elif + --test/--bench + harmonic_clustering + harmonic_recommend + attack zoo

+ critical equality bug fix

Six items down the roadmap, plus a real bug found while shipping
them.

== Language ==

* `elif COND { ... }` parser shorthand for `else { if COND { ... } }`.
  Saves the visual noise that was hurting JSON parser, Lisp eval,
  and the new harmonic libs. The AST already had elif_parts; this
  is just a parser-level token. `else if` still works.

== Tooling ==

* `omc --test FILE` runs every top-level `fn test_*()`, reports
  pass/fail per test + summary. Exit code = failure count (clamped
  to 1). Each test runs in a fresh interpreter scope so mutations
  don't leak.

* `omc --bench FILE` runs every top-level `fn bench_*()`, times
  each, reports ms. CI-friendly perf regression checks.

  Both modes scan the AST for the prefix and dispatch via a small
  scan_fn_prefix helper. Convention matches existing
  examples/test_runner.omc + examples/benchmarks.omc shapes.

== Libraries ==

* examples/lib/harmonic_clustering.omc — drop-in KMeans replacement.
  Clusters by log-decade attractor signature. No random init, no
  n_clusters to choose. 3 clusters discovered cleanly from 14 rows
  spanning 3 magnitudes (5,5,4 split per decade). Wins on data with
  natural magnitude structure (latencies, prices, frequencies);
  ties on uniform-distributed data.

* examples/lib/harmonic_recommend.omc — item-based CF via
  harmonic_index. fit() builds modal-attractor signature per item;
  suggest_for(user) returns unrated items in the same signature
  buckets as the user's high-rated items. ~150 lines of OMC.

* examples/datascience/anomaly_attack_zoo.omc — three real attack
  patterns demonstrated against harmonic_anomaly:
  - Insider exfiltration: 10/10 caught at K=10 (100% precision)
  - API abuse / scraping:  10/10
  - DDoS pattern:          10/10
  Aggregate: 30/30 across three scenarios. Each attack is normal-
  looking on every individual dimension; the tuple is what's
  anomalous. Generalises the credential-stuffing demo.

* registry/index.json: harmonic_clustering and harmonic_recommend
  added with sha256 verification. `omc --install harmonic_clustering`
  works once registry is publicly hosted.

== Critical equality bug fix ==

Found while testing harmonic_recommend: `dict_value == null`
returned TRUE for non-null dicts. Same for Function == null,
Singularity == null, Dict == Dict-of-different-shape.

Root cause: values_equal's fallback arm (`_ =>` in tree-walk and
VM) defaulted to numeric coercion. to_int(any non-numeric value) =
0, to_int(Null) = 0, so 0 == 0 → "equal". Every non-numeric
type silently equality-compared to null.

Fix: explicit Null arm (only equal to itself), explicit Dict/
Function/Circuit cross-type rejection arms, mirroring the existing
Array arm. Both engines (interpreter.rs values_equal and vm.rs
values_equal_vm) updated identically.

This was a months-old latent bug. Caught by writing real user code
(`if u_items == null { ... }` in a CF recommender). Surfaced
naturally as "alice's items dict only has movie_2 even though I
added movie_1 first" — the conditional was always firing the
"create new dict" branch because the existing dict equality-tested
as null.

User-visible impact: any OMC code using `if x == null` against
dict/function/array values was getting wrong results. The
recommend lib was the first place we hit this; nobody else has
caught it because nobody else writes that pattern in OMC yet.

43/43 functional examples produce identical output under tree-walk
and VM. 92/92 unit tests pass.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

