@lamentis/naome 1.0.0

package/crates/naome-core/src/harness_health.rs

@@ -0,0 +1,557 @@
+use std::collections::{HashMap, HashSet};
+use std::fs;
+use std::path::{Component, Path};
+
+use serde_json::Value;
+use sha2::{Digest, Sha256};
+
+use crate::models::NaomeError;
+
+const HEALTH_CHECKER_RELATIVE_PATH: &str = ".naome/bin/check-harness-health.js";
+const TASK_STATE_CHECKER_RELATIVE_PATH: &str = ".naome/bin/check-task-state.js";
+const NAOME_COMMAND_RELATIVE_PATH: &str = ".naome/bin/naome.js";
+
+#[cfg(windows)]
+const NATIVE_BINARY_RELATIVE_PATH: &str = ".naome/bin/naome-rust.exe";
+#[cfg(not(windows))]
+const NATIVE_BINARY_RELATIVE_PATH: &str = ".naome/bin/naome-rust";
+
+const EXPECTED_MACHINE_OWNED_PATHS: &[&str] = &[
+    "AGENTS.md",
+    ".naome/package.json",
+    ".naome/bin/naome.js",
+    ".naome/bin/check-task-state.js",
+    ".naome/bin/check-harness-health.js",
+    ".naome/task-contract.schema.json",
+    "docs/naome/index.md",
+    "docs/naome/first-run.md",
+    "docs/naome/agent-workflow.md",
+    "docs/naome/execution.md",
+    "docs/naome/upgrade.md",
+];
+
+const EXPECTED_PROJECT_OWNED_PATHS: &[&str] = &[
+    ".naomeignore",
+    ".naome/init-state.json",
+    ".naome/manifest.json",
+    ".naome/task-state.json",
+    ".naome/upgrade-state.json",
+    ".naome/verification.json",
+    "docs/naome/architecture.md",
+    "docs/naome/decisions.md",
+    "docs/naome/repo-profile.md",
+    "docs/naome/security.md",
+    "docs/naome/testing.md",
+];
+
+#[derive(Debug, Clone, Default)]
+pub struct HarnessHealthOptions {
+    pub expected_integrity: HashMap<String, String>,
+    pub allow_missing_integrity: bool,
+    pub allow_missing_archive: bool,
+}
+
+pub fn validate_harness_health(
+    root: &Path,
+    options: HarnessHealthOptions,
+) -> Result<Vec<String>, NaomeError> {
+    let mut errors = Vec::new();
+
+    for relative_path in EXPECTED_MACHINE_OWNED_PATHS {
+        validate_regular_file(root, relative_path, &mut errors)?;
+    }
+
+    for relative_path in EXPECTED_PROJECT_OWNED_PATHS {
+        validate_regular_file(root, relative_path, &mut errors)?;
+    }
+
+    validate_directory(root, ".naome/archive", &mut errors, true)?;
+    validate_naome_ignore(root, &mut errors)?;
+    validate_agents_entrypoint(root, &mut errors)?;
+    validate_naome_package_scope(root, &mut errors)?;
+
+    if can_read_json(root, ".naome/manifest.json")? {
+        let manifest = read_json(root, ".naome/manifest.json", &mut errors)?;
+        if let Some(manifest) = manifest {
+            validate_manifest_shape(&manifest, &mut errors);
+            validate_manifest_ownership(&manifest, &mut errors);
+            validate_manifest_integrity(root, &manifest, &options, &mut errors)?;
+            validate_native_decision_binary(root, &manifest, &mut errors)?;
+        }
+    }
+
+    validate_json_object(root, ".naome/task-state.json", &mut errors)?;
+    validate_json_object(root, ".naome/upgrade-state.json", &mut errors)?;
+
+    Ok(errors)
+}
+
+fn validate_manifest_shape(manifest: &Value, errors: &mut Vec<String>) {
+    let Some(object) = manifest.as_object() else {
+        errors.push(".naome/manifest.json must be a JSON object.".to_string());
+        return;
+    };
+
+    if object.get("name").and_then(Value::as_str) != Some("naome") {
+        errors.push(".naome/manifest.json name must be naome.".to_string());
