@lamentis/naome 1.1.0 → 1.1.2

package/Cargo.lock

@@ -76,7 +76,7 @@ checksum = "f8ca58f447f06ed17d5fc4043ce1b10dd205e060fb3ce5b979b8ed8e59ff3f79"
 
 [[package]]
 name = "naome-cli"
-version = "1.1.0"
+version = "1.1.2"
 dependencies = [
  "naome-core",
  "serde_json",
@@ -84,7 +84,7 @@ dependencies = [
 
 [[package]]
 name = "naome-core"
-version = "1.1.0"
+version = "1.1.2"
 dependencies = [
  "serde",
  "serde_json",

package/bin/naome-node.js

@@ -18,6 +18,7 @@ const updated = [];
 const skipped = [];
 const unsafeSkipped = [];
 const useColor = process.stdout.isTTY && process.env.NO_COLOR !== "1";
+const verboseOutput = process.argv.includes("--verbose");
 const healthCheckerRelativePath = ".naome/bin/check-harness-health.js";
 const taskStateCheckerRelativePath = ".naome/bin/check-task-state.js";
 const naomeCommandRelativePath = ".naome/bin/naome.js";
@@ -513,6 +514,7 @@ async function runFreshInstall() {
   patchInstalledMachineOwnedIntegrity();
   ensureBuiltInVerificationChecks();
   patchManifestDate();
+  ensureCompleteUpgradeState(null);
   ensureArchiveDirectory();
   takeoverExistingAgents();
   ensureLocalOnlySourceControlBoundary();
@@ -1454,26 +1456,31 @@ function printSummary() {
   console.log("");
   console.log(`${color.green("+")} ${summaryTitle}`);
 
-  if (installed.length > 0) {
+  const detailedOutput = shouldPrintDetailedSummary();
+  if (!detailedOutput) {
+    printCompactSummary();
+  }
+
+  if (detailedOutput && installed.length > 0) {
     const installedItems = uniqueStrings(installed);
     printSection(`Installed ${installedItems.length} ${installedItems.length === 1 ? "item" : "items"}`);
     printList(installed, "+");
   }
 
-  if (updated.length > 0) {
+  if (detailedOutput && updated.length > 0) {
     const updatedItems = uniqueStrings(updated);
     printSection(`Updated ${updatedItems.length} ${updatedItems.length === 1 ? "item" : "items"}`);
     printList(updated, "~");
   }
 
-  if (archived.length > 0) {
+  if (detailedOutput && archived.length > 0) {
     printSection("Archived");
     for (const entry of archived) {
       console.log(`${color.dim(">")} ${entry.from} -> ${entry.to}`);
     }
   }
 
-  if (skipped.length > 0) {
+  if (detailedOutput && skipped.length > 0) {
     const skippedItems = uniqueStrings(skipped);
     printSection(`Skipped ${skippedItems.length} existing ${skippedItems.length === 1 ? "path" : "paths"}`);
     printList(skipped, "-");
@@ -1484,6 +1491,11 @@ function printSummary() {
     printList(unsafeSkipped, "!");
   }
 
+  if (isRepositoryInitialized()) {
+    console.log("");
+    return;
+  }
+
   printSection("Next step");
   console.log("Copy this into your coding agent:");
   console.log("");
@@ -1493,6 +1505,35 @@ function printSummary() {
   console.log("");
 }
 
+function shouldPrintDetailedSummary() {
+  return verboseOutput || !existingInstall;
+}
+
+function printCompactSummary() {
+  const installedCount = uniqueStrings(installed).length;
+  const updatedCount = uniqueStrings(updated).length;
+  const archivedCount = archived.length;
+
+  if (installedCount > 0) {
+    console.log(`${color.dim("installed")} ${installedCount}`);
+  }
+  if (updatedCount > 0) {
+    console.log(`${color.dim("updated")} ${updatedCount}`);
+  }
+  if (archivedCount > 0) {
+    console.log(`${color.dim("archived")} ${archivedCount}`);
+  }
+}
+
+function isRepositoryInitialized() {
+  try {
+    const initState = JSON.parse(readFileSync(join(targetRoot, ".naome", "init-state.json"), "utf8"));
+    return initState.initialized === true;
+  } catch {
+    return false;
+  }
+}
+
 assertTemplateRoot();
 loadInstallPlan();
 

package/crates/naome-cli/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "naome-cli"
-version = "1.1.0"
+version = "1.1.2"
 edition.workspace = true
 license.workspace = true
 repository.workspace = true

package/crates/naome-core/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "naome-core"
-version = "1.1.0"
+version = "1.1.2"
 edition.workspace = true
 license.workspace = true
 repository.workspace = true

package/crates/naome-core/src/route.rs

@@ -8,6 +8,7 @@ use serde_json::Value;
 
 use crate::decision::{evaluate_decision, EvaluationOptions};
 use crate::git;
+use crate::harness_health::{validate_harness_health, HarnessHealthOptions};
 use crate::install_plan::{LOCAL_NATIVE_BINARY_PATHS, LOCAL_ONLY_MACHINE_OWNED_PATHS};
 use crate::intent::{evaluate_intent, IntentDecision};
 use crate::journal::{append_task_journal, TaskJournalEntry};
@@ -15,8 +16,9 @@ use crate::models::{Decision, NaomeError};
 use crate::paths;
 use crate::task_state::{
     completed_task_commit_paths, completed_task_harness_refresh_diff, harness_refresh_diff,
-    harness_refresh_with_unrelated_diff,
+    harness_refresh_with_unrelated_diff, validate_task_state, TaskStateMode, TaskStateOptions,
 };
+use crate::verification_contract::validate_verification_contract;
 
 const MAX_NAOME_TASK_WORKTREES: usize = 25;
 
