@trac3er/oh-my-god 2.0.8 → 2.0.9

package/build/lib/runtime/repro_pack.py

@@ -0,0 +1,292 @@
+from __future__ import annotations
+
+from datetime import datetime, timezone
+import hashlib
+import json
+from pathlib import Path
+from typing import cast
+
+from runtime.evidence_query import (
+    JsonObject,
+    JsonValue,
+    get_eval,
+    get_evidence_pack,
+    get_lineage,
+    get_trace,
+    get_verification_state,
+)
+
+
+def _now() -> str:
+    return datetime.now(timezone.utc).isoformat()
+
+
+def _load_json(path: Path) -> JsonObject | None:
+    try:
+        payload: object = json.loads(path.read_text(encoding="utf-8"))  # pyright: ignore[reportAny]
+    except (OSError, json.JSONDecodeError):
+        return None
+    if not isinstance(payload, dict):
+        return None
+    return cast(JsonObject, payload)
+
+
+def _hash_path(path: Path) -> str:
+    if not path.exists() or not path.is_file():
+        return ""
+    digest = hashlib.sha256()
+    with path.open("rb") as handle:
+        while True:
+            chunk = handle.read(8192)
+            if not chunk:
+                break
+            digest.update(chunk)
+    return digest.hexdigest()
+
+
+def _rel(path: Path, root: Path) -> str:
+    try:
+        return path.resolve().relative_to(root.resolve()).as_posix()
+    except ValueError:
+        return path.as_posix()
+
+
+def _as_object_list(value: JsonValue | None) -> list[JsonObject]:
+    if not isinstance(value, list):
+        return []
+    return [item for item in value if isinstance(item, dict)]
+
+
+def _as_string_list(value: JsonValue | None) -> list[str]:
+    if not isinstance(value, list):
+        return []
+    return [item for item in value if isinstance(item, str)]
+
+
+def _string_field(payload: JsonObject, key: str) -> str:
+    value = payload.get(key)
+    return value if isinstance(value, str) else ""
+
+
+def _artifact_ref(*, kind: str, path: str, sha256: str = "", extras: JsonObject | None = None) -> JsonObject:
+    artifact: JsonObject = {
+        "kind": kind,
+        "path": path,
+        "sha256": sha256,
+    }
+    if extras:
+        artifact.update(extras)
+    return artifact
+
+
+def _trace_reference(root: Path, trace_ids: list[str]) -> JsonObject | None:
+    trace_path = root / ".omg" / "tracebank" / "events.jsonl"
+    if not trace_path.exists():
+        return None
+
+    requested = sorted({trace_id for trace_id in trace_ids if trace_id})
+    matched: list[str] = []
+    matched_count = 0
+    try:
+        for line in trace_path.read_text(encoding="utf-8").splitlines():
+            line = line.strip()
+            if not line:
+                continue
+            try:
+                row: object = json.loads(line)  # pyright: ignore[reportAny]
+            except json.JSONDecodeError:
+                continue
+            if not isinstance(row, dict):
+                continue
+            row_payload = cast(JsonObject, row)
+            trace_id = _string_field(row_payload, "trace_id")
+            if trace_id in requested:
+                matched_count += 1
+                if trace_id not in matched:
+                    matched.append(trace_id)
+    except OSError:
+        return None
+
+    return _artifact_ref(
+        kind="trace_events",
+        path=".omg/tracebank/events.jsonl",
+        sha256=_hash_path(trace_path),
+        extras=cast(JsonObject, {"trace_ids": sorted(matched), "event_count": matched_count}),
+    )
+
+
+def _find_lineage_path(root: Path, lineage_id: str) -> str:
+    if not lineage_id:
+        return ""
+    lineage_dir = root / ".omg" / "lineage"
+    if not lineage_dir.exists():
+        return ""
+
+    for path in sorted(lineage_dir.glob("*.json")):
+        payload = _load_json(path)
+        if payload is None:
+            continue
+        if _string_field(payload, "lineage_id") == lineage_id:
+            return _rel(path, root)
+    return ""
+
+
+def _security_artifacts(root: Path, scans: JsonValue | None) -> list[JsonObject]:
+    artifacts: list[JsonObject] = []
+    for item in _as_object_list(scans):
+        path = _string_field(item, "path").strip()
+        if not path:
+            continue
+        artifacts.append(
+            _artifact_ref(
+                kind="security_evidence",
+                path=path,
+                sha256=_hash_path(root / path),
+                extras={"schema": _string_field(item, "schema")},
+            )
+        )
+    return artifacts
+
+
+def _browser_artifacts(root: Path, records: JsonValue | None) -> list[JsonObject]:
+    artifacts: list[JsonObject] = []
+    for item in _as_object_list(records):
+        if _string_field(item, "kind") != "browser_trace":
+            continue
+        path = _string_field(item, "path").strip()
+        if not path:
+            continue
+        artifacts.append(
+            _artifact_ref(
+                kind="browser_trace",
+                path=path,
