@lamentis/naome 1.0.0

package/crates/naome-core/tests/verification.rs

@@ -0,0 +1,165 @@
+use std::fs;
+use std::path::{Path, PathBuf};
+use std::time::{SystemTime, UNIX_EPOCH};
+
+use naome_core::seed_builtin_verification_checks;
+use serde_json::json;
+
+#[test]
+fn seeds_builtin_checks_without_removing_repo_specific_checks() {
+    let repo = TestRepo::new("verification-seed");
+    repo.write_naome_json(
+        "verification.json",
+        json!({
+            "schema": "naome.verification.v1",
+            "version": 1,
+            "status": "ready",
+            "lastUpdated": "2026-05-05",
+            "checks": [
+                {
+                    "id": "repo-docs",
+                    "command": "npm run docs:test",
+                    "cwd": ".",
+                    "purpose": "Validate repository documentation.",
+                    "cost": "fast",
+                    "source": "repository intake",
+                    "evidence": ["package.json"],
+                    "lastVerified": null
+                }
+            ],
+            "changeTypes": [
+                {
+                    "id": "repo-docs",
+                    "description": "Repository documentation changes.",
+                    "paths": ["docs/**"],
+                    "requiredChecks": ["repo-docs"],
+                    "recommendedChecks": [],
+                    "humanReview": false
+                }
+            ],
+            "releaseGates": [
+                {
+                    "checkId": "repo-docs",
+                    "requiredWhen": "Before merging repository documentation changes."
+                }
+            ]
+        }),
+    );
+
+    let changed = seed_builtin_verification_checks(repo.path()).unwrap();
+
+    assert!(changed);
+    let verification = repo.read_naome_json("verification.json");
+    assert_eq!(
+        check_command(&verification, "diff-check"),
+        Some("git diff --check")
+    );
+    assert_eq!(
+        check_command(&verification, "naome-harness-health"),
+        Some("node .naome/bin/check-harness-health.js")
+    );
+    assert_eq!(
+        check_command(&verification, "naome-task-state"),
+        Some("node .naome/bin/check-task-state.js")
+    );
+    assert_eq!(
+        check_command(&verification, "repo-docs"),
+        Some("npm run docs:test")
+    );
+
+    let changed_again = seed_builtin_verification_checks(repo.path()).unwrap();
+    assert!(!changed_again);
+}
+
+#[test]
+fn seeding_builtin_checks_preserves_existing_verification_layout() {
+    let repo = TestRepo::new("verification-layout");
+    repo.write_naome_file(
+        "verification.json",
+        r#"{
+  "schema": "naome.verification.v1",
+  "version": 1,
+  "status": "ready",
+  "lastUpdated": "2026-05-06",
+  "checks": [
+    {
+      "id": "repo-docs",
+      "command": "npm run docs:test",
+      "cwd": ".",
+      "purpose": "Validate repository documentation.",
+      "cost": "fast",
+      "source": "repository intake",
+      "evidence": [
+        "package.json"
+      ],
+      "lastVerified": null
+    }
+  ],
+  "changeTypes": [],
+  "releaseGates": []
+}
+"#,
+    );
+
+    let changed = seed_builtin_verification_checks(repo.path()).unwrap();
+
+    assert!(changed);
+    let content = repo.read_naome_file("verification.json");
+    assert!(content.find("\"schema\"").unwrap() < content.find("\"checks\"").unwrap());
+    assert!(content.find("\"checks\"").unwrap() < content.find("\"changeTypes\"").unwrap());
+    assert!(
+        content.find("\"id\": \"repo-docs\"").unwrap()
+            < content.find("\"command\": \"npm run docs:test\"").unwrap()
+    );
+}
+
+fn check_command<'a>(verification: &'a serde_json::Value, check_id: &str) -> Option<&'a str> {
+    verification
+        .get("checks")?
+        .as_array()?
+        .iter()
+        .find(|check| check.get("id").and_then(serde_json::Value::as_str) == Some(check_id))?
+        .get("command")?
+        .as_str()
+}
+
+struct TestRepo {
+    root: PathBuf,
+}
+
+impl TestRepo {
+    fn new(name: &str) -> Self {
+        let nonce = SystemTime::now()
+            .duration_since(UNIX_EPOCH)
+            .unwrap()
+            .as_nanos();
+        let root = std::env::temp_dir().join(format!("naome-core-{name}-{nonce}"));
+        fs::create_dir_all(root.join(".naome")).unwrap();
+        Self { root }
+    }
+
+    fn path(&self) -> &Path {
+        &self.root
+    }
+
+    fn write_naome_json(&self, file_name: &str, value: serde_json::Value) {
+        fs::write(
+            self.root.join(".naome").join(file_name),
+            format!("{}\n", serde_json::to_string_pretty(&value).unwrap()),
+        )
+        .unwrap();
+    }
+
+    fn write_naome_file(&self, file_name: &str, content: &str) {
+        fs::write(self.root.join(".naome").join(file_name), content).unwrap();
+    }
+
+    fn read_naome_json(&self, file_name: &str) -> serde_json::Value {
+        serde_json::from_str(&fs::read_to_string(self.root.join(".naome").join(file_name)).unwrap())
+            .unwrap()
+    }
+
+    fn read_naome_file(&self, file_name: &str) -> String {
+        fs::read_to_string(self.root.join(".naome").join(file_name)).unwrap()
+    }
+}

