@trac3r/oh-my-god 2.2.11

package/agents/reviewer.md

@@ -0,0 +1,83 @@
+---
+name: reviewer
+description: Code review agent — security, performance, quality, best practices, test coverage
+model: claude-opus-4-5
+tools: Read, Grep, Glob
+bundled: true
+---
+
+# Agent: Reviewer
+
+## Role
+
+Thorough code review agent. Reviews from multiple perspectives and produces actionable, specific feedback. Never says "LGTM" without evidence.
+
+## Model
+
+`slow` (claude-opus-4-5) — careful, deliberate analysis for deep code review.
+
+## Capabilities
+
+- Security review (injection, auth flaws, secret exposure, CORS, XSS, CSRF)
+- Performance analysis (N+1 queries, unnecessary re-renders, memory leaks, blocking I/O)
+- Code quality (readability, naming, complexity, duplication, dead code)
+- Best practices (error handling, input validation, logging, observability)
+- Test coverage (missing cases, brittle tests, test quality)
+- Architecture fit (does this change fit the existing system design?)
+- Dependency review (new packages, license, security advisories)
+
+## Instructions
+
+You are a code review agent. You find problems and explain how to fix them.
+
+**Core rules:**
+- NEVER write "LGTM", "Looks good", or "No issues" without specific evidence
+- NEVER modify code — read-only access only
+- ALWAYS provide file:line references for every finding
+- ALWAYS categorize findings by severity: CRITICAL, HIGH, MEDIUM, LOW, INFO
+
+**Review process:**
+1. Read the changed files completely
+2. Check security: auth, input validation, secret handling, injection vectors
+3. Check performance: database queries, loops, caching, async patterns
+4. Check quality: naming, complexity, duplication, error handling
+5. Check tests: coverage gaps, brittle assertions, missing edge cases
+6. Produce structured report
+
+**Report format:**
+```
+## Summary
+[1-2 sentences on overall quality]
+
+## Findings
+
+### CRITICAL
+- `file.ts:42` — [description] — [fix recommendation]
+
+### HIGH
+- `file.ts:87` — [description] — [fix recommendation]
+
+### MEDIUM / LOW / INFO
+- ...
+
+## Test Coverage Gaps
+- [Missing test scenarios]
+
+## Recommendations
+- [Prioritized action items]
+```
+
+**Severity guide:**
+- CRITICAL: Security vulnerability, data loss risk, production crash
+- HIGH: Logic error, missing error handling, significant performance issue
+- MEDIUM: Code quality, maintainability, minor performance
+- LOW: Style, naming, minor improvements
+- INFO: Observations, suggestions, questions
+
+## Example Prompts
+
+- "Review the new authentication middleware for security issues"
+- "Check the database query layer for N+1 problems"
+- "Review the payment processing code before we ship"
+- "What's missing from the test suite for the user service?"
+- "Review this PR diff for code quality and best practices"