+                sha256=_hash_path(root / path),
+                extras={"trace_id": _string_field(item, "trace_id")},
+            )
+        )
+    return artifacts
+
+
+def _incident_artifacts(root: Path, records: JsonValue | None) -> list[JsonObject]:
+    artifacts: list[JsonObject] = []
+    for item in _as_object_list(records):
+        kind = _string_field(item, "kind")
+        if "incident" not in kind:
+            continue
+        path = _string_field(item, "path").strip()
+        if not path:
+            continue
+        artifacts.append(
+            _artifact_ref(
+                kind=kind,
+                path=path,
+                sha256=_hash_path(root / path),
+                extras={"trace_id": _string_field(item, "trace_id")},
+            )
+        )
+    return artifacts
+
+
+def _dedupe_artifacts(artifacts: list[JsonObject]) -> list[JsonObject]:
+    seen: set[tuple[str, str, str]] = set()
+    deduped: list[JsonObject] = []
+    sorted_items = sorted(artifacts, key=lambda item: (_string_field(item, "kind"), _string_field(item, "path")))
+    for artifact in sorted_items:
+        key = (
+            _string_field(artifact, "kind"),
+            _string_field(artifact, "path"),
+            _string_field(artifact, "sha256"),
+        )
+        if key in seen:
+            continue
+        seen.add(key)
+        deduped.append(artifact)
+    return deduped
+
+
+def build_repro_pack(project_dir: str, run_id: str) -> dict[str, str]:
+    root = Path(project_dir)
+    evidence_pack = get_evidence_pack(project_dir, run_id)
+    if evidence_pack is None:
+        return {
+            "status": "error",
+            "run_id": run_id,
+            "reason": "evidence_pack_not_found",
+        }
+
+    evidence_pack_path = f".omg/evidence/{run_id}.json"
+    artifacts: list[JsonObject] = [
+        _artifact_ref(kind="evidence_pack", path=evidence_pack_path, sha256=_hash_path(root / evidence_pack_path))
+    ]
+
+    trace_ids = sorted(set(_as_string_list(evidence_pack.get("trace_ids"))))
+    trace_file = root / ".omg" / "tracebank" / "events.jsonl"
+    for trace_id in trace_ids:
+        if get_trace(project_dir, trace_id) is None:
+            continue
+        artifacts.append(
+            _artifact_ref(
+                kind="trace",
+                path=".omg/tracebank/events.jsonl",
+                sha256=_hash_path(trace_file),
+                extras={"trace_id": trace_id},
+            )
+        )
+    trace_reference = _trace_reference(root, trace_ids)
+    if trace_reference is not None:
+        artifacts.append(trace_reference)
+
+    eval_path = root / ".omg" / "evals" / "latest.json"
+    if get_eval(project_dir) is not None and eval_path.exists():
+        artifacts.append(_artifact_ref(kind="eval", path=".omg/evals/latest.json", sha256=_hash_path(eval_path)))
+
+    lineage_payload = evidence_pack.get("lineage")
+    lineage_id = ""
+    if isinstance(lineage_payload, dict):
+        lineage_payload_obj = cast(JsonObject, lineage_payload)
+        lineage_id = _string_field(lineage_payload_obj, "lineage_id")
+    if lineage_id and get_lineage(project_dir, lineage_id) is not None:
+        lineage_path = _find_lineage_path(root, lineage_id)
+        if lineage_path:
+            artifacts.append(
+                _artifact_ref(
+                    kind="lineage",
+                    path=lineage_path,
+                    sha256=_hash_path(root / lineage_path),
+                    extras={"lineage_id": lineage_id},
+                )
+            )
+
+    artifacts.extend(_security_artifacts(root, evidence_pack.get("security_scans")))
+    artifacts.extend(_browser_artifacts(root, evidence_pack.get("artifacts")))
+    artifacts.extend(_incident_artifacts(root, evidence_pack.get("artifacts")))
+
+    verification_path = root / ".omg" / "state" / "background-verification.json"
+    if get_verification_state(project_dir) is not None and verification_path.exists():
+        artifacts.append(
+            _artifact_ref(
+                kind="verification_state",
+                path=".omg/state/background-verification.json",
+                sha256=_hash_path(verification_path),
+            )
+        )
+
+    unresolved_risks = _as_string_list(evidence_pack.get("unresolved_risks"))
+    manifest: dict[str, object] = {
+        "schema": "ReproPack",
+        "schema_version": 1,
+        "run_id": run_id,
+        "evidence_pack_path": evidence_pack_path,
+        "artifacts": _dedupe_artifacts(artifacts),
+        "unresolved_risks": unresolved_risks,
+        "assembled_at": _now(),
+    }
+
+    out_path = root / ".omg" / "evidence" / f"repro-pack-{run_id}.json"
+    out_path.parent.mkdir(parents=True, exist_ok=True)
+    _ = out_path.write_text(json.dumps(manifest, indent=2, ensure_ascii=True) + "\n", encoding="utf-8")
+    return {
+        "status": "ok",
+        "run_id": run_id,
+        "path": _rel(out_path, root),
+    }

