oh-my-super-agent 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (461) hide show
  1. package/.agents/agents/advisor.md +15 -0
  2. package/.agents/agents/conductor.md +32 -0
  3. package/.agents/agents/dreamer.md +13 -0
  4. package/.agents/agents/executor.md +17 -0
  5. package/.agents/agents/grader.md +15 -0
  6. package/.agents/config/endurance-policy.json +8 -0
  7. package/.agents/config/oms-config.json +119 -0
  8. package/.agents/config/release-policy.json +12 -0
  9. package/.agents/config/secret-scan-policy.json +7 -0
  10. package/.agents/config/verification-plan.json +33 -0
  11. package/.agents/registry.json +11 -0
  12. package/.agents/rules/constitution.md +7 -0
  13. package/.agents/skills/conductor/SKILL.md +23 -0
  14. package/.agents/skills/dream/SKILL.md +14 -0
  15. package/.agents/skills/executor/SKILL.md +13 -0
  16. package/.agents/skills/oms/SKILL.md +52 -0
  17. package/.agents/skills/quota-aware/SKILL.md +12 -0
  18. package/.agents/skills/schedule/SKILL.md +13 -0
  19. package/.agents/skills/team-protocol/SKILL.md +20 -0
  20. package/LICENSE +21 -0
  21. package/README.md +146 -0
  22. package/dist/src/audit/run-ledger.d.ts +183 -0
  23. package/dist/src/audit/run-ledger.js +1655 -0
  24. package/dist/src/audit/run-ledger.js.map +1 -0
  25. package/dist/src/cli.d.ts +61 -0
  26. package/dist/src/cli.js +2096 -0
  27. package/dist/src/cli.js.map +1 -0
  28. package/dist/src/commands/github-queue-probe.d.ts +26 -0
  29. package/dist/src/commands/github-queue-probe.js +51 -0
  30. package/dist/src/commands/github-queue-probe.js.map +1 -0
  31. package/dist/src/commands/trace-fixture.d.ts +20 -0
  32. package/dist/src/commands/trace-fixture.js +72 -0
  33. package/dist/src/commands/trace-fixture.js.map +1 -0
  34. package/dist/src/conductor/activity.d.ts +46 -0
  35. package/dist/src/conductor/activity.js +224 -0
  36. package/dist/src/conductor/activity.js.map +1 -0
  37. package/dist/src/conductor/bridge.d.ts +53 -0
  38. package/dist/src/conductor/bridge.js +652 -0
  39. package/dist/src/conductor/bridge.js.map +1 -0
  40. package/dist/src/conductor/notifications.d.ts +59 -0
  41. package/dist/src/conductor/notifications.js +381 -0
  42. package/dist/src/conductor/notifications.js.map +1 -0
  43. package/dist/src/conductor/recovery.d.ts +29 -0
  44. package/dist/src/conductor/recovery.js +198 -0
  45. package/dist/src/conductor/recovery.js.map +1 -0
  46. package/dist/src/conductor/start.d.ts +73 -0
  47. package/dist/src/conductor/start.js +519 -0
  48. package/dist/src/conductor/start.js.map +1 -0
  49. package/dist/src/conductor/waiter.d.ts +88 -0
  50. package/dist/src/conductor/waiter.js +427 -0
  51. package/dist/src/conductor/waiter.js.map +1 -0
  52. package/dist/src/config.d.ts +9 -0
  53. package/dist/src/config.js +40 -0
  54. package/dist/src/config.js.map +1 -0
  55. package/dist/src/dispatch/advice-source.d.ts +61 -0
  56. package/dist/src/dispatch/advice-source.js +198 -0
  57. package/dist/src/dispatch/advice-source.js.map +1 -0
  58. package/dist/src/dispatch/advice-store.d.ts +41 -0
  59. package/dist/src/dispatch/advice-store.js +201 -0
  60. package/dist/src/dispatch/advice-store.js.map +1 -0
  61. package/dist/src/dispatch/advice.d.ts +34 -0
  62. package/dist/src/dispatch/advice.js +371 -0
  63. package/dist/src/dispatch/advice.js.map +1 -0
  64. package/dist/src/dispatch/authority.d.ts +124 -0
  65. package/dist/src/dispatch/authority.js +1202 -0
  66. package/dist/src/dispatch/authority.js.map +1 -0
  67. package/dist/src/dispatch/intent.d.ts +66 -0
  68. package/dist/src/dispatch/intent.js +71 -0
  69. package/dist/src/dispatch/intent.js.map +1 -0
  70. package/dist/src/dispatch/runtime-authority.d.ts +42 -0
  71. package/dist/src/dispatch/runtime-authority.js +52 -0
  72. package/dist/src/dispatch/runtime-authority.js.map +1 -0
  73. package/dist/src/doctor.d.ts +20 -0
  74. package/dist/src/doctor.js +85 -0
  75. package/dist/src/doctor.js.map +1 -0
  76. package/dist/src/domain/records.d.ts +44 -0
  77. package/dist/src/domain/records.js +138 -0
  78. package/dist/src/domain/records.js.map +1 -0
  79. package/dist/src/domain/role-policy.d.ts +67 -0
  80. package/dist/src/domain/role-policy.js +547 -0
  81. package/dist/src/domain/role-policy.js.map +1 -0
  82. package/dist/src/events/bus.d.ts +32 -0
  83. package/dist/src/events/bus.js +115 -0
  84. package/dist/src/events/bus.js.map +1 -0
  85. package/dist/src/events/kinds.d.ts +126 -0
  86. package/dist/src/events/kinds.js +14 -0
  87. package/dist/src/events/kinds.js.map +1 -0
  88. package/dist/src/evidence/immutable-file.d.ts +12 -0
  89. package/dist/src/evidence/immutable-file.js +141 -0
  90. package/dist/src/evidence/immutable-file.js.map +1 -0
  91. package/dist/src/evidence/store.d.ts +125 -0
  92. package/dist/src/evidence/store.js +1189 -0
  93. package/dist/src/evidence/store.js.map +1 -0
  94. package/dist/src/evidence/verdict.d.ts +17 -0
  95. package/dist/src/evidence/verdict.js +23 -0
  96. package/dist/src/evidence/verdict.js.map +1 -0
  97. package/dist/src/generation/agent.d.ts +5 -0
  98. package/dist/src/generation/agent.js +34 -0
  99. package/dist/src/generation/agent.js.map +1 -0
  100. package/dist/src/generation/frontmatter.d.ts +7 -0
  101. package/dist/src/generation/frontmatter.js +33 -0
  102. package/dist/src/generation/frontmatter.js.map +1 -0
  103. package/dist/src/github/adapter.d.ts +44 -0
  104. package/dist/src/github/adapter.js +592 -0
  105. package/dist/src/github/adapter.js.map +1 -0
  106. package/dist/src/github/dispatch-eligibility.d.ts +9 -0
  107. package/dist/src/github/dispatch-eligibility.js +94 -0
  108. package/dist/src/github/dispatch-eligibility.js.map +1 -0
  109. package/dist/src/github/projector.d.ts +23 -0
  110. package/dist/src/github/projector.js +181 -0
  111. package/dist/src/github/projector.js.map +1 -0
  112. package/dist/src/github/review.d.ts +39 -0
  113. package/dist/src/github/review.js +1450 -0
  114. package/dist/src/github/review.js.map +1 -0
  115. package/dist/src/github/sync.d.ts +21 -0
  116. package/dist/src/github/sync.js +518 -0
  117. package/dist/src/github/sync.js.map +1 -0
  118. package/dist/src/github/types.d.ts +134 -0
  119. package/dist/src/github/types.js +11 -0
  120. package/dist/src/github/types.js.map +1 -0
  121. package/dist/src/goals/artifact-store.d.ts +31 -0
  122. package/dist/src/goals/artifact-store.js +241 -0
  123. package/dist/src/goals/artifact-store.js.map +1 -0
  124. package/dist/src/goals/authority.d.ts +112 -0
  125. package/dist/src/goals/authority.js +621 -0
  126. package/dist/src/goals/authority.js.map +1 -0
  127. package/dist/src/goals/native-snapshot.d.ts +12 -0
  128. package/dist/src/goals/native-snapshot.js +53 -0
  129. package/dist/src/goals/native-snapshot.js.map +1 -0
  130. package/dist/src/goals/runtime-authority.d.ts +7 -0
  131. package/dist/src/goals/runtime-authority.js +20 -0
  132. package/dist/src/goals/runtime-authority.js.map +1 -0
  133. package/dist/src/health/release-assessment.d.ts +11 -0
  134. package/dist/src/health/release-assessment.js +83 -0
  135. package/dist/src/health/release-assessment.js.map +1 -0
  136. package/dist/src/health/release-policy.d.ts +16 -0
  137. package/dist/src/health/release-policy.js +40 -0
  138. package/dist/src/health/release-policy.js.map +1 -0
  139. package/dist/src/hooks/native.d.ts +30 -0
  140. package/dist/src/hooks/native.js +495 -0
  141. package/dist/src/hooks/native.js.map +1 -0
  142. package/dist/src/hooks/provider-runtime.d.ts +55 -0
  143. package/dist/src/hooks/provider-runtime.js +479 -0
  144. package/dist/src/hooks/provider-runtime.js.map +1 -0
  145. package/dist/src/hooks/provider.d.ts +102 -0
