oh-my-codex 0.15.2 → 0.16.0

package/plugins/oh-my-codex/skills/ask-gemini/SKILL.md

@@ -1,61 +0,0 @@
----
-name: ask-gemini
-description: Ask Gemini via local CLI and capture a reusable artifact
----
-
-# Ask Gemini (Local CLI)
-
-Use the locally installed Gemini CLI as a direct external advisor for brainstorming, design feedback, and second opinions.
-
-## Usage
-
-```bash
-/ask-gemini <question or task>
-```
-
-## Routing
-
-### Preferred: Local CLI execution
-Run Gemini through the canonical OMX CLI command path (no MCP routing):
-
-```bash
-omx ask gemini "{{ARGUMENTS}}"
-```
-
-Exact non-interactive Gemini CLI command from `gemini --help`:
-
-```bash
-gemini -p "{{ARGUMENTS}}"
-# equivalent: gemini --prompt "{{ARGUMENTS}}"
-```
-
-If needed, adapt to the user's installed Gemini CLI variant while keeping local execution as the default path.
-
-Legacy compatibility entrypoints (`./scripts/ask-gemini.sh`, `npm run ask:gemini -- ...`) are transitional wrappers.
-
-### Missing binary behavior
-If `gemini` is not found, do **not** switch to MCP.
-Instead:
-1. Explain that local Gemini CLI is required for this skill.
-2. Ask the user to install/configure Gemini CLI.
-3. Provide a quick verification command:
-
-```bash
-gemini --version
-```
-
-## Artifact requirement
-After local execution, save a markdown artifact to:
-
-```text
-.omx/artifacts/gemini-<slug>-<timestamp>.md
-```
-
-Minimum artifact sections:
-1. Original user task
-2. Final prompt sent to Gemini CLI
-3. Gemini output (raw)
-4. Concise summary
-5. Action items / next steps
-
-Task: {{ARGUMENTS}}

package/plugins/oh-my-codex/skills/help/SKILL.md

@@ -1,202 +0,0 @@
----
-name: help
-description: Guide on using oh-my-codex plugin
----
-
-# How OMX Works
-
-Plain English works as best-effort guidance — OMX inspects each prompt and may add advisory routing context to steer the model toward a suitable lane. This is **advisory prompt-routing context**: it does not activate a skill or workflow by itself. Explicit keywords remain the deterministic control surface when you want exact, guaranteed routing.
-
-**Triage lanes** (when no keyword matches): complex/multi-step prompts may receive HEAVY guidance (autopilot-shaped); repo-local read-only lookups receive LIGHT/explore guidance; implementation work receives LIGHT/executor guidance; UI work receives LIGHT/designer guidance; external official-doc/reference/source-backed lookup receives LIGHT/researcher guidance; simple conversational prompts receive no injection (PASS). To opt out per prompt, include a phrase such as `no workflow`, `just chat`, or `plain answer`.
-
-## What Happens Automatically
-
-| When You... | I Automatically... |
-|-------------|-------------------|
-| Give me a complex task | Parallelize and delegate to specialist agents |
-| Ask me to plan something | Start a planning interview |
-| Need something done completely | Persist until verified complete |
-| Work on UI/frontend | Activate design sensibility |
-| Say "stop" or "cancel" | Intelligently stop current operation |
-
-## Magic Keywords (Optional Shortcuts)
-
-You can include these words naturally in your request for explicit control:
-
-| Keyword | Effect | Example |
-|---------|--------|---------|
-| **ralph** | Persistence mode | "ralph: fix all the bugs" |
-| **ralplan** | Iterative planning | "ralplan this feature" |
-| **ulw** | Max parallelism | "ulw refactor the API" |
-| **plan** | Planning interview | "plan the new endpoints" |
-
-**ralph includes ultrawork:** When you activate ralph mode, it automatically includes ultrawork's parallel execution. No need to combine keywords.
