🧠 OmniNode AI — Full Stack Multi-Agent Deployment Guide

[codegen-sh]

Overview

Complete multi-agent full-stack deployment system for the entire OmniNode AI platform — single-command deployment of 8 repositories, 54 AI agents, 90+ skills, 21 intelligence nodes, Kafka event bus, semantic memory, live dashboard, and Claude Code operator integration.

What's Included

Deployment Scripts

File	Purpose
deploy.sh	🚀 Main deployment (8-step, CLI flags, idempotent)
validate.sh	🔍 50+ automated validation checks with JSON output
docker-compose.yml	🐳 Infrastructure: PostgreSQL 16, Redpanda, Qdrant, Valkey
setup-claude-operator.sh	🤖 Claude Code hooks, agents, skills deployment
postgres-init.sh	🗄️ Database schema initialization (4 databases)
create-kafka-topics.sh	📨 22+ Kafka event topics
create-qdrant-collections.sh	🔍 5 vector collections for semantic memory
.env.example	⚙️ 30+ configuration variables
README.md	📖 Comprehensive deployment guide with architecture diagrams

Repositories Deployed

All 8 OmniNode-ai repositories in dependency order:

L1: omnibase_spi (180+ protocols)
L2: omnibase_core (Pydantic models, DI container, 4-node arch)
L3: omnibase_infra (Kafka + PostgreSQL adapters)
L4: omniintelligence (21 nodes) + omnimemory (semantic retrieval)
L5: omniclaude (54 agents, 90+ skills, 5 hooks)
L6: omnidash (React dashboard) + onex_change_control (governance)

Quick Start

cd omninode-deploy
chmod +x deploy.sh validate.sh config/*.sh scripts/*.sh
./deploy.sh            # Full deployment
./validate.sh          # Verify everything

Sandbox Test Results

✅ All 8 repositories cloned successfully
✅ Python virtual environment with uv created
✅ Core packages installed and importable: omnibase_spi (v0.15.0), omnibase_core (v0.23.0), omniintelligence, omniclaude
✅ All scripts pass shellcheck / bash syntax
⚠️ Docker infrastructure requires host Docker (sandbox limitation)

---

💻 View my work • 👤 Initiated by @Zeeeepa • About Codegen
⛔ Remove Codegen from PR • 🚫 Ban action checks

---

Summary by cubic

Streamlined CI and docs, removed legacy examples/architecture, and added a quick-start guide for telemetry logging. Adopted Ty type checks, simplified releases, and tightened workflow reliability.

• CI and Release

  • Replaced mypy with Ty via a new ty.yml workflow.
  • Simplified release to build a single pure-Python wheel on Ubuntu with cached uv.
  • Removed obsolete changelog/docs generators and disabled OSS repo setup; fixed deploy by dropping the old changelog step.
  • Updated actions (Slack v2.1.0, Codecov v5.4.3) and added a bot check in tests; paused auto-commit in pre-commit to avoid loops.

• Docs and Cleanup

  • Added QUICK_START_LOGGING.md and refreshed README headline.
  • Removed Dockerfile plus legacy architecture and example projects to reduce maintenance surface.
  • Extended .gitignore (including omninode-deploy/deploy.log).
  • Added .claude/settings.local.json to allow Linear MCP permissions.

^{Written for commit e899739. Summary will update on new commits.}

[sourcery-ai]

Sorry, we are unable to review this pull request

The GitHub API does not allow us to fetch diffs exceeding 300 files, and this pull request has 1930

[cubic-dev-ai]

20 issues found across 1930 files

Note: This PR contains a large number of files. cubic only reviews up to 75 files per PR, so some files may not have been reviewed.