  146. package/dist/src/hooks/provider.js +358 -0
  147. package/dist/src/hooks/provider.js.map +1 -0
  148. package/dist/src/live/contact-journal.d.ts +73 -0
  149. package/dist/src/live/contact-journal.js +439 -0
  150. package/dist/src/live/contact-journal.js.map +1 -0
  151. package/dist/src/live-probes/gh-adapter.d.ts +28 -0
  152. package/dist/src/live-probes/gh-adapter.js +188 -0
  153. package/dist/src/live-probes/gh-adapter.js.map +1 -0
  154. package/dist/src/live-probes/github-queue.d.ts +1 -0
  155. package/dist/src/live-probes/github-queue.js +2 -0
  156. package/dist/src/live-probes/github-queue.js.map +1 -0
  157. package/dist/src/notifications/slack-request.d.ts +13 -0
  158. package/dist/src/notifications/slack-request.js +40 -0
  159. package/dist/src/notifications/slack-request.js.map +1 -0
  160. package/dist/src/outbox/processor.d.ts +27 -0
  161. package/dist/src/outbox/processor.js +63 -0
  162. package/dist/src/outbox/processor.js.map +1 -0
  163. package/dist/src/outbox/store.d.ts +158 -0
  164. package/dist/src/outbox/store.js +834 -0
  165. package/dist/src/outbox/store.js.map +1 -0
  166. package/dist/src/package-root.d.ts +1 -0
  167. package/dist/src/package-root.js +26 -0
  168. package/dist/src/package-root.js.map +1 -0
  169. package/dist/src/project.d.ts +12 -0
  170. package/dist/src/project.js +60 -0
  171. package/dist/src/project.js.map +1 -0
  172. package/dist/src/projection/generated-file.d.ts +15 -0
  173. package/dist/src/projection/generated-file.js +72 -0
  174. package/dist/src/projection/generated-file.js.map +1 -0
  175. package/dist/src/projection/project-workspace.d.ts +11 -0
  176. package/dist/src/projection/project-workspace.js +94 -0
  177. package/dist/src/projection/project-workspace.js.map +1 -0
  178. package/dist/src/projection/registry.d.ts +15 -0
  179. package/dist/src/projection/registry.js +59 -0
  180. package/dist/src/projection/registry.js.map +1 -0
  181. package/dist/src/projection/safe-path.d.ts +4 -0
  182. package/dist/src/projection/safe-path.js +106 -0
  183. package/dist/src/projection/safe-path.js.map +1 -0
  184. package/dist/src/providers/claude-interactive.d.ts +38 -0
  185. package/dist/src/providers/claude-interactive.js +287 -0
  186. package/dist/src/providers/claude-interactive.js.map +1 -0
  187. package/dist/src/providers/claude-structured-bridge.d.ts +32 -0
  188. package/dist/src/providers/claude-structured-bridge.js +215 -0
  189. package/dist/src/providers/claude-structured-bridge.js.map +1 -0
  190. package/dist/src/providers/claude-structured-completion.d.ts +23 -0
  191. package/dist/src/providers/claude-structured-completion.js +229 -0
  192. package/dist/src/providers/claude-structured-completion.js.map +1 -0
  193. package/dist/src/providers/claude-structured-pane.d.ts +23 -0
  194. package/dist/src/providers/claude-structured-pane.js +156 -0
  195. package/dist/src/providers/claude-structured-pane.js.map +1 -0
  196. package/dist/src/providers/claude-structured-store.d.ts +48 -0
  197. package/dist/src/providers/claude-structured-store.js +212 -0
  198. package/dist/src/providers/claude-structured-store.js.map +1 -0
  199. package/dist/src/providers/claude-structured.d.ts +56 -0
  200. package/dist/src/providers/claude-structured.js +250 -0
  201. package/dist/src/providers/claude-structured.js.map +1 -0
  202. package/dist/src/providers/codex-exec.d.ts +29 -0
  203. package/dist/src/providers/codex-exec.js +127 -0
  204. package/dist/src/providers/codex-exec.js.map +1 -0
  205. package/dist/src/providers/grading.d.ts +2 -0
  206. package/dist/src/providers/grading.js +20 -0
  207. package/dist/src/providers/grading.js.map +1 -0
  208. package/dist/src/providers/native-dispatch.d.ts +24 -0
  209. package/dist/src/providers/native-dispatch.js +34 -0
  210. package/dist/src/providers/native-dispatch.js.map +1 -0
  211. package/dist/src/providers/preflight.d.ts +65 -0
  212. package/dist/src/providers/preflight.js +256 -0
  213. package/dist/src/providers/preflight.js.map +1 -0
  214. package/dist/src/providers/process.d.ts +18 -0
  215. package/dist/src/providers/process.js +21 -0
  216. package/dist/src/providers/process.js.map +1 -0
  217. package/dist/src/queue/model.d.ts +37 -0
  218. package/dist/src/queue/model.js +51 -0
  219. package/dist/src/queue/model.js.map +1 -0
  220. package/dist/src/queue/service.d.ts +1 -0
  221. package/dist/src/queue/service.js +2 -0
  222. package/dist/src/queue/service.js.map +1 -0
  223. package/dist/src/reflections/store.d.ts +21 -0
  224. package/dist/src/reflections/store.js +60 -0
  225. package/dist/src/reflections/store.js.map +1 -0
  226. package/dist/src/reports/daily-trust.d.ts +11 -0
  227. package/dist/src/reports/daily-trust.js +98 -0
  228. package/dist/src/reports/daily-trust.js.map +1 -0
  229. package/dist/src/runs/controller.d.ts +187 -0
  230. package/dist/src/runs/controller.js +1182 -0
  231. package/dist/src/runs/controller.js.map +1 -0
  232. package/dist/src/runtime/composition.d.ts +9 -0
  233. package/dist/src/runtime/composition.js +35 -0
  234. package/dist/src/runtime/composition.js.map +1 -0
  235. package/dist/src/runtime/endurance-authorities.d.ts +44 -0
  236. package/dist/src/runtime/endurance-authorities.js +101 -0
  237. package/dist/src/runtime/endurance-authorities.js.map +1 -0
  238. package/dist/src/runtime/endurance-policy.d.ts +12 -0
  239. package/dist/src/runtime/endurance-policy.js +13 -0
  240. package/dist/src/runtime/endurance-policy.js.map +1 -0
  241. package/dist/src/runtime/lock.d.ts +63 -0
  242. package/dist/src/runtime/lock.js +577 -0
  243. package/dist/src/runtime/lock.js.map +1 -0
  244. package/dist/src/runtime/process-identity.d.ts +10 -0
  245. package/dist/src/runtime/process-identity.js +43 -0
  246. package/dist/src/runtime/process-identity.js.map +1 -0
  247. package/dist/src/runtime/quota.d.ts +130 -0
  248. package/dist/src/runtime/quota.js +590 -0
  249. package/dist/src/runtime/quota.js.map +1 -0
  250. package/dist/src/runtime/record-store.d.ts +45 -0
  251. package/dist/src/runtime/record-store.js +272 -0
  252. package/dist/src/runtime/record-store.js.map +1 -0
  253. package/dist/src/runtime/schema.d.ts +28 -0
  254. package/dist/src/runtime/schema.js +194 -0
  255. package/dist/src/runtime/schema.js.map +1 -0
  256. package/dist/src/runtime/stable-id.d.ts +3 -0
  257. package/dist/src/runtime/stable-id.js +27 -0
  258. package/dist/src/runtime/stable-id.js.map +1 -0
  259. package/dist/src/runtime/system-clock.d.ts +8 -0
  260. package/dist/src/runtime/system-clock.js +35 -0
  261. package/dist/src/runtime/system-clock.js.map +1 -0
  262. package/dist/src/schedule/service-plan.d.ts +58 -0
  263. package/dist/src/schedule/service-plan.js +327 -0
  264. package/dist/src/schedule/service-plan.js.map +1 -0
  265. package/dist/src/schedule/user-installation.d.ts +62 -0
  266. package/dist/src/schedule/user-installation.js +701 -0
  267. package/dist/src/schedule/user-installation.js.map +1 -0
  268. package/dist/src/schedule/user-plan.d.ts +47 -0
  269. package/dist/src/schedule/user-plan.js +286 -0
  270. package/dist/src/schedule/user-plan.js.map +1 -0
  271. package/dist/src/scheduler/minute.d.ts +31 -0
  272. package/dist/src/scheduler/minute.js +441 -0
  273. package/dist/src/scheduler/minute.js.map +1 -0
  274. package/dist/src/schemas/registry.d.ts +10 -0
  275. package/dist/src/schemas/registry.js +36 -0
  276. package/dist/src/schemas/registry.js.map +1 -0
  277. package/dist/src/security/secret-scan.d.ts +50 -0
  278. package/dist/src/security/secret-scan.js +384 -0
  279. package/dist/src/security/secret-scan.js.map +1 -0
  280. package/dist/src/sessions/registry.d.ts +89 -0
  281. package/dist/src/sessions/registry.js +443 -0
