@trac3er/oh-my-god 2.0.8 → 2.0.9

package/build/lib/plugins/dephealth/cve_scanner.py

@@ -10,7 +10,11 @@ import urllib.request
 
 
 OSV_BATCH_URL = "https://api.osv.dev/v1/querybatch"
+KEV_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"
+EPSS_URL_TEMPLATE = "https://api.first.org/data/v1/epss?cve={cve_id}"
 CACHE_REL_PATH = Path(".omg") / "state" / "cve-cache.json"
+KEV_CACHE_REL_PATH = Path(".omg") / "state" / "kev-cache.json"
+EPSS_CACHE_REL_PATH = Path(".omg") / "state" / "epss-cache.json"
 CACHE_TTL_HOURS = 24
 
 
@@ -72,6 +76,93 @@ def scan_for_cves(dependency_list: list[dict[str, str]], project_dir: str = ".")
     return scan_result
 
 
+def enrich_with_kev(finding: dict[str, Any], cache_dir: str) -> dict[str, Any]:
+    result = dict(finding)
+    if not _dep_health_enabled():
+        result["kev_listed"] = False
+        return result
+
+    cve_id = str(finding.get("id", "")).strip()
+    if not cve_id:
+        result["kev_listed"] = False
+        return result
+
+    cache_path = Path(cache_dir) / KEV_CACHE_REL_PATH
+    cached = _load_cache(cache_path)
+
+    if cached and _is_cache_fresh(cached.get("fetched_at")):
+        result["kev_listed"] = cve_id in cached.get("cve_ids", [])
+        return result
+
+    try:
+        kev_data = _fetch_kev_catalog()
+        kev_ids = [v.get("cveID", "") for v in kev_data.get("vulnerabilities", [])]
+        _save_cache(cache_path, {
+            "fetched_at": datetime.now(timezone.utc).isoformat(),
+            "cve_ids": kev_ids,
+        })
+        result["kev_listed"] = cve_id in kev_ids
+    except (urllib.error.URLError, OSError, json.JSONDecodeError):
+        if cached:
+            result["kev_listed"] = cve_id in cached.get("cve_ids", [])
+        else:
+            result["kev_listed"] = False
+    return result
+
+
+def enrich_with_epss(finding: dict[str, Any], cache_dir: str) -> dict[str, Any]:
+    result = dict(finding)
+    if not _dep_health_enabled():
+        result["epss_score"] = None
+        return result
+
+    cve_id = str(finding.get("id", "")).strip()
+    if not cve_id:
+        result["epss_score"] = None
+        return result
+
+    cache_path = Path(cache_dir) / EPSS_CACHE_REL_PATH
+    cached = _load_cache(cache_path) or {}
+    entries = cached.get("entries", {})
+
+    entry = entries.get(cve_id)
+    if entry and _is_cache_fresh(entry.get("fetched_at")):
+        result["epss_score"] = entry.get("epss")
+        return result
+
+    try:
+        epss_data = _fetch_epss_score(cve_id)
+        data_list = epss_data.get("data", [])
+        score = float(data_list[0].get("epss", 0)) if data_list else None
+        entries[cve_id] = {
+            "epss": score,
+            "fetched_at": datetime.now(timezone.utc).isoformat(),
+        }
+        _save_cache(cache_path, {"entries": entries})
+        result["epss_score"] = score
+    except (urllib.error.URLError, OSError, json.JSONDecodeError, ValueError, TypeError):
+        if entry:
+            result["epss_score"] = entry.get("epss")
+        else:
+            result["epss_score"] = None
+    return result
+
+
+def _fetch_kev_catalog() -> dict[str, Any]:
+    request = urllib.request.Request(KEV_URL, headers={"Accept": "application/json"})
+    with urllib.request.urlopen(request, timeout=15) as response:
+        body = response.read().decode("utf-8")
+    return json.loads(body)
+
+
+def _fetch_epss_score(cve_id: str) -> dict[str, Any]:
+    url = EPSS_URL_TEMPLATE.format(cve_id=cve_id)
+    request = urllib.request.Request(url, headers={"Accept": "application/json"})
+    with urllib.request.urlopen(request, timeout=15) as response:
+        body = response.read().decode("utf-8")
+    return json.loads(body)
+
+
 def _query_osv_batch(dependency_list: list[dict[str, str]]) -> dict[str, Any]:
     payload = {
         "queries": [