@@ -109,13 +111,19 @@ pub fn evaluate_route(
                         .to_string();
             }
             "auto_commit_completed_task_then_create_isolated_task_worktree" => {
-                let before = git_head(root)?;
+                let worktree_name_head = task_worktree_name_head(root)?;
+                preflight_isolated_task_worktree(root, prompt, &worktree_name_head)?;
+                let before = Some(worktree_name_head.clone());
                 git_add_completed_task_paths(root)?;
                 git_commit(root, "chore(naome): baseline completed task")?;
                 let after = git_head(root)?;
                 journal_entry =
                     append_task_journal(root, "route_auto_baseline", before, after.clone())?;
-                let created = create_isolated_task_worktree(root, prompt)?;
+                let created = create_isolated_task_worktree_with_name_head(
+                    root,
+                    prompt,
+                    &worktree_name_head,
+                )?;
                 task_root = PathBuf::from(&created.path);
                 mutation_performed = true;
                 executed_actions.push("commit_task_baseline".to_string());
@@ -147,6 +155,8 @@ pub fn evaluate_route(
                 user_message = "NAOME baselined the harness refresh and completed task, then admitted the next task.".to_string();
             }
             "auto_commit_harness_refresh_then_create_isolated_task_worktree" => {
+                let worktree_name_head = task_worktree_name_head(root)?;
+                preflight_isolated_task_worktree(root, prompt, &worktree_name_head)?;
                 let Some(split) = harness_refresh_with_unrelated_diff(root)? else {
                     return Err(NaomeError::new(
                         "Unable to split harness refresh paths from unrelated dirty paths.",
@@ -154,7 +164,11 @@ pub fn evaluate_route(
                 };
                 git_stage_only_paths(root, &split.harness_paths)?;
                 git_commit(root, "chore(naome): baseline harness refresh")?;
-                let created = create_isolated_task_worktree(root, prompt)?;
+                let created = create_isolated_task_worktree_with_name_head(
+                    root,
+                    prompt,
+                    &worktree_name_head,
+                )?;
                 task_root = PathBuf::from(&created.path);
                 mutation_performed = true;
                 executed_actions.push("commit_harness_refresh_baseline".to_string());
@@ -591,7 +605,7 @@ fn run_user_diff_quality_gate(
                     "Quality check {check_id} is referenced but not defined."
                 )));
             };
-            run_quality_check(root, check)?;
+            run_quality_check(root, check_id, check)?;
         }
 
         let current_paths = git::changed_paths(root)?;
@@ -606,7 +620,7 @@ fn run_user_diff_quality_gate(
 
         validate_changed_text_whitespace(root, changed_paths)?;
         if let Some(check) = checks.get("diff-check") {
-            run_quality_check(root, check)?;
+            run_quality_check(root, "diff-check", check)?;
         }
         let current_paths = git::changed_paths(root)?;
         let current_set = sorted_path_set(&current_paths);
@@ -814,27 +828,238 @@ fn push_unique_string(values: &mut Vec<String>, value: &str) {
     }
 }
 