  282. package/dist/src/sessions/registry.js.map +1 -0
  283. package/dist/src/state.d.ts +27 -0
  284. package/dist/src/state.js +235 -0
  285. package/dist/src/state.js.map +1 -0
  286. package/dist/src/status/hud.d.ts +37 -0
  287. package/dist/src/status/hud.js +88 -0
  288. package/dist/src/status/hud.js.map +1 -0
  289. package/dist/src/team/plan.d.ts +31 -0
  290. package/dist/src/team/plan.js +184 -0
  291. package/dist/src/team/plan.js.map +1 -0
  292. package/dist/src/team/projection.d.ts +24 -0
  293. package/dist/src/team/projection.js +79 -0
  294. package/dist/src/team/projection.js.map +1 -0
  295. package/dist/src/tickets/admission.d.ts +34 -0
  296. package/dist/src/tickets/admission.js +169 -0
  297. package/dist/src/tickets/admission.js.map +1 -0
  298. package/dist/src/tickets/materializer.d.ts +1 -0
  299. package/dist/src/tickets/materializer.js +2 -0
  300. package/dist/src/tickets/materializer.js.map +1 -0
  301. package/dist/src/tickets/runtime-authority.d.ts +32 -0
  302. package/dist/src/tickets/runtime-authority.js +46 -0
  303. package/dist/src/tickets/runtime-authority.js.map +1 -0
  304. package/dist/src/tickets/store.d.ts +221 -0
  305. package/dist/src/tickets/store.js +2025 -0
  306. package/dist/src/tickets/store.js.map +1 -0
  307. package/dist/src/tracer/one-ticket.d.ts +58 -0
  308. package/dist/src/tracer/one-ticket.js +578 -0
  309. package/dist/src/tracer/one-ticket.js.map +1 -0
  310. package/dist/src/trust/assessment.d.ts +24 -0
  311. package/dist/src/trust/assessment.js +124 -0
  312. package/dist/src/trust/assessment.js.map +1 -0
  313. package/dist/src/trust/runs.d.ts +13 -0
  314. package/dist/src/trust/runs.js +46 -0
  315. package/dist/src/trust/runs.js.map +1 -0
  316. package/dist/src/types.d.ts +6 -0
  317. package/dist/src/types.js +2 -0
  318. package/dist/src/types.js.map +1 -0
  319. package/dist/src/utils/fs.d.ts +13 -0
  320. package/dist/src/utils/fs.js +188 -0
  321. package/dist/src/utils/fs.js.map +1 -0
  322. package/dist/src/verification/authority.d.ts +28 -0
  323. package/dist/src/verification/authority.js +153 -0
  324. package/dist/src/verification/authority.js.map +1 -0
  325. package/dist/src/verification/grade-source.d.ts +17 -0
  326. package/dist/src/verification/grade-source.js +30 -0
  327. package/dist/src/verification/grade-source.js.map +1 -0
  328. package/dist/src/verification/plan.d.ts +20 -0
  329. package/dist/src/verification/plan.js +128 -0
  330. package/dist/src/verification/plan.js.map +1 -0
  331. package/dist/src/verification/protected-runner.d.ts +50 -0
  332. package/dist/src/verification/protected-runner.js +171 -0
  333. package/dist/src/verification/protected-runner.js.map +1 -0
  334. package/dist/src/verification/result-gate-store.d.ts +72 -0
  335. package/dist/src/verification/result-gate-store.js +193 -0
  336. package/dist/src/verification/result-gate-store.js.map +1 -0
  337. package/dist/src/verification/result-gate.d.ts +41 -0
  338. package/dist/src/verification/result-gate.js +731 -0
  339. package/dist/src/verification/result-gate.js.map +1 -0
  340. package/dist/src/verification/runner.d.ts +38 -0
  341. package/dist/src/verification/runner.js +143 -0
  342. package/dist/src/verification/runner.js.map +1 -0
  343. package/dist/src/verification/sandbox.d.ts +16 -0
  344. package/dist/src/verification/sandbox.js +199 -0
  345. package/dist/src/verification/sandbox.js.map +1 -0
  346. package/dist/src/verify.d.ts +8 -0
  347. package/dist/src/verify.js +35 -0
  348. package/dist/src/verify.js.map +1 -0
  349. package/dist/src/watchdog/reconcile.d.ts +42 -0
  350. package/dist/src/watchdog/reconcile.js +440 -0
  351. package/dist/src/watchdog/reconcile.js.map +1 -0
  352. package/dist/src/workers/bridge.d.ts +35 -0
  353. package/dist/src/workers/bridge.js +426 -0
  354. package/dist/src/workers/bridge.js.map +1 -0
  355. package/dist/src/workers/delivery.d.ts +31 -0
  356. package/dist/src/workers/delivery.js +876 -0
  357. package/dist/src/workers/delivery.js.map +1 -0
  358. package/dist/src/workers/panes.d.ts +32 -0
  359. package/dist/src/workers/panes.js +212 -0
  360. package/dist/src/workers/panes.js.map +1 -0
  361. package/dist/src/workers/registry.d.ts +80 -0
  362. package/dist/src/workers/registry.js +351 -0
  363. package/dist/src/workers/registry.js.map +1 -0
  364. package/dist/src/workers/runtime.d.ts +44 -0
  365. package/dist/src/workers/runtime.js +21 -0
  366. package/dist/src/workers/runtime.js.map +1 -0
  367. package/dist/src/worktrees/manager.d.ts +35 -0
  368. package/dist/src/worktrees/manager.js +315 -0
  369. package/dist/src/worktrees/manager.js.map +1 -0
  370. package/docs/ARCHITECTURE.md +323 -0
  371. package/docs/PLAN.md +216 -0
  372. package/docs/REFERENCES.md +42 -0
  373. package/docs/ROADMAP.md +327 -0
  374. package/docs/SECURITY.md +242 -0
  375. package/docs/adr/0001-tracer-first-file-backed-certification.md +41 -0
  376. package/docs/adr/0002-conductor-first-typed-dispatch.md +102 -0
  377. package/docs/adr/0003-mandatory-pre-dispatch-advice.md +59 -0
  378. package/docs/compatibility/claude-code-2.1.207.md +25 -0
  379. package/loop/contract.md +102 -0
  380. package/package.json +54 -0
  381. package/schemas/advisor-evidence.schema.json +54 -0
  382. package/schemas/advisor-output.schema.json +31 -0
  383. package/schemas/conductor-activity-payload.schema.json +38 -0
  384. package/schemas/conductor-decision.schema.json +29 -0
  385. package/schemas/conductor-dispatch-intent.schema.json +71 -0
  386. package/schemas/conductor-dispatch-preparation.schema.json +46 -0
  387. package/schemas/conductor-dispatch-proposal.schema.json +82 -0
  388. package/schemas/conductor-goal-proposal.schema.json +30 -0
  389. package/schemas/conductor-manage-worker.schema.json +17 -0
  390. package/schemas/conductor-notification-payload.schema.json +39 -0
  391. package/schemas/conductor-process-result.schema.json +14 -0
  392. package/schemas/conductor-route.schema.json +51 -0
  393. package/schemas/conductor-start-team.schema.json +16 -0
  394. package/schemas/conductor-waiter-payload.schema.json +68 -0
  395. package/schemas/deterministic-check.schema.json +107 -0
  396. package/schemas/dispatch-acknowledgement.schema.json +15 -0
  397. package/schemas/dispatch-advice-payload.schema.json +64 -0
  398. package/schemas/dispatch-payload.schema.json +131 -0
  399. package/schemas/dispatch-result.schema.json +28 -0
  400. package/schemas/endurance-policy.schema.json +16 -0
  401. package/schemas/events/dispatch-delivery-requested.schema.json +17 -0
  402. package/schemas/events/github-observed.schema.json +28 -0
  403. package/schemas/events/native-hook-observed.schema.json +35 -0
  404. package/schemas/events/provider-observed.schema.json +64 -0
  405. package/schemas/events/run-heartbeat-due.schema.json +10 -0
  406. package/schemas/events/slack-notification-requested.schema.json +14 -0
  407. package/schemas/events/structured-role-completed.schema.json +54 -0
  408. package/schemas/events/ticket-resume-due.schema.json +28 -0
  409. package/schemas/events/watchdog-lease-expired.schema.json +14 -0
  410. package/schemas/events/watchdog-outbox-stalled.schema.json +12 -0
  411. package/schemas/events/watchdog-session-stalled.schema.json +11 -0
  412. package/schemas/evidence-record.schema.json +37 -0
  413. package/schemas/executor-result.schema.json +17 -0
  414. package/schemas/github-observation.schema.json +33 -0
  415. package/schemas/github-watermark.schema.json +66 -0
  416. package/schemas/goal-artifact.schema.json +19 -0
  417. package/schemas/goal-create-input.schema.json +14 -0
  418. package/schemas/goal-executor-result.schema.json +18 -0