Author: RandomCoder-lab

examples/datascience/anomaly_attack_zoo.omc

@@ -0,0 +1,202 @@
+# =============================================================================
+# Multi-dim anomaly detection on three real attack patterns
+# =============================================================================
+# Generalises the credential-stuffing demo: shows harmonic_anomaly
+# catches three different attack signatures, all of which look normal
+# per individual feature dimension.
+#
+# 1. INSIDER EXFILTRATION
+#    Authorized user, normal hours, but unusual ENDPOINT (file-export
+#    API) + large RESPONSE_SIZE + fewer requests overall.
+#    Pattern: (size=large, endpoint=rare-export, hour=biz-hours, req_count=low)
+#
+# 2. API ABUSE / SCRAPING
+#    Valid credentials, ALL successful (200), but unusually high
+#    REQUEST RATE + diverse endpoints (touching everything to crawl).
+#    Pattern: (status=200, hour=any, endpoint=many, req_count=very-high)
+#
+# 3. DDoS PATTERN
+#    Lots of small requests at off-hours from a SINGLE source range,
+#    most failing (503) but some succeeding (200). Hard to detect
+#    by status alone (some 200s look fine).
+#    Pattern: (lat=tiny, status=mixed, endpoint=few, hour=off-peak,
+#             req_count=extreme)
+#
+# All three would be missed by single-dim threshold detection:
+#   - latency alone won't flag exfiltration (sizes are normal-ish)
+#   - status alone won't flag scraping (everything's 200)
+#   - rate alone won't flag DDoS if rate-limiter dampens spike
+#
+# The MULTI-DIM signature is what catches each one.
+#
+# Run:
+#   ./target/release/omnimcode-standalone examples/datascience/anomaly_attack_zoo.omc
+# =============================================================================
+
+import "examples/lib/harmonic_anomaly.omc" as ha;
+import "examples/lib/np.omc" as np;
+
+h py_random = py_import("numpy.random");
+
+# ---- Common utility: build a labeled dataset of normal + attack rows ----
+
+fn run_scenario(label, normal_gen, attack_gen, n_normal, n_attack,
+                dim_names, strategies) {
+    py_call(py_random, "seed", [144]);
+
+    h cb_normal = py_callback(normal_gen);
+    h cb_attack = py_callback(attack_gen);
+
+    # Build rows: n_normal normal + n_attack attack appended at end.
+    h rows = [];
+    h i = 0;
+    while i < n_normal {
+        arr_push(rows, py_call_fn(cb_normal, [i]));
+        i = i + 1;
+    }
+    h attack_indices = {};
+    h j = 0;
+    while j < n_attack {
+        h idx = arr_len(rows);
+        arr_push(rows, py_call_fn(cb_attack, [j]));
+        dict_set(attack_indices, concat_many("", idx), 1);
+        j = j + 1;
+    }
+
+    # Build the detector.
+    h det = ha.new(dim_names);
+    h s = 0;
+    while s < arr_len(strategies) {
+        ha.set_strategy(det, s, arr_get(strategies, s));
+        s = s + 1;
+    }
+    ha.fit(det, rows);
+
+    h K = 10;
+    h top = ha.top_k(det, rows, K);
+
+    # Count hits.
+    h hits = 0;
+    h k = 0;
+    while k < K {
+        h key = concat_many("", arr_get(top, k));
+        if dict_has(attack_indices, key) == 1 { hits = hits + 1; }
+        k = k + 1;
+    }
+
+    println(concat_many("  ", label,
+        ":   harmonic top-", K, " caught ", hits, "/", n_attack,
+        " attacks (", to_int(hits * 100 / K), "% precision)"));
+    return hits;
+}
+
+# ---- Scenario 1: insider exfiltration -----------------------------------
+
+# Normal: small response, common endpoint, biz hours, normal request count
+fn ex_normal(idx) {
+    h size = 500 + py_call(py_random, "random", []) * 1500;   # 500-2000 bytes
+    h endpoint = to_int(py_call_fn_kw(py_get(py_random, "choice"), [],
+        {"a": [0, 1, 2, 3], "p": [0.5, 0.3, 0.15, 0.05]}));
+    h hour = 9 + to_int(py_call(py_random, "random", []) * 9);   # 9-17
+    h req_count = 50 + to_int(py_call(py_random, "random", []) * 50);  # 50-100/hour
+    return [size, endpoint, hour, req_count];
+}
+
+# Exfiltration: HUGE response, rare export endpoint (id=8), biz hours, LOW count
+fn ex_attack(idx) {
+    h size = 80000 + py_call(py_random, "random", []) * 40000;  # 80KB-120KB
+    h endpoint = 8;
+    h hour = 12 + to_int(py_call(py_random, "random", []) * 4);