-fn run_quality_check(root: &Path, check: &QualityCheck) -> Result<(), NaomeError> {
-    let cwd = root.join(&check.cwd);
-    let output = if cfg!(windows) {
-        Command::new("cmd")
-            .args(["/C", &check.command])
-            .current_dir(cwd)
-            .output()?
+fn run_quality_check(root: &Path, check_id: &str, check: &QualityCheck) -> Result<(), NaomeError> {
+    match check_id {
+        "installer-tests" => require_builtin_quality_check(
+            check_id,
+            check,
+            "npm run test:naome-installer",
+        ),
+        "rust-build" => require_builtin_quality_check(check_id, check, "npm run build:rust"),
+        "decision-engine-tests" => {
+            require_builtin_quality_check(check_id, check, "npm run test:decision-engine")
+        }
+        "package-dry-run" => require_builtin_quality_check(check_id, check, "npm run pack:dry-run"),
+        "diff-check" => {
+            require_builtin_quality_check(check_id, check, "git diff --check")?;
+            let output = Command::new("git")
+                .args(["diff", "--check"])
+                .current_dir(root)
+                .output()?;
+
+            if output.status.success() {
+                Ok(())
+            } else {
+                Err(NaomeError::new(command_output(&output)))
+            }
+        }
+        "naome-harness-health" => {
+            require_builtin_quality_check(
+                check_id,
+                check,
+                "node .naome/bin/check-harness-health.js",
+            )?;
+            run_harness_health_check(root)
+        }
+        "dogfood-health" => {
+            require_builtin_quality_check(check_id, check, "npm run dogfood:health")?;
+            run_harness_health_check(root)
+        }
+        "task-state-check" => {
+            require_builtin_quality_check(check_id, check, "npm run check:task-state")?;
+            run_template_task_state_check(root)
+        }
+        "verification-contract-check" => {
+            require_builtin_quality_check(
+                check_id,
+                check,
+                "npm run check:verification-contract",
+            )?;
+            run_template_verification_contract_check(root)
+        }
+        "context-budget-check" => {
+            require_builtin_quality_check(check_id, check, "npm run check:context-budget")?;
+            run_context_budget_check(root)
+        }
+        _ => Err(NaomeError::new(format!(
+            "Quality check {check_id} is not a built-in safe check; NAOME will not execute repository-controlled verification commands."
+        ))),
+    }
+}
+
+fn require_builtin_quality_check(
+    check_id: &str,
+    check: &QualityCheck,
+    expected_command: &str,
+) -> Result<(), NaomeError> {
+    if check.cwd == "." && check.command == expected_command {
+        return Ok(());
+    }
+
+    Err(NaomeError::new(format!(
+        "Quality check {check_id} has an unsafe command or cwd; expected command `{expected_command}` with cwd `.`."
+    )))
+}
+
+fn run_harness_health_check(root: &Path) -> Result<(), NaomeError> {
+    let errors = validate_harness_health(
+        root,
+        HarnessHealthOptions {
+            expected_integrity: packaged_harness_integrity()?,
+            ..HarnessHealthOptions::default()
+        },
+    )?;
+    if errors.is_empty() {
+        Ok(())
     } else {
-        Command::new("sh")
-            .args(["-c", &check.command])
-            .current_dir(cwd)
-            .output()?
-    };
+        Err(NaomeError::new(errors.join("\n")))
+    }
+}
 
-    if output.status.success() {
+fn packaged_harness_integrity() -> Result<std::collections::HashMap<String, String>, NaomeError> {
+    const CHECKER: &str =
+        include_str!("../../../templates/naome-root/.naome/bin/check-harness-health.js");
+    let start_marker = "const expectedMachineOwnedIntegrity = Object.freeze({";
+    let start = CHECKER
+        .find(start_marker)
+        .ok_or_else(|| NaomeError::new("Packaged harness integrity block is missing."))?;
+    let body_start = start + start_marker.len();
+    let end = CHECKER[body_start..]
+        .find("\n});")
+        .map(|offset| body_start + offset)
+        .ok_or_else(|| NaomeError::new("Packaged harness integrity block is incomplete."))?;
+
+    let mut integrity = std::collections::HashMap::new();
+    for line in CHECKER[body_start..end].lines() {
+        let line = line.trim().trim_end_matches(',').trim();
+        if line.is_empty() {
+            continue;
+        }
+        let Some((path, hash)) = line.split_once(':') else {
+            return Err(NaomeError::new(format!(
+                "Packaged harness integrity entry is invalid: {line}"
+            )));
+        };
+        let path: String = serde_json::from_str(path.trim()).map_err(|error| {
+            NaomeError::new(format!(
+                "Packaged harness integrity path is invalid: {error}"
+            ))
+        })?;
+        let hash: String = serde_json::from_str(hash.trim()).map_err(|error| {
+            NaomeError::new(format!(
+                "Packaged harness integrity hash is invalid: {error}"
+            ))
+        })?;
+        integrity.insert(path, hash);
+    }
+
+    if integrity.is_empty() {
+        return Err(NaomeError::new(
+            "Packaged harness integrity block is empty.",
+        ));
+    }
+
+    Ok(integrity)
+}
+
+fn run_template_task_state_check(root: &Path) -> Result<(), NaomeError> {
+    let template_root = template_root(root);
+    let report = validate_task_state(
+        &template_root,
+        TaskStateOptions {
+            mode: TaskStateMode::State,
+            harness_health: Some(HarnessHealthOptions {
+                expected_integrity: packaged_harness_integrity()?,
+                allow_missing_archive: true,
+                ..HarnessHealthOptions::default()
+            }),
+        },
+    )?;
+    if report.errors.is_empty() {
         Ok(())
     } else {
-        Err(NaomeError::new(command_output(&output)))
+        Err(NaomeError::new(report.errors.join("\n")))
+    }
+}
+
+fn run_template_verification_contract_check(root: &Path) -> Result<(), NaomeError> {
+    let errors = validate_verification_contract(&template_root(root))?;
+    if errors.is_empty() {
+        Ok(())
+    } else {
+        Err(NaomeError::new(errors.join("\n")))
+    }
+}
+
+fn run_context_budget_check(root: &Path) -> Result<(), NaomeError> {
+    let template_root = template_root(root);
+    let mut context_files = vec![
+        template_root.join("AGENTS.md"),
+        template_root.join(".naomeignore"),
+    ];
+    context_files.extend(markdown_files(&template_root.join("docs").join("naome"))?);
+    context_files.sort();
+
+    let mut errors = Vec::new();
+    for path in context_files {
+        let content = fs::read_to_string(&path)?;
+        let line_count = count_lines(&content);
+        if line_count > 200 {
+            errors.push(format!(
+                "{}: {line_count} lines",
+                display_repo_path(root, &path)
+            ));
+        }
+    }
+
+    if errors.is_empty() {
+        Ok(())
+    } else {
+        Err(NaomeError::new(format!(
+            "NAOME context budget exceeded. Limit: 200 lines per file.\n{}",
+            errors.join("\n")
+        )))
     }
 }
 