package/crates/naome-core/tests/verification_contract.rs

@@ -0,0 +1,181 @@
+use std::fs;
+use std::path::{Path, PathBuf};
+use std::time::{SystemTime, UNIX_EPOCH};
+
+use naome_core::validate_verification_contract;
+use serde_json::json;
+
+#[test]
+fn accepts_valid_contract_and_testing_map() {
+    let repo = TestRepo::new("verification-contract-valid");
+    repo.write_testing_markdown(default_testing_markdown());
+    repo.write_naome_json(
+        "verification.json",
+        json!({
+            "schema": "naome.verification.v1",
+            "version": 1,
+            "status": "uninitialized",
+            "lastUpdated": null,
+            "checks": [
+                {
+                    "id": "diff-check",
+                    "command": "git diff --check",
+                    "cwd": ".",
+                    "purpose": "Reject whitespace errors.",
+                    "cost": "fast",
+                    "source": "git",
+                    "evidence": [],
+                    "lastVerified": null
+                }
+            ],
+            "changeTypes": [
+                {
+                    "id": "docs",
+                    "description": "Documentation changes.",
+                    "paths": ["docs/**"],
+                    "requiredChecks": ["diff-check"],
+                    "recommendedChecks": [],
+                    "humanReview": false
+                }
+            ],
+            "releaseGates": [
+                {
+                    "checkId": "diff-check",
+                    "requiredWhen": "Before release when docs changed."
+                }
+            ]
+        }),
+    );
+
+    let errors = validate_verification_contract(repo.path()).unwrap();
+
+    assert!(errors.is_empty(), "{errors:#?}");
+}
+
+#[test]
+fn rejects_missing_check_references_and_ready_placeholders() {
+    let repo = TestRepo::new("verification-contract-invalid");
+    repo.write_testing_markdown(default_testing_markdown());
+    repo.write_naome_json(
+        "verification.json",
+        json!({
+            "schema": "naome.verification.v1",
+            "version": 1,
+            "status": "ready",
+            "lastUpdated": "2026-05-05",
+            "checks": [
+                {
+                    "id": "example-check",
+                    "command": "replace with real command",
+                    "cwd": ".",
+                    "purpose": "Replace with what this proves.",
+                    "cost": "fast",
+                    "source": "replace with evidence source",
+                    "evidence": [],
+                    "lastVerified": null
+                }
+            ],
+            "changeTypes": [
+                {
+                    "id": "docs",
+                    "description": "Documentation changes.",
+                    "paths": ["docs/**"],
+                    "requiredChecks": ["missing-check"],
+                    "recommendedChecks": [],
+                    "humanReview": false
+                }
+            ],
+            "releaseGates": []
+        }),
+    );
+
+    let errors = validate_verification_contract(repo.path()).unwrap();
+    let joined = errors.join("\n");
+
+    assert!(joined.contains("unknown check id: missing-check"));
+    assert!(joined.contains("must not contain example placeholders"));
+}
+
+#[test]
+fn rejects_checks_without_explicit_last_verified_value() {
+    let repo = TestRepo::new("verification-contract-last-verified");
+    repo.write_testing_markdown(default_testing_markdown());
+    repo.write_naome_json(
+        "verification.json",
+        json!({
+            "schema": "naome.verification.v1",
+            "version": 1,
+            "status": "uninitialized",
+            "lastUpdated": null,
+            "checks": [
+                {
+                    "id": "diff-check",
+                    "command": "git diff --check",
+                    "cwd": ".",
+                    "purpose": "Reject whitespace errors.",
+                    "cost": "fast",
+                    "source": "git",
+                    "evidence": []
+                }
+            ],
+            "changeTypes": [],
+            "releaseGates": []
+        }),
+    );
+
+    let errors = validate_verification_contract(repo.path()).unwrap();
+    let joined = errors.join("\n");
+
+    assert!(joined.contains("checks[0].lastVerified must be YYYY-MM-DD or null."));
+}
+
+fn default_testing_markdown() -> &'static str {
+    "# Testing And Verification\n\n\
+## Verification Map\n\n\
+| Change type | Required proof | Command | Notes |\n|---|---|---|---|\n\n\
+## Known Checks\n\n\
+| Check id | Command | Cwd | Cost | Last verified |\n|---|---|---|---|---|\n\n\
+## Change Type Rules\n\n\
+| Change type | Paths | Required checks |\n|---|---|---|\n\n\
+## Release Gates\n\n\
+| Check id | Required when |\n|---|---|\n\n\
+## Evidence\n\n\
+- Test fixture.\n"
+}
+
+struct TestRepo {
+    root: PathBuf,
+}
+
+impl TestRepo {
+    fn new(name: &str) -> Self {
+        let nonce = SystemTime::now()
+            .duration_since(UNIX_EPOCH)
+            .unwrap()
+            .as_nanos();
+        let root = std::env::temp_dir().join(format!("naome-core-{name}-{nonce}"));
+        fs::create_dir_all(root.join(".naome")).unwrap();
+        fs::create_dir_all(root.join("docs").join("naome")).unwrap();
+        Self { root }
+    }
+
+    fn path(&self) -> &Path {
+        &self.root
+    }
+
+    fn write_naome_json(&self, file_name: &str, value: serde_json::Value) {
+        fs::write(
+            self.root.join(".naome").join(file_name),
+            format!("{}\n", serde_json::to_string_pretty(&value).unwrap()),
+        )
+        .unwrap();
+    }
+
+    fn write_testing_markdown(&self, content: &str) {
+        fs::write(
+            self.root.join("docs").join("naome").join("testing.md"),
+            content,
+        )
+        .unwrap();
+    }
+}