  419. package/schemas/goal-payload.schema.json +95 -0
  420. package/schemas/grader-output.schema.json +33 -0
  421. package/schemas/lease-expiry.schema.json +19 -0
  422. package/schemas/live-disclosure.schema.json +16 -0
  423. package/schemas/live-outcome.schema.json +52 -0
  424. package/schemas/native-goal-snapshot.schema.json +27 -0
  425. package/schemas/provider-observed.schema.json +64 -0
  426. package/schemas/quota-observation.schema.json +72 -0
  427. package/schemas/reflection-evidence.schema.json +61 -0
  428. package/schemas/reflection.schema.json +13 -0
  429. package/schemas/regression-request.schema.json +54 -0
  430. package/schemas/release-assessment.schema.json +34 -0
  431. package/schemas/release-policy.schema.json +30 -0
  432. package/schemas/result-gate-payload.schema.json +244 -0
  433. package/schemas/review-delivery-payload.schema.json +42 -0
  434. package/schemas/role-policy.schema.json +111 -0
  435. package/schemas/run-abort-input.schema.json +11 -0
  436. package/schemas/run-completion-proof.schema.json +62 -0
  437. package/schemas/run-ledger-entry.schema.json +78 -0
  438. package/schemas/run-manifest.schema.json +74 -0
  439. package/schemas/run-start-intent.schema.json +74 -0
  440. package/schemas/runtime-record.schema.json +111 -0
  441. package/schemas/service-plan.schema.json +35 -0
  442. package/schemas/session-payload.schema.json +80 -0
  443. package/schemas/structured-role-read-request.schema.json +14 -0
  444. package/schemas/structured-role-request.schema.json +44 -0
  445. package/schemas/structured-role-result.schema.json +38 -0
  446. package/schemas/structured-role-submit-result.schema.json +15 -0
  447. package/schemas/team-checkpoint.schema.json +42 -0
  448. package/schemas/team-plan.schema.json +30 -0
  449. package/schemas/ticket-content.schema.json +38 -0
  450. package/schemas/ticket-queue-payload.schema.json +191 -0
  451. package/schemas/trust-report.schema.json +68 -0
  452. package/schemas/trust-run.schema.json +47 -0
  453. package/schemas/ultragoal-checkpoint.schema.json +49 -0
  454. package/schemas/user-schedule-installation-v1.schema.json +32 -0
  455. package/schemas/user-schedule-installation.schema.json +38 -0
  456. package/schemas/user-schedule-plan.schema.json +39 -0
  457. package/schemas/verification-plan-evidence.schema.json +37 -0
  458. package/schemas/worker-acknowledge-dispatch.schema.json +12 -0
  459. package/schemas/worker-payload.schema.json +47 -0
  460. package/schemas/worker-read-dispatch.schema.json +11 -0
  461. package/schemas/worker-record-dispatch-result.schema.json +14 -0
@@ -0,0 +1,242 @@
1
+ # Security Model
2
+
3
+ ## Trust boundaries
4
+
5
+ OMS treats the following as untrusted input:
6
+
7
+ - GitHub issue titles, bodies, comments, labels, and branch suggestions;
8
+ - model, subagent, grader, and reflection output;
9
+ - tmux pane content and captured terminal output;
10
+ - raw native-hook input and external session metadata;
11
+ - repository content from a ticket branch;
12
+ - environment variables and runtime files not created through the current
13
+ validated authority.
14
+
15
+ Untrusted content is data, never command source or a tmux keystroke sequence.
16
+ Typed outbox events and canonical records become trusted only after exact schema,
17
+ identity, version, policy, path, and branded-authority checks.
18
+
19
+ ## Authentication and billing safety
20
+
21
+ Authentication mode, billing class, overage permission, and unattended
22
+ eligibility are explicitly declared per role. OMS fails closed when a value is
23
+ absent, unknown, or incompatible with an operation.
24
+
25
+ - Interactive panes must not be used to evade provider billing or automation
26
+ restrictions.
27
+ - Subscription credentials are used only through provider-supported native
28
+ application workflows.
29
+ - Programmatic or unattended traffic requires the provider-supported
30
+ credential and policy for that surface.
31
+ - Secrets are supplied at runtime and are never committed to `.agents/`, logs,
32
+ evidence, ticket files, Slack request events, or generated service plans.
33
+ - Local verification, tests, HUD, release assessment, and the trace fixture make
34
+ no paid or live model call.
35
+
36
+ Provider policy changes over time. Operators must confirm current official
37
+ guidance before a live run; the existence of a local adapter or launch plan is
38
+ not authorization to contact a provider.
39
+
40
+ ## Implemented side-effect boundary
41
+
42
+ The human starts the read-only conductor with bare `oms`. On the first live run,
43
+ the CLI displays the inferred repository and exact side-effect boundary, then
44
+ requires one matching typed confirmation before initialization or provider
45
+ contact. That repository confirmation creates
46
+ two immutable, session-scoped authorities: the live-delivery authorization and
47
+ a separate pre-dispatch-advice authorization bound to the first authorization,
48
+ conductor session, and repository. Neither can be added to or widened on an
49
+ already-running conductor; the human must exit and run bare `oms` again.
50
+
51
+ Before that session can commit an accepted dispatch, OMS canonicalizes the
52
+ exact intent, journals the fresh Codex contact, and requires immutable protected
53
+ evidence approving that digest. Revision, veto, missing, tampered, stale, or
54
+ cross-ticket evidence creates no dispatch, worker reservation, delivery event,
55
+ provider probe, or pane. After an approved unchanged dispatch is committed, OMS
56
+ may launch its configured interactive Claude or Codex Goal worker in the
57
+ verified worktree. Lifecycle controls are typed OMS tools; raw tmux is not
58
+ exposed to the conductor.
59
+
60
+ OMS uses only fixed internal tmux input for provider workspace trust, dispatch-ID
61
+ activation, and native Codex `/goal pause` or `/goal resume`. Ticket text, model
62
+ output, and pane text never enter tmux input. Pane capture and sentinels are
63
+ diagnostic only and cannot acknowledge a dispatch or complete a ticket.
64
+
65
+ Schedule lifecycle is explicit and user-scoped: OMS can generate, install,
66
+ inspect, or remove only the exact two-job cron, systemd, or launchd plan after
67
+ state/workspace validation. It does not install a daemon or accept arbitrary
68
+ scheduled commands.
69
+ Slack support records a typed notification request only; there is no URL, token,
70
+ HTTP sender, retry worker, or provider delivery receipt. Automatic merge is
71
+ disabled and has no positive enabling state.
72
+
73
+ Provider launch still requires the operator-originated, repository-authorized
74
+ conductor, an accepted
75
+ dispatch, current policy and subscription eligibility, exact ticket/lease and
76
+ worktree authority, and a reviewed provider argument array. Unknown eligibility
77
+ parks before launch. No worker, Team manifest, or lifecycle tool grants
78
+ verification, trust, merge, or release authority.
79
+
80
+ GitHub polling has no admission authority. `prepare_dispatch` requires an
81
+ active repository-scoped goal, exact `github:label=oms:ready` membership,
82
+ authorized repository match when live delivery is enabled, selected ticket
83
+ version and content digest, and a subscription executor role. It writes an
84
+ immutable request before worktree/lease mutation and an immutable derived
85
+ intent afterward. Exact replay may recover the gap; nonce reuse, stale ticket
86
+ versions, changed requests, or a conflicting accepted dispatch fail before a
87
+ second advisor contact.
88
+
89
+ Claude executor panes receive only repository read/edit tools and the
90
+ session-bound OMS worker bridge; Bash, web, subagents, and raw tmux are denied.