package/agents/task.md

@@ -0,0 +1,71 @@
+---
+name: task
+description: General task execution agent — implement features, fix bugs, write tests
+model: claude-opus-4-5
+tools: Read, Grep, Glob, Bash, Write, Edit
+bundled: true
+---
+
+# Agent: Task
+
+## Role
+
+General-purpose task execution agent. Implements features, fixes bugs, writes tests, and follows instructions precisely. Balanced between speed and capability.
+
+## Model
+
+`default` (claude-opus-4-5) — standard capability for most implementation tasks.
+
+## Capabilities
+
+- Feature implementation across frontend and backend
+- Bug investigation and fixing
+- Test writing (unit, integration, E2E)
+- Refactoring and code cleanup
+- Documentation writing
+- Configuration changes
+- Multi-file changes with consistent style
+- Following existing patterns and conventions
+
+## Instructions
+
+You are a general task execution agent. You implement what's asked, no more, no less.
+
+**Core rules:**
+- Read existing code before writing new code — match the style and patterns
+- NEVER claim completion without running verification (tests, linter, build)
+- ALWAYS make the smallest change that solves the problem
+- ALWAYS run tests after changes to confirm nothing broke
+- If a task is ambiguous, state your interpretation before proceeding
+
+**Execution process:**
+1. Read the relevant existing code to understand context
+2. Understand what "done" looks like (what test would pass?)
+3. Make the change
+4. Run tests/linter to verify
+5. Report what changed and what evidence confirms it works
+
+**Quality gates (must pass before claiming done):**
+- [ ] Tests pass (run the test command, check exit code)
+- [ ] Linter clean (no new errors introduced)
+- [ ] Build succeeds (if applicable)
+- [ ] Original behavior preserved (no regressions)
+
+**When to escalate:**
+- Security-sensitive changes → recommend `/OMG:escalate codex`
+- Complex UI/visual work → recommend `/OMG:escalate gemini`
+- Stuck after 2 attempts → recommend `/OMG:escalate codex`
+
+**Anti-patterns to avoid:**
+- Don't add features not asked for
+- Don't refactor code unrelated to the task
+- Don't change test assertions to make tests pass
+- Don't skip verification because "it should work"
+
+## Example Prompts
+
+- "Add pagination to the users list endpoint"
+- "Fix the bug where the modal doesn't close on Escape key"
+- "Write unit tests for the `calculateDiscount` function"
+- "Refactor the auth middleware to use the new token format"
+- "Add error handling to the file upload route"

package/bin/omg

@@ -0,0 +1,41 @@
+#!/usr/bin/env node
+'use strict';
+
+const { spawnSync } = require('child_process');
+const path = require('path');
+
+const platform = process.platform;
+if (platform !== 'linux' && platform !== 'darwin') {
+  process.stderr.write(`omg: unsupported platform ${platform}. Use macOS or Linux.\n`);
+  process.exitCode = 1;
+  return;
+}
+
+function findPython() {
+  for (const cmd of ['python3', 'python']) {
+    const r = spawnSync(cmd, ['--version'], { encoding: 'utf8', shell: false });
+    if (r.status === 0) return cmd;
+  }
+  return null;
+}
+
+if (process.argv.includes('--version')) {
+  const pkg = require(path.join(__dirname, '..', 'package.json'));
+  process.stdout.write(`omg ${pkg.version}\n`);
+  process.exitCode = 0;
+} else {
+  const pythonBin = findPython();
+  if (!pythonBin) {
+    process.stderr.write(
+      'omg requires Python 3.10 or higher. Install Python and re-run.\nSee: https://python.org\n'
+    );
+    process.exitCode = 1;
+  } else {
+    const omgPath = path.join(__dirname, '..', 'scripts', 'omg.py');
+    const result = spawnSync(pythonBin, [omgPath, ...process.argv.slice(2)], {
+      shell: false,
+      stdio: 'inherit',
+    });
+    process.exitCode = result.status ?? 1;
+  }
+}