package/build/lib/plugins/dephealth/vuln_analyzer.py

@@ -3,6 +3,8 @@ import re
 from pathlib import Path
 from typing import Any
 
+from plugins.dephealth.cve_scanner import enrich_with_kev, enrich_with_epss
+
 
 _CRITICAL_PATTERN = re.compile(r"\bcritical\b", re.IGNORECASE)
 _HIGH_PATTERN = re.compile(r"\bhigh\b", re.IGNORECASE)
@@ -33,6 +35,9 @@ def analyze_reachability(cve_result: dict[str, Any], project_dir: str) -> dict[s
     risk_level = _classify_risk(reachability, summary)
     recommendation = _build_recommendation(package, fixed_version, reachability)
 
+    kev_enriched = enrich_with_kev({"id": cve_id}, project_dir)
+    epss_enriched = enrich_with_epss({"id": cve_id}, project_dir)
+
     return {
         "package": package,
         "cve_id": cve_id,
@@ -40,6 +45,8 @@ def analyze_reachability(cve_result: dict[str, Any], project_dir: str) -> dict[s
         "import_locations": sorted(imported_files),
         "risk_level": risk_level,
         "recommendation": recommendation,
+        "kev_listed": kev_enriched.get("kev_listed", False),
+        "epss_score": epss_enriched.get("epss_score"),
     }
 
 

package/build/lib/registry/omg-capability.schema.json

@@ -43,7 +43,9 @@
         "type": "string",
         "enum": [
           "claude",
-          "codex"
+          "codex",
+          "gemini",
+          "kimi"
         ]
       },
       "minItems": 1
@@ -281,6 +283,86 @@
                 }
               },
               "additionalProperties": true
+            },
+            "gemini": {
+              "type": "object",
+              "required": [
+                "compilation_targets",
+                "mcp",
+                "skills",
+                "automations"
+              ],
+              "properties": {
+                "compilation_targets": {
+                  "type": "array",
+                  "minItems": 1,
+                  "items": {
+                    "type": "string"
+                  }
+                },
+                "mcp": {
+                  "type": "array",
+                  "minItems": 1,
+                  "items": {
+                    "type": "string"
+                  }
+                },
+                "skills": {
+                  "type": "array",
+                  "minItems": 1,
+                  "items": {
+                    "type": "string"
+                  }
+                },
+                "automations": {
+                  "type": "array",
+                  "minItems": 1,
+                  "items": {
+                    "type": "string"
+                  }
+                }
+              },
+              "additionalProperties": true
+            },
+            "kimi": {
+              "type": "object",
+              "required": [
+                "compilation_targets",
+                "mcp",
+                "skills",
+                "automations"
+              ],
+              "properties": {
+                "compilation_targets": {
+                  "type": "array",
+                  "minItems": 1,
+                  "items": {
+                    "type": "string"
+                  }
+                },
+                "mcp": {
+                  "type": "array",
+                  "minItems": 1,
+                  "items": {
+                    "type": "string"
+                  }
+                },
+                "skills": {
+                  "type": "array",
+                  "minItems": 1,
+                  "items": {
+                    "type": "string"
+                  }
+                },
+                "automations": {
+                  "type": "array",
+                  "minItems": 1,
+                  "items": {
+                    "type": "string"
+                  }
+                }
+              },
+              "additionalProperties": true
             }
           },
           "additionalProperties": true

package/build/lib/runtime/adoption.py

@@ -2,8 +2,8 @@
 from __future__ import annotations
 
 import json
+import importlib
 from pathlib import Path
-from typing import Any
 
 
 CANONICAL_BRAND = "OMG"
@@ -15,6 +15,8 @@ CANONICAL_VERSION = "2.0.8"
 
 VALID_ADOPTION_MODES = ("omg-only", "coexist")
 VALID_PRESETS = ("safe", "balanced", "interop", "labs")
+CANONICAL_MODE_NAMES = ("chill", "focused", "exploratory")
+"""Cross-surface user-facing mode names reserved for the shared mode system."""
 