91
+ The result tool creates a fixed local git commit with hooks and signing disabled.
92
+ Codex Goal workers keep the provider's native workspace-write sandbox. Each Goal
93
+ session uses a private, strict-config Codex home so unrelated user MCP servers,
94
+ plugins, apps, and configuration are not inherited. OMS does not copy the
95
+ subscription credential: it creates one validated session-private reference to
96
+ the provider's existing native auth file. Ambient `/tmp` and `TMPDIR` writable
97
+ roots are explicitly excluded, even when a test state root is temporary; only
98
+ the exact ticket worktree remains writable. Neither executor receives provider
99
+ credentials as task data or any merge/release tool.
100
+
101
+ ## Command and content safety
102
+
103
+ - Pass opaque ticket IDs and absolute file paths across subprocess and future
104
+ tmux boundaries.
105
+ - Never interpolate issue text, model output, pane content, or hook input into
106
+ `eval`, `sh -c`, command substitutions, branch names, paths, service-manager
107
+ directives, or tmux key sequences.
108
+ - Construct provider and verification subprocesses with executable-plus-argument
109
+ arrays and no shell.
110
+ - Require the accepted ticket worktree to match its root, branch, base commit,
111
+ and a clean tracked/untracked status immediately before provider launch.
112
+ - Use `--` before externally derived positional arguments where supported.
113
+ - Reject identifiers containing path separators, controls, shell
114
+ metacharacters, or values outside their exact schema.
115
+ - Bound stdin, file, payload, and log sizes and redact credential-shaped values.
116
+ - Do not execute repository-provided hooks or scripts merely because a ticket
117
+ requests them; verification commands come from reviewed tracked policy.
118
+
119
+ Prompt injection is an authorization problem: issue or model text cannot widen
120
+ filesystem, network, merge, credential, provider, service, or command authority.
121
+
122
+ Fresh advisor output is untrusted model data. It may contain only the exact
123
+ intent digest, verdict, summary, recommendations, and risks. OMS owns and binds
124
+ the provider request, fresh-session, contact-journal, and human-authorization
125
+ identities before its protected writer can mint advisor evidence.
126
+
127
+ ## Hook, event, session, and quota safety
128
+
129
+ `hook ingest` accepts one bounded JSON object from stdin and computes its source
130
+ digest internally. Callers cannot assert their own trusted digest. The projector
131
+ matches session role, engine, mode, run, ticket, native reference, pane ID,
132
+ version, state, timestamp, and event identity before mutation.
133
+
134
+ The stdin transport is not cryptographically authenticated to a provider in
135
+ this release. It is therefore a local operator/control-plane surface only and
136
+ does not establish live provider provenance or certification.
137
+
138
+ Event kinds have exact schemas. Immutable outbox events are idempotent per
139
+ identity and consumer receipts bind the operation nonce. A replay returns the
140
+ stored outcome; copied or foreign event buses and authorities are rejected.
141
+
142
+ Quota evidence is session-bound and freshness-bounded. A quota exhaustion event
143
+ must carry the active ticket's original version, attempt, actor, and lease
144
+ authority. Availability must be newer than the limiting observation and session
145
+ version. Stale, ambiguous, cross-policy, future-dated, or unrelated evidence
146
+ fails closed.
147
+
148
+ The watchdog can recover an expired lease, mark a missed-heartbeat session
149
+ stalled, supersede a dead waiter, repair the typed receipt/notification for an
150
+ exact waiting structured-role result, explicitly recover that request's exact
151
+ dead projector-lock generation, and resume the same proven dead conductor. It
152
+ may wake only a proven idle pane with an opaque notification ID;
153
+ it cannot interrupt working state, perform ordinary routing, send raw model
154
+ content, send Slack, or turn a stalled report into successful external
155
+ delivery.
156
+
157
+ ## Filesystem and concurrency safety
158
+
159
+ - Resolve and validate `OMS_STATE_ROOT` as an absolute path before use.
160
+ - Reject empty, root, home, repository-root, or otherwise unsafe state roots.
161
+ - Prevent traversal, no-follow violations, and symlink swaps at canonical runtime
162
+ paths. The sole deliberate runtime symlink is the private Codex auth reference;
163
+ its exact regular-file target is revalidated before launch and it is never read
164
+ as OMS state or evidence.
165
+ - Create sensitive runtime directories and files with restrictive permissions.
166
+ - Use same-filesystem temporary files, atomic rename, expected versions,
167
+ nonces, and exclusive locks for mutable state.
168
+ - Validate durable JSON against its schema before and after a transition.
169
+ - Write evidence, manifests, decisions, plans, and receipts immutably; a replay
170
+ must match existing bytes.
171
+ - Treat stale-lock recovery and lease expiry as explicit auditable operations.
172
+
173
+ Cleanup commands must prove that their target is below the validated state root
174
+ and must never follow an untrusted path recursively.
175
+
176
+ ## Git and worktree safety
177
+
178
+ - One traced ticket uses one dedicated opaque branch and worktree.
179
+ - Branch names derive from validated identifiers, not issue titles.
180
+ - Preserve unrelated workspace changes.
181
+ - Do not force-push, rewrite shared history, publish a remote, or merge without
182
+ explicit operator authority.
183
+ - Deterministic verification runs before supplemental grading.
184
+ - A completed local ticket remains `human_hold`; trust reporting cannot change
185
+ that disposition.
186
+
187
+ A future merge gate would require deterministic checks, provenance, trust
188
+ evidence, executor-group evidence, and an explicit
189
+ idempotent reviewed transition. None is inferred from local test success.
190
+
191
+ Passing live GitHub results may enter one fixed review-delivery authority. It
192
+ accepts only the exact protected result chain, validates the local `origin`,
193
+ runs pinned redacted Gitleaks scans over the commit range, tracked worktree,
194
+ immutable evidence, canonical issue content, fixed argv, and draft-PR content,
195
+ then pushes the verified commit without force and creates at most one draft PR.
196
+ Fresh GraphQL readback must show the exact remote branch and draft PR still bind
197
+ the verified commit; a typed check event must show the named deterministic check passed. Raw scanner
198
+ reports are always removed; durable scan and contact records retain digests,
199
+ not secrets or response bodies.
200
+
201
+ ## Doctor, probes, runs, and release evidence
202
+
203
+ Offline `doctor` checks local executables, configuration, schemas, paths,
204
+ permissions, and git prerequisites. Tests and `verify` remain deterministic and
205
+ network-free.
206
+
207
+ The GitHub queue probe remains a separately confirmed diagnostic contact. The
208
+ first normal live path is interactive bare `oms`. It infers the GitHub
209
+ repository when possible and requires the human to type the displayed
210
+ repository-scoped authorization phrase. That start creates both the immutable
211
+ live-delivery authorization and its separately validated pre-dispatch-advice
212
+ authorization. Later bare invocations reuse those session-scoped authorities;
213
+ no invocation widens a running session, and non-interactive bare invocation
214
+ contacts no provider. The explicit `oms conductor start` form remains an
215
+ advanced recovery/state-root override. Advisor, worker, grade, reflection,
216
+ GitHub sync, review-read,
217
+ branch-push, and draft-PR contacts each write a digest-only disclosure before
218
+ contact. None grants merge or release authority, and this repository still
219
+ contains no claimed completed live proof.
220
+
221
+ `run start --for 12h|24h` creates a non-certifying audit manifest; the label
222
+ does not prove elapsed runtime. Manifests freeze `provider_started: false`,
223
+ manual start required, `release: not_stable`, and human hold. `release status`
224
+ can express only the negative assessment and cannot ingest flags or evidence to
225
+ promote itself.
226
+
227
+ Run admission binds ticket content and policy, not only IDs. Native hooks,
228
+ scheduler resumes, watchdog recovery, and terminal operations serialize through
229
+ the controller lock and append continuity-aware audit events. Terminal status
230
+ is accepted only with the exact immutable controller payload and proof/reason
231
+ artifact. Timed close remains audit-only. Crashed controller-lock recovery is a
232
+ separate explicit command requiring the exact generation and refusing a live
233
+ owner process.
234
+
235
+ ## Incident posture
236
+
237
+ On invalid state, a lease conflict, stale authority, unknown authentication,
238
+ suspected injection, credential exposure, outbox conflict, goal mismatch, or
239
+ verification ambiguity, OMS stops the affected transition and preserves
240
+ evidence. Recovery uses a new audited operation or explicit reconciliation; it
241
+ does not rewrite history, fabricate completion, certify a canary, or mark the
242
+ release stable.
@@ -0,0 +1,41 @@
1
+ # ADR 0001: Tracer-first, file-backed certification
2
+
3
+ ## Status
4
+
5
+ Accepted; branch-protection requirements removed by operator decision on 2026-07-12.
