@lamentis/naome 1.0.0

package/crates/naome-core/src/task_state.rs

@@ -0,0 +1,1859 @@
+use std::collections::{HashMap, HashSet};
+use std::fs;
+use std::path::{Path, PathBuf};
+use std::process::Command;
+
+use serde_json::Value;
+
+use crate::harness_health::{validate_harness_health, HarnessHealthOptions};
+use crate::models::NaomeError;
+
+const CONTROL_STATE_PATH: &str = ".naome/task-state.json";
+const ALLOWED_STATUS: &[&str] = &[
+    "idle",
+    "planning",
+    "implementing",
+    "revising",
+    "verifying",
+    "needs_human_review",
+    "blocked",
+    "complete",
+];
+const BLOCKING_STATUS: &[&str] = &[
+    "planning",
+    "implementing",
+    "revising",
+    "verifying",
+    "needs_human_review",
+    "blocked",
+];
+const ALLOWED_EVIDENCE_STATUS: &[&str] = &["added", "modified", "deleted", "renamed"];
+
+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+pub enum TaskStateMode {
+    State,
+    Admission,
+    Progress,
+    CommitGate,
+    PushGate,
+}
+
+#[derive(Debug, Clone)]
+pub struct TaskStateOptions {
+    pub mode: TaskStateMode,
+    pub harness_health: Option<HarnessHealthOptions>,
+}
+
+impl Default for TaskStateOptions {
+    fn default() -> Self {
+        Self {
+            mode: TaskStateMode::State,
+            harness_health: None,
+        }
+    }
+}
+
+#[derive(Debug, Clone, PartialEq, Eq)]
+pub struct TaskStateReport {
+    pub errors: Vec<String>,
+    pub notices: Vec<String>,
+}
+
+#[derive(Debug, Clone)]
+struct ChangedEntry {
+    path: String,
+    status: String,
+}
+
+pub fn validate_task_state(
+    root: &Path,
+    options: TaskStateOptions,
+) -> Result<TaskStateReport, NaomeError> {
+    let mut report = TaskStateReport {
+        errors: Vec::new(),
+        notices: Vec::new(),
+    };
+    let Some(task_state) = read_json(root, ".naome/task-state.json", &mut report.errors)? else {
+        return Ok(report);
+    };
+
+    validate_task_state_shape(&task_state, &mut report.errors);
+    let status = task_state
+        .get("status")
+        .and_then(Value::as_str)
+        .unwrap_or("invalid");
+    if !ALLOWED_STATUS.contains(&status) {
+        return Ok(report);
+    }
+
+    validate_harness_health_gate(root, &options, &mut report.errors)?;
+    if !report.errors.is_empty() {
+        return Ok(report);
+    }
+
+    match options.mode {
+        TaskStateMode::Admission => {
+            validate_admission(&task_state, root, &mut report.errors)?;
+            return Ok(report);
+        }
+        TaskStateMode::Progress => {
+            validate_progress(&task_state, root, &mut report.errors)?;
+            return Ok(report);
+        }
+        TaskStateMode::CommitGate => {
+            validate_commit_gate(&task_state, root, &mut report.errors, &mut report.notices)?;
+            return Ok(report);
+        }
+        TaskStateMode::PushGate => {
+            validate_push_gate(&task_state, &mut report.errors);
+            return Ok(report);
+        }
+        TaskStateMode::State => {}
+    }
+
+    if status == "idle" {
+        validate_idle_state(&task_state, &mut report.errors);
+        return Ok(report);
+    }
+
+    let active_error_start = report.errors.len();
+    validate_active_task(task_state.get("activeTask"), &mut report.errors);
+    validate_pending_upgrade(&task_state, root, &mut report.errors)?;
+    validate_active_task_references(
+        task_state.get("activeTask"),
+        root,
+        &mut report.errors,
+        Some(status),
+    )?;
+
+    if status == "needs_human_review" {
+        validate_blocker(task_state.get("blocker"), &mut report.errors);
+        validate_human_review_blocker_paths(
+            task_state.get("activeTask"),
+            task_state.get("blocker"),
+            root,
+            &mut report.errors,
+        )?;
+        validate_proof_evidence_covers_changed_paths(
+            task_state.get("activeTask"),
+            root,
+            &mut report.errors,
+        )?;
+        if report.errors.len() > active_error_start {
+            report.errors.push("needs_human_review task state is invalid; fix blocker paths and proof evidence before asking for a human decision.".to_string());
+        } else {
+            report.errors.push(format_blocker(
+                "Human review required",
+                task_state.get("blocker"),
+            ));
+        }
+        return Ok(report);
+    }
+
+    if status == "blocked" {
+        validate_blocker(task_state.get("blocker"), &mut report.errors);
+        report
+            .errors
+            .push(format_blocker("Task is blocked", task_state.get("blocker")));
+        return Ok(report);
+    }
+
+    if BLOCKING_STATUS.contains(&status) {
+        report.errors.push(format!(
+            "Task is still {status}; new work must wait until the active task is complete or resolved."
+        ));
+        return Ok(report);
+    }
+
+    validate_complete_task(
+        task_state.get("activeTask"),
+        task_state.get("blocker"),
+        root,
+        &mut report.errors,
+        &mut report.notices,
+    )?;
+    Ok(report)
+}
+
+fn validate_harness_health_gate(
+    root: &Path,
+    options: &TaskStateOptions,
+    errors: &mut Vec<String>,
+) -> Result<(), NaomeError> {
+    let Some(health_options) = options.harness_health.clone() else {
+        return Ok(());
+    };
+
+    let health_errors = validate_harness_health(root, health_options)?;
+    if health_errors.is_empty() {
+        return Ok(());
+    }
+
+    errors.push(
+        "Harness health failed; normal NAOME task work is repair-only until machine-owned harness files are healthy. Human options: repair_harness, review_harness_health."