+fn template_root(root: &Path) -> PathBuf {
+    root.join("packages")
+        .join("naome")
+        .join("templates")
+        .join("naome-root")
+}
+
+fn markdown_files(dir: &Path) -> Result<Vec<PathBuf>, NaomeError> {
+    let mut files = Vec::new();
+    for entry in fs::read_dir(dir)? {
+        let entry = entry?;
+        let path = entry.path();
+        if path.is_dir() {
+            files.extend(markdown_files(&path)?);
+        } else if path.is_file() && path.extension().is_some_and(|extension| extension == "md") {
+            files.push(path);
+        }
+    }
+    Ok(files)
+}
+
+fn count_lines(content: &str) -> usize {
+    if content.is_empty() {
+        0
+    } else if content.ends_with('\n') {
+        content.split('\n').count() - 1
+    } else {
+        content.split('\n').count()
+    }
+}
+
+fn display_repo_path(root: &Path, path: &Path) -> String {
+    path.strip_prefix(root)
+        .unwrap_or(path)
+        .to_string_lossy()
+        .to_string()
+}
+
 fn git_commit(root: &Path, message: &str) -> Result<(), NaomeError> {
     let output = Command::new("git")
         .args(["commit", "-m", message])
@@ -848,10 +1073,19 @@ fn git_commit(root: &Path, message: &str) -> Result<(), NaomeError> {
 }
 
 fn create_isolated_task_worktree(root: &Path, prompt: &str) -> Result<RouteWorktree, NaomeError> {
+    let name_head = task_worktree_name_head(root)?;
+    create_isolated_task_worktree_with_name_head(root, prompt, &name_head)
+}
+
+fn create_isolated_task_worktree_with_name_head(
+    root: &Path,
+    prompt: &str,
+    name_head: &str,
+) -> Result<RouteWorktree, NaomeError> {
     let base_head = git_head(root)?.ok_or_else(|| {
         NaomeError::new("Cannot create task worktree because the repository has no HEAD.")
     })?;
-    let short_head = base_head.chars().take(12).collect::<String>();
+    let short_head = name_head.chars().take(12).collect::<String>();
     let slug = prompt_slug(prompt);
     let common_git_dir = git_common_dir(root)?;
     let worktree_base = common_git_dir.join("naome").join("worktrees");
@@ -900,6 +1134,48 @@ fn create_isolated_task_worktree(root: &Path, prompt: &str) -> Result<RouteWorkt
     ))
 }
 
+fn preflight_isolated_task_worktree(
+    root: &Path,
+    prompt: &str,
+    name_head: &str,
+) -> Result<(), NaomeError> {
+    let short_head = name_head.chars().take(12).collect::<String>();
+    let slug = prompt_slug(prompt);
+    let common_git_dir = git_common_dir(root)?;
+    let worktree_base = common_git_dir.join("naome").join("worktrees");
+    fs::create_dir_all(&worktree_base)?;
+    let worktree_count = existing_naome_task_worktree_count(&worktree_base)?;
+    if worktree_count >= MAX_NAOME_TASK_WORKTREES {
+        return Err(NaomeError::new(format!(
+            "Too many NAOME task worktrees are present ({worktree_count}). Finish or remove old task worktrees before creating another isolated task worktree."
+        )));
+    }
+
+    for attempt in 1..100 {
+        let suffix = if attempt == 1 {
+            String::new()
+        } else {
+            format!("-{attempt}")
+        };
+        let name = format!("{slug}-{short_head}{suffix}");
+        let branch = format!("naome/task/{name}");
+        let path = worktree_base.join(&name);
+        if !path.exists() && !git_branch_exists(root, &branch)? {
+            return Ok(());
+        }
+    }
+
+    Err(NaomeError::new(
+        "Cannot create a unique NAOME task worktree after 99 attempts.",
+    ))
+}
+
+fn task_worktree_name_head(root: &Path) -> Result<String, NaomeError> {
+    git_head(root)?.ok_or_else(|| {
+        NaomeError::new("Cannot create task worktree because the repository has no HEAD.")
+    })
+}
+
 fn existing_naome_task_worktree_count(worktree_base: &Path) -> Result<usize, NaomeError> {
     let mut count = 0;
     for entry in fs::read_dir(worktree_base)? {

package/crates/naome-core/src/task_state.rs

@@ -1469,10 +1469,10 @@ fn validate_commit_gate(
         .get("status")
         .and_then(Value::as_str)
         .unwrap_or("invalid");
-    if status == "complete" && completed_task_harness_refresh_diff(root)?.is_some() {
-        if is_safe_harness_refresh_diff(&changed_paths) {
-            return Ok(());
-        }
+    if status == "complete" && is_deterministic_harness_refresh_diff(&changed_paths) {
+        validate_pending_upgrade(task_state, root, errors)?;
+        validate_completed_task_for_harness_refresh(task_state, root, &staged_entries, errors)?;
+        return Ok(());
     }
 
     if status == "complete" {
@@ -1525,6 +1525,49 @@ fn validate_commit_gate(
     Ok(())
 }
 