package/commands/OMG:ai-commit.md

@@ -0,0 +1,113 @@
+---
+description: "Analyze uncommitted git changes and propose logical atomic commits grouped by concern."
+allowed-tools: Read, Bash(python*:*), Grep, Glob
+argument-hint: "[optional: working directory path]"
+---
+
+# /OMG:ai-commit — AI Commit Splitter
+
+Analyze uncommitted git changes and propose logical atomic commits grouped by concern.
+
+## Usage
+
+```
+/OMG:ai-commit
+```
+
+## What It Does
+
+1. Reads hunk-level git diffs via `git_hunk()` from `tools/git_inspector.py`
+2. Groups hunks by file type/category (python, javascript, config, docs, tests, etc.)
+3. Separates test files from source code automatically
+4. Generates conventional commit messages: `{type}({scope}): {description}`
+5. Displays a human-readable preview of proposed commits
+
+## Feature Flag
+
+- **Flag name**: `OMG_AI_COMMIT_ENABLED`
+- **Default**: `False` (disabled)
+- **Enable**: `export OMG_AI_COMMIT_ENABLED=1`
+
+Or set in `settings.json`:
+
+```json
+{
+  "_omg": {
+    "features": {
+      "ai_commit": true
+    }
+  }
+}
+```
+
+## Output Example
+
+```
+============================================================
+  OMG AI Commit Splitter — Proposed Commit Plan
+============================================================
+
+  Total proposed commits: 3
+
+  Commit 1: feat(tools): update commit_splitter.py
+  ──────────────────────────────────────────────────
+    • tools/commit_splitter.py
+    (2 hunks)
+
+  Commit 2: test(tests): update 2 test files
+  ──────────────────────────────────────────────────
+    • tests/tools/test_commit_splitter.py
+    • tests/tools/test_git_inspector.py
+    (4 hunks)
+
+  Commit 3: docs(commands): update ai-commit.md
+  ──────────────────────────────────────────────────
+    • commands/ai-commit.md
+    (1 hunk)
+
+============================================================
+  NOTE: This is a preview only. No commits were made.
+============================================================
+```
+
+## Commit Type Mapping
+
+| Category   | Default Type | Description              |
+|------------|-------------|--------------------------|
+| python     | `feat`      | Python source files      |
+| javascript | `feat`      | JS/TS source files       |
+| tests      | `test`      | Test files (any language) |
+| docs       | `docs`      | Documentation files      |
+| config     | `chore`     | Configuration files      |
+| shell      | `chore`     | Shell scripts            |
+| styles     | `style`     | CSS/SCSS/LESS files      |
+| markup     | `feat`      | HTML/XML/SVG files       |
+| other      | `chore`     | Unclassified files       |
+
+## CLI Usage
+
+```bash
+# Preview commit plan from terminal
+python3 tools/commit_splitter.py --dry-run
+```
+
+## Safety
+
+- **Read-only**: Never executes `git commit` or modifies the working tree
+- **Feature-gated**: Returns empty results when disabled
+- **Non-destructive**: Safe to run at any time
+
+## API
+
+```python
+from tools.commit_splitter import analyze_changes, generate_commit_plan, preview_commit_plan
+
+# Get grouped hunks
+groups = analyze_changes(cwd=".")
+
+# Get full commit plan with messages
+plan = generate_commit_plan(cwd=".")
+
+# Get human-readable preview string
+preview = preview_commit_plan(cwd=".")
+```

package/commands/OMG:api-twin.md

@@ -0,0 +1,22 @@
+---
+description: "Contract replay and fixture-based API simulation with fidelity tracking and live verification requirements."
+allowed-tools: Read, Write, Edit, MultiEdit, Grep, Glob, Bash(python3:*), Bash(rg:*)
+argument-hint: "[ingest|record|serve|verify]"
+---
+
+# /OMG:api-twin — Contract Replay
+
+Build a local API twin from contracts and recorded fixtures without treating simulation as final proof.
+
+## Verbs
+
+- `ingest`: load OpenAPI, Swagger, Postman, or example JSON into OMG state
+- `record`: store approved request/response fixtures and tag fidelity
+- `serve`: replay a fixture locally with optional latency, failure, or schema drift
+- `verify`: compare a twin fixture against a live response before release proof
+
+## Rules
+
+- every fixture carries a fidelity tag such as `schema-only`, `recorded`, `recorded-validated`, or `stale`
+- simulated endpoints are useful for development, not release signoff
+- release proof still requires a final live verification pass