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name="src/codegen/cli/commands/claude/config/claude_session_active_hook.py">

<violation number="1" location="src/codegen/cli/commands/claude/config/claude_session_active_hook.py:25">
P1: Duplicate code: `read_session_file()` function is copied with identical implementation in both `claude_session_active_hook.py` and `claude_session_stop_hook.py`</violation>
</file>

<file name="src/codegen/agents/README.md">

<violation number="1" location="src/codegen/agents/README.md:22">
P3: The example passes org_id as a string, but the documented signature specifies `org_id: Optional[int]`. Use an integer in the example to match the API contract.</violation>
</file>

<file name="docs/introduction/overview.mdx">

<violation number="1" location="docs/introduction/overview.mdx:59">
P2: The "Leave PR Reviews" card reuses integration copy, so it documents the wrong capability and misleads users.</violation>
</file>

<file name="omninode-deploy/docker-compose.yml">

<violation number="1" location="omninode-deploy/docker-compose.yml:43">
P1: Avoid shipping a known default database password. Require POSTGRES_PASSWORD to be explicitly set (or load it from a secret) so deployments don’t accidentally run with a weak default.</violation>

<violation number="2" location="omninode-deploy/docker-compose.yml:118">
P2: Remove the default Valkey password and require VALKEY_PASSWORD to be explicitly set (and update the healthcheck accordingly) to avoid running with a known credential.</violation>
</file>

<file name="docs/self-update.md">

<violation number="1" location="docs/self-update.md:279">
P1: The docs incorrectly claim pip/pipx/uv verify package signatures by default, which overstates security guarantees.</violation>
</file>

<file name="docs/settings/agent-permissions.mdx">

<violation number="1" location="docs/settings/agent-permissions.mdx:39">
P2: The repository rules link points to a localhost URL, which breaks navigation for users in published docs.</violation>
</file>

<file name="docs/sandboxes/setup-commands.mdx">

<violation number="1" location="docs/sandboxes/setup-commands.mdx:24">
P3: The URL template uses `{arepo_name}`, which looks like a typo and will mislead users. Use `{repo_name}` to match the actual repository placeholder.</violation>
</file>

<file name="docs/sandboxes/base-image.mdx">

<violation number="1" location="docs/sandboxes/base-image.mdx:87">
P2: Avoid piping remote install scripts directly to the shell without integrity verification; a compromised script would execute during the image build.</violation>

<violation number="2" location="docs/sandboxes/base-image.mdx:95">
P2: Avoid executing remote install scripts via curl | sh without checksum/signature verification to reduce supply-chain risk in the base image build.</violation>
</file>

<file name="docs/introduction/sdk.mdx">

<violation number="1" location="docs/introduction/sdk.mdx:10">
P2: Use the canonical token URL (`codegen.com/token`) to avoid sending users to an inconsistent domain.</violation>
</file>

<file name="omninode-deploy/config/create-kafka-topics.sh">

<violation number="1" location="omninode-deploy/config/create-kafka-topics.sh:63">
P2: The topic creation command suppresses all errors and reports them as "already exists," so real failures (e.g., container not running) are silently ignored while the script reports success.</violation>
</file>

<file name="docs/api-reference/github-actions.mdx">

<violation number="1" location="docs/api-reference/github-actions.mdx:76">
P2: `time.sleep` is used but `time` is never imported, causing a NameError at runtime.</violation>

<violation number="2" location="docs/api-reference/github-actions.mdx:90">
P2: `GITHUB_EVENT_PATH` is a file path, not the PR number. The prompt will include the path instead of the PR ID. Parse the event JSON and extract `pull_request.number` to get the correct PR number.</violation>
</file>

<file name="src/codegen/__init__.py">

<violation number="1" location="src/codegen/__init__.py:11">
P1: This change removes multiple previously exported top-level symbols, introducing a breaking public API regression for existing `from codegen import ...` users.</violation>
</file>

<file name=".github/workflows/ty.yml">

<violation number="1" location=".github/workflows/ty.yml:34">
P2: Changed file paths are parsed with shell word-splitting, which breaks filenames containing spaces and can cause `ty` to miss or mis-handle changed Python files.</violation>

<violation number="2" location=".github/workflows/ty.yml:45">
P2: Pass changed file arguments after `--` to prevent filenames from being interpreted as CLI flags.</violation>
</file>

<file name="omninode-deploy/deploy.sh">

<violation number="1" location="omninode-deploy/deploy.sh:97">
P2: Missing argument validation for `--workspace`: if no value follows (or next arg is another flag), the script either crashes with an opaque 'unbound variable' error or silently uses a flag as the workspace path. Validate `$2` before using it.</violation>

<violation number="2" location="omninode-deploy/deploy.sh:236">
P2: Weak password fallback: if `openssl` is unavailable, the generated password is `omninode-dev-<unix_timestamp>`, which is trivially guessable. Since `python3` is already a verified prerequisite, use it as the fallback for secure random generation.</violation>
</file>