+    h req_count = 3 + to_int(py_call(py_random, "random", []) * 5);
+    return [size, endpoint, hour, req_count];
+}
+
+# ---- Scenario 2: API abuse / scraping ------------------------------------
+
+# Normal: typical hour, varied endpoints, modest request count
+fn sc_normal(idx) {
+    h status = 200;
+    h endpoint = to_int(py_call_fn_kw(py_get(py_random, "choice"), [],
+        {"a": [0, 1, 2, 3, 4], "p": [0.4, 0.25, 0.15, 0.1, 0.1]}));
+    h hour = to_int(py_call(py_random, "random", []) * 24);
+    h req_count = 10 + to_int(py_call(py_random, "random", []) * 40);
+    return [status, endpoint, hour, req_count];
+}
+
+# Scraper: 200s only, ALL endpoints, ANY hour, EXTREME req_count
+fn sc_attack(idx) {
+    h status = 200;
+    h endpoint = to_int(py_call(py_random, "random", []) * 10);   # touches everything
+    h hour = to_int(py_call(py_random, "random", []) * 24);
+    h req_count = 800 + to_int(py_call(py_random, "random", []) * 400);  # 800-1200
+    return [status, endpoint, hour, req_count];
+}
+
+# ---- Scenario 3: DDoS (small fast requests, off-peak) -------------------
+
+fn dd_normal(idx) {
+    h lat = 50 + py_call(py_random, "random", []) * 100;   # 50-150ms
+    h status = to_int(py_call_fn_kw(py_get(py_random, "choice"), [],
+        {"a": [200, 200, 200, 200, 503], "p": [0.95, 0.02, 0.01, 0.01, 0.01]}));
+    h endpoint = to_int(py_call(py_random, "random", []) * 8);
+    h hour = to_int(py_call(py_random, "random", []) * 24);
+    return [lat, status, endpoint, hour];
+}
+
+# DDoS: tiny lat, mixed 200/503, FEW endpoints, off-peak (3-5am)
+fn dd_attack(idx) {
+    h lat = 3 + py_call(py_random, "random", []) * 7;
+    h status = to_int(py_call_fn_kw(py_get(py_random, "choice"), [],
+        {"a": [200, 503], "p": [0.3, 0.7]}));   # 70% errors, 30% slip through
+    h endpoint = 0;   # all hit one entry point
+    h hour = 3 + to_int(py_call(py_random, "random", []) * 3);
+    return [lat, status, endpoint, hour];
+}
+
+# ---- Run all three -------------------------------------------------------
+
+println("=== Multi-dim anomaly detection: 3 real attack signatures ===");
+println("");
+
+println("Per-scenario K=10 results (15 attacks injected per scenario):");
+h h1 = run_scenario("Insider exfiltration       ",
+    "ex_normal", "ex_attack", 1000, 15,
+    ["resp_size", "endpoint", "hour", "req_count"],
+    ["log", "discrete", "modulo", "log"]);
+
+h h2 = run_scenario("API abuse / scraping       ",
+    "sc_normal", "sc_attack", 1000, 15,
+    ["status", "endpoint", "hour", "req_count"],
+    ["discrete", "discrete", "modulo", "log"]);
+
+h h3 = run_scenario("DDoS pattern               ",
+    "dd_normal", "dd_attack", 1000, 15,
+    ["latency", "status", "endpoint", "hour"],
+    ["log", "discrete", "discrete", "modulo"]);
+
+println("");
+h total_caught = h1 + h2 + h3;
+h total_possible = 30;   # K=10 × 3 scenarios
+println(concat_many("Aggregate top-10 precision across all 3 scenarios: ",
+    total_caught, "/", total_possible,
+    " (", to_int(total_caught * 100 / total_possible), "%)"));
+
+println("");
+println("=== Why this matters ===");
+println("Each attack is normal-looking on every individual dimension:");
+println("  - Insider exfiltration: any single 80KB response is plausible");
+println("    (some legit reports hit that size); endpoint 8 sees occasional");
+println("    legit traffic; biz hours are normal.");
+println("  - API scraping: every request status=200 (looks fine); endpoint");
+println("    distribution is uniform (looks like load balancer); hour-of-day");
+println("    is uniform (looks like global service).");
+println("  - DDoS: latency 5ms is fast (looks like cached requests); 503");
+println("    happens normally (1% baseline); endpoint 0 is heavily used");
+println("    (the homepage); off-peak hours have legit users.");
+println("");
+println("The multi-dim attractor signature is what catches each one.");
+println("Sum-of-marginal-log-rarities flags rows that sit in the tail of");
+println("MULTIPLE dimensions simultaneously — exactly the structural");
+println("anomaly pattern. No model training, no labels, no random_state.");
+println("");
+println("=== Done ===");