6
+
7
+ ## Context
8
+
9
+ OMS must coordinate ticket work for long periods without becoming a second agent runtime. Its decisions must survive process restarts, remain auditable, and fail closed when execution, verification, quota, remote-identity, or provider evidence is missing. A background service or database would add another authority before the file-backed tracer has proved insufficient.
10
+
11
+ Release certification also needs evidence from real elapsed operation. Fast-forwarded clocks, mocked timers, and a model's claim that a run completed cannot certify endurance.
12
+
13
+ ## Decision
14
+
15
+ OMS is tracer-first. One ticket is followed through its durable lifecycle, and each consequential transition is justified by immutable, schema-validated evidence stored under the runtime root.
16
+
17
+ V1 uses tracked JSON policy and file-backed runtime records. It adds no daemon and no database. Native completion hooks and outbox events drive normal progress; the 15-minute heartbeat and watchdog are recovery mechanisms only. Recovery stops after two unsuccessful heartbeats and requires operator attention.
18
+
19
+ Merges remain human-held. Automatic merge is disabled and OMS exposes no merge or ready-for-review mutation. Server-side branch protection is not an OMS dependency; repository administrators remain responsible for any controls outside OMS.
20
+
21
+ Release certification requires manually attested, real elapsed canaries in this order: a 12-hour run, followed by a fresh 24-hour run. The 24-hour canary cannot reuse the 12-hour process, session, lease, or elapsed-time claim.
22
+
23
+ ## Alternatives
24
+
25
+ - A custom orchestration daemon was rejected because native hooks and one-shot commands cover normal flow while a heartbeat covers recovery.
26
+ - A database-backed queue was rejected because atomic, locked file records are sufficient for the current single-host boundary and are easier to audit and recover.
27
+ - Polling as the normal execution path was rejected because it duplicates native completion signals and makes latency and failure ownership less clear.
28
+ - Automatic merge after deterministic checks was rejected because verification success alone does not prove human review authority, provenance, or endurance certification.
29
+ - Simulated or accelerated canaries were rejected because they do not demonstrate real quota windows, process recovery, or elapsed-time stability.
30
+
31
+ ## Consequences
32
+
33
+ Runtime behavior remains inspectable with ordinary file and Git tools, and each release claim can be traced to immutable evidence. Normal operation does not depend on a resident OMS process. Deterministic recovery is deliberately bounded and may park work for human review instead of guessing.
34
+
35
+ This design accepts lower throughput and manual merge latency in exchange for a smaller authority surface. OMS itself refuses force-push and merge operations, but without server-side branch protection it cannot prevent repository administrators or other credentials from changing remote history. File-backed coordination remains limited to the reviewed single-host concurrency model; evidence compaction or distributed coordination would require a new decision.
36
+
37
+ ## Follow-ups
38
+
39
+ - Run and manually attest a real elapsed 12-hour canary.
40
+ - Start a fresh run and manually attest a real elapsed 24-hour canary only after the 12-hour canary passes.
41
+ - Revisit a daemon, database, or automatic merge only through a superseding ADR backed by observed tracer limitations and new deterministic gates.
@@ -0,0 +1,102 @@
1
+ # ADR: Conductor-First Typed Dispatch Authority
2
+
3
+ Status: Accepted on 2026-07-11; bridge counts and dispatch admission are superseded by ADR 0003.
4
+
5
+ ## Context
6
+
7
+ OMS already has a TypeScript, file-backed queue/control/evidence foundation, bounded provider hooks, reconciliation, worktrees, role policy, a local tracer, and a negative-only release assessment. It does not yet run the desired live product flow.
8
+
9
+ The required operator experience is one human-started persistent Claude Opus conductor in tmux. The human types the goal once; the read-only conductor then routes work across configured Claude and Codex lanes. OMS must observe provider and GitHub changes, survive restarts and quota pauses, and prepare verified pull requests without becoming a daemon or granting models merge/release authority.
10
+
11
+ The previous operator-first design required a human start ceremony for every worker and emitted product instructions for an external team runtime. That does not satisfy the desired OMS-owned conductor loop.
12
+
13
+ ## Decision
14
+
15
+ V1 uses a conductor-first, typed-dispatch architecture:
16
+
17
+ 1. A human runs interactive bare `oms` to create or resume an interactive read-only Claude Opus conductor in the OMS tmux session. On the first live run, the CLI obtains one exact repository-scoped human confirmation before state initialization or provider contact. The explicit `oms conductor start` form remains only for advanced recovery or a selected state root; non-interactive bare invocation prints help and contacts no provider.
18
+ 2. The human enters a freeform goal. CD-01 begins with exactly two proposal tools on the session-scoped local stdio `oms conductor bridge`: `mcp__oms__propose_goal` and `mcp__oms__propose_dispatch`. The goal tool validates and atomically commits durable objective, scope, stopping condition, horizon, and budget/policy state. The dispatch tool is initially advertised and schema-valid but deterministically returns `dispatch-not-enabled` with no mutation.
19
+ 3. CD-02 activates that same dispatch handler without adding tools or permissions. Every worker assignment then becomes a validated, persisted OMS envelope bound to exact goal, ticket, lease, attempt, role/model, provider eligibility, worktree, capabilities, budget, acceptance/evidence requirements, and nonce before delivery. Freeform content never enters argv, a shell, or file Write.
20
+ 4. CD-03 adds exactly two narrow control tools: `mcp__oms__manage_worker` for observe/park/resume/stop and `mcp__oms__start_team` for grouping already accepted dispatch IDs. The complete conductor bridge therefore has four tools: two proposal tools and two fixed-action controls. It exposes no generic shell, filesystem, tmux, provider, GitHub, verification, merge, or release authority.
21
+ 5. OMS provider adapters start and observe interactive Claude workers, resumable Codex Goal workers, and eligible fresh read-only exec roles. Worker sessions require an explicitly reviewed `operator_originated_oms_managed_interactive` policy; legacy per-worker human-start flags are not silently reinterpreted. Direct tmux operations are encapsulated; the conductor cannot invoke them.
22
+ 6. Provider hooks drive immediate session/activity/health/completion-observed/quota observations. Completion hooks cannot set `agent=done` or `ticket=verifying`; only one dispatch-bound typed result receipt can. A one-shot GitHub sync runs every 60 seconds by default. Projected events form opaque notification batches, and a version-pinned `asyncRewake` waiter wakes an idle conductor to re-read canonical state. Waiter generations are durable CAS records bound to conductor session/process identity. The 15-minute watchdog is the sole dead-waiter recovery owner: it may resume/respawn only a proven idle/dead conductor so `SessionStart` re-arms, never interrupt active work, and otherwise record visible stalled/blocked state.
23
+ 7. Deterministic verification is the final vote. Exactly one fresh opposite-engine grade is mandatory and supplemental. An unavailable/ineligible opposite engine parks or blocks visibly; bounded reflection/retry cannot bypass attempts or verification.
24
+ 8. OMS may push isolated branches, open/update draft pull requests, attach evidence, and report `READY_FOR_HUMAN`. Only a human may merge, tag, publish, or release.
25
+
26
+ ## Simplicity boundary
27
+
28
+ - Native primitives provide provider sessions, local stdio MCP tools, `asyncRewake` hooks, tmux, worktrees, GitHub access, and scheduling.
29
+ - Skills define conductor, worker, advisor, grader, reflection, quota, schedule, and team behavior.
30
+ - Small Node.js/TypeScript commands provide the four-tool session bridge, state, dispatch, adapters, event synchronization, generation-safe notification waiting, watchdog recovery, verification, and evidence.
31
+ - V1 adds no daemon, database, framework, webhook listener, custom mux library, tracked shell automation, or general workflow engine.
32
+ - A team is only a group of executor dispatches. V1 uses one deterministic review gate followed by one fresh structured cross-engine grade; teams add no second verifier/model-review lane.
33
+
34
+ ## Authority boundary
35
+
36
+ The conductor may prioritize eligible tickets, select configured roles/lanes, ask for advice or grading, launch/observe/park/resume/stop workers through OMS, and select a legal retry or escalation.
37
+
38
+ The conductor may not edit product code or canonical state, modify durable policy, widen goal scope silently, introduce providers/models/credentials/spend classes, issue raw tmux commands, override verification or stale authority, exceed attempts/budget, merge, publish, release, or claim stability. It has no Edit/Write permission. Freeform goal and task proposals use only the two proposal tools; worker lifecycle and team grouping use the two narrow control tools with opaque canonical IDs. All other access is read-only diagnostics.
39
+
40
+ Workers may mutate only their isolated ticket worktrees and may acknowledge/return results only for their dispatch. They cannot write goal, verification, trust, queue, merge, or release authority.
