
|
+
"timeout": 10,
|
|
674
|
+
}
|
|
675
|
+
],
|
|
676
|
+
"matcher": "Write|Edit|MultiEdit",
|
|
677
|
+
},
|
|
678
|
+
],
|
|
679
|
+
"PostToolUseFailure": [
|
|
680
|
+
{
|
|
681
|
+
"hooks": [
|
|
682
|
+
{
|
|
683
|
+
"type": "command",
|
|
684
|
+
"command": 'python3 "$HOME/.claude/hooks/post-tool-failure.py"',
|
|
685
|
+
}
|
|
686
|
+
],
|
|
687
|
+
}
|
|
688
|
+
],
|
|
689
|
+
"InstructionsLoaded": [
|
|
690
|
+
{
|
|
691
|
+
"hooks": [
|
|
692
|
+
{
|
|
693
|
+
"type": "command",
|
|
694
|
+
"command": 'python3 "$HOME/.claude/hooks/instructions-loaded.py"',
|
|
695
|
+
"timeout": 10,
|
|
696
|
+
}
|
|
697
|
+
],
|
|
698
|
+
}
|
|
699
|
+
],
|
|
700
|
+
}
|
|
701
|
+
|
|
702
|
+
|
|
703
|
+
def _build_claude_subagents(protected_paths: list[str]) -> list[dict[str, Any]]:
|
|
704
|
+
"""Build narrow-tool Claude subagent definitions. No bypassPermissions allowed."""
|
|
705
|
+
return [
|
|
706
|
+
{
|
|
707
|
+
"name": "security-reviewer",
|
|
708
|
+
"description": "Read-only security review subagent with scoped tool access.",
|
|
709
|
+
"tools": [
|
|
710
|
+
"Read",
|
|
711
|
+
"Grep",
|
|
712
|
+
"Glob",
|
|
713
|
+
"Bash(grep *)",
|
|
714
|
+
"Bash(find *)",
|
|
715
|
+
"Bash(git log *)",
|
|
716
|
+
"Bash(git diff *)",
|
|
717
|
+
],
|
|
718
|
+
"bypassPermissions": False,
|
|
719
|
+
},
|
|
720
|
+
{
|
|
721
|
+
"name": "release-manager",
|
|
722
|
+
"description": "Release management subagent with write access governed by protected-path policy.",
|
|
723
|
+
"tools": [
|
|
724
|
+
"Read",
|
|
725
|
+
"Write",
|
|
726
|
+
"Edit",
|
|
727
|
+
"Grep",
|
|
728
|
+
"Glob",
|
|
729
|
+
"Bash(git *)",
|
|
730
|
+
"Bash(python3 scripts/omg.py *)",
|
|
731
|
+
],
|
|
732
|
+
"bypassPermissions": False,
|
|
733
|
+
"protectedPaths": protected_paths,
|
|
734
|
+
},
|
|
735
|
+
]
|
|
736
|
+
|
|
737
|
+
|
|
738
|
+
def _build_claude_skills(policy_model: dict[str, Any] | None) -> list[dict[str, Any]]:
|
|
739
|
+
"""Build Claude skill definitions from the policy model host_rules."""
|
|
740
|
+
skill_refs: list[str] = []
|
|
741
|
+
if isinstance(policy_model, dict):
|
|
742
|
+
host_rules = policy_model.get("host_rules", {})
|
|
743
|
+
if isinstance(host_rules, dict):
|
|
744
|
+
claude_rules = host_rules.get("claude", {})
|
|
745
|
+
if isinstance(claude_rules, dict):
|
|
746
|
+
skill_refs = [str(s) for s in claude_rules.get("skills", []) if str(s).strip()]
|
|
747
|
+
skills: list[dict[str, Any]] = []
|
|
748
|
+
for ref in skill_refs:
|
|
749
|
+
skills.append({"name": ref, "source": f".agents/skills/{ref}/"})
|
|
750
|
+
return skills
|
|
751
|
+
|
|
752
|
+
|
|
753
|
+
def _validate_compiled_claude_output(output_root: Path) -> list[str]:
|
|
754
|
+
"""Validate compiled Claude settings.json contains required hooks and subagents."""
|
|
755
|
+
settings_path = output_root / "settings.json"
|
|
756
|
+
if not settings_path.exists():
|
|
757
|
+
return ["claude: missing compiled settings.json"]
|
|
758
|
+
|
|
759
|
+
settings = _load_json(settings_path)
|
|
760
|
+
errors: list[str] = []
|
|
761
|
+
|
|
762
|
+
hooks = settings.get("hooks", {})
|
|
763
|
+
for event in REQUIRED_CLAUDE_HOOK_EVENTS:
|
|
764
|
+
if event not in hooks or not hooks[event]:
|
|
765
|
+
errors.append(f"claude: missing required hook event '{event}'")
|
|
766
|
+
|
|
767
|
+
omg = settings.get("_omg", {})
|
|
768
|
+
generated = omg.get("generated", {})
|
|
769
|
+
subagents = generated.get("subagents", [])
|
|
770
|
+
subagent_names = {sa.get("name") for sa in subagents if isinstance(sa, dict)}
|
|
771
|
+
for name in REQUIRED_CLAUDE_SUBAGENT_NAMES:
|
|
772
|
+
if name not in subagent_names:
|
|
773
|
+
errors.append(f"claude: missing required subagent '{name}'")
|
|
774
|
+
|
|
775
|
+
for sa in subagents:
|
|
776
|
+
if isinstance(sa, dict) and sa.get("bypassPermissions"):
|
|
777
|
+
errors.append(
|
|
778
|
+
f"claude: subagent '{sa.get('name', '<unknown>')}' has bypassPermissions enabled"
|
|
779
|
+
)
|
|
780
|
+
|
|
781
|
+
return errors
|
|
782
|
+
|
|
783
|
+
|
|
378
784
|
def _compile_claude_outputs(
|
|
379
785
|
*,
|
|
380
786
|
root: Path,
|
|
381
787
|
output_root: Path,
|
|
382
788
|
bundles: list[dict[str, Any]],
|
|
383
789
|
channel: str,
|
|
790
|
+
policy_model: dict[str, Any] | None,
|
|
384
791
|
) -> list[Path]:
|
|
385
792
|
artifacts: list[Path] = []
|
|
386
793
|
|
|
@@ -399,15 +806,28 @@ def _compile_claude_outputs(
|
|
|
399
806
|
settings_path = resolve_asset("settings.json")
|
|
400
807
|
settings = _load_json(settings_path)
|
|
401
808
|
hook_bundle = _bundle_map(bundles)["hook-governor"]
|
|
402
|
-
|
|
809
|
+
compiled_hooks = _compile_hook_settings(hook_bundle)
|
|
810
|
+
defaults = _default_claude_hook_registrations()
|
|
811
|
+
for event in REQUIRED_CLAUDE_HOOK_EVENTS:
|
|
812
|
+
if event not in compiled_hooks or not compiled_hooks[event]:
|
|
813
|
+
compiled_hooks[event] = defaults[event]
|
|
814
|
+
settings["hooks"] = compiled_hooks
|
|
815
|
+
|
|
816
|
+
protected_paths = _policy_protected_paths(policy_model, channel=channel)
|
|
817
|
+
subagents = _build_claude_subagents(protected_paths)
|
|
818
|
+
skills = _build_claude_skills(policy_model)
|
|
819
|
+
|
|
403
820
|
omg_settings = dict(settings.get("_omg", {}))
|
|
404
821
|
omg_settings["_version"] = CANONICAL_VERSION
|
|
405
822
|
omg_settings["generated"] = {
|
|
406
823
|
"contract_version": CANONICAL_VERSION,
|
|
407
824
|
"channel": channel,
|
|
408
825
|
"required_bundles": list(DEFAULT_REQUIRED_BUNDLES),
|
|
409
|
-
"protected_paths":
|
|
826
|
+
"protected_paths": protected_paths,
|
|
410
827
|
"emulated_events": list(hook_bundle.get("lifecycle_hooks", {}).get("emulated", [])),
|
|
828
|
+
"policy_model": policy_model or {},
|
|
829
|
+
"subagents": subagents,
|
|
830
|
+
"skills": skills,
|
|
411
831
|
}
|
|
412
832
|
settings["_omg"] = omg_settings
|
|
413
833
|
_write_json(output_root / "settings.json", settings)
|
|
@@ -458,25 +878,251 @@ def _render_openai_yaml(bundle: dict[str, Any], channel: str) -> str:
|
|
|
458
878
|
return "\n".join(lines) + "\n"
|
|
459
879
|
|
|
460
880
|
|
|
881
|
+
def _codex_skill_refs(policy_model: dict[str, Any] | None) -> list[str]:
|
|
882
|
+
"""Extract skill references from policy_model.host_rules.codex.skills."""