+            .to_string(),
+    );
+    errors.extend(
+        health_errors
+            .into_iter()
+            .map(|error| format!("Harness health: {error}")),
+    );
+    Ok(())
+}
+
+fn validate_task_state_shape(task_state: &Value, errors: &mut Vec<String>) {
+    let Some(object) = task_state.as_object() else {
+        errors.push(".naome/task-state.json must be a JSON object.".to_string());
+        return;
+    };
+
+    if object.get("schema").and_then(Value::as_str) != Some("naome.task-state.v1") {
+        errors.push(".naome/task-state.json schema must be naome.task-state.v1.".to_string());
+    }
+
+    if object.get("version").and_then(Value::as_i64) != Some(1) {
+        errors.push(".naome/task-state.json version must be 1.".to_string());
+    }
+
+    let status = object.get("status").and_then(Value::as_str);
+    if !status.is_some_and(|value| ALLOWED_STATUS.contains(&value)) {
+        errors.push(format!(
+            ".naome/task-state.json status must be one of: {}.",
+            ALLOWED_STATUS.join(", ")
+        ));
+    }
+
+    if let Some(updated_at) = object.get("updatedAt") {
+        if !updated_at.is_null() && !updated_at.as_str().is_some_and(is_iso_datetime) {
+            errors.push(
+                ".naome/task-state.json updatedAt must be an ISO timestamp or null.".to_string(),
+            );
+        }
+    }
+}
+
+fn validate_idle_state(task_state: &Value, errors: &mut Vec<String>) {
+    if !task_state.get("activeTask").is_some_and(Value::is_null) {
+        errors.push("idle task state must have activeTask set to null.".to_string());
+    }
+
+    if !task_state.get("blocker").is_some_and(Value::is_null) {
+        errors.push("idle task state must have blocker set to null.".to_string());
+    }
+}
+
+fn validate_active_task(active_task: Option<&Value>, errors: &mut Vec<String>) {
+    let Some(active_task) = active_task.and_then(Value::as_object) else {
+        errors.push("activeTask must be an object for active task states.".to_string());
+        return;
+    };
+
+    if !active_task
+        .get("id")
+        .and_then(Value::as_str)
+        .is_some_and(is_id)
+    {
+        errors.push("activeTask.id must be kebab-case lowercase.".to_string());
+    }
+
+    require_string(active_task.get("request"), "activeTask.request", errors);
+    validate_prompt_record(
+        active_task.get("userPrompt"),
+        "activeTask.userPrompt",
+        errors,
+    );
+    require_string_array(
+        active_task.get("allowedPaths"),
+        "activeTask.allowedPaths",
+        errors,
+    );
+    require_string_array(
+        active_task.get("declaredChangeTypes"),
+        "activeTask.declaredChangeTypes",
+        errors,
+    );
+    require_string_array_allow_empty(
+        active_task.get("requiredCheckIds"),
+        "activeTask.requiredCheckIds",
+        errors,
+    );
+    validate_control_state_patterns(
+        active_task.get("allowedPaths"),
+        "activeTask.allowedPaths",
+        errors,
+    );
+
+    if !active_task.get("proofResults").is_some_and(Value::is_array) {
+        errors.push("activeTask.proofResults must be an array.".to_string());
+    }
+
+    validate_revisions(active_task.get("revisions"), errors);
+    validate_human_review(active_task.get("humanReview"), errors);
+}
+
+fn validate_revisions(revisions: Option<&Value>, errors: &mut Vec<String>) {
+    let Some(revisions) = revisions else {
+        return;
+    };
+    let Some(revisions) = revisions.as_array() else {
+        errors.push("activeTask.revisions must be an array when present.".to_string());
+        return;
+    };
+
+    for (index, revision) in revisions.iter().enumerate() {
+        let prefix = format!("activeTask.revisions[{index}]");
+        let Some(object) = revision.as_object() else {
+            errors.push(format!("{prefix} must be an object."));
+            continue;
+        };
+
+        require_string(object.get("request"), &format!("{prefix}.request"), errors);
+        validate_prompt_record(
+            object.get("userPrompt"),
+            &format!("{prefix}.userPrompt"),
+            errors,
+        );
+
+        if !object
+            .get("requestedAt")
+            .and_then(Value::as_str)
+            .is_some_and(is_iso_datetime)
+        {
+            errors.push(format!("{prefix}.requestedAt must be an ISO timestamp."));
+        }
+
+        if let Some(proof_stale) = object.get("proofStale") {
+            if !proof_stale.is_boolean() {
+                errors.push(format!("{prefix}.proofStale must be boolean when present."));
+            }
+        }
+    }
+}
+
+fn validate_prompt_record(
+    prompt_record: Option<&Value>,
+    field_name: &str,
+    errors: &mut Vec<String>,
+) {
+    let Some(object) = prompt_record.and_then(Value::as_object) else {
+        errors.push(format!(
+            "{field_name} must be an object with receivedAt and text."
+        ));
+        return;
+    };
+
+    if !object
+        .get("receivedAt")
+        .and_then(Value::as_str)
+        .is_some_and(is_iso_datetime)
+    {
+        errors.push(format!("{field_name}.receivedAt must be an ISO timestamp."));
+    }
+
+    require_string(object.get("text"), &format!("{field_name}.text"), errors);
+}
+
+fn validate_human_review(human_review: Option<&Value>, errors: &mut Vec<String>) {
+    let Some(object) = human_review.and_then(Value::as_object) else {
+        errors.push("activeTask.humanReview must be an object.".to_string());
+        return;
+    };
+
+    if !object.get("required").is_some_and(Value::is_boolean) {
+        errors.push("activeTask.humanReview.required must be boolean.".to_string());
+    }
+
+    if !object.get("approved").is_some_and(Value::is_boolean) {
+        errors.push("activeTask.humanReview.approved must be boolean.".to_string());
+    }
+
+    if let Some(reason) = object.get("reason") {
+        if !reason.is_null() && !reason.as_str().is_some_and(is_non_empty_string) {
+            errors.push("activeTask.humanReview.reason must be a string or null.".to_string());
+        }
+    }
+}
+
+fn validate_blocker(blocker: Option<&Value>, errors: &mut Vec<String>) {
+    let Some(object) = blocker.and_then(Value::as_object) else {
+        errors.push(
+            "blocker must be an object when task state is blocked or needs human review."
+                .to_string(),
+        );
+        return;
+    };
+
+    require_string(object.get("type"), "blocker.type", errors);
+    require_string(object.get("message"), "blocker.message", errors);
+    require_string_array_allow_empty(object.get("paths"), "blocker.paths", errors);
+    require_string_array(object.get("humanOptions"), "blocker.humanOptions", errors);
+}
+
+fn format_blocker(prefix: &str, blocker: Option<&Value>) -> String {
+    let Some(object) = blocker.and_then(Value::as_object) else {
+        return format!("{prefix}.");
+    };
+
+    let mut parts = vec![format!(
+        "{prefix}: {}",
+        object
+            .get("message")
+            .and_then(Value::as_str)
+            .unwrap_or("No message recorded.")
+    )];
+
+    if let Some(paths) = string_array(object.get("paths")) {
+        if !paths.is_empty() {
+            parts.push(format!("Paths: {}", paths.join(", ")));
+        }
+    }
+
+    if let Some(options) = string_array(object.get("humanOptions")) {
+        if !options.is_empty() {
+            parts.push(format!("Human options: {}", options.join(", ")));
+        }
+    }
+
+    parts.join(" ")
+}
+
+fn validate_pending_upgrade(
+    _task_state: &Value,
+    root: &Path,
+    errors: &mut Vec<String>,
+) -> Result<(), NaomeError> {
+    if !root.join(".naome/upgrade-state.json").exists() {
+        return Ok(());
+    }
+
+    let Some(upgrade_state) = read_json(root, ".naome/upgrade-state.json", errors)? else {
+        return Ok(());
+    };
+
+    if upgrade_state.get("status").and_then(Value::as_str) == Some("needs_agent_upgrade") {
+        let pending = upgrade_state
+            .get("pending")
+            .and_then(Value::as_array)
+            .map(|values| {
+                values
+                    .iter()
+                    .filter_map(Value::as_str)
+                    .collect::<Vec<_>>()
+                    .join(", ")
+            })
+            .unwrap_or_else(|| "unknown".to_string());
+        errors.push(format!(
+            "NAOME upgrade is pending. Finish docs/naome/upgrade.md before feature work. Pending: {pending}"
+        ));
+    }
+
+    Ok(())
+}
+
+fn validate_active_task_references(
+    active_task: Option<&Value>,
+    root: &Path,
+    errors: &mut Vec<String>,
+    status: Option<&str>,
+) -> Result<(), NaomeError> {
+    let Some(active_task) = active_task else {
+        return Ok(());
+    };
+
+    validate_admission_proof(active_task.get("admission"), root, errors)?;
+    validate_external_git_reconciliation(active_task, status, root, errors)?;
+    let check_ids = read_verification_check_ids(root, errors)?;
+    validate_required_check_ids(active_task, &check_ids, errors);
+    validate_proof_result_entries(active_task, &check_ids, root, errors)?;
+    Ok(())
+}
+
+fn validate_admission_proof(
+    admission: Option<&Value>,
+    root: &Path,
+    errors: &mut Vec<String>,
+) -> Result<(), NaomeError> {
+    let Some(object) = admission.and_then(Value::as_object) else {
+        errors.push(
+            "activeTask.admission must be an object recorded from a passed admission check."