<file name="docs/integrations/slack.mdx">

<violation number="1" location="docs/integrations/slack.mdx:96">
P2: The documented Slack scope for reading DM/group DM messages is incorrect; `mpim:read` does not grant message history access.</violation>
</file>

_{Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.}

[cubic-dev-ai]

P1: Duplicate code: read_session_file() function is copied with identical implementation in both claude_session_active_hook.py and claude_session_stop_hook.py

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At src/codegen/cli/commands/claude/config/claude_session_active_hook.py, line 25:

<comment>Duplicate code: `read_session_file()` function is copied with identical implementation in both `claude_session_active_hook.py` and `claude_session_stop_hook.py`</comment>

<file context>
@@ -0,0 +1,67 @@
+    update_claude_session_status = None
+
+
+def read_session_file() -> dict:
+    """Read session data written by the SessionStart hook, if available."""
+    session_path = Path.home() / ".codegen" / "claude-session.json"
</file context>

[cubic-dev-ai]

P1: Avoid shipping a known default database password. Require POSTGRES_PASSWORD to be explicitly set (or load it from a secret) so deployments don’t accidentally run with a weak default.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At omninode-deploy/docker-compose.yml, line 43:

<comment>Avoid shipping a known default database password. Require POSTGRES_PASSWORD to be explicitly set (or load it from a secret) so deployments don’t accidentally run with a weak default.</comment>

<file context>
@@ -0,0 +1,164 @@
+    container_name: omninode-postgres
+    environment:
+      POSTGRES_USER: ${POSTGRES_USER:-postgres}
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-omninode-dev-password}
+      POSTGRES_DB: postgres
+      # Multiple databases created by init script
</file context>

[cubic-dev-ai]

P1: The docs incorrectly claim pip/pipx/uv verify package signatures by default, which overstates security guarantees.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At docs/self-update.md, line 279:

<comment>The docs incorrectly claim pip/pipx/uv verify package signatures by default, which overstates security guarantees.</comment>

<file context>
@@ -0,0 +1,293 @@
+## Security
+
+- Updates are fetched over HTTPS from PyPI
+- Package signatures are verified by pip/pipx/uv
+- Pre-release versions are filtered out automatically
+- Major version updates require confirmation
</file context>

[cubic-dev-ai]

P1: This change removes multiple previously exported top-level symbols, introducing a breaking public API regression for existing from codegen import ... users.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At src/codegen/__init__.py, line 11:

<comment>This change removes multiple previously exported top-level symbols, introducing a breaking public API regression for existing `from codegen import ...` users.</comment>

<file context>
@@ -1,11 +1,11 @@
+    __version_tuple__ = version_tuple = (0, 0, 0, "unknown")
 
-__all__ = ["CodeAgent", "Codebase", "CodegenApp", "Function", "ProgrammingLanguage", "function"]
+__all__ = ["__version__", "__version_tuple__", "version", "version_tuple", "Agent"]
</file context>

[cubic-dev-ai]

P2: The "Leave PR Reviews" card reuses integration copy, so it documents the wrong capability and misleads users.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At docs/introduction/overview.mdx, line 59:

<comment>The "Leave PR Reviews" card reuses integration copy, so it documents the wrong capability and misleads users.</comment>

<file context>
@@ -1,159 +1,154 @@
+    href="/integrations/integrations"
   >
-    Create high-quality training data for fine-tuning LLMs on your codebase.
+    Connect with Slack, Linear, Figma, databases, and extend capabilities with
+    custom MCP tools.
+  </Card>
</file context>

Suggested change

	Connect with Slack, Linear, Figma, databases, and extend capabilities with
	custom MCP tools.
	Review pull requests, leave actionable comments, catch regressions early,
	and suggest code improvements automatically.