|
|
883
|
+
if not isinstance(policy_model, dict):
|
|
884
|
+
return []
|
|
885
|
+
host_rules = policy_model.get("host_rules", {})
|
|
886
|
+
if not isinstance(host_rules, dict):
|
|
887
|
+
return []
|
|
888
|
+
codex_rules = host_rules.get("codex", {})
|
|
889
|
+
if not isinstance(codex_rules, dict):
|
|
890
|
+
return []
|
|
891
|
+
return [str(s) for s in codex_rules.get("skills", []) if str(s).strip()]
|
|
892
|
+
|
|
893
|
+
|
|
894
|
+
def _codex_evidence_fields(policy_model: dict[str, Any] | None) -> list[str]:
|
|
895
|
+
"""Extract required evidence contract fields from the policy model."""
|
|
896
|
+
if not isinstance(policy_model, dict):
|
|
897
|
+
return []
|
|
898
|
+
ec = policy_model.get("evidence_contract", {})
|
|
899
|
+
if not isinstance(ec, dict):
|
|
900
|
+
return []
|
|
901
|
+
return sorted(ec.keys())
|
|
902
|
+
|
|
903
|
+
|
|
904
|
+
def _codex_protected_planning_skills(bundles: Iterable[dict[str, Any]]) -> list[str]:
|
|
905
|
+
protected: list[str] = []
|
|
906
|
+
for bundle in bundles:
|
|
907
|
+
if "codex" not in bundle.get("hosts", []):
|
|
908
|
+
continue
|
|
909
|
+
if str(bundle.get("kind", "")).strip().lower() != "planning":
|
|
910
|
+
continue
|
|
911
|
+
invocation = bundle.get("invocation_policy", {})
|
|
912
|
+
if not isinstance(invocation, dict):
|
|
913
|
+
continue
|
|
914
|
+
if invocation.get("allow_implicit_invocation") is False:
|
|
915
|
+
protected.append(f"omg/{bundle['id']}")
|
|
916
|
+
return sorted(set(protected))
|
|
917
|
+
|
|
918
|
+
|
|
919
|
+
def _render_codex_agents_fragment(
|
|
920
|
+
*,
|
|
921
|
+
channel: str,
|
|
922
|
+
protected_paths: list[str],
|
|
923
|
+
codex_rules: list[str],
|
|
924
|
+
codex_automations: list[str],
|
|
925
|
+
codex_skills: list[str],
|
|
926
|
+
evidence_fields: list[str],
|
|
927
|
+
protected_planning_skills: list[str],
|
|
928
|
+
) -> str:
|
|
929
|
+
"""Render a comprehensive AGENTS.fragment.md for Codex host."""
|
|
930
|
+
sections: list[str] = []
|
|
931
|
+
|
|
932
|
+
# Header
|
|
933
|
+
sections.append(f"# OMG Codex Governance (channel: {channel})\n")
|
|
934
|
+
|
|
935
|
+
# Build & Test
|
|
936
|
+
sections.append("## Build & Test\n")
|
|
937
|
+
sections.append("```bash")
|
|
938
|
+
sections.append("python3 -m pytest tests -q")
|
|
939
|
+
sections.append("python3 scripts/omg.py contract validate")
|
|
940
|
+
sections.append(f"python3 scripts/omg.py contract compile --host codex --channel {channel}")
|
|
941
|
+
sections.append("```\n")
|
|
942
|
+
|
|
943
|
+
# Protected Paths
|
|
944
|
+
sections.append("## Protected Paths\n")
|
|
945
|
+
sections.append("The following paths require tier-gated review before mutation:\n")
|
|
946
|
+
for path in protected_paths:
|
|
947
|
+
sections.append(f"- `{path}`")
|
|
948
|
+
sections.append("")
|
|
949
|
+
|
|
950
|
+
# Evidence Contract
|
|
951
|
+
sections.append("## Evidence Contract\n")
|
|
952
|
+
sections.append("Every production action must emit evidence containing these fields:\n")
|
|
953
|
+
if evidence_fields:
|
|
954
|
+
for field in evidence_fields:
|
|
955
|
+
sections.append(f"- `{field}`")
|
|
956
|
+
else:
|
|
957
|
+
sections.append("- `timestamp`")
|
|
958
|
+
sections.append("- `executor`")
|
|
959
|
+
sections.append("- `trace_id`")
|
|
960
|
+
sections.append("- `lineage`")
|
|
961
|
+
sections.append("")
|
|
962
|
+
|
|
963
|
+
# Required Skills
|
|
964
|
+
sections.append("## Required Skills\n")
|
|
965
|
+
if codex_skills:
|
|
966
|
+
for skill in codex_skills:
|
|
967
|
+
sections.append(f"- `{skill}`")
|
|
968
|
+
else:
|
|
969
|
+
sections.append("- `omg/control-plane`")
|
|
970
|
+
sections.append("")
|
|
971
|
+
|
|
972
|
+
sections.append("## Protected Planning Surface\n")
|
|
973
|
+
if protected_planning_skills:
|
|
974
|
+
sections.append("Council planning skills are protected and explicit-invocation only:")
|
|
975
|
+
sections.append("")
|
|
976
|
+
for skill in protected_planning_skills:
|
|
977
|
+
sections.append(f"- `{skill}`")
|
|
978
|
+
else:
|
|
979
|
+
sections.append("- No protected planning skills configured.")
|
|
980
|
+
sections.append("")
|
|
981
|
+
|
|
982
|
+
# Web Search Policy
|
|
983
|
+
sections.append("## Web Search Policy\n")
|
|
984
|
+
sections.append("- Prefer cached results over live network requests.")
|
|
985
|
+
sections.append("- Do NOT initiate live web searches unless explicitly instructed.")
|
|
986
|
+
sections.append("- Use `context7` or local documentation before external lookups.")
|
|
987
|
+
sections.append("- Set `cached_web_search: prefer_cached` as the default.\n")
|
|
988
|
+
|
|
989
|
+
# Approval Constraints
|
|
990
|
+
sections.append("## Approval Constraints\n")
|
|
991
|
+
sections.append("- Destructive file operations require explicit user approval.")
|
|
992
|
+
sections.append("- `git push --force` and branch deletions require explicit approval.")