+                .to_string(),
+        );
+        return Ok(());
+    };
+    let prefix = "activeTask.admission";
+
+    require_string(object.get("command"), &format!("{prefix}.command"), errors);
+    require_string(object.get("cwd"), &format!("{prefix}.cwd"), errors);
+    require_string_array_allow_empty(
+        object.get("changedPaths"),
+        &format!("{prefix}.changedPaths"),
+        errors,
+    );
+    require_string(object.get("gitHead"), &format!("{prefix}.gitHead"), errors);
+
+    if object.get("command").and_then(Value::as_str)
+        != Some("node .naome/bin/check-task-state.js --admission")
+    {
+        errors.push(format!(
+            "{prefix}.command must be node .naome/bin/check-task-state.js --admission."
+        ));
+    }
+
+    if object.get("cwd").and_then(Value::as_str) != Some(".") {
+        errors.push(format!("{prefix}.cwd must be \".\"."));
+    }
+
+    match object.get("exitCode").and_then(Value::as_i64) {
+        Some(0) => {}
+        Some(_) => errors.push(format!("{prefix}.exitCode must be 0.")),
+        None => errors.push(format!("{prefix}.exitCode must be an integer.")),
+    }
+
+    if !object
+        .get("checkedAt")
+        .and_then(Value::as_str)
+        .is_some_and(is_iso_datetime)
+    {
+        errors.push(format!("{prefix}.checkedAt must be an ISO timestamp."));
+    }
+
+    if let Some(changed_paths) = object.get("changedPaths").and_then(Value::as_array) {
+        if !changed_paths.is_empty() {
+            errors.push(format!("{prefix}.changedPaths must be empty because task admission requires a clean git diff."));
+        }
+    }
+
+    if let Some(git_head) = object.get("gitHead").and_then(Value::as_str) {
+        if !git_head.trim().is_empty() && !git_commit_exists(root, git_head)? {
+            errors.push(format!("{prefix}.gitHead must be an existing git commit."));
+        }
+    }
+
+    Ok(())
+}
+
+fn validate_external_git_reconciliation(
+    active_task: &Value,
+    status: Option<&str>,
+    root: &Path,
+    errors: &mut Vec<String>,
+) -> Result<(), NaomeError> {
+    if status == Some("complete") {
+        return Ok(());
+    }
+
+    let Some(admission_head) = active_task
+        .get("admission")
+        .and_then(|admission| admission.get("gitHead"))
+        .and_then(Value::as_str)
+        .filter(|head| !head.trim().is_empty())
+    else {
+        return Ok(());
+    };
+
+    let Some(current_head) = read_git_head(root)? else {
+        return Ok(());
+    };
+
+    if current_head != admission_head {
+        errors.push(format!("Task git HEAD changed after admission from {admission_head} to {current_head}. Reconcile external git work before continuing. Human options: mark_task_complete_from_git, reopen_task_revision, recover_current_diff, cancel_task_state."));
+    }
+
+    Ok(())
+}
+
+fn read_verification_check_ids(
+    root: &Path,
+    errors: &mut Vec<String>,
+) -> Result<HashSet<String>, NaomeError> {
+    let mut check_ids = HashSet::new();
+    let Some(verification) = read_json(root, ".naome/verification.json", errors)? else {
+        return Ok(check_ids);
+    };
+
+    if let Some(checks) = verification.get("checks").and_then(Value::as_array) {
+        for check in checks {
+            if let Some(id) = check.get("id").and_then(Value::as_str) {
+                if !id.trim().is_empty() {
+                    check_ids.insert(id.to_string());
+                }
+            }
+        }
+    }
+
+    Ok(check_ids)
+}
+
+fn validate_required_check_ids(
+    active_task: &Value,
+    check_ids: &HashSet<String>,
+    errors: &mut Vec<String>,
+) {
+    let Some(required_check_ids) = active_task
+        .get("requiredCheckIds")
+        .and_then(Value::as_array)
+    else {
+        return;
+    };
+
+    for check_id in required_check_ids {
+        if let Some(check_id) = check_id.as_str().filter(|value| !value.trim().is_empty()) {
+            if !check_ids.contains(check_id) {
+                errors.push(format!(
+                    "activeTask.requiredCheckIds unknown check id: {check_id}"
+                ));
+            }
+        }
+    }
+}
+
+fn validate_proof_result_entries(
+    active_task: &Value,
+    check_ids: &HashSet<String>,
+    root: &Path,
+    errors: &mut Vec<String>,
+) -> Result<(), NaomeError> {
+    let Some(proofs) = active_task.get("proofResults").and_then(Value::as_array) else {
+        return Ok(());
+    };
+
+    for (index, proof) in proofs.iter().enumerate() {
+        validate_proof_result(proof, index, check_ids, root, errors, active_task)?;
+    }
+
+    Ok(())
+}
+
+fn validate_proof_results(
+    active_task: &Value,
+    check_ids: &HashSet<String>,
+    root: &Path,
+    errors: &mut Vec<String>,
+) -> Result<(), NaomeError> {
+    let Some(required_check_ids) = active_task
+        .get("requiredCheckIds")
+        .and_then(Value::as_array)
+    else {
+        return Ok(());
+    };
+    let Some(proofs) = active_task.get("proofResults").and_then(Value::as_array) else {
+        return Ok(());
+    };
+
+    for check_id in required_check_ids {
+        let Some(check_id) = check_id.as_str().filter(|value| !value.trim().is_empty()) else {
+            continue;
+        };
+
+        match proofs
+            .iter()
+            .find(|proof| proof.get("checkId").and_then(Value::as_str) == Some(check_id))
+        {
+            Some(proof) if proof.get("exitCode").and_then(Value::as_i64) == Some(0) => {}
+            Some(_) => errors.push(format!(
+                "activeTask.proofResults failed proof result: {check_id}"
+            )),
+            None => errors.push(format!(
+                "activeTask.proofResults missing proof result: {check_id}"
+            )),
+        }
+    }
+
+    validate_proof_result_entries(active_task, check_ids, root, errors)
+}
+
+fn validate_proof_evidence_covers_changed_paths(
+    active_task: Option<&Value>,
+    root: &Path,
+    errors: &mut Vec<String>,
+) -> Result<(), NaomeError> {
+    let Some(active_task) = active_task else {
+        return Ok(());
+    };
+    let Some(proofs) = active_task.get("proofResults").and_then(Value::as_array) else {
+        return Ok(());
+    };
+    if proofs.is_empty() {