41
+
42
+ OMS owns durable goal, ticket, lease, dispatch, worker/session, event, quota, verification, evidence, attempt, audit, and human-hold state.
43
+
44
+ ## State semantics
45
+
46
+ - Agent activity: `idle | working | blocked | done`
47
+ - Agent health: `healthy | parked | stalled | stopped`
48
+ - Ticket lifecycle: `pending | leased | running | verifying | completed | retryable | parked | blocked`
49
+
50
+ `agent=done` means one schema-valid result receipt bound to the current goal, dispatch, attempt, lease, session, worktree, and commit arrived. It moves the ticket to `verifying`; only protected deterministic evidence plus the mandatory opposite-engine grade may complete it.
51
+
52
+ ## Security boundary
53
+
54
+ - Raw issue, comment, review, provider, hook, pane, and model text is untrusted content and never becomes a command or authority.
55
+ - Freeform goal/task text crosses only the two proposal tools. CD-01 can mutate only goal authority while dispatch remains `dispatch-not-enabled`; CD-02 activates dispatch; CD-03 adds two schema-bound lifecycle/team controls that accept canonical IDs and bounded control fields. The bridge rejects oversize/non-schema input, stale authority, capability expansion, changed identity, and replay before canonical mutation and exposes no ambient filesystem/shell/provider/GitHub/verification/merge/release capability.
56
+ - Dispatch, hook, event, result, and evidence identities are replay-safe and exact-version bound.
57
+ - One expected-version/nonce waiter generation is active per conductor session/process. Dead-waiter recovery is watchdog-owned; duplicate recovery, PID reuse, unsafe resume, or lost notification fails visible rather than widening authority.
58
+ - Hook completion is observational only. Missing/stale/cross-dispatch result receipts cannot create `done` or `verifying` state regardless of event order.
59
+ - Pane text and sentinels are diagnostic only.
60
+ - Candidate code cannot replace the installed verifier, frozen plan, policy snapshot, or evidence writer.
61
+ - Unknown provider/auth/billing/version eligibility, credential widening, stale authority, or deterministic failure stops the path.
62
+ - Hook/receipt evidence proves the documented local OMS continuity boundary, not cryptographic provider attestation.
63
+
64
+ ## Alternatives
65
+
66
+ ### Human starts every worker
67
+
68
+ Rejected. It preserves a narrow operator boundary but fails the intended experience that the human starts only the conductor.
69
+
70
+ ### Raw conductor-driven tmux commands
71
+
72
+ Rejected. It exposes brittle TUI transport and injection risk as public authority. OMS adapters may use tmux internally with typed validated inputs.
73
+
74
+ ### Path-scoped proposal files
75
+
76
+ Rejected. A session-scoped stdio bridge keeps Edit/Write entirely disabled and passes freeform proposal fields through native JSON tool input instead of relying on dynamic filesystem permissions.
77
+
78
+ ### Custom orchestration service
79
+
80
+ Rejected. Native CLIs, skills, one-shot commands, tmux, hooks, and user schedulers cover v1.
81
+
82
+ ### Webhook server
83
+
84
+ Deferred. Sixty-second polling with durable watermarks is sufficient for v1 and avoids a listener/secret/deployment boundary.
85
+
86
+ ### Automatic merge or release
87
+
88
+ Rejected for v1. It requires endurance evidence, explicit trust policy, and a separate reviewed ADR.
89
+
90
+ ## Consequences
91
+
92
+ - The first human action remains explicit and visible.
93
+ - The conductor can behave agentically without owning deterministic authority.
94
+ - OMS must keep the four-tool session bridge narrow, implement one generation-safe event waiter with watchdog-owned recovery, and retain small provider/pane and schedule boundaries.
95
+ - The operator-originated OMS-managed interactive worker policy must be checked against current official provider policy and CLI behavior; it remains distinct from headless/unattended eligibility and fails closed when uncertain.
96
+ - Long runs depend on durable state, hooks, polling, and recovery rather than model context.
97
+ - A successful run ends at a verified review-ready PR and negative-only release assessment.
98
+
99
+ ## Follow-ups
100
+
101
+ - Promote this ADR and add a regression test in CD-01.
102
+ - Consider webhooks, additional schedulers, automatic merge, package release, or unattended credential lanes only through separate reviewed changes after the 12-hour and fresh 24-hour proofs.
@@ -0,0 +1,59 @@
1
+ # ADR: Mandatory Pre-Dispatch Advice Authority
2
+
3
+ Status: Accepted on 2026-07-13.
4
+
5
+ ## Context
6
+
7
+ ADR 0002 established a read-only conductor and typed dispatch boundary, but an
8
+ instruction to request advice was only prompt policy. Prompt policy cannot prove
9
+ that a fresh advisor reviewed the exact executor-affecting intent, prevent advice
10
+ from being reused after a change, or stop direct dispatch when the advisor
11
+ recommends revision or vetoes the work.
12
+
13
+ OMS needs mandatory cross-engine advice without adding a daemon, a generic
14
+ command tool, or model-owned authority.
15
+
16
+ ## Decision
17
+
18
+ 1. The conductor bridge exposes version-bound `mcp__oms__prepare_dispatch`
19
+ followed by distinct `mcp__oms__advise_dispatch` before
20
+ `mcp__oms__propose_dispatch`. The complete bridge has seven narrow tools.
21
+ 2. Advice accepts the distinct dispatch-intent schema. OMS canonicalizes every
22
+ executor-affecting field, including the operation nonce, and computes the
23
+ exact SHA-256 digest.
24
+ 3. A fresh Codex contact requires a separate human-confirmed pre-dispatch-advice
25
+ authorization bound to the live-delivery authorization, conductor session,
26
+ and repository. OMS journals the contact before launching the provider.
27
+ 4. Model output contains only the intent digest, `approve | revise | veto`,
28
+ summary, recommendations, and risks. OMS owns provider-request,
29
+ fresh-session, contact-reference, and authorization identities and mints the
30
+ protected immutable evidence.
31
+ 5. Advice operations persist `prepared -> contacting -> completed | blocked`.
32
+ The contacting claim includes its OMS Linux process identity (PID, boot ID,
33
+ and process start ticks). A live owner remains in progress without mutation;
34
+ a dead, restarted, or PID-reused owner is ambiguous and never causes an
35
+ automatic second provider launch. At most three unique intents may be
36
+ advised for one ticket attempt. Only one intent for that ticket attempt and
37
+ lease may be prepared or contacting at a time.
38
+ A veto is terminal for the ticket attempt and lease. After `revise`, another
39
+ contact requires a substantive canonical-intent change; changing only the
40
+ operation nonce is not a revision.
41
+ 6. Dispatch admission recomputes the intent digest and requires exact immutable
42
+ `approve` evidence for the unchanged ticket and intent before creating a
43
+ dispatch record, worker reservation, or delivery event.
44
+ 7. The accepted dispatch stores the intent digest and evidence reference.
45
+ Worker delivery independently validates both before any provider probe or
46
+ pane creation. Historical resolved records remain readable; unresolved
47
+ historical records without this authority cannot advance.
48
+
49
+ ## Consequences
50
+
51
+ - Advice is mandatory authority, not an optional prompt convention.
52
+ - Any substantively revised intent requires fresh advice; veto, nonce-only
53
+ resubmission, missing evidence, tampering, replay ambiguity, or changed
54
+ authority fails closed.
55
+ - Deterministic verification remains the final vote after execution, and the
56
+ opposite-engine grader remains supplemental.
57
+ - The conductor remains read-only and agentic through seven narrow tools. OMS
58
+ still adds no daemon, generic workflow engine, shell tool, or merge/release
59
+ authority.
@@ -0,0 +1,25 @@
1
+ # Claude Code 2.1.207 conductor compatibility proof
2
+
3
+ Date: 2026-07-11
4
+ Scope: CD-01, human-started interactive conductor only
5
+
6
+ ## Environment
7
+
8
+ - Claude Code `2.1.207` using first-party Claude Max subscription auth
9
+ - tmux `3.6`
10
+ - OMS launched with `bin/oms conductor start`; no print/headless Claude mode
11
+ - Model resolved from policy to Opus; Fable was shown only as an optional Claude UI notice and was not selected
12
+
13
+ ## Observed results
14
+
15
+ 1. The command created the `oms:conductor` pane and attached an interactive TTY.
16
+ 2. `/mcp` showed exactly one server, `oms`, connected with two tools. The launch uses `--strict-mcp-config` and `--no-chrome`.
17
+ 3. `propose_goal` persisted a version-0 canonical goal containing repository/queue scope, stopping condition, `until-empty`, `subscription-only`, `default`, and a stable nonce.