|
|
993
|
+
sections.append("- Production deployments require explicit approval.")
|
|
994
|
+
sections.append("- Mutations to protected paths require tier-gated approval.\n")
|
|
995
|
+
|
|
996
|
+
# Rules & Automations (compact summary)
|
|
997
|
+
sections.append("## Rules & Automations\n")
|
|
998
|
+
rules_str = ", ".join(codex_rules) if codex_rules else "protected_paths, explicit_invocation"
|
|
999
|
+
auto_str = ", ".join(codex_automations) if codex_automations else "contract-compile"
|
|
1000
|
+
sections.append(f"- Rules: `{rules_str}`")
|
|
1001
|
+
sections.append(f"- Automations: `{auto_str}`")
|
|
1002
|
+
sections.append("- Require explicit invocation for protected production planning skills.")
|
|
1003
|
+
sections.append("")
|
|
1004
|
+
|
|
1005
|
+
return "\n".join(sections)
|
|
1006
|
+
|
|
1007
|
+
|
|
1008
|
+
def _render_codex_rules(
|
|
1009
|
+
*,
|
|
1010
|
+
channel: str,
|
|
1011
|
+
protected_paths: list[str],
|
|
1012
|
+
codex_skills: list[str],
|
|
1013
|
+
protected_planning_skills: list[str],
|
|
1014
|
+
) -> str:
|
|
1015
|
+
"""Render a codex-rules.md config fragment encoding defaults."""
|
|
1016
|
+
lines: list[str] = []
|
|
1017
|
+
lines.append(f"# OMG Codex Rules (channel: {channel})\n")
|
|
1018
|
+
|
|
1019
|
+
lines.append("## Defaults\n")
|
|
1020
|
+
lines.append("- `cached_web_search: prefer_cached`")
|
|
1021
|
+
lines.append("- `live_network: deny_by_default`")
|
|
1022
|
+
lines.append("- `destructive_approval: required`\n")
|
|
1023
|
+
|
|
1024
|
+
lines.append("## Protected Paths\n")
|
|
1025
|
+
for path in protected_paths:
|
|
1026
|
+
lines.append(f"- `{path}`")
|
|
1027
|
+
lines.append("")
|
|
1028
|
+
|
|
1029
|
+
lines.append("## Required Skills\n")
|
|
1030
|
+
for skill in (codex_skills or ["omg/control-plane"]):
|
|
1031
|
+
lines.append(f"- `{skill}`")
|
|
1032
|
+
lines.append("")
|
|
1033
|
+
|
|
1034
|
+
lines.append("## Protected Planning Surface\n")
|
|
1035
|
+
if protected_planning_skills:
|
|
1036
|
+
for skill in protected_planning_skills:
|
|
1037
|
+
lines.append(f"- `{skill}` (explicit invocation only)")
|
|
1038
|
+
else:
|
|
1039
|
+
lines.append("- none")
|
|
1040
|
+
lines.append("")
|
|
1041
|
+
|
|
1042
|
+
lines.append("## Approval Matrix\n")
|
|
1043
|
+
lines.append("| Action | Approval Required |")
|
|
1044
|
+
lines.append("|--------|------------------|")
|
|
1045
|
+
lines.append("| Read / Grep | No |")
|
|
1046
|
+
lines.append("| Write to protected paths | Yes |")
|
|
1047
|
+
lines.append("| Bash (python3:*) | Yes (balanced+ tier) |")
|
|
1048
|
+
lines.append("| git push --force | Yes |")
|
|
1049
|
+
lines.append("| Production deploy | Yes |")
|
|
1050
|
+
lines.append("")
|
|
1051
|
+
|
|
1052
|
+
return "\n".join(lines)
|
|
1053
|
+
|
|
1054
|
+
|
|
1055
|
+
def _validate_compiled_codex_output(output_root: Path) -> list[str]:
|
|
1056
|
+
"""Validate compiled Codex output contains required AGENTS sections and artifacts."""
|
|
1057
|
+
errors: list[str] = []
|
|
1058
|
+
shared_dir = output_root / ".agents" / "skills" / "omg"
|
|
1059
|
+
|
|
1060
|
+
for required_file in REQUIRED_CODEX_OUTPUTS:
|
|
1061
|
+
path = shared_dir / required_file
|
|
1062
|
+
if not path.exists():
|
|
1063
|
+
errors.append(f"codex: missing required output '{required_file}'")
|
|
1064
|
+
|
|
1065
|
+
agents_path = shared_dir / "AGENTS.fragment.md"
|
|
1066
|
+
if agents_path.exists():
|
|
1067
|
+
content = agents_path.read_text(encoding="utf-8")
|
|
1068
|
+
for section in REQUIRED_CODEX_AGENTS_SECTIONS:
|
|
1069
|
+
if section not in content:
|
|
1070
|
+
errors.append(f"codex: AGENTS.fragment.md missing required section '{section}'")
|
|
1071
|
+
else:
|
|
1072
|
+
errors.append("codex: cannot validate AGENTS.fragment.md — file missing")
|
|
1073
|
+
|
|
1074
|
+
return errors
|
|
1075
|
+
|
|
1076
|
+
|
|
461
1077
|
def _compile_codex_outputs(
|
|
462
1078
|
*,
|
|
463
1079
|
output_root: Path,
|
|
464
1080
|
bundles: list[dict[str, Any]],
|
|
465
1081
|
channel: str,
|
|
1082
|
+
policy_model: dict[str, Any] | None,
|
|
466
1083
|
) -> list[Path]:
|
|
467
1084
|
artifacts: list[Path] = []
|
|
468
1085
|
shared_dir = output_root / ".agents" / "skills" / "omg"
|
|
469
1086
|
shared_dir.mkdir(parents=True, exist_ok=True)
|
|
470
1087
|
|
|
471
|
-
|
|
472
|
-
|
|
473
|
-
|
|
474
|
-
|
|
475
|
-
|
|
1088
|
+
protected_paths = _policy_protected_paths(policy_model, channel=channel)
|
|
1089
|
+
codex_rules: list[str] = []
|
|
1090
|
+
codex_automations: list[str] = []
|
|
1091
|
+
if isinstance(policy_model, dict):
|
|
1092
|
+
host_rules = policy_model.get("host_rules", {})
|
|
1093
|
+
if isinstance(host_rules, dict):
|
|
1094
|
+
codex_policy = host_rules.get("codex", {})
|
|
1095
|
+
if isinstance(codex_policy, dict):
|
|
1096
|
+
codex_rules = [str(item) for item in codex_policy.get("rules", []) if str(item).strip()]
|
|
1097
|
+
codex_automations = [
|
|
1098
|
+
str(item) for item in codex_policy.get("automations", []) if str(item).strip()
|
|
1099
|
+
]
|
|
1100
|
+
|
|
1101
|
+
codex_skills = _codex_skill_refs(policy_model)
|
|
1102
|
+
evidence_fields = _codex_evidence_fields(policy_model)
|
|
1103
|
+
protected_planning_skills = _codex_protected_planning_skills(bundles)
|
|
1104
|
+
|
|
1105
|
+
agents_fragment = _render_codex_agents_fragment(
|
|
1106
|
+
channel=channel,
|
|
1107
|
+
protected_paths=protected_paths,
|
|
1108
|
+
codex_rules=codex_rules,
|
|
1109
|
+
codex_automations=codex_automations,
|
|
1110
|
+
codex_skills=codex_skills,
|
|
1111
|
+