-
-## Stopping Things
-
-Just say:
-- "stop"
-- "cancel"
-- "abort"
-
-I'll figure out what to stop based on context.
-
-## First Time Setup
-
-If you haven't configured OMX yet:
-
-```
-/omx-setup
-```
-
-This is the primary setup command for full OMX runtime wiring. Codex plugin install/discovery can expose packaged skills/workflows plus plugin-scoped companion metadata for MCP servers and apps, while native/runtime hooks remain setup-owned; it is not a replacement for `npm install -g oh-my-codex` plus `omx setup`. Legacy setup mode installs native agents/prompts; plugin setup mode archives stale legacy prompt/native-agent files and keeps config/hooks/optional AGENTS.md/HUD/runtime wiring current, including native `.codex/hooks.json` coverage. Plugin caches may appear under `${CODEX_HOME:-~/.codex}/plugins/cache/$MARKETPLACE_NAME/oh-my-codex/$VERSION/` (or `local` for local installs).
-
-If you only need lightweight directory guidance scaffolding for `AGENTS.md` files, use:
-
-```bash
-omx agents-init .
-```
-
-That command is intentionally narrower than full setup: it only bootstraps `AGENTS.md` files for the target directory and its immediate child directories.
-
-## For 2.x Users
-
-Your old commands still work! `/ralph`, `/ultrawork`, `/plan`, etc. all function exactly as before.
-
-But now you don't NEED them - everything is automatic.
-
----
-
-## Usage Analysis
-
-Analyze your oh-my-codex usage and get tailored recommendations to improve your workflow.
-
-> Note: This replaces the former `/learn-about-omc` skill.
-
-### What It Does
-
-1. Reads token tracking from `~/.omx/state/token-tracking.jsonl`
-2. Reads session history from `.omx/state/session-history.json`
-3. Analyzes agent usage patterns
-4. Identifies underutilized features
-5. Recommends configuration changes
-
-### Step 1: Gather Data
-
-```bash
-# Check for token tracking data
-TOKEN_FILE="$HOME/.omx/state/token-tracking.jsonl"
-SESSION_FILE=".omx/state/session-history.json"
-CONFIG_FILE="$HOME/.codex/.omx-config.json"
-
-echo "Analyzing OMX Usage..."
-echo ""
-
-# Check what data is available
-HAS_TOKENS=false
-HAS_SESSIONS=false
-HAS_CONFIG=false
-
-if [[ -f "$TOKEN_FILE" ]]; then
-  HAS_TOKENS=true
-  TOKEN_COUNT=$(wc -l < "$TOKEN_FILE")
-  echo "Token records found: $TOKEN_COUNT"
-fi
-
-if [[ -f "$SESSION_FILE" ]]; then
-  HAS_SESSIONS=true
-  SESSION_COUNT=$(cat "$SESSION_FILE" | jq '.sessions | length' 2>/dev/null || echo "0")
-  echo "Sessions found: $SESSION_COUNT"
-fi
-
-if [[ -f "$CONFIG_FILE" ]]; then
-  HAS_CONFIG=true
-  DEFAULT_MODE=$(cat "$CONFIG_FILE" | jq -r '.defaultExecutionMode // "not set"')
-  echo "Default execution mode: $DEFAULT_MODE"
-fi
-```
-
-### Step 2: Analyze Agent Usage (if token data exists)
-
-```bash
-if [[ "$HAS_TOKENS" == "true" ]]; then
-  echo ""
-  echo "TOP AGENTS BY USAGE:"
-  cat "$TOKEN_FILE" | jq -r '.agentName // "main"' | sort | uniq -c | sort -rn | head -10
-
-  echo ""
-  echo "MODEL DISTRIBUTION:"
-  cat "$TOKEN_FILE" | jq -r '.modelName' | sort | uniq -c | sort -rn
-fi
-```
-
-### Step 3: Generate Recommendations
-
-Based on patterns found, output recommendations:
-
-**If high Opus usage (>40%) and no ecomode:**
-- "Consider using ecomode for routine tasks to save tokens"
-
-**If no team usage:**
-- "Try /team for coordinated review workflows"