+    }
+
+    if !object
+        .get("harnessVersion")
+        .and_then(Value::as_str)
+        .is_some_and(is_version)
+    {
+        errors.push(".naome/manifest.json harnessVersion must be semver.".to_string());
+    }
+
+    if !string_array(object.get("machineOwned")).is_some() {
+        errors.push(".naome/manifest.json machineOwned must be a string array.".to_string());
+    }
+
+    if !string_array(object.get("projectOwned")).is_some() {
+        errors.push(".naome/manifest.json projectOwned must be a string array.".to_string());
+    }
+
+    if !object.get("integrity").is_some_and(Value::is_object) {
+        errors.push(".naome/manifest.json integrity must be an object.".to_string());
+    }
+}
+
+fn validate_manifest_ownership(manifest: &Value, errors: &mut Vec<String>) {
+    let Some(object) = manifest.as_object() else {
+        return;
+    };
+    let Some(machine_owned) = string_array(object.get("machineOwned")) else {
+        return;
+    };
+    let Some(project_owned) = string_array(object.get("projectOwned")) else {
+        return;
+    };
+
+    validate_contains_all(
+        &machine_owned,
+        EXPECTED_MACHINE_OWNED_PATHS,
+        ".naome/manifest.json machineOwned",
+        errors,
+    );
+    validate_contains_all(
+        &project_owned,
+        EXPECTED_PROJECT_OWNED_PATHS,
+        ".naome/manifest.json projectOwned",
+        errors,
+    );
+}
+
+fn validate_manifest_integrity(
+    root: &Path,
+    manifest: &Value,
+    options: &HarnessHealthOptions,
+    errors: &mut Vec<String>,
+) -> Result<(), NaomeError> {
+    let Some(integrity) = manifest.get("integrity").and_then(Value::as_object) else {
+        return Ok(());
+    };
+
+    for relative_path in EXPECTED_MACHINE_OWNED_PATHS {
+        let packaged_expected = options.expected_integrity.get(*relative_path);
+        let manifest_expected = integrity.get(*relative_path).and_then(Value::as_str);
+
+        let Some(packaged_expected) = packaged_expected else {
+            if options.allow_missing_integrity {
+                continue;
+            }
+
+            errors.push(format!("Packaged integrity missing {relative_path}."));
+            continue;
+        };
+
+        if !is_integrity_hash(packaged_expected) {
+            errors.push(format!("Packaged integrity missing {relative_path}."));
+            continue;
+        }
+
+        let Some(manifest_expected) = manifest_expected.filter(|value| is_integrity_hash(value))
+        else {
+            errors.push(format!(
+                ".naome/manifest.json integrity missing {relative_path}."
+            ));
+            continue;
+        };
+
+        if manifest_expected != packaged_expected {
+            errors.push(format!(
+                "{relative_path} manifest integrity does not match packaged integrity. Expected {packaged_expected}, got {manifest_expected}."
+            ));
+            continue;
+        }
+
+        if !root.join(relative_path).exists() || has_symlink_in_path(root, relative_path)? {
+            continue;
+        }
+
+        let content = fs::read(root.join(relative_path))?;
+        let actual = format!("sha256:{}", machine_sha256(relative_path, &content));
+        if actual != *packaged_expected {
+            errors.push(format!(
+                "{relative_path} integrity mismatch. Expected {packaged_expected}, got {actual}."