evidence_fields=evidence_fields,
|
|
1112
|
+
protected_planning_skills=protected_planning_skills,
|
|
476
1113
|
)
|
|
477
|
-
_write_text(shared_dir / "AGENTS.fragment.md",
|
|
1114
|
+
_write_text(shared_dir / "AGENTS.fragment.md", agents_fragment)
|
|
478
1115
|
artifacts.append(shared_dir / "AGENTS.fragment.md")
|
|
479
1116
|
|
|
1117
|
+
rules_content = _render_codex_rules(
|
|
1118
|
+
channel=channel,
|
|
1119
|
+
protected_paths=protected_paths,
|
|
1120
|
+
codex_skills=codex_skills,
|
|
1121
|
+
protected_planning_skills=protected_planning_skills,
|
|
1122
|
+
)
|
|
1123
|
+
_write_text(shared_dir / "codex-rules.md", rules_content)
|
|
1124
|
+
artifacts.append(shared_dir / "codex-rules.md")
|
|
1125
|
+
|
|
480
1126
|
from runtime.mcp_config_writers import write_codex_mcp_stdio_config
|
|
481
1127
|
|
|
482
1128
|
codex_mcp_path = shared_dir / "codex-mcp.toml"
|
|
@@ -580,12 +1226,48 @@ def compile_contract_outputs(
|
|
|
580
1226
|
}
|
|
581
1227
|
|
|
582
1228
|
bundles = load_contract_bundles(root)
|
|
1229
|
+
policy_model = _policy_model_for_bundle(bundles, "control-plane")
|
|
583
1230
|
artifacts = _copy_contract_inputs(root, output)
|
|
584
1231
|
|
|
585
1232
|
if "claude" in selected_hosts:
|
|
586
|
-
artifacts.extend(
|
|
1233
|
+
artifacts.extend(
|
|
1234
|
+
_compile_claude_outputs(
|
|
1235
|
+
root=root,
|
|
1236
|
+
output_root=output,
|
|
1237
|
+
bundles=bundles,
|
|
1238
|
+
channel=channel,
|
|
1239
|
+
policy_model=policy_model,
|
|
1240
|
+
)
|
|
1241
|
+
)
|
|
1242
|
+
claude_errors = _validate_compiled_claude_output(output)
|
|
1243
|
+
if claude_errors:
|
|
1244
|
+
return {
|
|
1245
|
+
"schema": "OmgContractCompileResult",
|
|
1246
|
+
"status": "error",
|
|
1247
|
+
"channel": channel,
|
|
1248
|
+
"hosts": selected_hosts,
|
|
1249
|
+
"errors": claude_errors,
|
|
1250
|
+
"artifacts": [],
|
|
1251
|
+
}
|
|
587
1252
|
if "codex" in selected_hosts:
|
|
588
|
-
artifacts.extend(
|
|
1253
|
+
artifacts.extend(
|
|
1254
|
+
_compile_codex_outputs(
|
|
1255
|
+
output_root=output,
|
|
1256
|
+
bundles=bundles,
|
|
1257
|
+
channel=channel,
|
|
1258
|
+
policy_model=policy_model,
|
|
1259
|
+
)
|
|
1260
|
+
)
|
|
1261
|
+
codex_errors = _validate_compiled_codex_output(output)
|
|
1262
|
+
if codex_errors:
|
|
1263
|
+
return {
|
|
1264
|
+
"schema": "OmgContractCompileResult",
|
|
1265
|
+
"status": "error",
|
|
1266
|
+
"channel": channel,
|
|
1267
|
+
"hosts": selected_hosts,
|
|
1268
|
+
"errors": codex_errors,
|
|
1269
|
+
"artifacts": [],
|
|
1270
|
+
}
|
|
589
1271
|
|
|
590
1272
|
bundled_artifacts = _copy_release_bundle(output_root=output, channel=channel, artifacts=artifacts)
|
|
591
1273
|
manifest_path = _build_dist_manifest(output, channel=channel, artifacts=bundled_artifacts)
|
|
@@ -648,6 +1330,294 @@ def _check_mcp_fabric() -> dict[str, Any]:
|
|
|
648
1330
|
}
|
|
649
1331
|
|
|
650
1332
|
|
|
1333
|
+
def _check_version_identity_drift(root: Path) -> dict[str, Any]:
|
|
1334
|
+
"""Check version/identity drift across all public surface files.
|
|
1335
|
+
|
|
1336
|
+
Returns a dict with:
|
|
1337
|
+
- status: "ok" or "error"
|
|
1338
|
+
- blockers: list of named blockers for each mismatch
|
|
1339
|
+
- drift_details: dict mapping file paths to their found versions
|
|
1340
|
+
"""
|
|
1341
|
+
canonical_version = CANONICAL_VERSION
|
|
1342
|
+
blockers: list[str] = []
|
|
1343
|
+
drift_details: dict[str, str] = {}
|
|
1344
|
+
|
|
1345
|
+
# Files to check with their JSON paths to extract version
|
|
1346
|
+
files_to_check = [
|
|
1347
|
+
("package.json", ["version"]),
|
|
1348
|
+
("pyproject.toml", None), # Special case: extract from version = "X.Y.Z"
|
|
1349
|
+
("settings.json", ["_omg", "_version"]),
|
|
1350
|
+
(".claude-plugin/plugin.json", ["version"]),
|
|
1351
|
+
(".claude-plugin/marketplace.json", ["version"]),
|
|
1352
|
+
("plugins/core/plugin.json", ["version"]),
|
|
1353
|
+
("plugins/advanced/plugin.json", ["version"]),
|
|
1354
|
+
("CHANGELOG.md", None), # Special case: check for version in header
|
|
1355
|
+
]
|
|
1356
|
+
|
|
1357
|
+
for file_path, json_path in files_to_check:
|
|
1358
|
+
full_path = root / file_path
|
|
1359
|
+
if not full_path.exists():
|
|
1360
|
+
blockers.append(f"version_drift: missing file {file_path}")
|
|
1361
|
+
continue
|
|
1362
|
+
|
|
1363
|
+
found_version = None
|
|
1364
|
+
|
|
1365
|
+
try:
|
|
1366
|
+
if file_path == "pyproject.toml":
|
|
1367
|
+
# Extract from version = "X.Y.Z"
|
|
1368
|
+
content = full_path.read_text(encoding="utf-8")
|
|
1369
|
+
for line in content.split("\n"):
|
|
1370
|
+
if line.startswith("version = "):
|
|
1371
|
+
found_version = line.split('"')[1]
|
|
1372
|
+
break
|
|
1373
|
+
elif file_path == "CHANGELOG.md":
|
|
1374
|
+
# Extract from "## X.Y.Z -" header (skip "Unreleased" section)
|
|
1375
|
+
content = full_path.read_text(encoding="utf-8")
|
|
1376
|
+
for line in content.split("\n"):
|
|
1377
|
+
if line.startswith("## ") and " - " in line:
|
|
1378
|
+
version_str = line.split(" - ")[0].replace("## ", "").strip()
|
|
1379
|
+
if version_str.lower() != "unreleased":
|
|
1380
|
+
found_version = version_str
|
|
1381
|
+
break
|
|
1382
|
+
else:
|
|
1383
|
+
# JSON file: use json_path to navigate
|
|
1384
|
+
data = _load_json(full_path)
|
|
1385
|
+
current = data
|
|
1386
|
+
if json_path:
|
|
1387
|
+
for key in json_path:
|
|
1388
|
+
current = current.get(key)
|
|
1389
|
+
if current is None:
|
|
1390
|
+
break
|
|
1391
|
+
found_version = current
|
|
1392
|
+
except Exception as e:
|
|
1393
|
+