+fn validate_completed_task_for_harness_refresh(
+    task_state: &Value,
+    root: &Path,
+    staged_entries: &[ChangedEntry],
+    errors: &mut Vec<String>,
+) -> Result<(), NaomeError> {
+    validate_active_task(task_state.get("activeTask"), errors);
+    validate_active_task_references(task_state.get("activeTask"), root, errors, Some("complete"))?;
+    if !task_state.get("blocker").is_some_and(Value::is_null) {
+        errors.push("complete task state must have blocker set to null.".to_string());
+    }
+
+    let Some(active_task) = task_state.get("activeTask") else {
+        return Ok(());
+    };
+
+    let check_ids = read_verification_check_ids(root, errors)?;
+    validate_required_check_ids(active_task, &check_ids, errors);
+
+    let mut validation_errors = Vec::new();
+    validate_complete_task_against_entries(
+        active_task,
+        root,
+        &check_ids,
+        staged_entries,
+        &mut validation_errors,
+    )?;
+
+    let staged_harness_paths = task_diff_from_entries(active_task, staged_entries).outside_paths;
+    let allowed_scope_error = format!(
+        "Changed files outside allowedPaths: {}",
+        staged_harness_paths.join(", ")
+    );
+
+    errors.extend(
+        validation_errors
+            .into_iter()
+            .filter(|error| error != &allowed_scope_error),
+    );
+
+    Ok(())
+}
+
 fn validate_push_gate(task_state: &Value, errors: &mut Vec<String>) {
     let status = task_state
         .get("status")
@@ -1598,8 +1641,11 @@ fn is_safe_harness_refresh_path(path: &str) -> bool {
     is_packaged_machine_owned_path(path) || is_repair_support_path(path)
 }
 
-fn is_safe_harness_refresh_diff(changed_paths: &[String]) -> bool {
+fn is_deterministic_harness_refresh_diff(changed_paths: &[String]) -> bool {
     !changed_paths.is_empty()
+        && changed_paths
+            .iter()
+            .any(|path| is_packaged_machine_owned_path(path) || is_repair_archive_path(path))
         && changed_paths
             .iter()
             .all(|path| is_safe_harness_refresh_path(path))

package/crates/naome-core/tests/route.rs

@@ -203,6 +203,50 @@ fn execute_route_commits_user_diff_after_quality_gate_passes() {
     assert!(route.user_message.contains("quality gates passed"));
 }
 
+#[test]
+fn execute_route_commits_product_diff_with_declared_safe_quality_checks() {
+    let repo = TestRepo::new("route-product-diff-quality-pass");
+    repo.init_git();
+    repo.write_file(
+        "packages/naome/crates/naome-core/src/route.rs",
+        "pub fn baseline() {}\n",
+    );
+    repo.write_base_naome_state(json!({ "status": "idle", "activeTask": null }));
+    repo.write_product_quality_verification();
+    repo.git(&["add", "."]);
+    repo.git(&["commit", "-m", "baseline"]);
+    repo.write_file(
+        "packages/naome/crates/naome-core/src/route.rs",
+        "pub fn changed() {}\n",
+    );
+
+    let route = evaluate_route(
+        repo.path(),
+        "commit my changes",
+        RouteOptions {
+            execute: true,
+            evaluation: EvaluationOptions::offline(),
+        },
+    )
+    .unwrap();
+
+    assert_eq!(route.policy_action, "commit_user_diff_with_quality_gate");
+    assert!(route.allowed);
+    assert!(route.mutation_performed);
+    assert_eq!(
+        route.executed_actions,
+        vec![
+            "run_user_diff_quality_gate".to_string(),
+            "commit_user_diff".to_string()
+        ]
+    );
+    assert_eq!(repo.git_status_short(), "");
+
+    let committed_paths = repo.git_stdout(&["show", "--name-only", "--format=", "HEAD"]);
+    assert!(committed_paths.contains("packages/naome/crates/naome-core/src/route.rs"));
+    assert!(route.user_message.contains("quality gates passed"));
+}
+
 #[test]
 fn execute_route_preserves_staged_rename_when_committing_user_diff() {
     let repo = TestRepo::new("route-user-diff-staged-rename");
@@ -334,11 +378,17 @@ fn execute_route_refuses_user_diff_commit_when_check_mutates_after_diff_check()
     assert_eq!(route.executed_actions, vec!["run_user_diff_quality_gate"]);
     assert_eq!(repo.git_stdout(&["rev-parse", "HEAD"]), before_head);
     assert!(repo.git_status_short().contains("README.md"));
-    assert!(route.user_message.contains("trailing whitespace"));
+    assert_eq!(
+        fs::read_to_string(repo.path().join("README.md")).unwrap(),
+        "# Manual edit\n"
+    );
+    assert!(route
+        .user_message
+        .contains("will not execute repository-controlled verification commands"));
 }
 