-
-**If no security-reviewer usage:**
-- "Use security-reviewer after auth/API changes"
-
-**If defaultExecutionMode not set:**
-- "Set defaultExecutionMode in /omx-setup for consistent behavior"
-
-### Step 4: Output Report
-
-Format a summary with:
-- Token summary (total, by model)
-- Top agents used
-- Underutilized features
-- Personalized recommendations
-
-### Example Output
-
-```
-📊 Your OMX Usage Analysis
-
-TOKEN SUMMARY:
-- Total records: 1,234
-- By Reasoning Effort: high 45%, medium 40%, low 15%
-
-TOP AGENTS:
-1. executor (234 uses)
-2. architect (89 uses)
-3. explore (67 uses)
-
-UNDERUTILIZED FEATURES:
-- ecomode: 0 uses (could save ~30% on routine tasks)
-- team: 0 uses (great for coordinated workflows)
-
-RECOMMENDATIONS:
-1. Set defaultExecutionMode: "ecomode" to save tokens
-2. Try /team for PR review workflows
-3. Use explore agent before architect to save context
-```
-
-### Graceful Degradation
-
-If no data found:
-
-```
-📊 Limited Usage Data Available
-
-No token tracking found. To enable tracking:
-1. Ensure ~/.omx/state/ directory exists
-2. Run any OMX command to start tracking
-
-Tip: Run /omx-setup to configure OMX properly.
-```
-
-## Need More Help?
-
-- **README**: https://github.com/Yeachan-Heo/oh-my-codex
-- **Issues**: https://github.com/Yeachan-Heo/oh-my-codex/issues
-
----
-
-*Version: 4.2.3*

package/plugins/oh-my-codex/skills/note/SKILL.md

@@ -1,62 +0,0 @@
----
-name: note
-description: Save notes to notepad.md for compaction resilience
----
-
-# Note Skill
-
-Save important context to `.omx/notepad.md` that survives conversation compaction.
-
-## Usage
-
-| Command | Action |
-|---------|--------|
-| `/note <content>` | Add to Working Memory with timestamp |
-| `/note --priority <content>` | Add to Priority Context (always loaded) |
-| `/note --manual <content>` | Add to MANUAL section (never pruned) |
-| `/note --show` | Display current notepad contents |
-| `/note --prune` | Remove entries older than 7 days |
-| `/note --clear` | Clear Working Memory (keep Priority + MANUAL) |
-
-## Sections
-
-### Priority Context (500 char limit)
-- **Always** injected on session start
-- Use for critical facts: "Project uses pnpm", "API in src/api/client.ts"
-- Keep it SHORT - this eats into your context budget
-
-### Working Memory
-- Timestamped session notes
-- Auto-pruned after 7 days
-- Good for: debugging breadcrumbs, temporary findings
-
-### MANUAL
-- Never auto-pruned
-- User-controlled permanent notes
-- Good for: team contacts, deployment info
-
-## Examples
-
-```
-/note Found auth bug in UserContext - missing useEffect dependency
-/note --priority Project uses TypeScript strict mode, all files in src/
-/note --manual Contact: api-team@company.com for backend questions
-/note --show
-/note --prune
-```
-
-## Behavior
-
-1. Creates `.omx/notepad.md` if it doesn't exist
-2. Parses the argument to determine section
-3. Appends content with timestamp (for Working Memory)
-4. Warns if Priority Context exceeds 500 chars
-5. Confirms what was saved
-
-## Integration
-
-Notepad content is automatically loaded on session start:
-- Priority Context: ALWAYS loaded
-- Working Memory: Loaded if recent entries exist
-
-This helps survive conversation compaction without losing critical context.