blockers.append(f"version_drift: failed to parse {file_path}: {e}")
|
|
1394
|
+
continue
|
|
1395
|
+
|
|
1396
|
+
if found_version is None:
|
|
1397
|
+
blockers.append(f"version_drift: could not extract version from {file_path}")
|
|
1398
|
+
elif str(found_version) != canonical_version:
|
|
1399
|
+
blockers.append(
|
|
1400
|
+
f"version_drift: {file_path} has version {found_version}, expected {canonical_version}"
|
|
1401
|
+
)
|
|
1402
|
+
drift_details[file_path] = str(found_version)
|
|
1403
|
+
else:
|
|
1404
|
+
drift_details[file_path] = str(found_version)
|
|
1405
|
+
|
|
1406
|
+
return {
|
|
1407
|
+
"status": "ok" if not blockers else "error",
|
|
1408
|
+
"canonical_version": canonical_version,
|
|
1409
|
+
"blockers": blockers,
|
|
1410
|
+
"drift_details": drift_details,
|
|
1411
|
+
}
|
|
1412
|
+
|
|
1413
|
+
|
|
1414
|
+
def _check_doctor_output(output_root: Path) -> dict[str, Any]:
|
|
1415
|
+
evidence_dir = output_root / ".omg" / "evidence"
|
|
1416
|
+
doctor_path = evidence_dir / "doctor.json"
|
|
1417
|
+
if not doctor_path.exists():
|
|
1418
|
+
return {
|
|
1419
|
+
"status": "error",
|
|
1420
|
+
"path": "",
|
|
1421
|
+
"doctor": {},
|
|
1422
|
+
"blockers": ["doctor_check_missing: missing .omg/evidence/doctor.json"],
|
|
1423
|
+
}
|
|
1424
|
+
try:
|
|
1425
|
+
payload = _load_json(doctor_path)
|
|
1426
|
+
except Exception as exc:
|
|
1427
|
+
return {
|
|
1428
|
+
"status": "error",
|
|
1429
|
+
"path": str(doctor_path.relative_to(output_root)),
|
|
1430
|
+
"doctor": {},
|
|
1431
|
+
"blockers": [f"doctor_check_missing: invalid doctor output ({exc})"],
|
|
1432
|
+
}
|
|
1433
|
+
|
|
1434
|
+
blockers: list[str] = []
|
|
1435
|
+
if payload.get("schema") != "DoctorResult":
|
|
1436
|
+
blockers.append("doctor_check_missing: doctor evidence schema mismatch")
|
|
1437
|
+
if payload.get("status") != "pass":
|
|
1438
|
+
blockers.append("doctor_check_missing: doctor status is not pass")
|
|
1439
|
+
checks = payload.get("checks", [])
|
|
1440
|
+
if not isinstance(checks, list) or not checks:
|
|
1441
|
+
blockers.append("doctor_check_missing: doctor checks missing")
|
|
1442
|
+
|
|
1443
|
+
return {
|
|
1444
|
+
"status": "ok" if not blockers else "error",
|
|
1445
|
+
"path": str(doctor_path.relative_to(output_root)),
|
|
1446
|
+
"doctor": payload,
|
|
1447
|
+
"blockers": blockers,
|
|
1448
|
+
}
|
|
1449
|
+
|
|
1450
|
+
|
|
1451
|
+
def _check_proof_surface(root: Path) -> dict[str, Any]:
|
|
1452
|
+
proof_path = root / "docs" / "proof.md"
|
|
1453
|
+
if not proof_path.exists():
|
|
1454
|
+
return {
|
|
1455
|
+
"status": "error",
|
|
1456
|
+
"path": "docs/proof.md",
|
|
1457
|
+
"blockers": ["prose_only_proof: docs/proof.md missing"],
|
|
1458
|
+
}
|
|
1459
|
+
|
|
1460
|
+
content = proof_path.read_text(encoding="utf-8")
|
|
1461
|
+
lowered = content.lower()
|
|
1462
|
+
hardcoded_counts = bool(
|
|
1463
|
+
re.search(r"\b\d+\s*/\s*\d+\b", lowered)
|
|
1464
|
+
or re.search(r"\b\d+\s+(tests?|checks?|providers?)\s+(passed|pass|green|successful)\b", lowered)
|
|
1465
|
+
or re.search(r"\ball\s+tests?\s+passed\b", lowered)
|
|
1466
|
+
)
|
|
1467
|
+
artifact_refs = (
|
|
1468
|
+
".omg/evidence/",
|
|
1469
|
+
".omg/tracebank/",
|
|
1470
|
+
".omg/evals/",
|
|
1471
|
+
".omg/lineage/",
|
|
1472
|
+
)
|
|
1473
|
+
has_artifact_refs = any(token in content for token in artifact_refs)
|
|
1474
|
+
|
|
1475
|
+
blockers: list[str] = []
|
|
1476
|
+
if hardcoded_counts and not has_artifact_refs:
|
|
1477
|
+
blockers.append("prose_only_proof: hardcoded proof counts without machine artifact references")
|
|
1478
|
+
|
|
1479
|
+
return {
|
|
1480
|
+
"status": "ok" if not blockers else "error",
|
|
1481
|
+
"path": str(proof_path.relative_to(root)),
|
|
1482
|
+
"hardcoded_counts": hardcoded_counts,
|
|
1483
|
+
"has_artifact_refs": has_artifact_refs,
|
|
1484
|
+
"blockers": blockers,
|
|
1485
|
+
}
|
|
1486
|
+
|
|
1487
|
+
|
|
1488
|
+
def _is_loopback_hostname(hostname: str) -> bool:
|
|
1489
|
+
lowered = hostname.strip().lower()
|
|
1490
|
+
return lowered in {"localhost", "127.0.0.1", "::1"}
|
|
1491
|
+
|
|
1492
|
+
|
|
1493
|
+
def _collect_http_urls(line: str) -> list[str]:
|
|
1494
|
+
return re.findall(r"https?://[^\s)\]>'\"]+", line)
|
|
1495
|
+
|
|
1496
|
+
|
|
1497
|
+
def _check_same_machine_scope(root: Path, output_root: Path) -> dict[str, Any]:
|
|
1498
|
+
blockers: list[str] = []
|
|
1499
|
+
scanned: list[str] = []
|
|
1500
|
+
|
|
1501
|
+
for rel_path in ("README.md", "docs/proof.md", "OMG_COMPAT_CONTRACT.md"):
|
|
1502
|
+
path = root / rel_path
|
|
1503
|
+
if not path.exists():
|
|
1504
|
+
continue
|
|
1505
|
+
scanned.append(rel_path)
|
|
1506
|
+
for line in path.read_text(encoding="utf-8").splitlines():
|
|
1507
|
+
if "production" not in line.lower():
|
|
1508
|
+
continue
|
|
1509
|
+
for url in _collect_http_urls(line):
|
|
1510
|
+
parsed = urlparse(url)
|
|
1511
|
+
if parsed.scheme != "http":
|
|
1512
|
+
continue
|
|
1513
|
+
host = parsed.hostname or ""
|
|
1514
|
+
if host and not _is_loopback_hostname(host):
|
|
1515
|
+
blockers.append(
|
|
1516
|
+
f"same_machine_scope_violation: {rel_path} claims production over non-loopback HTTP ({url})"
|
|
1517
|
+
)
|
|
1518
|
+
|
|
1519
|
+
mcp_path = output_root / ".mcp.json"
|
|
1520
|
+
if mcp_path.exists():
|
|
1521
|
+
scanned.append(str(mcp_path.relative_to(output_root)))
|
|
1522
|
+
mcp_payload = _load_json(mcp_path)
|
|
1523
|
+
servers = mcp_payload.get("mcpServers", {})
|
|
1524
|
+
if isinstance(servers, dict):
|
|
1525
|
+