 MANAGED_PRESET_FLAGS = (
     "SETUP",
@@ -91,6 +93,12 @@ def get_preset_features(preset: str | None) -> dict[str, bool]:
     return dict(PRESET_FEATURES[resolved])
 
 
+def get_mode_profile(mode: str) -> dict[str, object]:
+    runtime_profile = importlib.import_module("runtime.runtime_profile")
+    loader = getattr(runtime_profile, "load_canonical_mode_profile")
+    return loader(mode)
+
+
 def _resolve_claude_dir(base_dir: Path) -> Path:
     nested = base_dir / ".claude"
     if nested.exists():
@@ -180,7 +188,7 @@ def build_adoption_report(
     requested_mode: str | None = None,
     preset: str | None = None,
     adopt: str = "auto",
-) -> dict[str, Any]:
+) -> dict[str, object]:
     detected_ecosystems = detect_ecosystems(project_dir) if adopt == "auto" else []
     recommended_mode = recommend_mode(detected_ecosystems)
     selected_mode = requested_mode if requested_mode in VALID_ADOPTION_MODES else recommended_mode
@@ -204,9 +212,9 @@ def build_adoption_report(
     }
 
 
-def write_adoption_report(project_dir: str | Path, report: dict[str, Any]) -> str:
+def write_adoption_report(project_dir: str | Path, report: dict[str, object]) -> str:
     state_dir = Path(project_dir) / ".omg" / "state"
     state_dir.mkdir(parents=True, exist_ok=True)
     report_path = state_dir / "adoption-report.json"
-    report_path.write_text(json.dumps(report, indent=2, ensure_ascii=True) + "\n", encoding="utf-8")
+    _ = report_path.write_text(json.dumps(report, indent=2, ensure_ascii=True) + "\n", encoding="utf-8")
     return str(report_path)

package/build/lib/runtime/artifact_parsers.py

@@ -0,0 +1,161 @@
+from __future__ import annotations
+
+import json
+from pathlib import Path
+from typing import Any
+from xml.etree import ElementTree
+
+
+def parse_junit(path: str) -> dict[str, Any]:
+    file_path = Path(path)
+    if not file_path.exists():
+        return {"valid": False, "summary": {}, "error": "file_not_found"}
+
+    try:
+        root = ElementTree.parse(file_path).getroot()
+    except (ElementTree.ParseError, OSError, ValueError) as exc:
+        return {"valid": False, "summary": {}, "error": f"junit_parse_error:{exc}"}
+
+    root_name = _local_name(root.tag)
+    if root_name not in {"testsuite", "testsuites"}:
+        return {
+            "valid": False,
+            "summary": {"root": root_name},
+            "error": "junit_invalid_root",
+        }
+
+    tests_value = root.attrib.get("tests", "")
+    return {
+        "valid": True,
+        "summary": {"root": root_name, "tests": str(tests_value).strip()},
+        "error": None,
+    }
+
+
+def parse_sarif(path: str) -> dict[str, Any]:
+    payload, error = _load_json(Path(path))
+    if error:
+        return {"valid": False, "summary": {}, "error": error}
+
+    runs = payload.get("runs") if isinstance(payload, dict) else None
+    if not isinstance(runs, list):
+        return {"valid": False, "summary": {}, "error": "sarif_missing_runs"}
+
+    return {
+        "valid": True,
+        "summary": {"runs": len(runs), "version": str(payload.get("version", "")).strip()},
+        "error": None,
+    }
+
+
+def parse_coverage(path: str) -> dict[str, Any]:
+    file_path = Path(path)
+    if not file_path.exists():
+        return {"valid": False, "summary": {}, "error": "file_not_found"}
+
+    xml_result = _parse_coverage_xml(file_path)
+    if xml_result["valid"]:
+        return xml_result
+
+    json_result = _parse_coverage_json(file_path)
+    if json_result["valid"]:
+        return json_result
+
+    return {
+        "valid": False,
+        "summary": {},
+        "error": xml_result.get("error") or json_result.get("error") or "coverage_missing_keys",
+    }
+
+
+def parse_browser_trace(path: str) -> dict[str, Any]:
+    payload, error = _load_json(Path(path))
+    if error:
+        return {"valid": False, "summary": {}, "error": error}
+
+    if not isinstance(payload, dict):
+        return {"valid": False, "summary": {}, "error": "browser_trace_invalid_payload"}
+
+    has_trace = "trace" in payload
+    has_events = isinstance(payload.get("events"), list)
+    if not (has_trace or has_events):
+        return {
+            "valid": False,
+            "summary": {},
+            "error": "browser_trace_missing_trace_or_events",
+        }
+
+    return {
+        "valid": True,
+        "summary": {"has_trace": has_trace, "event_count": len(payload.get("events", [])) if has_events else 0},
+        "error": None,
+    }
+
+
+def parse_diff_hunk(path: str) -> dict[str, Any]:
+    file_path = Path(path)
+    if not file_path.exists():
+        return {"valid": False, "summary": {}, "error": "file_not_found"}
+
+    try:
+        content = file_path.read_text(encoding="utf-8")
+    except (OSError, UnicodeDecodeError) as exc:
+        return {"valid": False, "summary": {}, "error": f"diff_read_error:{exc}"}
+
+    if "@@" not in content:
+        return {"valid": False, "summary": {}, "error": "diff_missing_hunk_marker"}
+
+    hunk_count = content.count("@@") // 2 if content.count("@@") >= 2 else 1
+    return {"valid": True, "summary": {"hunk_count": hunk_count}, "error": None}
+
+
+def _parse_coverage_xml(file_path: Path) -> dict[str, Any]:
+    try:
+        root = ElementTree.parse(file_path).getroot()
+    except (ElementTree.ParseError, OSError, ValueError):
+        return {"valid": False, "summary": {}, "error": "coverage_xml_parse_error"}
+
+    if "line-rate" in root.attrib:
+        return {
+            "valid": True,
+            "summary": {"line-rate": str(root.attrib.get("line-rate", "")).strip()},
+            "error": None,
+        }
+
+    return {"valid": False, "summary": {}, "error": "coverage_missing_line_rate"}
+
+
+def _parse_coverage_json(file_path: Path) -> dict[str, Any]:
+    payload, error = _load_json(file_path)
+    if error:
+        return {"valid": False, "summary": {}, "error": error}
+
+    if not isinstance(payload, dict):
+        return {"valid": False, "summary": {}, "error": "coverage_json_invalid_payload"}
+
+    if "coverage" not in payload:
+        return {"valid": False, "summary": {}, "error": "coverage_missing_coverage_key"}
+
+    return {
+        "valid": True,
+        "summary": {"coverage": payload.get("coverage")},
+        "error": None,
+    }
+
+
+def _load_json(file_path: Path) -> tuple[Any, str | None]:
+    if not file_path.exists():
+        return {}, "file_not_found"
+
+    try:
+        payload = json.loads(file_path.read_text(encoding="utf-8"))
+    except (OSError, UnicodeDecodeError, json.JSONDecodeError) as exc:
+        return {}, f"json_parse_error:{exc}"
+
+    return payload, None
+
+
+def _local_name(tag: str) -> str:
+    if "}" not in tag:
+        return tag
+    return tag.rsplit("}", 1)[-1]