[cubic-dev-ai]

P2: Weak password fallback: if openssl is unavailable, the generated password is omninode-dev-<unix_timestamp>, which is trivially guessable. Since python3 is already a verified prerequisite, use it as the fallback for secure random generation.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At omninode-deploy/deploy.sh, line 236:

<comment>Weak password fallback: if `openssl` is unavailable, the generated password is `omninode-dev-<unix_timestamp>`, which is trivially guessable. Since `python3` is already a verified prerequisite, use it as the fallback for secure random generation.</comment>

<file context>
@@ -0,0 +1,564 @@
+  log_substep "Creating .env from template..."
+  cp "${SCRIPT_DIR}/.env.example" "$ENV_FILE"
+  # Generate a random password for dev
+  DEV_PASSWORD=$(openssl rand -hex 16 2>/dev/null || echo "omninode-dev-$(date +%s)")
+  if [[ "$(uname)" == "Darwin" ]]; then
+    sed -i '' "s/omninode-dev-password/$DEV_PASSWORD/g" "$ENV_FILE"
</file context>

[cubic-dev-ai]

P2: Missing argument validation for --workspace: if no value follows (or next arg is another flag), the script either crashes with an opaque 'unbound variable' error or silently uses a flag as the workspace path. Validate $2 before using it.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At omninode-deploy/deploy.sh, line 97:

<comment>Missing argument validation for `--workspace`: if no value follows (or next arg is another flag), the script either crashes with an opaque 'unbound variable' error or silently uses a flag as the workspace path. Validate `$2` before using it.</comment>

<file context>
@@ -0,0 +1,564 @@
+    --skip-infra)   SKIP_INFRA=true; shift ;;
+    --skip-frontend) SKIP_FRONTEND=true; shift ;;
+    --skip-claude)  SKIP_CLAUDE=true; shift ;;
+    --workspace)    WORKSPACE="$2"; VENV_DIR="${WORKSPACE}/.venv"; shift 2 ;;
+    --help|-h)
+      echo "OmniNode AI Full Stack Deployment"
</file context>

[cubic-dev-ai]

P2: The documented Slack scope for reading DM/group DM messages is incorrect; mpim:read does not grant message history access.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At docs/integrations/slack.mdx, line 96:

<comment>The documented Slack scope for reading DM/group DM messages is incorrect; `mpim:read` does not grant message history access.</comment>

<file context>
@@ -0,0 +1,170 @@
+
+- **View messages that mention @codegen** - To respond to direct mentions and requests
+- **Read message history in public and private channels** - To understand context and conversation flow
+- **Read direct messages and group chats** (`mpim:read`) - To enable private conversations with the agent in group DMs and multi-person direct messages
+- **Send messages** - To communicate responses and provide updates
+
</file context>

Suggested change

	- **Read direct messages and group chats** (`mpim:read`) - To enable private conversations with the agent in group DMs and multi-person direct messages
	- **Read direct and group DM message history** (`im:history`, `mpim:history`) - To enable private conversations with the agent in one-on-one and multi-person direct messages

[cubic-dev-ai]

P3: The example passes org_id as a string, but the documented signature specifies org_id: Optional[int]. Use an integer in the example to match the API contract.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At src/codegen/agents/README.md, line 22:

<comment>The example passes org_id as a string, but the documented signature specifies `org_id: Optional[int]`. Use an integer in the example to match the API contract.</comment>

<file context>
@@ -0,0 +1,124 @@
+
+# Initialize the Agent with your organization ID and API token
+agent = Agent(
+    org_id="11",  # Your organization ID
+    token="your_api_token_here",  # Your API authentication token
+    base_url="https://codegen-sh-rest-api.modal.run",  # Optional - defaults to this URL
</file context>

[cubic-dev-ai]

P3: The URL template uses {arepo_name}, which looks like a typo and will mislead users. Use {repo_name} to match the actual repository placeholder.

Prompt for AI agents

Check if this issue is valid — if so, understand the root cause and fix it. At docs/sandboxes/setup-commands.mdx, line 24:

<comment>The URL template uses `{arepo_name}`, which looks like a typo and will mislead users. Use `{repo_name}` to match the actual repository placeholder.</comment>

<file context>
@@ -0,0 +1,147 @@
+
+1.  Navigate to [codegen.com/repos](https://codegen.com/repos).
+2.  Click on the desired repository from the list.
+3.  You will be taken to the repository's settings page. The setup commands can be found at a URL similar to `https://www.codegen.com/repos/{arepo_name}/setup-commands` 
+
+<Frame caption="Set setup commands at codegen.com/repos">
</file context>