+        return Ok(());
+    }
+
+    let changed_paths = read_task_diff(active_task, root)?;
+    let evidence_paths: HashSet<String> = proofs
+        .iter()
+        .flat_map(|proof| {
+            proof
+                .get("evidence")
+                .and_then(Value::as_array)
+                .cloned()
+                .unwrap_or_default()
+        })
+        .filter_map(|entry| evidence_entry_path(&entry).map(normalize_path))
+        .collect();
+
+    let allowed_paths = string_array(active_task.get("allowedPaths")).unwrap_or_default();
+    let changed_allowed_paths: Vec<String> = changed_paths
+        .diff_paths
+        .into_iter()
+        .filter(|path| matches_any_pattern(path, &allowed_paths))
+        .collect();
+    let missing_paths: Vec<String> = changed_allowed_paths
+        .into_iter()
+        .filter(|path| !evidence_paths.contains(path))
+        .collect();
+
+    if !missing_paths.is_empty() {
+        errors.push(format!(
+            "activeTask.proofResults evidence missing changed allowed paths: {}",
+            missing_paths.join(", ")
+        ));
+    }
+
+    Ok(())
+}
+
+fn validate_proof_result(
+    proof: &Value,
+    index: usize,
+    check_ids: &HashSet<String>,
+    root: &Path,
+    errors: &mut Vec<String>,
+    active_task: &Value,
+) -> Result<(), NaomeError> {
+    let prefix = format!("activeTask.proofResults[{index}]");
+    let Some(object) = proof.as_object() else {
+        errors.push(format!("{prefix} must be an object."));
+        return Ok(());
+    };
+
+    require_string(object.get("checkId"), &format!("{prefix}.checkId"), errors);
+    require_string(object.get("command"), &format!("{prefix}.command"), errors);
+    require_string(object.get("cwd"), &format!("{prefix}.cwd"), errors);
+    validate_evidence_array(
+        object.get("evidence"),
+        &format!("{prefix}.evidence"),
+        errors,
+    );
+    validate_control_state_paths(
+        object.get("evidence"),
+        &format!("{prefix}.evidence"),
+        errors,
+    );
+
+    if object.get("exitCode").and_then(Value::as_i64).is_none() {
+        errors.push(format!("{prefix}.exitCode must be an integer."));
+    }
+
+    if !object
+        .get("checkedAt")
+        .and_then(Value::as_str)
+        .is_some_and(is_iso_datetime)
+    {
+        errors.push(format!("{prefix}.checkedAt must be an ISO timestamp."));
+    }
+
+    if let Some(check_id) = object.get("checkId").and_then(Value::as_str) {
+        if !check_id.trim().is_empty() && !check_ids.contains(check_id) {
+            errors.push(format!("{prefix}.checkId unknown check id: {check_id}"));
+        }
+    }
+
+    validate_evidence_paths(
+        object.get("evidence"),
+        &format!("{prefix}.evidence"),
+        root,
+        errors,
+        active_task,
+    )
+}
+
+fn validate_evidence_array(evidence: Option<&Value>, field_name: &str, errors: &mut Vec<String>) {
+    let Some(evidence) = evidence.and_then(Value::as_array) else {
+        errors.push(format!("{field_name} must be an evidence array."));
+        return;
+    };
+
+    for (index, entry) in evidence.iter().enumerate() {
+        let prefix = format!("{field_name}[{index}]");
+        if entry.as_str().is_some_and(is_non_empty_string) {
+            continue;
+        }
+
+        let Some(object) = entry.as_object() else {
+            errors.push(format!(
+                "{prefix} must be a non-empty string path or an evidence object."
+            ));
+            continue;
+        };
+
+        require_string(object.get("path"), &format!("{prefix}.path"), errors);
+
+        if let Some(status) = object.get("status").and_then(Value::as_str) {
+            if !ALLOWED_EVIDENCE_STATUS.contains(&status) {
+                errors.push(format!(
+                    "{prefix}.status must be one of: {}.",
+                    ALLOWED_EVIDENCE_STATUS.join(", ")
+                ));
+            }
+        }
+
+        if object.contains_key("fromPath")
+            && !object
+                .get("fromPath")
+                .and_then(Value::as_str)
+                .is_some_and(is_non_empty_string)
+        {
+            errors.push(format!(
+                "{prefix}.fromPath must be a non-empty string when present."
+            ));
+        }
+    }
+}
+
+fn validate_control_state_patterns(
+    patterns: Option<&Value>,
+    field_name: &str,
+    errors: &mut Vec<String>,
+) {
+    let Some(patterns) = string_array(patterns) else {
+        return;
+    };
+
+    for pattern in patterns {
+        if matches_path_pattern(CONTROL_STATE_PATH, &pattern) {
+            errors.push(format!(
+                "{field_name} cannot include NAOME control state: {pattern}"
+            ));
+        }
+    }
+}
+
+fn validate_control_state_paths(paths: Option<&Value>, field_name: &str, errors: &mut Vec<String>) {
+    let Some(paths) = paths.and_then(Value::as_array) else {
+        return;
+    };
+
+    for entry in paths {
+        let Some(path) = evidence_entry_path(entry) else {
+            continue;
+        };
+        if normalize_path(&path) == CONTROL_STATE_PATH {
+            errors.push(format!(
+                "{field_name} cannot include NAOME control state: {path}"
+            ));
+        }
+    }
+}
+
+fn validate_evidence_paths(
+    evidence: Option<&Value>,
+    field_name: &str,
+    root: &Path,
+    errors: &mut Vec<String>,
+    active_task: &Value,
+) -> Result<(), NaomeError> {
+    let Some(evidence) = evidence.and_then(Value::as_array) else {
+        return Ok(());
+    };
+
+    let mut deleted_paths: HashSet<String> = read_git_changed_entries(root)?
+        .into_iter()
+        .filter(|entry| entry.status == "deleted")
+        .map(|entry| entry.path)
+        .collect();
+    for path in read_historical_deleted_paths(active_task, root)? {
+        deleted_paths.insert(path);
+    }
+
+    for entry in evidence {
+        let Some(evidence_path) = evidence_entry_path(entry) else {
+            continue;
+        };
+        let normalized_path = normalize_path(&evidence_path);
+        if Path::new(&evidence_path).is_absolute()
+            || normalized_path.split('/').any(|part| part == "..")