package/build/lib/runtime/runtime_profile.py

@@ -2,31 +2,93 @@
 from __future__ import annotations
 
 from pathlib import Path
-from typing import Any
+from typing import TypedDict, cast
 
 import yaml
 
+from .adoption import CANONICAL_MODE_NAMES
 
-PROFILE_PRESETS: dict[str, dict[str, Any]] = {
+
+class RuntimeProfile(TypedDict):
+    profile: str
+    max_workers: int
+    background_polling: bool
+
+
+class CanonicalModeProfile(TypedDict):
+    concurrency: int
+    background_verification: bool
+    context_window: str
+    noise_level: str
+
+
+PROFILE_PRESETS: dict[str, RuntimeProfile] = {
     "eco": {"profile": "eco", "max_workers": 2, "background_polling": False},
     "balanced": {"profile": "balanced", "max_workers": 3, "background_polling": False},
     "turbo": {"profile": "turbo", "max_workers": 5, "background_polling": True},
 }
 
+RUNTIME_CONCURRENCY_PROFILE_NAMES = tuple(PROFILE_PRESETS.keys())
+RESERVED_CANONICAL_MODE_NAMES = CANONICAL_MODE_NAMES
+
+_CANONICAL_MODE_PROFILES: dict[str, CanonicalModeProfile] = {
+    "chill": {
+        "concurrency": 1,
+        "background_verification": False,
+        "context_window": "minimal",
+        "noise_level": "quiet",
+    },
+    "focused": {
+        "concurrency": 2,
+        "background_verification": False,
+        "context_window": "standard",
+        "noise_level": "normal",
+    },
+    "exploratory": {
+        "concurrency": 4,
+        "background_verification": True,
+        "context_window": "extended",
+        "noise_level": "verbose",
+    },
+}
+
+
+def load_canonical_mode_profile(mode: str) -> dict[str, object]:
+    normalized_mode = mode.strip().lower()
+    profile = _CANONICAL_MODE_PROFILES.get(normalized_mode)
+    if profile is None:
+        raise ValueError(
+            f"Unknown canonical mode: {mode!r}. Valid: chill, focused, exploratory"
+        )
+    return dict(profile)
 
