
oh-my-customcode
Your AI Agent Stack. Compiled, Not Configured.
49 agents. 117 skills. 23 rules. One command.
```bash
npm install -g oh-my-customcode && cd your-project && omcustom init
```
oh-my-customcode is built on two ideas:
1. Agent systems are compiled, not configured.
| Compile Concept | oh-my-customcode |
|---|---|
| Source code | .claude/skills/ — reusable knowledge and workflows |
| Build artifacts | .claude/agents/ — executable specialists assembled from skills |
| Compiler | mgr-sauron (R017) — structural verification and integrity |
| Spec | .claude/rules/ — constraints and build rules |
| Linker | Routing skills — connect agents to tasks |
| Standard library | guides/ — shared reference documentation |
Skills are source. Agents are compiled output. Sauron verifies the build. This separation means skills evolve independently of agents, and agents can be recompiled from updated skills at any time.
2. If it can't be done, make it work.
When no specialist exists for a task, oh-my-customcode does not fail. It creates one.
```
User: "Review this Terraform module"
  → Routing: no terraform expert found
  → mgr-creator discovers: infra-aws-expert skills + docker-best-practices guide
  → Creates: infra-terraform-expert.md
  → Executes the review immediately
  → Agent persists for future use
```
This is not a fallback. It is the design. The system treats missing expertise as a build problem — find the right skills, compile a new agent, execute.
The main conversation acts as a singleton orchestrator (R010). It never writes files directly. Every action is delegated through routing skills to specialized agents.
```
User (natural language)
  → Routing skill (intent detection, confidence scoring)
  → Specialized agent (isolated execution)
  → Result returned to orchestrator
  → Response to user
```
Four routing skills cover the full domain:
| Routing Skill | Routes To |
|---|---|
| secretary-routing | Manager agents (`mgr-*`), system agents (`sys-*`) |
| dev-lead-routing | Language, backend, frontend, tooling, DB, infra, arch agents |
| de-lead-routing | Data engineering agents (de-*) |
| qa-lead-routing | QA team (qa-planner, qa-writer, qa-engineer) |
Each agent runs on the model optimized for its task:
| Model | When | Examples |
|---|---|---|
| opus | Complex reasoning, architecture | Design review, research synthesis |
| sonnet | Implementation, general tasks | Code generation, agent creation |
| haiku | Fast validation, search | File search, count verification |
The reasoning-sandwich pattern formalizes this: opus for pre-analysis, sonnet for implementation, haiku for post-verification.
Independent tasks run in parallel (R009). Up to 4 concurrent agents per message:
```
Agent(lang-golang-expert):sonnet  ┐
Agent(lang-python-expert):sonnet  ├─ All spawned in one message
Agent(qa-engineer):sonnet         │
Agent(arch-documenter):haiku      ┘
```
| Category | Count | Agents |
|---|---|---|
| Languages | 6 | lang-golang, lang-python, lang-rust, lang-kotlin, lang-typescript, lang-java21 |
| Backend | 6 | be-fastapi, be-springboot, be-go-backend, be-express, be-nestjs, be-django |
| Frontend | 5 | fe-vercel, fe-vuejs, fe-svelte, fe-flutter, fe-design |
| Data Engineering | 6 | de-airflow, de-dbt, de-spark, de-kafka, de-snowflake, de-pipeline |
| Database | 4 | db-supabase, db-postgres, db-redis, db-alembic |
| Tooling | 4 | tool-npm, tool-optimizer, tool-bun, slack-cli |
| Architecture | 2 | arch-documenter, arch-speckit |
| Infrastructure | 2 | infra-docker, infra-aws |
| QA | 3 | qa-planner, qa-writer, qa-engineer |
| Security | 1 | sec-codeql |
| Managers | 6 | mgr-creator, mgr-updater, mgr-supplier, mgr-gitnerd, mgr-sauron, mgr-claude-code-bible |
| System | 3 | sys-memory-keeper, sys-naggy, tracker-checkpoint |
Each agent declares its tools, model, memory scope, and limitations in YAML frontmatter. Tool budgets are enforced per agent type for accuracy.
| Category | Count | Includes |
|---|---|---|
| Best Practices | 24 | Go, Python, TypeScript, Kotlin, Rust, React, FastAPI, Spring Boot, Django, Flutter, Docker, AWS, Postgres, Redis, Kafka, dbt, Spark, Snowflake, Airflow, pipeline-architecture-patterns, alembic, and more |
| Routing | 4 | secretary, dev-lead, de-lead, qa-lead |
| Workflow | 14 | structured-dev-cycle, deep-plan, research, evaluator-optimizer, dag-orchestration, worker-reviewer-pipeline, reasoning-sandwich, pipeline, fsd, and more |
| Development | 8 | dev-review, dev-refactor, analysis, create-agent, intent-detection, web-design-guidelines, omcustom-takeover, skill-extractor |
| Operations | 9 | update-docs, audit-agents, sauron-watch, monitoring-setup, fix-refs, release-notes, and more |
| Memory | 3 | memory-save, memory-recall, memory-management |
| Package | 3 | npm-publish, npm-version, npm-audit |
| Optimization | 3 | optimize-analyze, optimize-bundle, optimize-report |
| Security | 3 | adversarial-review, cve-triage, jinja2-prompts |
| Other | 7 | claude-native, vercel-deploy, skills-sh-search, result-aggregation, writing-clearly-and-concisely, and more |
Skills use a 3-tier scope system: core (universal), harness (agent/skill maintenance), package (project-specific).
All commands are invoked inside the Claude Code conversation.
| Command | What it does |
|---|---|
| /dev-review | Code review against best practices |
| /dev-refactor | Refactor for structure and patterns |
| /structured-dev-cycle | 6-stage development: plan → verify → implement → verify → compound → done |
| /deep-plan | Research-validated planning |
| /research | 10-team parallel analysis with cross-verification |
| /sdd-dev | Spec-Driven Development workflow |
| /ambiguity-gate | Pre-routing ambiguity analysis |
| /adversarial-review | Attacker-mindset security code review |
| /pipeline | Execute YAML-defined pipelines |
| /pipeline resume | Resume a halted pipeline from last failure point |
| Command | What it does |
|---|---|
| /omcustom:analysis | Analyze project, auto-configure agents and skills |
| /omcustom:create-agent | Create a new agent |
| /omcustom-takeover | Extract canonical spec from existing agent or skill |
| /omcustom:audit-agents | Audit agent dependencies |
| /omcustom:update-docs | Sync project structure and documentation |
| /omcustom:sauron-watch | Full structural verification (5+3 rounds) |
| /omcustom-feedback | Submit feedback as GitHub issue |
| Command | What it does |
|---|---|
| /omcustom:web | Control built-in Web UI (start, stop, status, open) |
| Command | What it does |
|---|---|
| /omcustom:npm-publish | Publish to npm |
| /omcustom:npm-version | Semantic versioning |
| /omcustom:npm-audit | Dependency security audit |
| /omcustom-release-notes | Generate release notes from git history |
| Command | What it does |
|---|---|
| /omcustom:monitoring-setup | OTel monitoring toggle |
| /omcustom:loop | Auto-continue background agent workflows (3-continue safety limit) |
| /omcustom:lists | Show all commands |
| /omcustom:status | System health check |
| Priority | Count | Purpose |
|---|---|---|
| MUST | 14 | Safety, permissions, agent design, identification, orchestration, verification, completion, enforcement |
| SHOULD | 8 | Interaction, error handling, memory, HUD, ecomode, ontology routing, wiki sync, verification ladder |
| MAY | 1 | Optimization |
Key rules: R010 (orchestrator never writes files), R009 (parallel execution mandatory), R017 (sauron verification before push), R020 (completion verification before declaring done), R021 (advisory-first enforcement model).
The guides are reference documentation covering best practices, architecture decisions, and integration patterns. They are located in guides/ at the project root and cover topics from agent design to CI/CD to observability.
oh-my-customcode includes security and lifecycle hooks:
| Hook | Trigger | Action |
|---|---|---|
| secret-filter | Bash, Read output | Detects AWS keys, API tokens, private keys, bearer tokens |
| audit-log | Edit, Write, Bash, Agent | Append-only JSONL at ~/.claude/audit.jsonl |
| schema-validator | Write, Edit, Bash input | Validates tool inputs, flags dangerous patterns |
| PostCompact | Context compaction | Reinjects enforced rules (R007–R018, R021) — prevents rule amnesia |
Security hooks are advisory (exit 0). They warn but never block.
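To make the advisory-versus-blocking distinction concrete, here is an added example (not oh-my-customcode's own hook code) of a secret filter over tool output covering the four categories in the table. The regex patterns, the names `scanOutput` and `hookExitCode`, and the use of exit code 2 as the blocking signal for Claude Code hooks are assumptions of this sketch.

```javascript
// Added illustration; not oh-my-customcode's secret-filter source.
// One pattern per category named in the hook table (patterns are assumptions).
const PATTERNS = [
  { kind: "aws-access-key-id", re: /\b(?:AKIA|ASIA)[0-9A-Z]{16}\b/g },
  { kind: "private-key", re: /-----BEGIN (?:[A-Z]+ )*PRIVATE KEY-----/g },
  { kind: "bearer-token", re: /\bBearer\s+[A-Za-z0-9\-._~+\/]{20,}=*/g },
  { kind: "api-token",
    re: /\b(?:api[_-]?key|token|secret)\b\s*[:=]\s*["']?[A-Za-z0-9_\-]{20,}/gi },
];

// Scan tool output line by line. Only a 4-character prefix of each match is
// kept, so the warning (or an audit log entry) does not re-leak the secret.
function scanOutput(text) {
  const findings = [];
  text.split("\n").forEach((line, idx) => {
    for (const { kind, re } of PATTERNS) {
      for (const m of line.matchAll(re)) {
        findings.push({ kind, line: idx + 1, preview: m[0].slice(0, 4) + "[redacted]" });
      }
    }
  });
  return findings;
}

// "advisory" matches the page: warn and exit 0. "blocking" returns 2, the exit
// code Claude Code hooks treat as a blocking error (host behaviour, assumed).
function hookExitCode(findings, mode = "advisory") {
  if (findings.length === 0) return 0;
  return mode === "blocking" ? 2 : 0;
}

// Constructed sample output; every value below is fake.
const SAMPLE = [
  "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
  "Authorization: Bearer abcdefghijklmnopqrstuvwxyz012345",
  "-----BEGIN RSA PRIVATE KEY-----",
  'api_key="constructed0123456789abcdef"',
  "build finished in 3.2s",
].join("\n");

const findings = scanOutput(SAMPLE);
for (const f of findings) console.error(`[secret-filter] ${f.kind} on line ${f.line}: ${f.preview}`);
console.error(`advisory exit=${hookExitCode(findings)} blocking exit=${hookExitCode(findings, "blocking")}`);
```

In advisory mode the same four findings produce exit 0, so anything that must actually stop a leaked credential has to sit outside these hooks or run them in a blocking configuration.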
```bash
omcustom init                  # Interactive setup wizard (language, framework, team mode)
omcustom init --lang ko        # Initialize with Korean
omcustom init --from-snapshot  # Install from pre-configured team snapshot
omcustom sync                  # Detect drift between .claude/ state and lockfile
omcustom sync --check          # Check for drift without applying changes
omcustom sync --export         # Export current state as team snapshot
omcustom update                # Update to latest
omcustom list                  # List components
omcustom doctor                # Verify installation
omcustom doctor --fix          # Auto-fix issues
omcustom security              # Scan for security issues
omcustom projects              # List managed projects with version status
omcustom update --all          # Batch update all outdated projects
omcustom serve                 # Start built-in Web UI
omcustom serve-stop            # Stop Web UI
```
```
your-project/
├── CLAUDE.md          # Entry point
├── .claude/
│   ├── agents/        # 49 agent definitions
│   ├── skills/        # 117 skill modules
│   ├── rules/         # 23 governance rules (R000-R023)
│   ├── hooks/         # 15 lifecycle hook scripts
│   ├── schemas/       # Tool input validation schemas
│   ├── specs/         # Extracted canonical specs
│   ├── contexts/      # 4 shared context files
│   └── ontology/      # Knowledge graph for RAG
└── guides/            # 57 reference documents
```
RTK is automatically installed during omcustom init for 60-90% token savings. Other tools are optional:
| Tool | Purpose | Install | Status |
|---|---|---|---|
| RTK | 60-90% token savings on CLI output | Auto-installed via omcustom init | Recommended |
| Codex CLI | OpenAI Codex hybrid workflows | npm i -g @openai/codex | Optional |
| Gemini CLI | Google Gemini hybrid workflows | npm i -g @google/gemini-cli | Optional |
When installed, each tool is auto-detected at session start and its features become available. When not installed, all commands gracefully fall back to Claude-native alternatives.
```bash
bun install     # Install dependencies
bun run dev     # Development mode
bun test        # Run tests
bun run build   # Production build
```
Requirements: Node.js >= 18.0.0, Claude Code CLI.
No expert? Create one. Connect knowledge. Execute.
Made with care by baekenough
FAQs
Batteries-included agent harness for Claude Code
The npm package oh-my-customcode receives a total of 1,448 weekly downloads. As such, oh-my-customcode popularity was classified as popular.
We found that oh-my-customcode demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.