package/commands/OMG:arch.md

@@ -0,0 +1,313 @@
+---
+description: "Codebase visualization — dependency graphs and architecture diagrams."
+allowed-tools: Read, Bash(python*:*), Grep
+argument-hint: "[render|module-name|stats|--native]"
+---
+
+# /OMG:arch — Architecture Visualization
+
+Visualize project dependency graphs as Mermaid diagrams, render to PNG, zoom into specific modules, and inspect graph statistics.
+
+## Usage
+
+```
+/OMG:arch
+/OMG:arch render
+/OMG:arch <module-name>
+/OMG:arch stats
+/OMG:arch --native
+```
+
+## Sub-Commands
+
+### `/OMG:arch` (default)
+
+Full project dependency graph as Mermaid text output, embeddable in Markdown.
+
+Scans all Python (.py), JavaScript/TypeScript (.js/.jsx/.ts/.tsx), and Go (.go) files. Python files are parsed via AST; JS/TS/Go files use regex-based import detection (~70% accuracy).
+
+```python
+from plugins.viz.graph_builder import build_project_graph
+from plugins.viz.diagram_generator import generate_mermaid
+
+result = build_project_graph(".")
+graph = result.get("graph", {})
+
+mermaid_text = generate_mermaid(graph)
+if mermaid_text:
+    print("```mermaid")
+    print(mermaid_text)
+    print("```")
+else:
+    print("No dependencies detected.")
+```
+
+### `/OMG:arch render`
+
+Render the dependency graph to a PNG image via the mermaid.ink public API. Saves output to `.omg/state/arch-diagram.png`.
+
+Requires network access to `https://mermaid.ink`.
+
+```python
+import os
+from plugins.viz.graph_builder import build_project_graph
+from plugins.viz.diagram_generator import generate_mermaid, render_to_png
+
+result = build_project_graph(".")
+graph = result.get("graph", {})
+mermaid_text = generate_mermaid(graph)
+
+output_path = os.path.join(".omg", "state", "arch-diagram.png")
+os.makedirs(os.path.dirname(output_path), exist_ok=True)
+
+if render_to_png(mermaid_text, output_path):
+    print(f"Diagram rendered to {output_path}")
+else:
+    print("Render failed — check network access or graph size.")
+```
+
+### `/OMG:arch <module-name>`
+
+Zoomed subgraph for a specific module. Shows only the named module and its direct dependencies.
+
+Replace `<module-name>` with the dotted module path (e.g. `plugins.viz.graph_builder`).
+
+```python
+from plugins.viz.graph_builder import build_project_graph
+from plugins.viz.diagram_generator import generate_mermaid
+
+result = build_project_graph(".")
+graph = result.get("graph", {})
+
+# Zoom into a specific module
+module_name = "<module-name>"  # e.g. "plugins.viz.graph_builder"
+mermaid_text = generate_mermaid(graph, zoom=module_name)
+
+if mermaid_text:
+    print(f"Dependencies for: {module_name}")
+    print()
+    print("```mermaid")
+    print(mermaid_text)
+    print("```")
+else:
+    print(f"Module '{module_name}' not found in dependency graph.")
+    print()
+    print("Available modules:")
+    for mod in sorted(graph.keys()):
+        print(f"  - {mod}")
+```
+
+### `/OMG:arch stats`
+
+Graph statistics: module count, edge count, max depth, circular dependencies, and coupling score.
+
+```python
+from plugins.viz.graph_builder import build_project_graph
+
+result = build_project_graph(".")
+metrics = result.get("metrics", {})
+
+module_count = metrics.get("module_count", 0)
+edge_count = metrics.get("edge_count", 0)
+max_depth = metrics.get("max_depth", 0)
+circular_deps = metrics.get("circular_deps", [])
+coupling_score = metrics.get("coupling_score", 0.0)
+
+print(f"Modules:        {module_count}")
+print(f"Edges:          {edge_count}")
+print(f"Max depth:      {max_depth}")
+print(f"Circular deps:  {len(circular_deps)}")
+print(f"Coupling score: {coupling_score:.2f}")
+
+if circular_deps:
+    print()
+    print("Circular dependency cycles:")
+    for cycle in circular_deps:
+        print(f"  {' → '.join(cycle)}")
+```
+
+### `/OMG:arch --native`
+
+Use native language toolchains for higher-accuracy dependency parsing (~95% vs ~70% with regex).
+
+Supported toolchains:
+- **Go**: `go list -json ./...` — requires `go` on PATH
+- **TypeScript**: `tsc --listFiles --noEmit` — requires `tsc` on PATH
+- **Rust**: `cargo metadata --format-version=1 --no-deps` — requires `cargo` on PATH
+
+Falls back to regex parsing when a toolchain is not available.
+
+```python
+from plugins.viz.native_parsers import (
+    is_toolchain_available,
+    parse_go_native,
+    parse_typescript_native,
+    parse_rust_native,
+)
+from plugins.viz.graph_builder import build_project_graph
+from plugins.viz.diagram_generator import generate_mermaid
+
+# Check available toolchains
+toolchains = {
+    "go": is_toolchain_available("go"),
+    "tsc": is_toolchain_available("tsc"),
+    "cargo": is_toolchain_available("cargo"),
+}
+
+print("Toolchain availability:")
+for tc, available in toolchains.items():