+            ));
+        }
+    }
+
+    Ok(())
+}
+
+fn validate_native_decision_binary(
+    root: &Path,
+    manifest: &Value,
+    errors: &mut Vec<String>,
+) -> Result<(), NaomeError> {
+    let Some(object) = manifest.as_object() else {
+        return Ok(());
+    };
+    let Some(machine_owned) = string_array(object.get("machineOwned")) else {
+        return Ok(());
+    };
+    let Some(integrity) = object.get("integrity").and_then(Value::as_object) else {
+        return Ok(());
+    };
+
+    if !machine_owned
+        .iter()
+        .any(|entry| entry == NATIVE_BINARY_RELATIVE_PATH)
+    {
+        return Ok(());
+    }
+
+    validate_regular_file(root, NATIVE_BINARY_RELATIVE_PATH, errors)?;
+
+    if !root.join(NATIVE_BINARY_RELATIVE_PATH).exists()
+        || has_symlink_in_path(root, NATIVE_BINARY_RELATIVE_PATH)?
+    {
+        return Ok(());
+    }
+
+    let Some(manifest_expected) = integrity
+        .get(NATIVE_BINARY_RELATIVE_PATH)
+        .and_then(Value::as_str)
+        .filter(|value| is_integrity_hash(value))
+    else {
+        errors.push(format!(
+            ".naome/manifest.json integrity missing {NATIVE_BINARY_RELATIVE_PATH}."
+        ));
+        return Ok(());
+    };
+
+    let actual = format!(
+        "sha256:{}",
+        sha256_bytes(&fs::read(root.join(NATIVE_BINARY_RELATIVE_PATH))?)
+    );
+    if actual != manifest_expected {
+        errors.push(format!(
+            "{NATIVE_BINARY_RELATIVE_PATH} integrity mismatch. Expected {manifest_expected}, got {actual}."
+        ));
+    }
+
+    let command_path = root.join(NAOME_COMMAND_RELATIVE_PATH);
+    if !command_path.exists() || has_symlink_in_path(root, NAOME_COMMAND_RELATIVE_PATH)? {
+        return Ok(());
+    }
+
+    let command_content = fs::read_to_string(command_path)?;
+    let command_expected = native_integrity_from_naome_command(&command_content);
+    if command_expected.as_deref() != Some(manifest_expected) {
+        errors.push(format!(
+            "{NAOME_COMMAND_RELATIVE_PATH} native binary integrity does not match .naome/manifest.json."
+        ));
+    }
+
+    Ok(())
+}
+
+fn validate_naome_ignore(root: &Path, errors: &mut Vec<String>) -> Result<(), NaomeError> {
+    let relative_path = ".naomeignore";
+    if !root.join(relative_path).exists() || has_symlink_in_path(root, relative_path)? {
+        return Ok(());
+    }
+
+    let content = fs::read_to_string(root.join(relative_path))?;
+    if !content
+        .lines()
+        .map(str::trim)
+        .any(|line| line == ".naome/archive/")
+    {
+        errors.push(".naomeignore must include .naome/archive/.".to_string());
+    }
+
+    Ok(())
+}
+
+fn validate_agents_entrypoint(root: &Path, errors: &mut Vec<String>) -> Result<(), NaomeError> {
+    let relative_path = "AGENTS.md";
+    if !root.join(relative_path).exists() || has_symlink_in_path(root, relative_path)? {
+        return Ok(());
+    }
+
+    let content = fs::read_to_string(root.join(relative_path))?;
+    if !content.contains("node .naome/bin/check-harness-health.js") {
+        errors.push(
+            "AGENTS.md must require node .naome/bin/check-harness-health.js before feature work."
+                .to_string(),
+        );
+    }
+
+    if !content.contains("node .naome/bin/check-task-state.js --admission") {
+        errors.push(
+            "AGENTS.md must require node .naome/bin/check-task-state.js --admission before feature work."