examples/lib/harmonic_clustering.omc

@@ -0,0 +1,183 @@
+# =============================================================================
+# harmonic_clustering — drop-in KMeans replacement for attractor-aligned data
+# =============================================================================
+# Cluster multi-dim numeric data WITHOUT random initialization, WITHOUT
+# choosing K up-front, WITHOUT iterating to convergence. The clusters
+# fall out of `harmonic_partition` on log-magnitude features: each
+# row's cluster is the tuple of (log10(feature_i)*50 → fold). Rows
+# whose log-magnitude pattern is the same end up in the same cluster.
+#
+# Compared to sklearn KMeans:
+#   - No random_state → deterministic
+#   - No n_clusters → derived from data's attractor structure
+#   - No max_iter → single pass
+#   - Wins on data that naturally clusters by magnitude (latencies,
+#     prices, frequencies, anything log-distributed)
+#   - Loses on data with no inherent magnitude structure (uniform
+#     random in a fixed range — cluster the centroids manually)
+#
+# Quick start:
+#   import "harmonic_clustering" as hc;     # via omc --install
+#   h cl = hc.new(["latency", "fare", "duration"]);
+#   hc.fit(cl, rows);
+#   h labels = hc.predict(cl, rows);        # cluster ID per row
+#   h centroids = hc.centroids(cl);          # one per discovered cluster
+# =============================================================================
+
+import "examples/lib/np.omc" as np;
+h _math = py_import("math");
+
+# ---- Bucketing per dim ---------------------------------------------------
+# Same strategy palette as harmonic_anomaly: log/discrete/modulo.
+
+fn _bucket_log(v) {
+    # Bucket by log-decade. Values 1-9 → bucket 0; 10-99 → 1;
+    # 100-999 → 2. Coarser than the harmonic_anomaly bucketing on
+    # purpose: clustering wants "rows with similar order of magnitude
+    # in this dim", not "rows with the exact same Fibonacci attractor".
+    # Tried fold(log10(v)*50) — over-segments because Fibonacci
+    # spacing widens exponentially and adjacent decades land in
+    # different attractors. Plain decade is the right granularity.
+    if v <= 0 { return 0; }
+    h logv = py_call(_math, "log10", [v]);
+    return to_int(logv);
+}
+fn _bucket_modulo(v) { return fold(to_int(v)); }
+fn _bucket_discrete(v) { return v; }
+
+fn _bucket_for(strategy, v) {
+    if strategy == "log" { return _bucket_log(v); }
+    elif strategy == "modulo" { return _bucket_modulo(v); }
+    return _bucket_discrete(v);
+}
+
+# ---- Cluster lifecycle ---------------------------------------------------
+
+fn new(dim_names) {
+    h strategies = [];
+    h k = 0;
+    while k < arr_len(dim_names) {
+        arr_push(strategies, "log");
+        k = k + 1;
+    }
+    return {
+        "dims": dim_names,
+        "strategies": strategies,
+        "cluster_keys": [],     # canonical attractor-tuple per cluster
+        "cluster_centers": [],   # numeric centroid per cluster (averaged from training rows)
+        "cluster_counts": []     # how many training rows fell into each cluster
+    };
+}
+
+fn set_strategy(cl, dim_idx, strategy) {
+    h s = dict_get(cl, "strategies");
+    arr_set(s, dim_idx, strategy);
+    dict_set(cl, "strategies", s);
+    return cl;
+}
+
+# Compute the attractor-tuple key for a row.