+    status = "available" if available else "not found"
+    print(f"  {tc}: {status}")
+print()
+
+# Parse with native toolchains where available
+native_graphs = {}
+if toolchains["go"]:
+    go_result = parse_go_native(".")
+    if "error" not in go_result:
+        native_graphs.update(go_result["graph"])
+        print(f"Go: {len(go_result['graph'])} packages (native-95% accuracy)")
+
+if toolchains["tsc"]:
+    ts_result = parse_typescript_native(".")
+    if "error" not in ts_result:
+        native_graphs.update(ts_result["graph"])
+        print(f"TypeScript: {len(ts_result['graph'])} modules (native-95% accuracy)")
+
+if toolchains["cargo"]:
+    rust_result = parse_rust_native(".")
+    if "error" not in rust_result:
+        native_graphs.update(rust_result["graph"])
+        print(f"Rust: {len(rust_result['graph'])} crates (native-95% accuracy)")
+
+# Fall back to regex-based graph for remaining files
+result = build_project_graph(".")
+graph = result.get("graph", {})
+
+# Merge: native results override regex results
+merged = {**graph, **native_graphs}
+
+mermaid_text = generate_mermaid(merged)
+if mermaid_text:
+    print()
+    print("```mermaid")
+    print(mermaid_text)
+    print("```")
+```
+
+## Feature Flag
+
+- **Flag name**: `OMG_CODEBASE_VIZ_ENABLED`
+- **Default**: `False` (disabled)
+- **Enable**: `export OMG_CODEBASE_VIZ_ENABLED=1`
+
+Or set in `settings.json`:
+
+```json
+{
+  "_omg": {
+    "features": {
+      "CODEBASE_VIZ": true
+    }
+  }
+}
+```
+
+## Output Example
+
+### `/OMG:arch` output
+
+````
+```mermaid
+graph TD
+    hooks_budget_governor["hooks.budget_governor"]
+    hooks__common["hooks._common"]
+    hooks__cost_ledger["hooks._cost_ledger"]
+    plugins_viz_graph_builder["plugins.viz.graph_builder"]
+    plugins_viz_ast_parser["plugins.viz.ast_parser"]
+    plugins_viz_regex_parser["plugins.viz.regex_parser"]
+    hooks_budget_governor --> hooks__common
+    hooks_budget_governor --> hooks__cost_ledger
+    plugins_viz_graph_builder --> plugins_viz_ast_parser
+    plugins_viz_graph_builder --> plugins_viz_regex_parser
+```
+````
+
+### `/OMG:arch stats` output
+
+```
+============================================================
+  OMG Architecture — Graph Statistics
+============================================================
+
+  Modules:        42
+  Edges:          87
+  Max depth:      6
+  Circular deps:  1
+  Coupling score: 2.07
+
+  Circular dependency cycles:
+    hooks._common → hooks.query → hooks._common
+
+============================================================
+```
+
+### `/OMG:arch --native` accuracy comparison
+
+| Method | Accuracy | Requires |
+|--------|----------|----------|
+| Regex (default) | ~70% | No external tools |
+| Native toolchain | ~95% | `go`, `tsc`, or `cargo` on PATH |
+
+## Supported Languages
+
+| Language | Extensions | Default Parser | Native Parser |
+|----------|-----------|----------------|---------------|
+| Python | `.py` | AST (`ast` stdlib) | — |
+| JavaScript/TypeScript | `.js`, `.jsx`, `.ts`, `.tsx`, `.mjs`, `.cjs` | Regex | `tsc --listFiles` |
+| Go | `.go` | Regex | `go list -json` |
+| Rust | `.rs` (via Cargo) | — | `cargo metadata` |
+
+## Safety
+
+- **Read-only**: All sub-commands only read source files and query external APIs (mermaid.ink for PNG render)
+- **Feature-gated**: Requires `CODEBASE_VIZ` flag enabled
+- **No mutations**: Never modifies source code, dependencies, or project configuration
+- **Crash-isolated**: All operations return empty/false on failure (never raise to caller)
+- **Cache**: Graph cached to `.omg/state/dependency-graph.json` with mtime-based incremental updates
+- **Network**: `/arch render` requires internet access for mermaid.ink API
+- **Subprocess safety**: Native parsers use argv lists (never `shell=True`) with 30s timeout
+
+## API
+
+```python
+from plugins.viz.graph_builder import build_project_graph
+from plugins.viz.diagram_generator import generate_mermaid, generate_d2, render_to_png
+from plugins.viz.native_parsers import (
+    parse_go_native,
+    parse_typescript_native,
+    parse_rust_native,
+    is_toolchain_available,
+)
+
+# Build full dependency graph (regex + AST)
+result = build_project_graph(".")
+# result = {"graph": {...}, "metrics": {...}}
+
+# Generate Mermaid diagram text
+mermaid_text = generate_mermaid(result["graph"])
+
+# Generate Mermaid for a single module (zoomed)
+zoomed = generate_mermaid(result["graph"], zoom="plugins.viz.graph_builder")
+
+# Generate D2 diagram text
+d2_text = generate_d2(result["graph"])
+
+# Render Mermaid to PNG via mermaid.ink
+success = render_to_png(mermaid_text, ".omg/state/arch-diagram.png")
+
+# Native toolchain parsing (higher accuracy)
+go_deps = parse_go_native(".")
+ts_deps = parse_typescript_native(".")
+rs_deps = parse_rust_native(".")
+```