package/package.json

@@ -0,0 +1,44 @@
+{
+  "name": "@lamentis/naome",
+  "version": "1.0.0",
+  "description": "Native-first CLI for the NAOME agent harness.",
+  "license": "MIT",
+  "type": "module",
+  "keywords": [
+    "agent",
+    "agents",
+    "ai",
+    "harness",
+    "repository",
+    "codex",
+    "claude"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/Lamentis-O/naome.git",
+    "directory": "packages/naome"
+  },
+  "bugs": {
+    "url": "https://github.com/Lamentis-O/naome/issues"
+  },
+  "homepage": "https://github.com/Lamentis-O/naome#readme",
+  "bin": {
+    "naome": "bin/naome.js"
+  },
+  "files": [
+    "bin/naome.js",
+    "bin/naome-node.js",
+    "Cargo.lock",
+    "Cargo.toml",
+    "crates",
+    "native",
+    "templates",
+    "README.md"
+  ],
+  "engines": {
+    "node": ">=18"
+  },
+  "publishConfig": {
+    "access": "public"
+  }
+}

package/templates/naome-root/.naome/bin/check-harness-health.js

@@ -0,0 +1,163 @@
+#!/usr/bin/env node
+
+const { existsSync, readFileSync } = require("node:fs");
+const { createHash } = require("node:crypto");
+const { dirname, join, resolve } = require("node:path");
+const { spawnSync } = require("node:child_process");
+
+const nativeBinaryRelativePath = process.platform === "win32" ? ".naome/bin/naome-rust.exe" : ".naome/bin/naome-rust";
+const nativeBinaryName = process.platform === "win32" ? "naome.exe" : "naome";
+
+const expectedMachineOwnedIntegrity = Object.freeze({
+  "AGENTS.md": "sha256:ebe589ce85b43d4aa23014d8a26a49bd33dc52ef1bba68e4f63a7e86640be06a",
+  ".naome/package.json": "sha256:8005a3491db7d92f36ac66369861589f9c47123d3a7c71e643fc2c06168cd45a",
+  ".naome/bin/naome.js": "sha256:1b63729dc55730a826193d35cf78e755a991b356ac81b45f4aa3fcf24c8152fa",
+  ".naome/bin/check-task-state.js": "sha256:43c02868072d0d13499aefba2e9a5ec9517d59539fd19ff0f11e3e4623a51b44",
+  ".naome/bin/check-harness-health.js": "sha256:dce2a380022dd63d86bd762869debafbc635ab3d7e8fae985e2d429d8ee437ad",
+  ".naome/task-contract.schema.json": "sha256:c806416d4944eaed6dc48b3760fd0dd5b9b5a7c9ab895697fe36b54c41c1332f",
+  "docs/naome/index.md": "sha256:75c4cdf9edcd46c83a619cbfc551e96cae35bcff694d955ebab4624125ae7f12",
+  "docs/naome/first-run.md": "sha256:a1dd0bd17ec9d71955a473cd2c4a615538e89a7d81e8f4e1015a50ab9efe3558",
+  "docs/naome/agent-workflow.md": "sha256:5e5b26e7896f95a9154abcd133f08b33f84fddc679757ed15c043a91e319fb4e",
+  "docs/naome/execution.md": "sha256:3d67fd9922a66a66f79f920adbb24dcd47eefdfde835a5351a27ffed932dcfea",
+  "docs/naome/upgrade.md": "sha256:2c60f0441bbd98bd528d109b30a7ded4b0ad55d61ffb9f52edac9e93b7999cb1"
+});
+
+function main() {
+  const root = findHarnessRoot(process.cwd()) || resolve(__dirname, "..", "..");
+  const nativeBinary = resolveNativeDecisionBinary(root);
+
+  const result = spawnSync(nativeBinary, ["check-harness-health", "--root", root], {
+    cwd: root,
+    encoding: "utf8",
+    env: {
+      ...process.env,
+      NAOME_EXPECTED_INTEGRITY_JSON: JSON.stringify(expectedMachineOwnedIntegrity)
+    },
+    stdio: "inherit"
+  });
+
+  process.exit(result.status === null ? 1 : result.status);
+}
+
+function resolveNativeDecisionBinary(root) {
+  const expectedIntegrity = expectedNativeIntegrity(root);