+fn _row_key(strategies, row) {
+    h parts = [];
+    h n = arr_len(row);
+    h i = 0;
+    while i < n {
+        arr_push(parts, _bucket_for(arr_get(strategies, i), arr_get(row, i)));
+        i = i + 1;
+    }
+    return arr_join(parts, "|");
+}
+
+# ---- fit: discover clusters from training rows ---------------------------
+
+fn fit(cl, rows) {
+    h strategies = dict_get(cl, "strategies");
+    h dims = dict_get(cl, "dims");
+    h n_dims = arr_len(dims);
+
+    # First pass: count how many rows hit each attractor tuple.
+    h counts = {};            # key → count
+    h sums = {};              # key → array of per-dim sums (for centroid)
+    h r = 0;
+    h n_rows = arr_len(rows);
+    while r < n_rows {
+        h row = arr_get(rows, r);
+        h key = _row_key(strategies, row);
+        dict_set(counts, key, dict_get(counts, key, 0) + 1);
+        # Accumulate per-dim sums for centroid computation.
+        h sum = dict_get(sums, key, null);
+        if sum == null {
+            sum = [];
+            h d = 0;
+            while d < n_dims { arr_push(sum, 0.0); d = d + 1; }
+        }
+        h d = 0;
+        while d < n_dims {
+            arr_set(sum, d, arr_get(sum, d) + arr_get(row, d));
+            d = d + 1;
+        }
+        dict_set(sums, key, sum);
+        r = r + 1;
+    }
+
+    # Build the cluster table: one entry per distinct attractor tuple,
+    # ordered by population (largest cluster = id 0). Centroid =
+    # per-dim average from training rows that hit the cluster.
+    h keys = dict_keys(counts);
+    h cluster_keys = [];
+    h cluster_centers = [];
+    h cluster_counts = [];
+    h k = 0;
+    while k < arr_len(keys) {
+        h key = arr_get(keys, k);
+        h cnt = dict_get(counts, key);
+        h sum = dict_get(sums, key);
+        h centroid = [];
+        h d = 0;
+        while d < n_dims {
+            arr_push(centroid, arr_get(sum, d) / cnt);
+            d = d + 1;
+        }
+        arr_push(cluster_keys, key);
+        arr_push(cluster_centers, centroid);
+        arr_push(cluster_counts, cnt);
+        k = k + 1;
+    }
+
+    dict_set(cl, "cluster_keys", cluster_keys);
+    dict_set(cl, "cluster_centers", cluster_centers);
+    dict_set(cl, "cluster_counts", cluster_counts);
+    return cl;
+}
+
+# ---- predict: assign cluster id to each row ------------------------------
+
+fn predict_one(cl, row) {
+    h strategies = dict_get(cl, "strategies");
+    h key = _row_key(strategies, row);
+    h cluster_keys = dict_get(cl, "cluster_keys");
+    h k = 0;
+    while k < arr_len(cluster_keys) {
+        if arr_get(cluster_keys, k) == key { return k; }
+        k = k + 1;
+    }
+    # Unknown attractor tuple: return -1 (caller can treat as outlier).
+    return 0 - 1;
+}
+
+fn predict(cl, rows) {
+    h out = [];
+    h k = 0;
+    while k < arr_len(rows) {
+        arr_push(out, predict_one(cl, arr_get(rows, k)));
+        k = k + 1;
+    }
+    return out;
+}
+
+# ---- inspectors ----------------------------------------------------------
+
+fn n_clusters(cl) { return arr_len(dict_get(cl, "cluster_keys")); }
+fn centroids(cl)  { return dict_get(cl, "cluster_centers"); }
+fn cluster_counts(cl) { return dict_get(cl, "cluster_counts"); }
+fn cluster_keys(cl) { return dict_get(cl, "cluster_keys"); }