for server_name, server_cfg in servers.items():
|
|
1526
|
+
if not isinstance(server_cfg, dict):
|
|
1527
|
+
continue
|
|
1528
|
+
for key in ("url", "httpUrl"):
|
|
1529
|
+
raw_url = str(server_cfg.get(key, "")).strip()
|
|
1530
|
+
if not raw_url:
|
|
1531
|
+
continue
|
|
1532
|
+
parsed = urlparse(raw_url)
|
|
1533
|
+
if parsed.scheme != "http":
|
|
1534
|
+
continue
|
|
1535
|
+
host = parsed.hostname or ""
|
|
1536
|
+
if host and not _is_loopback_hostname(host):
|
|
1537
|
+
blockers.append(
|
|
1538
|
+
"same_machine_scope_violation: "
|
|
1539
|
+
f".mcp.json server '{server_name}' uses non-loopback HTTP endpoint ({raw_url})"
|
|
1540
|
+
)
|
|
1541
|
+
|
|
1542
|
+
return {
|
|
1543
|
+
"status": "ok" if not blockers else "error",
|
|
1544
|
+
"scanned": scanned,
|
|
1545
|
+
"blockers": blockers,
|
|
1546
|
+
}
|
|
1547
|
+
|
|
1548
|
+
|
|
1549
|
+
def _check_provider_host_parity(output_root: Path, providers: dict[str, dict[str, Any]]) -> dict[str, Any]:
|
|
1550
|
+
blockers: list[str] = []
|
|
1551
|
+
required_for_provider = {
|
|
1552
|
+
"claude": (
|
|
1553
|
+
output_root / "settings.json",
|
|
1554
|
+
output_root / ".claude-plugin" / "plugin.json",
|
|
1555
|
+
),
|
|
1556
|
+
"codex": (
|
|
1557
|
+
output_root / ".agents" / "skills" / "omg" / "AGENTS.fragment.md",
|
|
1558
|
+
output_root / ".agents" / "skills" / "omg" / "codex-mcp.toml",
|
|
1559
|
+
),
|
|
1560
|
+
}
|
|
1561
|
+
for provider, status in providers.items():
|
|
1562
|
+
if not status.get("ready"):
|
|
1563
|
+
continue
|
|
1564
|
+
for required_path in required_for_provider.get(provider, ()):
|
|
1565
|
+
if not required_path.exists():
|
|
1566
|
+
blockers.append(
|
|
1567
|
+
"provider_host_parity: "
|
|
1568
|
+
f"provider '{provider}' ready but host artifact missing {required_path.relative_to(output_root)}"
|
|
1569
|
+
)
|
|
1570
|
+
return {
|
|
1571
|
+
"status": "ok" if not blockers else "error",
|
|
1572
|
+
"blockers": blockers,
|
|
1573
|
+
}
|
|
1574
|
+
|
|
1575
|
+
|
|
1576
|
+
def _has_waiver(risk: dict[str, Any]) -> bool:
|
|
1577
|
+
return bool(
|
|
1578
|
+
risk.get("waived")
|
|
1579
|
+
or risk.get("waiver")
|
|
1580
|
+
or risk.get("waiver_id")
|
|
1581
|
+
or risk.get("waiver_evidence")
|
|
1582
|
+
)
|
|
1583
|
+
|
|
1584
|
+
|
|
1585
|
+
def _check_high_risk_security_waivers(payload: dict[str, Any]) -> list[str]:
|
|
1586
|
+
blockers: list[str] = []
|
|
1587
|
+
unresolved = payload.get("unresolved_risks", [])
|
|
1588
|
+
if isinstance(unresolved, list):
|
|
1589
|
+
for item in unresolved:
|
|
1590
|
+
if isinstance(item, dict):
|
|
1591
|
+
severity = str(item.get("severity") or item.get("risk_level") or "").lower()
|
|
1592
|
+
if severity in {"high", "critical"} and not _has_waiver(item):
|
|
1593
|
+
blockers.append("security_blocker_unwaived: unresolved high-risk item without waiver evidence")
|
|
1594
|
+
break
|
|
1595
|
+
elif isinstance(item, str):
|
|
1596
|
+
lowered = item.lower()
|
|
1597
|
+
is_high = "high" in lowered or "critical" in lowered
|
|
1598
|
+
waived = "waiv" in lowered
|
|
1599
|
+
if is_high and not waived:
|
|
1600
|
+
blockers.append("security_blocker_unwaived: unresolved high-risk item without waiver evidence")
|
|
1601
|
+
break
|
|
1602
|
+
|
|
1603
|
+
scans = payload.get("security_scans", [])
|
|
1604
|
+
if isinstance(scans, list):
|
|
1605
|
+
for scan in scans:
|
|
1606
|
+
if not isinstance(scan, dict):
|
|
1607
|
+
continue
|
|
1608
|
+
findings = scan.get("findings", [])
|
|
1609
|
+
if not isinstance(findings, list):
|
|
1610
|
+
continue
|
|
1611
|
+
for finding in findings:
|
|
1612
|
+
if not isinstance(finding, dict):
|
|
1613
|
+
continue
|
|
1614
|
+
severity = str(finding.get("severity", "")).lower()
|
|
1615
|
+
if severity in {"high", "critical"} and not _has_waiver(finding):
|
|
1616
|
+
blockers.append("security_blocker_unwaived: high-risk security finding without waiver evidence")
|
|
1617
|
+
return blockers
|
|
1618
|
+
return blockers
|
|
1619
|
+
|
|
1620
|
+
|
|
651
1621
|
def build_release_readiness(
|
|
652
1622
|
*,
|
|
653
1623
|
root_dir: str | Path | None = None,
|
|
@@ -684,6 +1654,10 @@ def build_release_readiness(
|
|
|
684
1654
|
continue
|
|
685
1655
|
if _sha256_file(artifact_path) != expected_sha:
|
|
686
1656
|
manifest_errors.append(f"{required_channel}: sha mismatch for {rel_path}")
|
|
1657
|
+
manifest_paths = {str(a.get("path", "")) for a in manifest.get("artifacts", []) if isinstance(a, dict)}
|
|
1658
|
+
for req_path in REQUIRED_ADVANCED_PLUGIN_ARTIFACTS:
|
|
1659
|
+
if req_path not in manifest_paths:
|
|
1660
|
+
manifest_errors.append(f"{required_channel}: advanced_plugin_missing {req_path}")
|
|
687
1661
|
if manifest_errors:
|
|
688
1662
|
blockers.extend(manifest_errors)
|
|
689
1663
|
manifest["integrity_errors"] = manifest_errors
|
|
@@ -719,20 +1693,59 @@ def build_release_readiness(
|
|
|
719
1693
|
checks["evidence"] = evidence_check
|
|
720
1694
|
blockers.extend(evidence_check.get("blockers", []))
|
|
721
1695
|
|
|
1696
|
+
doctor_check = _check_doctor_output(output)
|
|
1697
|
+
checks["doctor"] = doctor_check
|
|
1698
|
+
blockers.extend(doctor_check.get("blockers", []))
|
|
1699
|
+
|
|
722
1700
|
eval_check = _check_eval_gate(output)
|
|
723
1701
|
checks["eval_gate"] = eval_check
|
|
724
1702
|
blockers.extend(eval_check.get("blockers", []))
|
|
725
1703
|
|
|
1704
|
+
proof_chain_check = _check_proof_chain(output)
|
|
1705
|
+
checks["proof_chain"] = proof_chain_check
|
|
1706
|
+
blockers.extend(proof_chain_check.get("blockers", []))