 #[test]
-fn execute_route_refuses_user_diff_commit_when_diff_check_adds_paths() {
+fn execute_route_refuses_user_diff_commit_when_diff_check_command_is_unsafe() {
     let repo = TestRepo::new("route-user-diff-mutating-diff-check");
     repo.init_git();
     repo.write_file("README.md", "# Baseline\n");
@@ -394,10 +444,10 @@ fn execute_route_refuses_user_diff_commit_when_diff_check_adds_paths() {
     assert!(!route.mutation_performed);
     assert_eq!(route.executed_actions, vec!["run_user_diff_quality_gate"]);
     assert_eq!(repo.git_stdout(&["rev-parse", "HEAD"]), before_head);
-    assert!(repo.git_status_short().contains("NEW.md"));
+    assert!(!repo.path().join("NEW.md").exists());
     assert!(route
         .user_message
-        .contains("Quality checks changed the diff path set"));
+        .contains("Quality check diff-check has an unsafe command or cwd"));
 }
 
 #[test]
@@ -432,6 +482,79 @@ fn execute_route_refuses_user_diff_commit_when_quality_gate_fails() {
     assert!(route.user_message.contains("quality gate failed"));
 }
 
+#[test]
+fn execute_route_refuses_user_diff_commit_when_dogfood_health_finds_integrity_mismatch() {
+    let repo = TestRepo::from_template("route-user-diff-dogfood-health-integrity");
+    repo.init_git();
+    repo.write_base_naome_state(json!({ "status": "idle", "activeTask": null }));
+    repo.write_dogfood_readme_quality_verification();
+    repo.write_file(
+        ".naome/bin/check-task-state.js",
+        "#!/usr/bin/env node\nconsole.log('already tampered');\n",
+    );
+    repo.git(&["add", "."]);
+    repo.git(&["commit", "-m", "baseline"]);
+    repo.write_file("README.md", "# Local edit\n");
+    let before_head = repo.git_stdout(&["rev-parse", "HEAD"]);
+
+    let route = evaluate_route(
+        repo.path(),
+        "commit my changes",
+        RouteOptions {
+            execute: true,
+            evaluation: EvaluationOptions::offline(),
+        },
+    )
+    .unwrap();
+
+    assert_eq!(route.policy_action, "commit_user_diff_with_quality_gate");
+    assert!(!route.allowed);
+    assert!(!route.mutation_performed);
+    assert_eq!(route.executed_actions, vec!["run_user_diff_quality_gate"]);
+    assert_eq!(repo.git_stdout(&["rev-parse", "HEAD"]), before_head);
+    assert!(repo.git_status_short().contains("README.md"));
+    assert!(route.user_message.contains("quality gate failed"));
+    assert!(route.user_message.contains("integrity mismatch"));
+}
+
+#[test]
+fn execute_route_refuses_user_diff_commit_when_task_state_check_finds_template_integrity_mismatch()
+{
+    let repo = TestRepo::new("route-user-diff-task-state-integrity");
+    repo.init_git();
+    repo.write_file("README.md", "# Baseline\n");
+    repo.write_base_naome_state(json!({ "status": "idle", "activeTask": null }));
+    repo.write_task_state_readme_quality_verification();
+    repo.copy_packaged_template_to_route_template_root();
+    repo.write_file(
+        "packages/naome/templates/naome-root/.naome/bin/check-task-state.js",
+        "#!/usr/bin/env node\nconsole.log('already tampered');\n",
+    );
+    repo.git(&["add", "."]);
+    repo.git(&["commit", "-m", "baseline"]);
+    repo.write_file("README.md", "# Local edit\n");
+    let before_head = repo.git_stdout(&["rev-parse", "HEAD"]);
+
+    let route = evaluate_route(
+        repo.path(),
+        "commit my changes",
+        RouteOptions {
+            execute: true,
+            evaluation: EvaluationOptions::offline(),
+        },
+    )
+    .unwrap();
+
+    assert_eq!(route.policy_action, "commit_user_diff_with_quality_gate");
+    assert!(!route.allowed);
+    assert!(!route.mutation_performed);
+    assert_eq!(route.executed_actions, vec!["run_user_diff_quality_gate"]);
+    assert_eq!(repo.git_stdout(&["rev-parse", "HEAD"]), before_head);
+    assert!(repo.git_status_short().contains("README.md"));
+    assert!(route.user_message.contains("quality gate failed"));
+    assert!(route.user_message.contains("integrity mismatch"));
+}
+
 #[test]
 fn execute_route_baselines_harness_refresh_before_dirty_repo_worktree() {
     let repo = TestRepo::new("route-dirty-harness-refresh-worktree");
@@ -662,6 +785,57 @@ fn execute_route_refuses_to_create_more_than_max_isolated_worktrees() {
         .contains("Too many NAOME task worktrees are present"));
 }
 