+                .to_string(),
+        );
+    }
+
+    Ok(())
+}
+
+fn validate_naome_package_scope(root: &Path, errors: &mut Vec<String>) -> Result<(), NaomeError> {
+    let relative_path = ".naome/package.json";
+    if !can_read_json(root, relative_path)? {
+        return Ok(());
+    }
+
+    let Some(value) = read_json(root, relative_path, errors)? else {
+        return Ok(());
+    };
+
+    if value.get("type").and_then(Value::as_str) != Some("commonjs") {
+        errors.push(".naome/package.json type must be commonjs.".to_string());
+    }
+
+    Ok(())
+}
+
+fn validate_json_object(
+    root: &Path,
+    relative_path: &str,
+    errors: &mut Vec<String>,
+) -> Result<(), NaomeError> {
+    if !can_read_json(root, relative_path)? {
+        return Ok(());
+    }
+
+    let Some(value) = read_json(root, relative_path, errors)? else {
+        return Ok(());
+    };
+
+    if !value.is_object() {
+        errors.push(format!("{relative_path} must be a JSON object."));
+    }
+
+    Ok(())
+}
+
+fn can_read_json(root: &Path, relative_path: &str) -> Result<bool, NaomeError> {
+    let path = root.join(relative_path);
+    Ok(path.exists() && !has_symlink_in_path(root, relative_path)? && path.is_file())
+}
+
+fn read_json(
+    root: &Path,
+    relative_path: &str,
+    errors: &mut Vec<String>,
+) -> Result<Option<Value>, NaomeError> {
+    let path = root.join(relative_path);
+    if !path.exists() {
+        errors.push(format!("{relative_path} is missing."));
+        return Ok(None);
+    }
+
+    match serde_json::from_str(&fs::read_to_string(path)?) {
+        Ok(value) => Ok(Some(value)),
+        Err(error) => {
+            errors.push(format!("{relative_path} is not valid JSON: {error}"));
+            Ok(None)
+        }
+    }
+}
+
+fn validate_contains_all(
+    actual_values: &[String],
+    expected_values: &[&str],
+    field_name: &str,
+    errors: &mut Vec<String>,
+) {
+    let actual: HashSet<&str> = actual_values.iter().map(String::as_str).collect();
+    for expected in expected_values {
+        if !actual.contains(expected) {
+            errors.push(format!("{field_name} must include {expected}."));
+        }
+    }
+}
+
+fn validate_regular_file(
+    root: &Path,
+    relative_path: &str,
+    errors: &mut Vec<String>,
+) -> Result<(), NaomeError> {
+    let path = root.join(relative_path);
+    if has_symlink_in_path(root, relative_path)? {
+        errors.push(format!("{relative_path} must not contain symlinks."));
+        return Ok(());
+    }
+
+    if !path.exists() {
+        errors.push(format!("{relative_path} is missing."));
+        return Ok(());
+    }
+
+    if !path.is_file() {
+        errors.push(format!("{relative_path} must be a regular file."));
+    }
+
+    Ok(())
+}
+
+fn validate_directory(
+    root: &Path,
+    relative_path: &str,
+    errors: &mut Vec<String>,
+    allow_missing: bool,
+) -> Result<(), NaomeError> {
+    let path = root.join(relative_path);
+    if has_symlink_in_path(root, relative_path)? {
+        errors.push(format!("{relative_path} must not contain symlinks."));
+        return Ok(());
+    }
+
+    if !path.exists() {
+        if !allow_missing {
+            errors.push(format!("{relative_path} is missing."));
+        }
+        return Ok(());
+    }
+
+    if !path.is_dir() {
+        errors.push(format!("{relative_path} must be a directory."));
+    }
+
+    Ok(())
+}
+
+fn has_symlink_in_path(root: &Path, relative_path: &str) -> Result<bool, NaomeError> {
+    let mut current = root.to_path_buf();
+    for component in Path::new(relative_path).components() {
+        match component {
+            Component::Normal(part) => current.push(part),
+            _ => continue,
+        }
+
+        match fs::symlink_metadata(&current) {
+            Ok(metadata) if metadata.file_type().is_symlink() => return Ok(true),
+            Ok(_) => {}
+            Err(error) if error.kind() == std::io::ErrorKind::NotFound => continue,
+            Err(error) => return Err(error.into()),
+        }
+    }
+
+    Ok(false)
+}
+
+fn string_array(value: Option<&Value>) -> Option<Vec<String>> {
+    value.and_then(Value::as_array).and_then(|entries| {
+        entries
+            .iter()
+            .map(|entry| {
+                entry
+                    .as_str()
+                    .filter(|text| !text.trim().is_empty())
+                    .map(ToString::to_string)
+            })
+            .collect()
+    })
+}
+
+fn is_version(value: &str) -> bool {
+    let parts: Vec<&str> = value.split('.').collect();
+    parts.len() == 3
+        && parts
+            .iter()
+            .all(|part| !part.is_empty() && part.chars().all(|ch| ch.is_ascii_digit()))
+}
+
+fn is_integrity_hash(value: &str) -> bool {
+    value.len() == "sha256:".len() + 64
+        && value.starts_with("sha256:")
+        && value["sha256:".len()..]