+        {
+            errors.push(format!("{field_name} unsafe path: {evidence_path}"));
+            continue;
+        }
+
+        if !root.join(&normalized_path).exists() && !deleted_paths.contains(&normalized_path) {
+            errors.push(format!(
+                "{field_name} path does not exist or is not deleted in git diff: {evidence_path}"
+            ));
+        }
+    }
+
+    Ok(())
+}
+
+fn read_historical_deleted_paths(
+    active_task: &Value,
+    root: &Path,
+) -> Result<Vec<String>, NaomeError> {
+    let Some(admission_head) = active_task
+        .get("admission")
+        .and_then(|admission| admission.get("gitHead"))
+        .and_then(Value::as_str)
+        .filter(|head| !head.trim().is_empty())
+    else {
+        return Ok(Vec::new());
+    };
+
+    if !git_commit_exists(root, admission_head)? {
+        return Ok(Vec::new());
+    }
+
+    let Some(current_head) = read_git_head(root)? else {
+        return Ok(Vec::new());
+    };
+
+    if current_head == admission_head {
+        return Ok(Vec::new());
+    }
+
+    let output = run_git(
+        root,
+        ["diff", "--name-status", "-z", admission_head, &current_head],
+    )?;
+    if !output.status.success() {
+        return Ok(Vec::new());
+    }
+
+    Ok(parse_name_status_output(&output.stdout)
+        .into_iter()
+        .filter(|entry| entry.status == "deleted")
+        .map(|entry| entry.path)
+        .collect())
+}
+
+fn evidence_entry_path(entry: &Value) -> Option<String> {
+    entry
+        .as_str()
+        .filter(|value| is_non_empty_string(value))
+        .map(ToString::to_string)
+        .or_else(|| {
+            entry
+                .get("path")
+                .and_then(Value::as_str)
+                .filter(|value| is_non_empty_string(value))
+                .map(ToString::to_string)
+        })
+}
+
+fn validate_changed_paths(
+    active_task: &Value,
+    root: &Path,
+    errors: &mut Vec<String>,
+) -> Result<(), NaomeError> {
+    let diff = read_task_diff(active_task, root)?;
+    if !diff.outside_paths.is_empty() {
+        errors.push(format!(
+            "Changed files outside allowedPaths: {}",
+            diff.outside_paths.join(", ")
+        ));
+    }
+    Ok(())
+}
+
+fn validate_human_review_blocker_paths(
+    active_task: Option<&Value>,
+    blocker: Option<&Value>,
+    root: &Path,
+    errors: &mut Vec<String>,
+) -> Result<(), NaomeError> {
+    let (Some(active_task), Some(blocker)) = (active_task, blocker) else {
+        return Ok(());
+    };
+    let diff = read_task_diff(active_task, root)?;
+    if diff.outside_paths.is_empty() {
+        return Ok(());
+    }
+
+    let blocker_paths: HashSet<String> = blocker
+        .get("paths")
+        .and_then(Value::as_array)
+        .into_iter()
+        .flatten()
+        .filter_map(Value::as_str)
+        .map(normalize_path)
+        .collect();
+    let missing_paths: Vec<String> = diff
+        .outside_paths
+        .into_iter()
+        .filter(|path| !blocker_paths.contains(path))
+        .collect();
+
+    if !missing_paths.is_empty() {
+        errors.push(format!(
+            "blocker.paths missing actual scope violations: {}",
+            missing_paths.join(", ")
+        ));
+    }
+
+    Ok(())
+}
+
+struct TaskDiff {
+    diff_paths: Vec<String>,
+    outside_paths: Vec<String>,
+}
+
+fn read_task_diff(active_task: &Value, root: &Path) -> Result<TaskDiff, NaomeError> {
+    let entries = read_git_changed_entries(root)?;
+    let allowed_paths = string_array(active_task.get("allowedPaths")).unwrap_or_default();
+    let diff_paths: Vec<String> = entries
+        .into_iter()
+        .map(|entry| entry.path)
+        .filter(|path| path != CONTROL_STATE_PATH)
+        .collect();
+    let outside_paths = diff_paths
+        .iter()
+        .filter(|path| !matches_any_pattern(path, &allowed_paths))
+        .cloned()
+        .collect();
+
+    Ok(TaskDiff {
+        diff_paths,
+        outside_paths,
+    })
+}
+
+fn validate_complete_task(
+    active_task: Option<&Value>,
+    blocker: Option<&Value>,
+    root: &Path,
+    errors: &mut Vec<String>,
+    notices: &mut Vec<String>,
+) -> Result<(), NaomeError> {
+    let error_start = errors.len();
+
+    if !blocker.is_some_and(Value::is_null) {
+        errors.push("complete task state must have blocker set to null.".to_string());
+    }
+
+    let Some(active_task) = active_task else {
+        return Ok(());
+    };
+
+    if active_task
+        .get("humanReview")
+        .and_then(|review| review.get("required"))
+        .and_then(Value::as_bool)
+        == Some(true)
+        && active_task
+            .get("humanReview")
+            .and_then(|review| review.get("approved"))
+            .and_then(Value::as_bool)
+            != Some(true)
+    {
+        errors.push("complete task requires human review approval before completion.".to_string());
+    }
+
+    let check_ids = read_verification_check_ids(root, errors)?;
+    validate_required_check_ids(active_task, &check_ids, errors);
+    validate_proof_results(active_task, &check_ids, root, errors)?;
+    validate_changed_paths(active_task, root, errors)?;
+    validate_proof_evidence_covers_changed_paths(Some(active_task), root, errors)?;
+
+    if errors.len() == error_start {
+        add_completed_task_diff_notice(root, notices)?;
+    }
+
+    Ok(())
+}
+
+fn validate_progress(
+    task_state: &Value,
+    root: &Path,
+    errors: &mut Vec<String>,
+) -> Result<(), NaomeError> {
+    validate_init_complete(root, errors)?;
+    validate_upgrade_complete(root, errors)?;
+
+    let status = task_state
+        .get("status")
+        .and_then(Value::as_str)
+        .unwrap_or("invalid");
+
+    match status {
+        "planning" | "implementing" | "revising" | "verifying" => {
+            validate_active_task(task_state.get("activeTask"), errors);
+            validate_pending_upgrade(task_state, root, errors)?;
+            validate_active_task_references(
+                task_state.get("activeTask"),
+                root,
+                errors,
+                Some(status),
+            )?;
+            if let Some(active_task) = task_state.get("activeTask") {
+                validate_changed_paths(active_task, root, errors)?;
+            }
+        }
+        "needs_human_review" => {
+            validate_active_task(task_state.get("activeTask"), errors);
+            validate_active_task_references(
+                task_state.get("activeTask"),
+                root,
+                errors,
+                Some(status),
+            )?;
+            validate_blocker(task_state.get("blocker"), errors);
+            validate_human_review_blocker_paths(
+                task_state.get("activeTask"),
+                task_state.get("blocker"),
+                root,
+                errors,
+            )?;
+            validate_proof_evidence_covers_changed_paths(
+                task_state.get("activeTask"),
+                root,
+                errors,
+            )?;
+            errors.push(format_blocker(
+                "Human review required",
+                task_state.get("blocker"),
+            ));
+        }
+        "blocked" => {
+            validate_active_task(task_state.get("activeTask"), errors);
+            validate_blocker(task_state.get("blocker"), errors);
+            errors.push(format_blocker("Task is blocked", task_state.get("blocker")));
+        }
+        "complete" => errors.push(
+            "Task is complete; use node .naome/bin/check-task-state.js for completion validation."
+                .to_string(),
+        ),
+        "idle" => errors.push(
+            "No active task is in progress; use --admission before starting feature work."
+                .to_string(),
+        ),
+        _ => {}
+    }
+
+    Ok(())
+}
+
+fn validate_admission(
+    task_state: &Value,
+    root: &Path,
+    errors: &mut Vec<String>,
+) -> Result<(), NaomeError> {
+    validate_init_complete(root, errors)?;
+    validate_upgrade_complete(root, errors)?;
+
+    let status = task_state
+        .get("status")
+        .and_then(Value::as_str)
+        .unwrap_or("invalid");
+    match status {
+        "idle" => validate_idle_state(task_state, errors),
+        "complete" => {
+            validate_active_task(task_state.get("activeTask"), errors);
+            validate_active_task_references(
+                task_state.get("activeTask"),
+                root,
+                errors,
+                Some(status),
+            )?;
+            validate_complete_task(
+                task_state.get("activeTask"),
+                task_state.get("blocker"),
+                root,
+                errors,
+                &mut Vec::new(),
+            )?;
+        }
+        "needs_human_review" => {
+            let start = errors.len();
+            validate_active_task(task_state.get("activeTask"), errors);
+            validate_active_task_references(
+                task_state.get("activeTask"),
+                root,
+                errors,
+                Some(status),
+            )?;
+            validate_blocker(task_state.get("blocker"), errors);
+            validate_human_review_blocker_paths(
+                task_state.get("activeTask"),
+                task_state.get("blocker"),
+                root,
+                errors,
+            )?;
+            validate_proof_evidence_covers_changed_paths(
+                task_state.get("activeTask"),
+                root,
+                errors,
+            )?;
+            if errors.len() > start {
+                errors.push("Task admission is blocked because needs_human_review state is invalid; fix blocker paths and proof evidence before asking for a human decision.".to_string());
+            } else {
+                errors.push(format_blocker(
+                    "Task admission is blocked",
+                    task_state.get("blocker"),
+                ));
+            }
+        }
+        "blocked" => {
+            validate_blocker(task_state.get("blocker"), errors);
+            errors.push(format_blocker(
+                "Task admission is blocked",
+                task_state.get("blocker"),
+            ));
+        }
+        other => errors.push(format!(
+            "Task admission is blocked because task state is {other}."