|
|
1707
|
+
|
|
1708
|
+
security_blockers = [
|
|
1709
|
+
blocker
|
|
1710
|
+
for blocker in evidence_check.get("blockers", [])
|
|
1711
|
+
if isinstance(blocker, str) and blocker.startswith("security_blocker_unwaived:")
|
|
1712
|
+
]
|
|
1713
|
+
checks["security_blocker_unwaived"] = {
|
|
1714
|
+
"status": "ok" if not security_blockers else "error",
|
|
1715
|
+
"blockers": security_blockers,
|
|
1716
|
+
}
|
|
1717
|
+
|
|
1718
|
+
proof_surface_check = _check_proof_surface(root)
|
|
1719
|
+
checks["proof_surface"] = proof_surface_check
|
|
1720
|
+
blockers.extend(proof_surface_check.get("blockers", []))
|
|
1721
|
+
|
|
1722
|
+
same_machine_scope = _check_same_machine_scope(root, output)
|
|
1723
|
+
checks["same_machine_scope"] = same_machine_scope
|
|
1724
|
+
blockers.extend(same_machine_scope.get("blockers", []))
|
|
1725
|
+
|
|
726
1726
|
package_check = _check_packaged_install_smoke(root)
|
|
727
1727
|
checks["package_smoke"] = package_check
|
|
728
1728
|
blockers.extend(package_check.get("blockers", []))
|
|
729
1729
|
|
|
1730
|
+
version_drift_check = _check_version_identity_drift(root)
|
|
1731
|
+
checks["version_identity_drift"] = version_drift_check
|
|
1732
|
+
blockers.extend(version_drift_check.get("blockers", []))
|
|
1733
|
+
|
|
1734
|
+
if channel == "dual":
|
|
1735
|
+
bundle_promotion_parity = _check_bundle_promotion_parity(root, output)
|
|
1736
|
+
checks["bundle_promotion_parity"] = bundle_promotion_parity
|
|
1737
|
+
blockers.extend(bundle_promotion_parity.get("blockers", []))
|
|
1738
|
+
|
|
730
1739
|
providers = _provider_statuses()
|
|
731
1740
|
checks["providers"] = providers
|
|
732
1741
|
for provider_name, status in providers.items():
|
|
733
1742
|
if not status.get("ready"):
|
|
734
1743
|
blockers.append(f"provider not ready: {provider_name}")
|
|
735
1744
|
|
|
1745
|
+
provider_parity = _check_provider_host_parity(output, providers)
|
|
1746
|
+
checks["provider_host_parity"] = provider_parity
|
|
1747
|
+
blockers.extend(provider_parity.get("blockers", []))
|
|
1748
|
+
|
|
736
1749
|
worktree_ready = shutil.which("git") is not None and (root / ".git").exists()
|
|
737
1750
|
checks["worktree"] = {"ready": worktree_ready}
|
|
738
1751
|
if not worktree_ready:
|
|
@@ -779,8 +1792,16 @@ def _check_recent_evidence(output_root: Path) -> dict[str, Any]:
|
|
|
779
1792
|
blockers.append("cosmetic evidence: security_scans is empty")
|
|
780
1793
|
if not payload.get("provenance"):
|
|
781
1794
|
blockers.append("cosmetic evidence: provenance is empty")
|
|
1795
|
+
if not payload.get("timestamp") and not payload.get("created_at"):
|
|
1796
|
+
blockers.append("missing_attribution: evidence missing timestamp")
|
|
1797
|
+
if not payload.get("executor"):
|
|
1798
|
+
blockers.append("missing_attribution: evidence missing executor")
|
|
1799
|
+
if not payload.get("environment"):
|
|
1800
|
+
blockers.append("missing_attribution: evidence missing environment")
|
|
782
1801
|
if not payload.get("trace_ids"):
|
|
783
1802
|
blockers.append("missing trace ids in evidence")
|
|
1803
|
+
if not payload.get("trace_id") and not payload.get("trace_ids"):
|
|
1804
|
+
blockers.append("missing trace_id in evidence")
|
|
784
1805
|
if not payload.get("lineage"):
|
|
785
1806
|
blockers.append("missing lineage in evidence")
|
|
786
1807
|
tests = payload.get("tests", [])
|
|
@@ -789,6 +1810,8 @@ def _check_recent_evidence(output_root: Path) -> dict[str, Any]:
|
|
|
789
1810
|
if isinstance(item, dict) and item.get("name") == "worker_implementation" and not item.get("passed", False):
|
|
790
1811
|
blockers.append("simulated worker evidence detected")
|
|
791
1812
|
break
|
|
1813
|
+
blockers.extend(_check_test_intent_claims(payload))
|
|
1814
|
+
blockers.extend(_check_high_risk_security_waivers(payload))
|
|
792
1815
|
return {
|
|
793
1816
|
"status": "ok" if not blockers else "error",
|
|
794
1817
|
"evidence_file": str(evidence_path.relative_to(output_root)),
|
|
@@ -796,6 +1819,37 @@ def _check_recent_evidence(output_root: Path) -> dict[str, Any]:
|
|
|
796
1819
|
}
|
|
797
1820
|
|
|
798
1821
|
|
|
1822
|
+
def _check_test_intent_claims(payload: dict[str, Any]) -> list[str]:
|
|
1823
|
+
test_delta = payload.get("test_delta")
|
|
1824
|
+
claims = payload.get("claims", [])
|
|
1825
|
+
if not isinstance(claims, list):
|
|
1826
|
+
return []
|
|
1827
|
+
|
|
1828
|
+
from runtime.test_intent_lock import evaluate_test_delta
|
|
1829
|
+
|
|
1830
|
+
blockers: list[str] = []
|
|
1831
|
+
guarded_claims = {"tests passed", "tests_passed", "bug fixed", "bug_fixed"}
|
|
1832
|
+
for claim in claims:
|
|
1833
|
+
if not isinstance(claim, dict):
|
|
1834
|
+
continue
|
|
1835
|
+
claim_type = str(claim.get("claim_type", "")).strip().lower()
|
|
1836
|
+
if claim_type not in guarded_claims:
|
|
1837
|
+
continue
|
|
1838
|
+
delta = claim.get("test_delta")
|
|
1839
|
+
if not isinstance(delta, dict):
|
|
1840
|
+
delta = test_delta if isinstance(test_delta, dict) else None
|
|
1841
|
+
if not isinstance(delta, dict):
|
|
1842
|
+
blockers.append(f"test_intent_lock_missing_delta: claim '{claim_type}' requires test_delta evidence")
|
|
1843
|
+
continue
|
|
1844
|
+
result = evaluate_test_delta(delta)
|
|
1845
|
+
if result.get("verdict") != "pass":
|
|
1846
|
+
reasons = result.get("reasons", [])
|
|
1847
|
+
reason_text = "; ".join(str(item) for item in reasons if str(item).strip())
|
|
1848
|
+
suffix = f": {reason_text}" if reason_text else ""
|
|
1849
|
+
blockers.append(f"test_intent_lock_blocked: claim '{claim_type}'{suffix}")