+            .chars()
+            .all(|ch| ch.is_ascii_hexdigit() && !ch.is_ascii_uppercase())
+}
+
+fn machine_sha256(relative_path: &str, content: &[u8]) -> String {
+    let normalized = normalize_machine_owned_content(relative_path, content);
+    sha256_bytes(&normalized)
+}
+
+fn sha256_bytes(content: &[u8]) -> String {
+    let mut hasher = Sha256::new();
+    hasher.update(content);
+    format!("{:x}", hasher.finalize())
+}
+
+fn normalize_machine_owned_content(relative_path: &str, content: &[u8]) -> Vec<u8> {
+    if relative_path == HEALTH_CHECKER_RELATIVE_PATH || relative_path == TASK_STATE_CHECKER_RELATIVE_PATH {
+        return replace_expected_integrity_block(content);
+    }
+
+    if relative_path == NAOME_COMMAND_RELATIVE_PATH {
+        return replace_native_integrity_line(content);
+    }
+
+    content.to_vec()
+}
+
+fn replace_expected_integrity_block(content: &[u8]) -> Vec<u8> {
+    let text = String::from_utf8_lossy(content);
+    let start_marker = "const expectedMachineOwnedIntegrity = Object.freeze({\n";
+    let normalized =
+        "const expectedMachineOwnedIntegrity = Object.freeze({\n  __generated__: \"sha256:generated\"\n});\n";
+    let Some(start) = text.find(start_marker) else {
+        return content.to_vec();
+    };
+    let after_start = start + start_marker.len();
+    let Some(relative_end) = text[after_start..].find("\n});\n") else {
+        return content.to_vec();
+    };
+    let end = after_start + relative_end + "\n});\n".len();
+
+    let mut next = String::with_capacity(text.len());
+    next.push_str(&text[..start]);
+    next.push_str(normalized);
+    next.push_str(&text[end..]);
+    next.into_bytes()
+}
+
+fn replace_native_integrity_line(content: &[u8]) -> Vec<u8> {
+    let text = String::from_utf8_lossy(content);
+    let prefix = "const expectedNativeBinaryIntegrity = \"";
+    let Some(start) = text.find(prefix) else {
+        return content.to_vec();
+    };
+    let Some(relative_end) = text[start..].find(";\n") else {
+        return content.to_vec();
+    };
+    let end = start + relative_end + ";\n".len();
+    let replacement = "const expectedNativeBinaryIntegrity = \"sha256:generated\";\n";
+
+    let mut next = String::with_capacity(text.len());
+    next.push_str(&text[..start]);
+    next.push_str(replacement);
+    next.push_str(&text[end..]);
+    next.into_bytes()
+}
+
+fn native_integrity_from_naome_command(content: &str) -> Option<String> {
+    let prefix = "const expectedNativeBinaryIntegrity = \"";
+    let start = content.find(prefix)? + prefix.len();
+    let rest = &content[start..];
+    let end = rest.find("\";")?;
+    let value = &rest[..end];
+    is_integrity_hash(value).then(|| value.to_string())
+}

package/crates/naome-core/src/install_plan.rs

@@ -0,0 +1,82 @@
+use serde::Serialize;
+
+pub const MACHINE_OWNED_PATHS: &[&str] = &[
+    "AGENTS.md",
+    ".naome/package.json",
+    ".naome/bin/naome.js",
+    ".naome/bin/check-task-state.js",
+    ".naome/bin/check-harness-health.js",