+  const candidates = [
+    process.env.NAOME_NATIVE_BIN,
+    join(root, nativeBinaryRelativePath),
+    join(root, "packages", "naome", "target", "release", nativeBinaryName),
+    join(root, "packages", "naome", "target", "debug", nativeBinaryName)
+  ].filter(Boolean);
+
+  for (const candidate of candidates) {
+    if (isUsableNativeBinary(candidate, root, expectedIntegrity)) {
+      return candidate;
+    }
+  }
+
+  if (expectedIntegrity) {
+    fail(`No runnable NAOME native harness health binary matched ${expectedIntegrity}. Run naome sync again.`);
+  }
+
+  const built = buildSourceNativeBinary(root);
+  if (built && isUsableNativeBinary(built, root, null)) {
+    return built;
+  }
+
+  fail("NAOME native harness health binary is missing or incompatible. Run naome sync again.");
+}
+
+function expectedNativeIntegrity(root) {
+  if (isIntegrityHash(process.env.NAOME_EXPECTED_NATIVE_INTEGRITY)) {
+    return process.env.NAOME_EXPECTED_NATIVE_INTEGRITY;
+  }
+
+  const manifestPath = join(root, ".naome", "manifest.json");
+  if (!existsSync(manifestPath)) {
+    return null;
+  }
+
+  let manifest;
+  try {
+    manifest = JSON.parse(readFileSync(manifestPath, "utf8"));
+  } catch {
+    return null;
+  }
+
+  const expected = manifest.integrity?.[nativeBinaryRelativePath];
+  if (!isIntegrityHash(expected)) {
+    return null;
+  }
+
+  return expected;
+}
+
+function isUsableNativeBinary(candidate, root, expectedIntegrity) {
+  if (!candidate || !existsSync(candidate)) {
+    return false;
+  }
+
+  if (expectedIntegrity) {
+    const actual = `sha256:${createHash("sha256").update(readFileSync(candidate)).digest("hex")}`;
+    if (actual !== expectedIntegrity) {
+      return false;
+    }
+  }
+
+  const probe = spawnSync(candidate, [], {
+    cwd: root,
+    encoding: "utf8",
+    stdio: "ignore"
+  });
+  return !probe.error && probe.status !== null;
+}
+
+function buildSourceNativeBinary(root) {
+  const manifestPath = join(root, "packages", "naome", "Cargo.toml");
+  if (!existsSync(manifestPath)) {
+    return null;
+  }
+
+  const result = spawnSync("cargo", ["build", "--release", "--manifest-path", manifestPath, "-p", "naome-cli"], {
+    cwd: root,
+    encoding: "utf8",
+    stdio: "ignore"
+  });
+  if (result.status !== 0) {
+    return null;
+  }
+
+  const builtPath = join(root, "packages", "naome", "target", "release", nativeBinaryName);
+  return existsSync(builtPath) ? builtPath : null;
+}
+
+function findHarnessRoot(startPath) {
+  let current = resolve(startPath);
+
+  while (true) {
+    if (existsSync(join(current, ".naome", "manifest.json"))) {
+      return current;
+    }
+
+    const parent = dirname(current);
+    if (parent === current) {
+      return null;
+    }
+
+    current = parent;
+  }
+}
+
+function isIntegrityHash(value) {
+  return typeof value === "string" && /^sha256:[a-f0-9]{64}$/.test(value);
+}
+
+function fail(message) {
+  console.error("NAOME harness health check failed.");
+  console.error(`- ${message}`);
+  console.error("");
+  console.error("Repair options: repair_harness, review_harness_diff, cancel_repair_baseline");
+  console.error("Run naome sync to repair machine-owned files after review.");
+  process.exit(1);
+}
+
+main();