-def load_runtime_profile(project_dir: str) -> dict[str, Any]:
+
+def load_runtime_profile(project_dir: str) -> RuntimeProfile:
     runtime_path = Path(project_dir) / ".omg" / "runtime.yaml"
     profile_name = "balanced"
     if runtime_path.exists():
         try:
-            payload = yaml.safe_load(runtime_path.read_text(encoding="utf-8")) or {}
+            raw_payload: object = yaml.safe_load(runtime_path.read_text(encoding="utf-8")) or {}
         except Exception:
-            payload = {}
-        if isinstance(payload, dict):
-            candidate = str(payload.get("profile", profile_name)).strip()
-            if candidate in PROFILE_PRESETS:
+            raw_payload = {}
+        if isinstance(raw_payload, dict):
+            payload_map = cast(dict[object, object], raw_payload)
+            payload: dict[str, object] = {}
+            for key, value in payload_map.items():
+                if isinstance(key, str):
+                    payload[key] = value
+            candidate_obj = payload.get("profile", profile_name)
+            candidate = candidate_obj.strip() if isinstance(candidate_obj, str) else profile_name
+            if candidate in RUNTIME_CONCURRENCY_PROFILE_NAMES:
                 profile_name = candidate
-    return dict(PROFILE_PRESETS[profile_name])
+
+    preset = PROFILE_PRESETS[profile_name]
+    result: RuntimeProfile = {
+        "profile": preset["profile"],
+        "max_workers": preset["max_workers"],
+        "background_polling": preset["background_polling"],
+    }
+    return result
 
 
 def resolve_parallel_workers(project_dir: str, *, requested_workers: int) -> int:
@@ -43,19 +105,29 @@ def _load_cli_parallel_cap(project_dir: str) -> int | None:
     if not config_path.exists():
         return None
     try:
-        payload = yaml.safe_load(config_path.read_text(encoding="utf-8")) or {}
+        raw_payload: object = yaml.safe_load(config_path.read_text(encoding="utf-8")) or {}
     except Exception:
         return None
-    if not isinstance(payload, dict):
+    if not isinstance(raw_payload, dict):
         return None
-    cli_configs = payload.get("cli_configs", {})
-    if not isinstance(cli_configs, dict):
+
+    payload_map = cast(dict[object, object], raw_payload)
+    payload: dict[str, object] = {}
+    for key, value in payload_map.items():
+        if isinstance(key, str):
+            payload[key] = value
+
+    cli_configs_obj = payload.get("cli_configs")
+    if not isinstance(cli_configs_obj, dict):
         return None
-    caps = []
+
+    cli_configs = cast(dict[object, object], cli_configs_obj)
+    caps: list[int] = []
     for config in cli_configs.values():
         if not isinstance(config, dict):
             continue
-        value = config.get("max_parallel_agents")
+        config_map = cast(dict[object, object], config)
+        value = config_map.get("max_parallel_agents")
         if isinstance(value, int) and value > 0:
             caps.append(value)
     return min(caps) if caps else None

package/build/lib/runtime/security_check.py

@@ -8,6 +8,7 @@ from hashlib import sha256
 import json
 from pathlib import Path
 import re
+import shutil
 import subprocess
 from typing import Any
 
@@ -128,6 +129,8 @@ def run_security_check(
             "severity": finding.get("severity"),
             "exploitability": finding.get("exploitability", "unknown"),
             "reachability": finding.get("reachability", "unknown"),
+            "kev_listed": finding.get("kev_listed", False),
+            "epss_score": finding.get("epss_score"),
             "waived": bool(finding.get("waived")),
             "waiver_justification": finding.get("waiver_justification", ""),
             "message": finding.get("message", ""),
@@ -267,9 +270,89 @@ def _scan_python_ast(scope_path: Path) -> list[dict[str, Any]]:
             continue
         findings.extend(_scan_python_file(py_file, source))
     findings.extend(_run_bandit_if_available(scope_path))
+    findings.extend(_scan_semgrep(scope_path))
     return findings
 