+    ".naome/task-contract.schema.json",
+    "docs/naome/index.md",
+    "docs/naome/first-run.md",
+    "docs/naome/agent-workflow.md",
+    "docs/naome/execution.md",
+    "docs/naome/upgrade.md",
+];
+
+pub const PROJECT_OWNED_PATHS: &[&str] = &[
+    ".naomeignore",
+    ".naome/init-state.json",
+    ".naome/manifest.json",
+    ".naome/task-state.json",
+    ".naome/upgrade-state.json",
+    ".naome/verification.json",
+    "docs/naome/architecture.md",
+    "docs/naome/decisions.md",
+    "docs/naome/repo-profile.md",
+    "docs/naome/security.md",
+    "docs/naome/testing.md",
+];
+
+pub const LOCAL_ONLY_MACHINE_OWNED_PATHS: &[&str] = &[
+    ".naome/package.json",
+    ".naome/bin/naome.js",
+    ".naome/bin/check-task-state.js",
+    ".naome/bin/check-harness-health.js",
+    ".naome/task-contract.schema.json",
+    "docs/naome/index.md",
+    "docs/naome/first-run.md",
+    "docs/naome/agent-workflow.md",
+    "docs/naome/execution.md",
+    "docs/naome/upgrade.md",
+];
+
+const LOCAL_NATIVE_BINARY_PATHS: &[&str] = &[
+    ".naome/bin/naome-rust",
+    ".naome/bin/naome-rust.exe",
+    ".naome/archive",
+];
+
+#[derive(Debug, Clone, Serialize, PartialEq, Eq)]
+#[serde(rename_all = "camelCase")]
+pub struct InstallPlan {
+    pub schema: &'static str,
+    pub harness_version: String,
+    pub machine_owned: Vec<&'static str>,
+    pub project_owned: Vec<&'static str>,
+    pub local_only_machine_owned: Vec<&'static str>,
+    pub gitignore_entries: Vec<&'static str>,
+    pub git_untrack_paths: Vec<&'static str>,
+}
+
+pub fn install_plan(harness_version: impl Into<String>) -> InstallPlan {
+    let mut gitignore_entries = vec![
+        "# NAOME local machine-owned harness files.",
+        ".naome/archive/",
+        ".naome/bin/naome-rust*",
+    ];
+    gitignore_entries.extend_from_slice(LOCAL_ONLY_MACHINE_OWNED_PATHS);
+
+    let mut git_untrack_paths = LOCAL_ONLY_MACHINE_OWNED_PATHS.to_vec();
+    git_untrack_paths.extend_from_slice(LOCAL_NATIVE_BINARY_PATHS);
+
+    InstallPlan {
+        schema: "naome.install-plan.v1",
+        harness_version: harness_version.into(),
+        machine_owned: MACHINE_OWNED_PATHS.to_vec(),
+        project_owned: PROJECT_OWNED_PATHS.to_vec(),
+        local_only_machine_owned: LOCAL_ONLY_MACHINE_OWNED_PATHS.to_vec(),
+        gitignore_entries,
+        git_untrack_paths,
+    }
+}

package/crates/naome-core/src/lib.rs

@@ -0,0 +1,17 @@
+mod decision;
+mod git;
+mod harness_health;
+mod install_plan;
+mod models;
+mod paths;
+mod task_state;
+mod verification;
+mod verification_contract;
+
+pub use decision::{evaluate_decision, format_decision, EvaluationOptions};
+pub use harness_health::{validate_harness_health, HarnessHealthOptions};
+pub use install_plan::{install_plan, InstallPlan};
+pub use models::{Decision, NaomeError};
+pub use task_state::{validate_task_state, TaskStateMode, TaskStateOptions, TaskStateReport};
+pub use verification::seed_builtin_verification_checks;
+pub use verification_contract::validate_verification_contract;