+        )),
+    }
+
+    validate_clean_git_diff(task_state, root, errors)
+}
+
+fn validate_upgrade_complete(root: &Path, errors: &mut Vec<String>) -> Result<(), NaomeError> {
+    let Some(upgrade_state) = read_json(root, ".naome/upgrade-state.json", errors)? else {
+        return Ok(());
+    };
+
+    if upgrade_state.get("status").and_then(Value::as_str) != Some("complete") {
+        let pending = upgrade_state
+            .get("pending")
+            .and_then(Value::as_array)
+            .map(|values| {
+                values
+                    .iter()
+                    .filter_map(Value::as_str)
+                    .collect::<Vec<_>>()
+                    .join(", ")
+            })
+            .unwrap_or_else(|| "unknown".to_string());
+        errors.push(format!("NAOME upgrade is not complete. Finish docs/naome/upgrade.md before feature work. Pending: {pending}"));
+    }
+    Ok(())
+}
+
+fn validate_init_complete(root: &Path, errors: &mut Vec<String>) -> Result<(), NaomeError> {
+    let Some(init_state) = read_json(root, ".naome/init-state.json", errors)? else {
+        return Ok(());
+    };
+
+    if init_state.get("initialized").and_then(Value::as_bool) != Some(true)
+        || init_state.get("intakeStatus").and_then(Value::as_str) != Some("complete")
+    {
+        errors.push(
+            "NAOME intake is not complete. Finish docs/naome/first-run.md before feature work."
+                .to_string(),
+        );
+    }
+    Ok(())
+}
+
+fn validate_clean_git_diff(
+    task_state: &Value,
+    root: &Path,
+    errors: &mut Vec<String>,
+) -> Result<(), NaomeError> {
+    let changed_paths = read_git_changed_paths(root)?;
+    if !changed_paths.is_empty() {
+        errors.push(format_dirty_diff_admission_blocker(
+            task_state,
+            root,
+            &changed_paths,
+        )?);
+    }
+    Ok(())
+}
+
+fn validate_commit_gate(
+    task_state: &Value,
+    root: &Path,
+    errors: &mut Vec<String>,
+    notices: &mut Vec<String>,
+) -> Result<(), NaomeError> {
+    let changed_paths = read_git_changed_paths(root)?;
+    if changed_paths.is_empty() {
+        return Ok(());
+    }
+
+    let status = task_state
+        .get("status")
+        .and_then(Value::as_str)
+        .unwrap_or("invalid");
+    if status == "complete" {
+        validate_active_task(task_state.get("activeTask"), errors);
+        validate_active_task_references(task_state.get("activeTask"), root, errors, Some(status))?;
+        validate_complete_task(
+            task_state.get("activeTask"),
+            task_state.get("blocker"),
+            root,
+            errors,
+            notices,
+        )?;
+        return Ok(());
+    }
+
+    if status == "idle" && is_install_or_upgrade_baseline_diff(root, &changed_paths)? {
+        return Ok(());
+    }
+
+    if status == "idle" && is_harness_repair_diff(root, &changed_paths)? {
+        return Ok(());
+    }
+
+    validate_init_complete(root, errors)?;
+    validate_upgrade_complete(root, errors)?;
+
+    if status == "idle" {
+        errors.push(format!("NAOME commit gate blocked: changed paths are not owned by a completed task state. Changed paths: {}. Finish a NAOME task and use naome commit, or reconcile the diff before committing.", changed_paths.join(", ")));
+        return Ok(());
+    }
+
+    if status == "blocked" || status == "needs_human_review" {
+        validate_blocker(task_state.get("blocker"), errors);
+    }
+
+    errors.push(format!("NAOME commit gate blocked because task state is {status}. Finish or revise the active task, set it to complete with fresh proof, then use naome commit. Human options: continue_current_task, request_task_changes, mark_task_blocked, cancel_task_state."));
+    Ok(())
+}
+
+fn validate_push_gate(task_state: &Value, errors: &mut Vec<String>) {
+    let status = task_state
+        .get("status")
+        .and_then(Value::as_str)
+        .unwrap_or("invalid");
+    if !BLOCKING_STATUS.contains(&status) {
+        return;
+    }
+
+    if status == "blocked" || status == "needs_human_review" {
+        validate_blocker(task_state.get("blocker"), errors);
+    }
+
+    errors.push(format!("NAOME push gate blocked because task state is {status}. Resolve the active task before pushing. Human options: continue_current_task, request_task_changes, mark_task_blocked, cancel_task_state."));
+}
+
+fn format_dirty_diff_admission_blocker(
+    task_state: &Value,
+    root: &Path,
+    changed_paths: &[String],
+) -> Result<String, NaomeError> {
+    let prefix = format!(
+        "Task admission requires a clean git diff. Changed paths: {}.",
+        changed_paths.join(", ")
+    );
+
+    if is_harness_repair_diff(root, changed_paths)? {
+        return Ok(format!("{prefix} These look like completed Harness Repair changes. Ask the user to choose exactly one: commit_repair_baseline, review_repair_diff, cancel_repair_baseline. Do not commit without explicit user selection."));
+    }
+
+    if is_completed_task_diff(task_state, changed_paths) {
+        return Ok(format!("{prefix} These look like completed task changes. Ask the user to choose exactly one: commit_task_baseline, review_task_diff, request_task_changes, cancel_task_changes. Do not commit without explicit user selection."));
+    }
+
+    if is_naome_baseline_diff(changed_paths) {
+        return Ok(format!("{prefix} These look like completed NAOME install or upgrade changes. Ask the user to choose exactly one: commit_upgrade_baseline, review_diff_first, cancel_upgrade_baseline. Do not commit without explicit user selection."));
+    }
+
+    Ok(format!("{prefix} Ask the user to choose exactly one: review_task_diff, request_task_changes, cancel_task_changes. Do not start new feature work or commit without explicit user selection."))