package/plugins/oh-my-codex/skills/security-review/SKILL.md

@@ -1,300 +0,0 @@
----
-name: security-review
-description: Run a comprehensive security review on code
----
-
-# Security Review Skill
-
-Conduct a thorough security audit checking for OWASP Top 10 vulnerabilities, hardcoded secrets, and unsafe patterns.
-
-## When to Use
-
-This skill activates when:
-- User requests "security review", "security audit"
-- After writing code that handles user input
-- After adding new API endpoints
-- After modifying authentication/authorization logic
-- Before deploying to production
-- After adding external dependencies
-
-## What It Does
-
-## GPT-5.5 Guidance Alignment
-
-- Default to outcome-first progress and completion reporting: state the target result, evidence, validation status, and stop condition before adding process detail.
-- Treat newer user task updates as local overrides for the active workflow branch while preserving earlier non-conflicting constraints.
-- If correctness depends on additional inspection, retrieval, execution, or verification, keep using the relevant tools until the security review is grounded; stop once enough evidence exists.
-- Continue through clear, low-risk, reversible next steps automatically; ask only when the next step is materially branching, destructive, credentialed, external-production, or preference-dependent.
-
-Delegates to the `security-reviewer` agent (THOROUGH tier) for deep security analysis:
-
-1. **OWASP Top 10 Scan**
-   - A01: Broken Access Control
-   - A02: Cryptographic Failures
-   - A03: Injection (SQL, NoSQL, Command, XSS)
-   - A04: Insecure Design
-   - A05: Security Misconfiguration
-   - A06: Vulnerable and Outdated Components
-   - A07: Identification and Authentication Failures
-   - A08: Software and Data Integrity Failures
-   - A09: Security Logging and Monitoring Failures
-   - A10: Server-Side Request Forgery (SSRF)
-
-2. **Secrets Detection**
-   - Hardcoded API keys
-   - Passwords in source code
-   - Private keys in repo
-   - Tokens and credentials
-   - Connection strings with secrets
-
-3. **Input Validation**
-   - All user inputs sanitized
-   - SQL/NoSQL injection prevention
-   - Command injection prevention
-   - XSS prevention (output escaping)
-   - Path traversal prevention
-
-4. **Authentication/Authorization**
-   - Proper password hashing (bcrypt, argon2)
-   - Session management security
-   - Access control enforcement
-   - JWT implementation security
-
-5. **Dependency Security**
-   - Run `npm audit` for known vulnerabilities
-   - Check for outdated dependencies
-   - Identify high-severity CVEs
-
-## Agent Delegation
-
-```
-delegate(
-  role="security-reviewer",
-  tier="THOROUGH",
-  prompt="SECURITY REVIEW TASK
-
-Conduct comprehensive security audit of codebase.
-
-Scope: [specific files or entire codebase]
-
-Security Checklist:
-1. OWASP Top 10 scan
-2. Hardcoded secrets detection
-3. Input validation review
-4. Authentication/authorization review
-5. Dependency vulnerability scan (npm audit)
-
-Output: Security review report with:
-- Summary of findings by severity (CRITICAL, HIGH, MEDIUM, LOW)
-- Specific file:line locations
-- CVE references where applicable
-- Remediation guidance for each issue
-- Overall security posture assessment"
-)
-```
-
-## External Model Consultation (Preferred)
-
-The security-reviewer agent SHOULD consult Codex for cross-validation.
-
-### Protocol
-1. **Form your OWN security analysis FIRST** - Complete the review independently
-2. **Consult for validation** - Cross-check findings with Codex
-3. **Critically evaluate** - Never blindly adopt external findings
-4. **Graceful fallback** - Never block if tools unavailable
-
-### When to Consult
-- Authentication/authorization code
-- Cryptographic implementations
-- Input validation for untrusted data
-- High-risk vulnerability patterns
-- Production deployment code
-
-### When to Skip
-- Low-risk utility code
-- Well-audited patterns
-- Time-critical security assessments
-- Code with existing security tests
-
-### Tool Usage
-Before first MCP tool use, call `ToolSearch("mcp")` to discover deferred MCP tools.