package/build/lib/runtime/background_verification.py

@@ -0,0 +1,48 @@
+from __future__ import annotations
+
+import json
+from datetime import datetime, timezone
+from pathlib import Path
+from typing import Any
+
+BACKGROUND_VERIFICATION_REL_PATH = Path(".omg") / "state" / "background-verification.json"
+
+_VALID_STATUSES = frozenset({"running", "ok", "error", "blocked"})
+
+
+def publish_verification_state(
+    project_dir: str,
+    run_id: str,
+    status: str,
+    blockers: list[str],
+    evidence_links: list[str],
+    progress: dict[str, Any],
+) -> str:
+    state = {
+        "schema": "BackgroundVerificationState",
+        "schema_version": 2,
+        "run_id": run_id,
+        "status": status if status in _VALID_STATUSES else "error",
+        "blockers": blockers,
+        "evidence_links": evidence_links,
+        "progress": progress,
+        "updated_at": datetime.now(timezone.utc).isoformat(),
+    }
+
+    path = Path(project_dir) / BACKGROUND_VERIFICATION_REL_PATH
+    path.parent.mkdir(parents=True, exist_ok=True)
+    path.write_text(json.dumps(state, indent=2, ensure_ascii=True), encoding="utf-8")
+    return str(path)
+
+
+def read_verification_state(project_dir: str) -> dict[str, Any] | None:
+    path = Path(project_dir) / BACKGROUND_VERIFICATION_REL_PATH
+    if not path.exists():
+        return None
+    try:
+        payload = json.loads(path.read_text(encoding="utf-8"))
+        if isinstance(payload, dict) and payload.get("schema") == "BackgroundVerificationState":
+            return payload
+    except (json.JSONDecodeError, OSError):
+        pass
+    return None