+}
+
+fn is_harness_repair_diff(root: &Path, changed_paths: &[String]) -> Result<bool, NaomeError> {
+    let machine_owned_paths = read_machine_owned_paths(root)?;
+    if machine_owned_paths.is_empty() {
+        return Ok(false);
+    }
+
+    let has_repair_signal = changed_paths
+        .iter()
+        .any(|path| machine_owned_paths.contains(path) || is_repair_archive_path(path));
+    if !has_repair_signal {
+        return Ok(false);
+    }
+
+    Ok(changed_paths
+        .iter()
+        .all(|path| machine_owned_paths.contains(path) || is_repair_support_path(path)))
+}
+
+fn is_repair_support_path(path: &str) -> bool {
+    path == ".naome/manifest.json"
+        || path == ".naome/upgrade-state.json"
+        || is_repair_archive_path(path)
+}
+
+fn is_repair_archive_path(path: &str) -> bool {
+    path.starts_with(".naome/archive/repair-")
+}
+
+fn is_completed_task_diff(task_state: &Value, changed_paths: &[String]) -> bool {
+    if task_state.get("status").and_then(Value::as_str) != Some("complete") {
+        return false;
+    }
+    let Some(active_task) = task_state.get("activeTask") else {
+        return false;
+    };
+    let allowed_paths = string_array(active_task.get("allowedPaths")).unwrap_or_default();
+    let task_paths: Vec<&String> = changed_paths
+        .iter()
+        .filter(|path| path.as_str() != CONTROL_STATE_PATH)
+        .collect();
+    !task_paths.is_empty()
+        && task_paths
+            .iter()
+            .all(|path| matches_any_pattern(path, &allowed_paths))
+}
+
+fn is_naome_baseline_diff(changed_paths: &[String]) -> bool {
+    changed_paths.iter().all(|path| {
+        path == "AGENTS.md"
+            || path == ".gitignore"
+            || path == ".naomeignore"
+            || path.starts_with(".naome/")
+            || path.starts_with("docs/naome/")
+    })
+}
+
+fn is_install_or_upgrade_baseline_diff(
+    root: &Path,
+    changed_paths: &[String],
+) -> Result<bool, NaomeError> {
+    if !is_naome_baseline_diff(changed_paths) {
+        return Ok(false);
+    }
+
+    let has_setup_signal = changed_paths.iter().any(|path| {
+        matches!(
+            path.as_str(),
+            "AGENTS.md"
+                | ".gitignore"
+                | ".naomeignore"
+                | ".naome/init-state.json"
+                | ".naome/manifest.json"
+                | ".naome/package.json"
+                | ".naome/task-contract.schema.json"
+                | ".naome/upgrade-state.json"
+        )
+    });
+    if !has_setup_signal {
+        return Ok(false);
+    }
+
+    if read_init_incomplete(root)? || read_upgrade_baseline_signal(root)? {
+        return Ok(true);
+    }
+
+    Ok(changed_paths.iter().any(|path| {
+        matches!(
+            path.as_str(),
+            ".naome/init-state.json" | ".naome/manifest.json" | ".naome/upgrade-state.json"
+        )
+    }))
+}
+
+fn read_init_incomplete(root: &Path) -> Result<bool, NaomeError> {
+    let Some(init_state) = read_json(root, ".naome/init-state.json", &mut Vec::new())? else {
+        return Ok(false);
+    };
+
+    Ok(
+        init_state.get("initialized").and_then(Value::as_bool) != Some(true)
+            || init_state.get("intakeStatus").and_then(Value::as_str) != Some("complete"),
+    )
+}
+
+fn read_upgrade_baseline_signal(root: &Path) -> Result<bool, NaomeError> {
+    let Some(upgrade_state) = read_json(root, ".naome/upgrade-state.json", &mut Vec::new())? else {
+        return Ok(false);
+    };
+
+    Ok(upgrade_state.get("fromVersion").is_some()
+        || upgrade_state
+            .get("pending")
+            .and_then(Value::as_array)
+            .is_some_and(|pending| !pending.is_empty())
+        || upgrade_state
+            .get("completed")
+            .and_then(Value::as_array)
+            .is_some_and(|completed| !completed.is_empty()))
+}
+
+fn read_machine_owned_paths(root: &Path) -> Result<HashSet<String>, NaomeError> {
+    let Some(manifest) = read_json(root, ".naome/manifest.json", &mut Vec::new())? else {
+        return Ok(HashSet::new());
+    };
+
+    Ok(manifest
+        .get("machineOwned")
+        .and_then(Value::as_array)
+        .into_iter()
+        .flatten()
+        .filter_map(Value::as_str)
+        .filter(|value| is_non_empty_string(value))
+        .map(normalize_path)
+        .collect())
+}
+
+fn add_completed_task_diff_notice(
+    root: &Path,
+    notices: &mut Vec<String>,
+) -> Result<(), NaomeError> {
+    let changed_paths = read_git_changed_paths(root)?;
+    if changed_paths.is_empty() {
+        return Ok(());
+    }
+
+    notices.push(format!("Next task admission is blocked until the completed task diff is resolved. Changed paths: {}. Ask the user to choose exactly one: commit_task_baseline, review_task_diff, request_task_changes, cancel_task_changes. Do not start new feature work until one option is resolved.", changed_paths.join(", ")));
+    Ok(())
+}
+
+fn read_git_changed_paths(root: &Path) -> Result<Vec<String>, NaomeError> {
+    Ok(read_git_changed_entries(root)?
+        .into_iter()
+        .map(|entry| entry.path)
+        .collect())
+}
+
+fn read_git_changed_entries(root: &Path) -> Result<Vec<ChangedEntry>, NaomeError> {
+    let git_check = run_git(root, ["rev-parse", "--is-inside-work-tree"])?;
+    if !git_check.status.success() {
+        return Err(NaomeError::new(
+            "complete task validation requires a git work tree.",
+        ));
+    }
+
+    let mut entries: HashMap<String, ChangedEntry> = HashMap::new();
+    for args in [
+        vec!["diff", "--name-status", "-z"],
+        vec!["diff", "--name-status", "--cached", "-z"],
+    ] {
+        let output = Command::new("git").args(&args).current_dir(root).output()?;
+        if !output.status.success() {
+            return Err(NaomeError::new(format!(
+                "git {} failed: {}",
+                args.join(" "),
+                command_output(&output)
+            )));
+        }
+
+        for entry in parse_name_status_output(&output.stdout) {
+            upsert_changed_entry(&mut entries, entry);
+        }
+    }
+
+    let untracked = run_git(root, ["ls-files", "--others", "--exclude-standard", "-z"])?;
+    if !untracked.status.success() {
+        return Err(NaomeError::new(format!(
+            "git ls-files --others --exclude-standard -z failed: {}",
+            command_output(&untracked)
+        )));
+    }
+
+    for token in split_nul(&untracked.stdout) {
+        let path = normalize_path(token.trim());
+        if !path.is_empty() {
+            upsert_changed_entry(
+                &mut entries,
+                ChangedEntry {
+                    path,
+                    status: "added".to_string(),
+                },
+            );
+        }
+    }
+
+    let mut entries: Vec<ChangedEntry> = entries.into_values().collect();
+    entries.sort_by(|left, right| left.path.cmp(&right.path));
+    Ok(entries)
+}
+
+fn parse_name_status_output(output: &[u8]) -> Vec<ChangedEntry> {
+    let tokens = split_nul(output);
+    let mut entries = Vec::new();
+    let mut index = 0;
+
+    while index < tokens.len() {
+        let raw_status = &tokens[index];
+        index += 1;
+        let status_code = raw_status.chars().next().unwrap_or('M');
+
+        if status_code == 'R' || status_code == 'C' {
+            let from_path = normalize_path(tokens.get(index).map(String::as_str).unwrap_or(""));
+            index += 1;
+            let to_path = normalize_path(tokens.get(index).map(String::as_str).unwrap_or(""));
+            index += 1;
+            if !from_path.is_empty() {
+                entries.push(ChangedEntry {
+                    path: from_path,
+                    status: "deleted".to_string(),
+                });
+            }
+            if !to_path.is_empty() {
+                entries.push(ChangedEntry {
+                    path: to_path,
+                    status: "renamed".to_string(),
+                });
+            }
+            continue;
+        }
+
+        let path = normalize_path(tokens.get(index).map(String::as_str).unwrap_or(""));
+        index += 1;
+        if path.is_empty() {
+            continue;
+        }
+
+        entries.push(ChangedEntry {
+            path,
+            status: git_status_code_to_evidence_status(status_code).to_string(),
+        });
+    }
+
+    entries
+}
+
+fn split_nul(output: &[u8]) -> Vec<String> {
+    output
+        .split(|byte| *byte == 0)
+        .filter(|token| !token.is_empty())
+        .map(|token| String::from_utf8_lossy(token).to_string())
+        .collect()
+}
+
+fn git_status_code_to_evidence_status(status_code: char) -> &'static str {
+    match status_code {
+        'A' => "added",
+        'D' => "deleted",
+        _ => "modified",
+    }
+}
+
+fn upsert_changed_entry(entries: &mut HashMap<String, ChangedEntry>, entry: ChangedEntry) {
+    let should_replace = entries
+        .get(&entry.path)
+        .map(|existing| status_rank(&entry.status) > status_rank(&existing.status))
+        .unwrap_or(true);
+    if should_replace {
+        entries.insert(entry.path.clone(), entry);
+    }
+}
+
+fn status_rank(status: &str) -> u8 {
+    match status {
+        "deleted" => 4,
+        "renamed" => 3,
+        "added" => 2,
+        _ => 1,
+    }
+}
+
+fn read_git_head(root: &Path) -> Result<Option<String>, NaomeError> {
+    let output = run_git(root, ["rev-parse", "HEAD"])?;
+    if !output.status.success() {
+        return Ok(None);
+    }
+    Ok(Some(
+        String::from_utf8_lossy(&output.stdout).trim().to_string(),
+    ))
+}
+
+fn git_commit_exists(root: &Path, commit: &str) -> Result<bool, NaomeError> {
+    Ok(
+        run_git(root, ["cat-file", "-e", &format!("{commit}^{{commit}}")])?