|
|
1850
|
+
return blockers
|
|
1851
|
+
|
|
1852
|
+
|
|
799
1853
|
def _check_eval_gate(output_root: Path) -> dict[str, Any]:
|
|
800
1854
|
latest_path = output_root / ".omg" / "evals" / "latest.json"
|
|
801
1855
|
if not latest_path.exists():
|
|
@@ -811,6 +1865,90 @@ def _check_eval_gate(output_root: Path) -> dict[str, Any]:
|
|
|
811
1865
|
}
|
|
812
1866
|
|
|
813
1867
|
|
|
1868
|
+
def _check_proof_chain(output_root: Path) -> dict[str, Any]:
|
|
1869
|
+
chain_module = importlib.import_module("runtime.proof_chain")
|
|
1870
|
+
gate_module = importlib.import_module("runtime.proof_gate")
|
|
1871
|
+
|
|
1872
|
+
gate_input = chain_module.build_proof_gate_input(str(output_root))
|
|
1873
|
+
chain = gate_input.get("proof_chain", {}) if isinstance(gate_input, dict) else {}
|
|
1874
|
+
chain_status = str(chain.get("status", "error"))
|
|
1875
|
+
raw_blockers = chain.get("blockers", [])
|
|
1876
|
+
blockers = [f"proof_chain_linkage: {item}" for item in raw_blockers] if isinstance(raw_blockers, list) else ["proof_chain_linkage: invalid blockers"]
|
|
1877
|
+
if chain_status == "ok":
|
|
1878
|
+
blockers = []
|
|
1879
|
+
|
|
1880
|
+
proof_gate = gate_module.evaluate_proof_gate(gate_input if isinstance(gate_input, dict) else {})
|
|
1881
|
+
if str(proof_gate.get("verdict", "fail")) != "pass":
|
|
1882
|
+
gate_blockers = proof_gate.get("blockers", [])
|
|
1883
|
+
if isinstance(gate_blockers, list) and gate_blockers:
|
|
1884
|
+
blockers.extend(f"proof_gate_blocked: {item}" for item in gate_blockers)
|
|
1885
|
+
else:
|
|
1886
|
+
blockers.append("proof_gate_blocked: verdict_fail")
|
|
1887
|
+
|
|
1888
|
+
return {
|
|
1889
|
+
"status": "ok" if not blockers else "error",
|
|
1890
|
+
"proof_chain": chain,
|
|
1891
|
+
"proof_gate": proof_gate,
|
|
1892
|
+
"blockers": blockers,
|
|
1893
|
+
}
|
|
1894
|
+
|
|
1895
|
+
|
|
1896
|
+
def _check_bundle_promotion_parity(root: Path, output_root: Path) -> dict[str, Any]:
|
|
1897
|
+
missing_settings_required_bundles: list[str] = []
|
|
1898
|
+
missing_dist_public: list[str] = []
|
|
1899
|
+
missing_dist_enterprise: list[str] = []
|
|
1900
|
+
missing_pyproject_data_files: list[str] = []
|
|
1901
|
+
|
|
1902
|
+
settings_path = output_root / "settings.json"
|
|
1903
|
+
if settings_path.exists():
|
|
1904
|
+
settings = _load_json(settings_path)
|
|
1905
|
+
required_bundles = settings.get("_omg", {}).get("generated", {}).get("required_bundles", [])
|
|
1906
|
+
if not isinstance(required_bundles, list):
|
|
1907
|
+
required_bundles = []
|
|
1908
|
+
required_bundle_set = {str(item) for item in required_bundles}
|
|
1909
|
+
missing_settings_required_bundles = [
|
|
1910
|
+
bundle_id for bundle_id in TRUTH_COUNCIL_BUNDLES if bundle_id not in required_bundle_set
|
|
1911
|
+
]
|
|
1912
|
+
else:
|
|
1913
|
+
missing_settings_required_bundles = list(TRUTH_COUNCIL_BUNDLES)
|
|
1914
|
+
|
|
1915
|
+
for bundle_id in TRUTH_COUNCIL_BUNDLES:
|
|
1916
|
+
public_skill = output_root / "dist" / "public" / "bundle" / ".agents" / "skills" / "omg" / bundle_id / "SKILL.md"
|
|
1917
|
+
if not public_skill.exists():
|
|
1918
|
+
missing_dist_public.append(str(public_skill.relative_to(output_root)))
|
|
1919
|
+
|
|
1920
|
+
enterprise_skill = output_root / "dist" / "enterprise" / "bundle" / ".agents" / "skills" / "omg" / bundle_id / "SKILL.md"
|
|
1921
|
+
if not enterprise_skill.exists():
|
|
1922
|
+
missing_dist_enterprise.append(str(enterprise_skill.relative_to(output_root)))
|
|
1923
|
+
|
|
1924
|
+
pyproject_path = root / "pyproject.toml"
|
|
1925
|
+
if pyproject_path.exists():
|
|
1926
|
+
pyproject_content = pyproject_path.read_text(encoding="utf-8")
|
|
1927
|
+
for bundle_id in TRUTH_COUNCIL_BUNDLES:
|
|
1928
|
+
data_file_key = f'".agents/skills/omg/{bundle_id}" = '
|
|
1929
|
+
if data_file_key not in pyproject_content:
|
|
1930
|
+
missing_pyproject_data_files.append(bundle_id)
|
|
1931
|
+
else:
|
|
1932
|
+
missing_pyproject_data_files = list(TRUTH_COUNCIL_BUNDLES)
|
|
1933
|
+
|
|
1934
|
+
failed = any(
|
|
1935
|
+
(
|
|
1936
|
+
missing_settings_required_bundles,
|
|
1937
|
+
missing_dist_public,
|
|
1938
|
+
missing_dist_enterprise,
|
|
1939
|
+
missing_pyproject_data_files,
|
|
1940
|
+
)
|
|
1941
|
+
)
|
|
1942
|
+
return {
|
|
1943
|
+
"status": "ok" if not failed else "error",
|
|
1944
|
+
"blockers": ["bundle_promotion_parity"] if failed else [],
|
|
1945
|
+
"missing_settings_required_bundles": missing_settings_required_bundles,
|
|
1946
|
+
"missing_dist_public": missing_dist_public,
|
|
1947
|
+
"missing_dist_enterprise": missing_dist_enterprise,
|
|
1948
|
+
"missing_pyproject_data_files": missing_pyproject_data_files,
|
|
1949
|
+
}
|
|
1950
|
+
|
|
1951
|
+
|
|
814
1952
|
def _check_packaged_install_smoke(root: Path) -> dict[str, Any]:
|
|
815
1953
|
blockers: list[str] = []
|
|
816
1954
|
with tempfile.TemporaryDirectory(prefix="omg-wheel-") as tmp_dir:
|
|
@@ -840,6 +1978,10 @@ def _check_packaged_install_smoke(root: Path) -> dict[str, Any]:
|
|
|
840
1978
|
"plugins/dephealth/cve_scanner.py",
|
|
841
1979
|
"OMG_COMPAT_CONTRACT.md",
|
|
842
1980
|
".agents/skills/omg/security-check/SKILL.md",
|
|
1981
|
+
".agents/skills/omg/plan-council/SKILL.md",
|
|
1982
|
+
".agents/skills/omg/claim-judge/SKILL.md",
|
|
1983
|
+
".agents/skills/omg/test-intent-lock/SKILL.md",
|
|
1984
|
+
".agents/skills/omg/proof-gate/SKILL.md",
|
|
843
1985
|
)
|
|
844
1986
|
for suffix in required_suffixes:
|
|
845
1987
|
if not any(name.endswith(suffix) for name in names):
|