-Use `mcp__x__ask_codex` with `agent_role: "security-reviewer"`.
-If ToolSearch finds no MCP tools, fall back to the `security-reviewer` agent.
-
-**Note:** Security second opinions are high-value. Consider consulting for CRITICAL/HIGH findings.
-
-## Output Format
-
-```
-SECURITY REVIEW REPORT
-======================
-
-Scope: Entire codebase (42 files scanned)
-Scan Date: 2026-01-24T14:30:00Z
-
-CRITICAL (2)
-------------
-1. src/api/auth.ts:89 - Hardcoded API Key
-   Finding: AWS API key hardcoded in source code
-   Impact: Credential exposure if code is public or leaked
-   Remediation: Move to environment variables, rotate key immediately
-   Reference: OWASP A02:2021 – Cryptographic Failures
-
-2. src/db/query.ts:45 - SQL Injection Vulnerability
-   Finding: User input concatenated directly into SQL query
-   Impact: Attacker can execute arbitrary SQL commands
-   Remediation: Use parameterized queries or ORM
-   Reference: OWASP A03:2021 – Injection
-
-HIGH (5)
---------
-3. src/auth/password.ts:22 - Weak Password Hashing
-   Finding: Passwords hashed with MD5 (cryptographically broken)
-   Impact: Passwords can be reversed via rainbow tables
-   Remediation: Use bcrypt or argon2 with appropriate work factor
-   Reference: OWASP A02:2021 – Cryptographic Failures
-
-4. src/components/UserInput.tsx:67 - XSS Vulnerability
-   Finding: User input rendered with dangerouslySetInnerHTML
-   Impact: Cross-site scripting attack vector
-   Remediation: Sanitize HTML or use safe rendering
-   Reference: OWASP A03:2021 – Injection (XSS)
-
-5. src/api/upload.ts:34 - Path Traversal Vulnerability
-   Finding: User-controlled filename used without validation
-   Impact: Attacker can read/write arbitrary files
-   Remediation: Validate and sanitize filenames, use allowlist
-   Reference: OWASP A01:2021 – Broken Access Control
-
-...
-
-MEDIUM (8)
-----------
-...
-
-LOW (12)
---------
-...
-
-DEPENDENCY VULNERABILITIES
---------------------------
-Found 3 vulnerabilities via npm audit:
-
-CRITICAL: axios@0.21.0 - Server-Side Request Forgery (CVE-2021-3749)
-  Installed: axios@0.21.0
-  Fix: npm install axios@0.21.2
-
-HIGH: lodash@4.17.19 - Prototype Pollution (CVE-2020-8203)
-  Installed: lodash@4.17.19
-  Fix: npm install lodash@4.17.21
-
-...
-
-OVERALL ASSESSMENT
-------------------
-Security Posture: POOR (2 CRITICAL, 5 HIGH issues)
-
-Immediate Actions Required:
-1. Rotate exposed AWS API key
-2. Fix SQL injection in db/query.ts
-3. Upgrade password hashing to bcrypt
-4. Update vulnerable dependencies
-
-Recommendation: DO NOT DEPLOY until CRITICAL and HIGH issues resolved.