+#[test]
+fn execute_route_preflights_worktree_before_completed_task_baseline() {
+    let repo =
+        TestRepo::completed_task_with_unrelated_user_edit("route-completed-worktree-preflight");
+    let before_head = repo.git_stdout(&["rev-parse", "HEAD"]);
+    let before_status = repo.git_status_short();
+    let common_dir = repo.git_stdout(&["rev-parse", "--git-common-dir"]);
+    let worktree_root = repo.path().join(common_dir).join("naome").join("worktrees");
+    fs::create_dir_all(&worktree_root).unwrap();
+    for index in 0..25 {
+        fs::create_dir_all(worktree_root.join(format!("stale-{index}"))).unwrap();
+    }
+
+    let error = evaluate_route(
+        repo.path(),
+        "Add another line to README as a new task.",
+        RouteOptions {
+            execute: true,
+            evaluation: EvaluationOptions::offline(),
+        },
+    )
+    .unwrap_err();
+
+    assert!(error
+        .to_string()
+        .contains("Too many NAOME task worktrees are present"));
+    assert_eq!(repo.git_stdout(&["rev-parse", "HEAD"]), before_head);
+    assert_eq!(repo.git_status_short(), before_status);
+}
+
+#[test]
+fn execute_route_uses_preflighted_worktree_name_after_completed_task_baseline() {
+    let repo = TestRepo::completed_task_with_unrelated_user_edit("route-worktree-name-preflight");
+    let before_head = repo.git_stdout(&["rev-parse", "HEAD"]);
+    let before_short = &before_head[..12];
+
+    let route = evaluate_route(
+        repo.path(),
+        "Add another line to README as a new task.",
+        RouteOptions {
+            execute: true,
+            evaluation: EvaluationOptions::offline(),
+        },
+    )
+    .unwrap();
+
+    let worktree = route.worktree.expect("route should create a worktree");
+    assert!(worktree.branch.contains(before_short));
+    assert!(worktree.path.contains(before_short));
+}
+
 #[test]
 fn dry_route_plans_harness_refresh_split_before_completed_task_baseline() {
     let repo = TestRepo::completed_task_with_harness_refresh_diff("route-dry-harness-refresh");
@@ -875,6 +1049,27 @@ impl TestRepo {
         Self { root }
     }
 
+    fn from_template(name: &str) -> Self {
+        let repo = Self::new(name);
+        let template_root = packaged_template_root();
+        copy_dir(&template_root, repo.path());
+        fs::create_dir_all(repo.path().join(".naome/archive")).unwrap();
+        repo
+    }
+
+    fn copy_packaged_template_to_route_template_root(&self) {
+        copy_dir(&packaged_template_root(), &self.route_template_root());
+        fs::create_dir_all(self.route_template_root().join(".naome/archive")).unwrap();
+    }
+
+    fn route_template_root(&self) -> PathBuf {
+        self.root
+            .join("packages")
+            .join("naome")
+            .join("templates")
+            .join("naome-root")
+    }
+
     fn completed_task_with_diff(name: &str) -> Self {
         let repo = Self::new(name);
         repo.init_git();
@@ -999,6 +1194,153 @@ impl TestRepo {
         );
     }
 
+    fn write_product_quality_verification(&self) {
+        self.write_naome_json(
+            "verification.json",
+            json!({
+                "schema": "naome.verification.v1",
+                "version": 1,
+                "status": "ready",
+                "checks": [
+                    {
+                        "id": "installer-tests",
+                        "command": "npm run test:naome-installer",
+                        "cwd": ".",
+                        "purpose": "Validate installer behavior.",
+                        "cost": "medium",
+                        "source": "test",
+                        "evidence": ["scripts/naome-installer.test.js"],
+                        "lastVerified": null
+                    },
+                    {
+                        "id": "rust-build",
+                        "command": "npm run build:rust",
+                        "cwd": ".",
+                        "purpose": "Build native CLI.",
+                        "cost": "medium",
+                        "source": "test",
+                        "evidence": ["packages/naome/Cargo.toml"],
+                        "lastVerified": null
+                    },
+                    {
+                        "id": "decision-engine-tests",
+                        "command": "npm run test:decision-engine",
+                        "cwd": ".",
+                        "purpose": "Validate route decisions.",
+                        "cost": "fast",
+                        "source": "test",
+                        "evidence": ["packages/naome/crates/naome-core/tests/route.rs"],
+                        "lastVerified": null
+                    },
+                    {
+                        "id": "package-dry-run",
+                        "command": "npm run pack:dry-run",
+                        "cwd": ".",
+                        "purpose": "Validate package metadata.",
+                        "cost": "medium",
+                        "source": "test",
+                        "evidence": ["packages/naome/package.json"],
+                        "lastVerified": null
+                    },
+                    {
+                        "id": "diff-check",
+                        "command": "git diff --check",
+                        "cwd": ".",
+                        "purpose": "Reject whitespace errors.",
+                        "cost": "fast",
+                        "source": "test",
+                        "evidence": ["packages/naome/crates/naome-core/src/route.rs"],
+                        "lastVerified": null
+                    }
+                ],
+                "changeTypes": [
+                    {
+                        "id": "product-installer-or-template",
+                        "description": "NAOME product changes.",
+                        "paths": ["packages/naome/**", "scripts/**"],
+                        "requiredChecks": [
+                            "installer-tests",
+                            "rust-build",
+                            "decision-engine-tests",
+                            "package-dry-run"
+                        ],
+                        "recommendedChecks": [],
+                        "humanReview": false
+                    }
+                ],
+                "releaseGates": []
+            }),
+        );
+    }
+
+    fn write_dogfood_readme_quality_verification(&self) {
+        self.write_naome_json(
+            "verification.json",
+            json!({
+            "schema": "naome.verification.v1",
+            "version": 1,
+            "status": "ready",
+            "checks": [
+                {
+                    "id": "dogfood-health",
+                    "command": "npm run dogfood:health",
+                    "cwd": ".",
+                    "purpose": "Validate installed harness integrity.",
+                    "cost": "fast",
+                    "source": "test",
+                    "evidence": [".naome/bin/check-task-state.js"],
+                    "lastVerified": null
+                }
+            ],
+            "changeTypes": [
+                {
+                    "id": "installed-self-hosted-harness",
+                    "description": "Installed harness files.",
+                    "paths": ["README.md"],
+                    "requiredChecks": ["dogfood-health"],
+                    "recommendedChecks": [],
+                    "humanReview": false
+                }
+            ],
+                "releaseGates": []
+            }),
+        );
+    }
+
+    fn write_task_state_readme_quality_verification(&self) {
+        self.write_naome_json(
+            "verification.json",
+            json!({
+                "schema": "naome.verification.v1",
+                "version": 1,
+                "status": "ready",
+                "checks": [
+                    {
+                        "id": "task-state-check",
+                        "command": "npm run check:task-state",
+                        "cwd": ".",
+                        "purpose": "Validate template task-state and harness integrity.",
+                        "cost": "fast",
+                        "source": "test",
+                        "evidence": ["packages/naome/templates/naome-root/.naome/bin/check-task-state.js"],
+                        "lastVerified": null
+                    }
+                ],
+                "changeTypes": [
+                    {
+                        "id": "installed-self-hosted-harness",
+                        "description": "Installed harness files.",
+                        "paths": ["README.md"],
+                        "requiredChecks": ["task-state-check"],
+                        "recommendedChecks": [],
+                        "humanReview": false
+                    }
+                ],
+                "releaseGates": []
+            }),
+        );
+    }
+
     fn write_naome_json(&self, file_name: &str, value: serde_json::Value) {
         let path = self.root.join(".naome").join(file_name);
         fs::write(
@@ -1062,6 +1404,32 @@ impl TestRepo {
     }
 }
 