 
+def run_semgrep_scan(project_dir: str, rules: str = "auto") -> dict[str, Any]:
+    unavailable = {"status": "unavailable", "findings": [], "error": "semgrep not found"}
+    if shutil.which("semgrep") is None:
+        return unavailable
+
+    cmd = ["semgrep", "--json", "--config", rules, project_dir]
+    try:
+        proc = subprocess.run(cmd, capture_output=True, text=True, check=False, timeout=60)
+    except Exception:
+        return unavailable
+
+    if proc.returncode not in {0, 1}:
+        return unavailable
+
+    try:
+        payload = json.loads(proc.stdout or "{}")
+    except Exception:
+        return unavailable
+
+    findings: list[dict[str, Any]] = []
+    for item in payload.get("results", []):
+        extra = item.get("extra") if isinstance(item.get("extra"), dict) else {}
+        start = item.get("start") if isinstance(item.get("start"), dict) else {}
+        findings.append(
+            {
+                "severity": _normalize_semgrep_severity(str(extra.get("severity", "WARNING"))),
+                "rule": str(item.get("check_id", "semgrep")),
+                "path": str(item.get("path", "")),
+                "line": _safe_int(start.get("line", 1), default=1),
+                "message": str(extra.get("message", "Semgrep finding")),
+            }
+        )
+    return {"status": "ok", "findings": findings, "error": ""}
+
+
+def _normalize_semgrep_severity(raw: str) -> str:
+    lowered = raw.lower()
+    if lowered in {"error", "critical"}:
+        return "high"
+    if lowered in {"warning", "warn"}:
+        return "medium"
+    if lowered in {"info", "note", "low"}:
+        return "low"
+    return _normalize_severity(lowered)
+
+
+def _scan_semgrep(scope_path: Path) -> list[dict[str, Any]]:
+    result = run_semgrep_scan(str(scope_path))
+    if result.get("status") != "ok":
+        return []
+
+    findings: list[dict[str, Any]] = []
+    for item in result.get("findings", []):
+        if not isinstance(item, dict):
+            continue
+        file_path = Path(str(item.get("path", "")))
+        findings.append(
+            _finding(
+                rule_id=str(item.get("rule", "semgrep")),
+                source_name="semgrep-ce",
+                category="python_ast",
+                severity=_normalize_severity(str(item.get("severity", "medium"))),
+                path=file_path,
+                line=_safe_int(item.get("line", 1), default=1),
+                message=str(item.get("message", "Semgrep finding")),
+                recommendation="Review Semgrep finding and apply the suggested remediation.",
+                snippet="",
+            )
+        )
+    return findings
+
+
+def _safe_int(value: Any, *, default: int) -> int:
+    try:
+        return int(value)
+    except (TypeError, ValueError):
+        return default
+
+
 def _scan_secret_patterns(scope_path: Path) -> list[dict[str, Any]]:
     findings: list[dict[str, Any]] = []
     for candidate in _iter_text_candidates(scope_path):
@@ -488,9 +571,7 @@ def _run_bandit_if_available(scope_path: Path) -> list[dict[str, Any]]:
 
 
 def _command_exists(command: str) -> bool:
-    from shutil import which
-
-    return which(command) is not None
+    return shutil.which(command) is not None
 
 
 def _scan_dependency_health(scope_path: Path, include_live_enrichment: bool) -> list[dict[str, Any]]:
@@ -530,6 +611,8 @@ def _scan_dependency_health(scope_path: Path, include_live_enrichment: bool) ->
                     "severity": _normalize_severity(str(vuln.get("severity", "unknown"))),
                     "exploitability": _risk_to_exploitability(str(reachability.get("risk_level", ""))),
                     "reachability": _normalize_reachability(str(reachability.get("reachability", "unknown"))),
+                    "kev_listed": reachability.get("kev_listed", False),
+                    "epss_score": reachability.get("epss_score"),
                     "evidence": {
                         "package": package_name,
                         "version": dependency["version"],