-```
-
-## Security Checklist
-
-The security-reviewer agent verifies:
-
-### Authentication & Authorization
-- [ ] Passwords hashed with strong algorithm (bcrypt/argon2)
-- [ ] Session tokens cryptographically random
-- [ ] JWT tokens properly signed and validated
-- [ ] Access control enforced on all protected resources
-- [ ] No authentication bypass vulnerabilities
-
-### Input Validation
-- [ ] All user inputs validated and sanitized
-- [ ] SQL queries use parameterization (no string concatenation)
-- [ ] NoSQL queries prevent injection
-- [ ] File uploads validated (type, size, content)
-- [ ] URLs validated to prevent SSRF
-
-### Output Encoding
-- [ ] HTML output escaped to prevent XSS
-- [ ] JSON responses properly encoded
-- [ ] No user data in error messages
-- [ ] Content-Security-Policy headers set
-
-### Secrets Management
-- [ ] No hardcoded API keys
-- [ ] No passwords in source code
-- [ ] No private keys in repo
-- [ ] Environment variables used for secrets
-- [ ] Secrets not logged or exposed in errors
-
-### Cryptography
-- [ ] Strong algorithms used (AES-256, RSA-2048+)
-- [ ] Proper key management
-- [ ] Random number generation cryptographically secure
-- [ ] TLS/HTTPS enforced for sensitive data
-
-### Dependencies
-- [ ] No known vulnerabilities in dependencies
-- [ ] Dependencies up to date
-- [ ] No CRITICAL or HIGH CVEs
-- [ ] Dependency sources verified
-
-## Severity Definitions
-
-**CRITICAL** - Exploitable vulnerability with severe impact (data breach, RCE, credential theft)
-**HIGH** - Vulnerability requiring specific conditions but serious impact
-**MEDIUM** - Security weakness with limited impact or difficult exploitation
-**LOW** - Best practice violation or minor security concern
-
-## Remediation Priority
-
-1. **Rotate exposed secrets** - Immediate (within 1 hour)
-2. **Fix CRITICAL** - Urgent (within 24 hours)
-3. **Fix HIGH** - Important (within 1 week)
-4. **Fix MEDIUM** - Planned (within 1 month)
-5. **Fix LOW** - Backlog (when convenient)
-
-
-## Scenario Examples
-
-**Good:** The user says `continue` after the workflow already has a clear next step. Continue the current branch of work instead of restarting or re-asking the same question.
-
-**Good:** The user changes only the output shape or downstream delivery step (for example `make a PR`). Preserve earlier non-conflicting workflow constraints and apply the update locally.
-
-**Bad:** The user says `continue`, and the workflow restarts discovery or stops before the missing verification/evidence is gathered.
-
-## Use with Other Skills
-
-**With Team:**
-```
-/team "run security review on authentication module"
-```
-Uses: explore → security-reviewer → executor → security-reviewer (re-verify)
-
-**With Swarm:**
-```
-/swarm 4:security-reviewer "audit all API endpoints"
-```
-Parallel security review across multiple endpoints.
-
-**With Ralph:**
-```
-/ralph security-review then fix all issues
-```
-Review, fix, re-review until all issues resolved.
-
-## Best Practices
-
-- **Review early** - Security by design, not afterthought
-- **Review often** - Every major feature or API change
-- **Automate** - Run security scans in CI/CD pipeline
-- **Fix immediately** - Don't accumulate security debt
-- **Educate** - Learn from findings to prevent future issues
-- **Verify fixes** - Re-run security review after remediation

package/plugins/oh-my-codex/skills/trace/SKILL.md

@@ -1,33 +0,0 @@
----
-name: trace
-description: Show agent flow trace timeline and summary
----
-
-# Agent Flow Trace
-
-[TRACE MODE ACTIVATED]
-
-## Objective
-
-Display the flow trace showing how hooks, keywords, skills, agents, and tools interacted during this session.
-
-## Instructions
-
-1. **Use `trace_timeline` MCP tool** to show the chronological event timeline
-   - Call with no arguments to show the latest session
-   - Use `filter` parameter to focus on specific event types (hooks, skills, agents, keywords, tools, modes)
-   - Use `last` parameter to limit output
-
-2. **Use `trace_summary` MCP tool** to show aggregate statistics
-   - Hook fire counts
-   - Keywords detected
-   - Skills activated
-   - Mode transitions
-   - Tool performance and bottlenecks
-
-## Output Format
-
-Present the timeline first, then the summary. Highlight:
-- **Mode transitions** (how execution modes changed)
-- **Bottlenecks** (slow tools or agents)
-- **Flow patterns** (keyword -> skill -> agent chains)