+            .status
+            .success(),
+    )
+}
+
+fn run_git<const N: usize>(
+    root: &Path,
+    args: [&str; N],
+) -> Result<std::process::Output, NaomeError> {
+    Ok(Command::new("git").args(args).current_dir(root).output()?)
+}
+
+fn command_output(output: &std::process::Output) -> String {
+    let stderr = String::from_utf8_lossy(&output.stderr).trim().to_string();
+    if !stderr.is_empty() {
+        return stderr;
+    }
+    String::from_utf8_lossy(&output.stdout).trim().to_string()
+}
+
+fn matches_any_pattern(path: &str, patterns: &[String]) -> bool {
+    patterns
+        .iter()
+        .any(|pattern| matches_path_pattern(path, pattern))
+}
+
+fn matches_path_pattern(path: &str, pattern: &str) -> bool {
+    let normalized_path = normalize_path(path);
+    let normalized_pattern = normalize_path(pattern);
+
+    if normalized_path == normalized_pattern {
+        return true;
+    }
+
+    if let Some(prefix) = normalized_pattern.strip_suffix("/**") {
+        return normalized_path == prefix || normalized_path.starts_with(&format!("{prefix}/"));
+    }
+
+    if !normalized_pattern.contains('*') {
+        return false;
+    }
+
+    let path_to_match = if normalized_pattern.contains('/') {
+        normalized_path
+    } else {
+        PathBuf::from(&normalized_path)
+            .file_name()
+            .map(|name| name.to_string_lossy().to_string())
+            .unwrap_or(normalized_path)
+    };
+    wildcard_match(path_to_match.as_bytes(), normalized_pattern.as_bytes())
+}
+
+fn wildcard_match(value: &[u8], pattern: &[u8]) -> bool {
+    let (mut value_index, mut pattern_index) = (0, 0);
+    let mut star_index = None;
+    let mut match_index = 0;
+
+    while value_index < value.len() {
+        if pattern_index < pattern.len()
+            && pattern[pattern_index] != b'*'
+            && pattern[pattern_index] == value[value_index]
+        {
+            value_index += 1;
+            pattern_index += 1;
+        } else if pattern_index < pattern.len() && pattern[pattern_index] == b'*' {
+            star_index = Some(pattern_index);
+            match_index = value_index;
+            pattern_index += 1;
+        } else if let Some(star) = star_index {
+            pattern_index = star + 1;
+            match_index += 1;
+            value_index = match_index;
+        } else {
+            return false;
+        }
+    }
+
+    while pattern_index < pattern.len() && pattern[pattern_index] == b'*' {
+        pattern_index += 1;
+    }
+
+    pattern_index == pattern.len()
+}
+
+fn read_json(
+    root: &Path,
+    relative_path: &str,
+    errors: &mut Vec<String>,
+) -> Result<Option<Value>, NaomeError> {
+    let path = root.join(relative_path);
+    if !path.exists() {
+        errors.push(format!("{relative_path} is missing."));
+        return Ok(None);
+    }
+
+    match serde_json::from_str(&fs::read_to_string(path)?) {
+        Ok(value) => Ok(Some(value)),
+        Err(error) => {
+            errors.push(format!("{relative_path} is not valid JSON: {error}"));
+            Ok(None)
+        }
+    }
+}
+
+fn require_string(value: Option<&Value>, field_name: &str, errors: &mut Vec<String>) {
+    if !value
+        .and_then(Value::as_str)
+        .is_some_and(is_non_empty_string)
+    {
+        errors.push(format!("{field_name} must be a non-empty string."));
+    }
+}
+
+fn require_string_array(value: Option<&Value>, field_name: &str, errors: &mut Vec<String>) {
+    let Some(values) = value.and_then(Value::as_array) else {
+        errors.push(format!("{field_name} must be a non-empty string array."));
+        return;
+    };
+
+    if values.is_empty()
+        || values
+            .iter()
+            .any(|entry| !entry.as_str().is_some_and(is_non_empty_string))
+    {
+        errors.push(format!("{field_name} must be a non-empty string array."));
+    }
+}
+
+fn require_string_array_allow_empty(
+    value: Option<&Value>,
+    field_name: &str,
+    errors: &mut Vec<String>,
+) {
+    let Some(values) = value.and_then(Value::as_array) else {
+        errors.push(format!("{field_name} must be a string array."));
+        return;
+    };
+
+    if values
+        .iter()
+        .any(|entry| !entry.as_str().is_some_and(is_non_empty_string))
+    {
+        errors.push(format!("{field_name} must be a string array."));
+    }
+}
+
+fn string_array(value: Option<&Value>) -> Option<Vec<String>> {
+    value.and_then(Value::as_array).and_then(|values| {
+        values
+            .iter()
+            .map(|entry| {
+                entry
+                    .as_str()
+                    .filter(|value| is_non_empty_string(value))
+                    .map(ToString::to_string)
+            })
+            .collect()
+    })
+}
+
+fn is_non_empty_string(value: &str) -> bool {
+    !value.trim().is_empty()
+}
+
+fn is_id(value: &str) -> bool {
+    let mut chars = value.chars();
+    let Some(first) = chars.next() else {
+        return false;
+    };
+    (first.is_ascii_lowercase() || first.is_ascii_digit())
+        && value
+            .chars()
+            .all(|ch| ch.is_ascii_lowercase() || ch.is_ascii_digit() || ch == '-')
+}
+
+fn is_iso_datetime(value: &str) -> bool {
+    let bytes = value.as_bytes();
+    bytes.len() == 24
+        && bytes[4] == b'-'
+        && bytes[7] == b'-'
+        && bytes[10] == b'T'
+        && bytes[13] == b':'
+        && bytes[16] == b':'
+        && bytes[19] == b'.'
+        && bytes[23] == b'Z'
+        && bytes
+            .iter()
+            .enumerate()
+            .filter(|(index, _)| ![4, 7, 10, 13, 16, 19, 23].contains(index))
+            .all(|(_, byte)| byte.is_ascii_digit())
+}
+
+fn normalize_path(value: impl AsRef<str>) -> String {
+    value
+        .as_ref()
+        .replace('\\', "/")
+        .trim_start_matches("./")
+        .to_string()
+}