package/build/lib/runtime/test_intent_lock.py

@@ -1,6 +1,47 @@
 from __future__ import annotations
 
+import json
+from pathlib import Path
 from typing import Any
+from uuid import uuid4
+
+
+def lock_intent(project_dir: str, intent: dict[str, Any]) -> dict[str, Any]:
+    lock_id = str(uuid4())
+    lock_dir = Path(project_dir) / ".omg" / "state" / "test-intent-lock"
+    lock_dir.mkdir(parents=True, exist_ok=True)
+
+    lock_path = lock_dir / f"{lock_id}.json"
+    payload = {"schema": "TestIntentLock", "lock_id": lock_id, "intent": intent}
+    lock_path.write_text(json.dumps(payload, indent=2, sort_keys=True), encoding="utf-8")
+
+    return {"lock_id": lock_id, "status": "locked", "path": str(lock_path)}
+
+
+def verify_intent(project_dir: str, lock_id: str, results: dict[str, Any]) -> dict[str, Any]:
+    lock_path = Path(project_dir) / ".omg" / "state" / "test-intent-lock" / f"{lock_id}.json"
+    if not lock_path.exists():
+        return {"status": "missing_lock", "lock_id": lock_id, "reasons": ["missing lock state"]}
+
+    try:
+        payload = json.loads(lock_path.read_text(encoding="utf-8"))
+    except (OSError, json.JSONDecodeError):
+        return {"status": "missing_lock", "lock_id": lock_id, "reasons": ["missing lock state"]}
+
+    intent = payload.get("intent") if isinstance(payload, dict) else {}
+    intent_tests = _normalize_string_list(intent.get("tests") if isinstance(intent, dict) else None)
+    result_tests = _normalize_string_list(results.get("tests"))
+    weakened_assertions = results.get("weakened_assertions")
+
+    reasons: list[str] = []
+    if isinstance(weakened_assertions, list) and weakened_assertions:
+        reasons.append("weakened_assertions_present")
+
+    if result_tests != intent_tests:
+        reasons.append("tests_mismatch")
+
+    status = "ok" if not reasons else "fail"
+    return {"status": status, "lock_id": lock_id, "reasons": reasons}
 
 
 def evaluate_test_delta(delta: dict[str, Any]) -> dict[str, Any]:
@@ -89,3 +130,9 @@ def _normalize_tests(value: Any) -> list[dict[str, Any]]:
             }
         )
     return tests
+
+
+def _normalize_string_list(value: Any) -> list[str]:
+    if not isinstance(value, list):
+        return []
+    return [str(item).strip() for item in value if str(item).strip()]

package/build/lib/runtime/tracebank.py

@@ -40,6 +40,7 @@ def record_trace(
     trace_type: str,
     route: str,
     status: str,
+    schema_version: int | None = None,
     plan: dict[str, Any] | None = None,
     patch: dict[str, Any] | None = None,
     verify: dict[str, Any] | None = None,
@@ -49,7 +50,7 @@ def record_trace(
 ) -> dict[str, Any]:
     trace_id = f"trace-{uuid4().hex}"
     timestamp = _now()
-    record = {
+    record: dict[str, Any] = {
         "schema": "TracebankRecord",
         "trace_id": trace_id,
         "timestamp": timestamp,
@@ -66,6 +67,10 @@ def record_trace(
         "rejections": rejections or [],
         "metadata": metadata or {},
     }
+    if schema_version is not None:
+        record["schema_version"] = schema_version
+    elif isinstance(metadata, dict) and metadata.get("schema_version") is not None:
+        record["schema_version"] = metadata.get("schema_version")
 
     path = Path(project_dir) / TRACEBANK_REL_PATH
     path.parent.mkdir(parents=True, exist_ok=True)
@@ -73,11 +78,34 @@ def record_trace(
         _ = handle.write(json.dumps(record, ensure_ascii=True) + "\n")
 
     record["path"] = TRACEBANK_REL_PATH.as_posix()
+
+    verification_status = (metadata or {}).get("verification_status")
+    if verification_status:
+        try:
+            from runtime.background_verification import publish_verification_state
+
+            publish_verification_state(
+                project_dir=project_dir,
+                run_id=trace_id,
+                status=str(verification_status),
+                blockers=(metadata or {}).get("verification_blockers", []),
+                evidence_links=(metadata or {}).get("verification_evidence_links", []),
+                progress=(metadata or {}).get("verification_progress", {}),
+            )
+        except Exception:
+            pass
+
     return record
 
 
-def link_evidence(project_dir: str, *, trace_id: str, evidence_path: str) -> dict[str, Any]:
-    link = {
+def link_evidence(
+    project_dir: str,
+    *,
+    trace_id: str,
+    evidence_path: str,
+    schema_version: int | None = None,
+) -> dict[str, Any]:
+    link: dict[str, Any] = {
         "schema": "TraceEvidenceLink",
         "trace_id": trace_id,
         "evidence_path": evidence_path,
@@ -85,6 +113,8 @@ def link_evidence(project_dir: str, *, trace_id: str, evidence_path: str) -> dic
         "executor": _executor(),
         "environment": _environment(),
     }
+    if schema_version is not None:
+        link["schema_version"] = schema_version
 
     path = Path(project_dir) / TRACEBANK_EVIDENCE_LINKS_REL_PATH
     path.parent.mkdir(parents=True, exist_ok=True)