package/commands/OMG:browser.md

@@ -0,0 +1,29 @@
+---
+description: "Canonical OMG browser automation and verification surface powered by upstream playwright-cli."
+allowed-tools: Read, Write, Edit, Bash(python3:*), Bash(node:*), Bash(npx:*), Bash(playwright:*), Bash(which:*), Bash(ls:*), Bash(cat:*), Grep, Glob
+argument-hint: "<goal or browser task>"
+---
+
+# /OMG:browser
+
+Use this as the canonical OMG browser surface for automation, visual verification, and trace-backed browser evidence.
+
+## Contract
+
+- `/OMG:browser` is the public OMG command.
+- Execution is powered by upstream `playwright-cli`.
+- OMG owns the command contract, remediation messages, and `.omg/evidence/` artifact normalization.
+- This is not a new OMG MCP server.
+
+## Typical Flow
+
+1. Verify `playwright-cli` is installed.
+2. Verify browser assets are available.
+3. Run the requested browser workflow.
+4. Emit normalized screenshots, traces, and browser evidence under `.omg/evidence/`.
+
+## Notes
+
+- Claude users invoke this command directly.
+- Codex, Gemini, and Kimi consume the same capability through OMG-managed setup, runtime, and proof flows.
+- Use `/OMG:playwright` only as a compatibility alias when needed.

package/commands/OMG:ccg.md

@@ -0,0 +1,22 @@
+---
+description: OMG CCG mode (tri-track synthesis) in standalone mode.
+allowed-tools: Read, Grep, Glob, Bash(python3:*), Bash(git:*), Bash(rg:*), Bash(find:*), Bash(cat:*)
+argument-hint: "problem statement"
+---
+
+# /OMG:ccg — Standalone CCG
+
+Runs OMG internal tri-track routing and returns merged actions.
+
+CCG execution standard:
+- launch backend/frontend/architecture analysis in parallel sub-agents
+- collect all tracks with `background_output`
+- run `sequential-thinking` to merge tracks into one execution order
+
+```bash
+OMG_CLI="${OMG_CLI_PATH:-$HOME/.claude/omg-runtime/scripts/omg.py}"
+if [ ! -f "$OMG_CLI" ] && [ -f "scripts/omg.py" ]; then OMG_CLI="scripts/omg.py"; fi
+python3 "$OMG_CLI" ccg --problem "[problem]"
+```
+
+Use this when backend+frontend+architecture are coupled.