18
+ 4. The literal objective text `$(touch /tmp/oms-conductor-injection)` remained data. The named file was not created.
19
+ 5. A schema-valid `propose_dispatch` call returned `{"status":"dispatch-not-enabled"}` and created no ticket, lease, worker, or worktree state.
20
+ 6. After killing and recreating the tmux session, `oms conductor start` reused the persisted Claude session UUID and resumed the prior conversation.
21
+ 7. The launch advertises only `Read`, `Glob`, `Grep`, `mcp__oms__propose_goal`, and `mcp__oms__propose_dispatch`; provider-plan tests reject Edit, Write, Bash, raw tmux, web, agent, print, and background authority.
22
+
23
+ The smoke exposed one real-client detail before passing: Claude Code includes an MCP `_meta` envelope on tool calls. OMS now accepts that protocol metadata while continuing to validate the tool payload against a closed schema.
24
+
25
+ This is compatibility evidence for the pinned version, not a general certification of later Claude Code versions, billing behavior, unattended execution, worker dispatch, merge, or release readiness.
@@ -0,0 +1,102 @@
1
+ # OMS Runtime Contract
2
+
3
+ This contract describes the implemented local TypeScript control plane. It does
4
+ not certify a live provider run, unattended endurance, or production readiness.
5
+
6
+ ## MUST
7
+
8
+ - Keep `.agents/` as the tracked source of truth and preserve user-owned text
9
+ around generated managed blocks.
10
+ - Keep runtime automation in Node.js/TypeScript; do not add tracked shell
11
+ automation scripts as an orchestration layer.
12
+ - Initialize runtime data only below one validated absolute state root with
13
+ restrictive permissions. Make `init` idempotent and read-only surfaces
14
+ non-creating.
15
+ - Keep `doctor`, `verify`, tests, HUD, release status, and the local trace fixture
16
+ offline and deterministic.
17
+ - Keep raw ticket content in immutable blobs and pass only opaque IDs or
18
+ absolute file paths across process and future tmux boundaries.
19
+ - Require expected versions, attempts, actors, operation nonces, and lease
20
+ tokens at ticket mutation boundaries.
21
+ - Validate exact event schemas and consume immutable outbox events through
22
+ idempotent per-consumer receipts.
23
+ - Bind session and quota changes to canonical hook events, session versions,
24
+ timestamps, policy identity, and active ticket authority.
25
+ - Let deterministic verification vote before and finally; treat grader output as
26
+ supplemental evidence only.
27
+ - Keep trust reports review-only and derive canonical trust runs only from live,
28
+ ticket-bound deterministic evidence.
29
+ - Keep one canonical OMS goal record; treat native goal, Team, Ultragoal, HUD,
30
+ and report state as checkpoint evidence or projections.
31
+ - Persist audit manifests, conductor decisions, goal artifacts, Team plans, and
32
+ service plans immutably and reject conflicting replay.
33
+ - Freeze complete ticket admission identity before starting an audit; require
34
+ immutable completion evidence, continuity-safe run events, and an explicit
35
+ exact-generation operation for crashed controller-lock recovery.
36
+ - Keep the initial conductor session human-started. Launch executor panes only
37
+ from accepted dispatch delivery after fresh policy, provider, ticket, and
38
+ worktree checks.
39
+ - Admit open ready GitHub tickets before notifying the conductor. Keep role,
40
+ model, task, and routing judgment in the conductor skill, not the admission
41
+ command.
42
+ - Journal every authorized provider/GitHub contact before contact. After a
43
+ protected pass, permit only the fixed secret-scanned non-force branch and
44
+ draft-PR handoff, then wait for typed PR/check events before
45
+ `READY_FOR_HUMAN`.
46
+ - Keep all merge dispositions on human hold and release status fixed to the
47
+ negative-only `not_stable` schema.
48
+ - Require a named live confirmation to persist contact/spend disclosure before
49
+ any provider or GitHub contact.
50
+
51
+ ## MUST NOT
52
+
53
+ - Contact a provider or GitHub from `doctor`, `verify`, tests, HUD, release
54
+ status, the trace fixture, or any command without an explicit named live
55
+ confirmation.
56
+ - Use interactive panes to evade metering, authentication, usage limits, or
57
+ provider policy.
58
+ - Evaluate untrusted text or send raw issue/model content as tmux keystrokes,
59
+ shell source, service-manager source, a branch name, or a path.
60
+ - Let an unaccepted conductor decision invoke a provider, pass untrusted content
61
+ through tmux keys, or claim delivery without a bound receipt.
62
+ - Install, enable, start, stop, or remove generated cron, systemd, or launchd
63
+ artifacts.
64
+ - Send Slack messages or interpret a request-only event as delivery evidence.
65
+ - Let the watchdog resume quota-parked work, retry an external provider, or
66
+ convert a stall report into success.
67
+ - Let a grader, trust assessment, HUD, Team plan, or goal projection grant queue,
68
+ execution, release, or merge authority.
69
+ - Claim a live GitHub ticket, elapsed canary, provider session, executor-group
70
+ checkpoint, or stable release without independent matching
71
+ evidence.
72
+ - Merge automatically, overwrite active queue state from GitHub, or parse a
73
+ positive release state in the current release.
74
+ - Mark a draft ready-for-review, merge, force-push, tag, publish, or release
75
+ through the review-delivery path.
76
+
77
+ ## IMPLEMENTATION DONE WHEN
78
+
79
+ - `make verify` passes from a clean checkout with no network or provider call.
80
+ - Unsafe state roots are rejected and read-only commands do not create missing
81
+ runtime state.
82
+ - Generated `AGENTS.md`, `CLAUDE.md`, native agents, and skills are idempotent
83
+ while preserving user-owned content.
84
+ - The offline ticket fixture reaches human-held completion with deterministic
85
+ evidence before supplemental grading and without tracked source mutation.
86
+ - Duplicate hook, outbox, queue, scheduler, watchdog, audit, goal, trust, and
87
+ Team operations replay or fail closed according to their authority.
88
+ - Service artifacts are generated immutably but never installed; audit runs and
89
+ conductor routes remain truthful about whether an accepted dispatch produced
90
+ a provider delivery receipt.
91
+ - HUD and release status remain read-only and report `not_stable`.
92
+ - Runtime, secret, temporary, and log files remain untracked.
93
+
94
+ ## RELEASE REMAINS BLOCKED UNTIL
95
+
96
+ - one real live GitHub ticket has reviewed evidence;
97
+ - an elapsed 12-hour canary and a fresh elapsed 24-hour canary have reviewed
98
+ evidence;
99
+ - a real executor-group delivery plus normal per-ticket deterministic checks and
100
+ opposite-engine grade are captured; and
101
+ - a future reviewed positive-release design, if one is wanted, explicitly
102
+ grants authority. The current implementation intentionally cannot do so.
package/package.json ADDED
@@ -0,0 +1,54 @@
1
+ {
2
+ "name": "oh-my-super-agent",
3
+ "version": "0.1.0",
4
+ "description": "A simple-first harness for supported Claude Code and Codex CLI ticket workflows.",
5
+ "type": "module",
6
+ "homepage": "https://www.npmjs.com/package/oh-my-super-agent",
7
+ "publishConfig": {
8
+ "access": "public"
9
+ },
10
+ "exports": {},
11
+ "bin": {
12
+ "oh-my-super-agent": "dist/src/cli.js",
13
+ "oms": "dist/src/cli.js"
14
+ },
15
+ "files": [
16
+ ".agents",
17
+ "dist",
18
+ "docs/ARCHITECTURE.md",
19
+ "docs/PLAN.md",
20
+ "docs/REFERENCES.md",
21
+ "docs/ROADMAP.md",
22
+ "docs/SECURITY.md",
23
+ "docs/adr",
24
+ "docs/compatibility",
25
+ "loop",
26
+ "schemas",
27
+ "LICENSE",
28
+ "README.md"
29
+ ],
30
+ "scripts": {
31
+ "build": "tsc -p tsconfig.json",
32
+ "typecheck": "tsc -p tsconfig.test.json --noEmit",
33
+ "test": "npm run build && vitest run",
34
+ "verify": "npm run typecheck && npm test && node dist/src/cli.js verify",
35
+ "prepack": "npm run build",
36
+ "prepublishOnly": "npm run verify"
37
+ },
38
+ "engines": {
39
+ "node": ">=20"
40
+ },
41
+ "keywords": [
42
+ "agents",
43
+ "claude-code",
44
+ "codex",
45
+ "orchestration",
46
+ "tmux"
47
+ ],
48
+ "license": "MIT",
49
+ "devDependencies": {
50
+ "@types/node": "^26.0.1",
51
+ "typescript": "^6.0.3",
52
+ "vitest": "^4.1.9"
53
+ }
54
+ }