+fn packaged_template_root() -> PathBuf {
+    PathBuf::from(env!("CARGO_MANIFEST_DIR"))
+        .join("..")
+        .join("..")
+        .join("templates")
+        .join("naome-root")
+}
+
+fn copy_dir(from: &Path, to: &Path) {
+    fs::create_dir_all(to).unwrap();
+    for entry in fs::read_dir(from).unwrap() {
+        let entry = entry.unwrap();
+        let from_path = entry.path();
+        let to_path = to.join(entry.file_name());
+        let file_type = entry.file_type().unwrap();
+        if file_type.is_dir() {
+            copy_dir(&from_path, &to_path);
+        } else if file_type.is_file() {
+            if let Some(parent) = to_path.parent() {
+                fs::create_dir_all(parent).unwrap();
+            }
+            fs::copy(&from_path, &to_path).unwrap();
+        }
+    }
+}
+
 fn completed_task_state(admission_head: &str) -> serde_json::Value {
     json!({
         "schema": "naome.task-state.v1",

package/crates/naome-core/tests/task_state.rs

@@ -222,6 +222,146 @@ fn commit_gate_allows_staged_harness_refresh_split_from_completed_task() {
     assert!(report.errors.is_empty(), "{:#?}", report.errors);
 }
 
+#[test]
+fn commit_gate_allows_staged_harness_refresh_after_completed_task_is_baselined() {
+    let repo = TaskFixture::new(complete_task_state(json!({
+        "allowedPaths": ["README.md"],
+        "proofResults": [successful_proof(json!({ "evidence": ["README.md"] }))]
+    })));
+    repo.install_healthy_harness();
+    repo.write("README.md", "# Completed task result\n");
+    repo.init_git();
+    repo.write("AGENTS.md", "# Agent Instructions\n\nUpdated by sync.\n");
+    repo.write_json(
+        ".naome/manifest.json",
+        json!({
+            "name": "naome",
+            "harnessVersion": "1.1.1",
+            "profile": "standard",
+            "machineOwned": MACHINE_OWNED_PATHS,
+            "projectOwned": PROJECT_OWNED_PATHS,
+            "integrity": {}
+        }),
+    );
+    repo.git(["add", "AGENTS.md", ".naome/manifest.json"]);
+
+    let report = validate_task_state(
+        repo.path(),
+        TaskStateOptions {
+            mode: TaskStateMode::CommitGate,
+            ..TaskStateOptions::default()
+        },
+    )
+    .unwrap();
+
+    assert!(report.errors.is_empty(), "{:#?}", report.errors);
+}
+
+#[test]
+fn commit_gate_rejects_harness_refresh_when_completed_task_proof_is_missing() {
+    let repo = TaskFixture::new(complete_task_state(json!({
+        "allowedPaths": ["README.md"],
+        "proofResults": []
+    })));
+    repo.install_healthy_harness();
+    repo.write("README.md", "# Completed task result\n");
+    repo.init_git();
+    repo.write("AGENTS.md", "# Agent Instructions\n\nUpdated by sync.\n");
+    repo.git(["add", "AGENTS.md"]);
+
+    let report = validate_task_state(
+        repo.path(),
+        TaskStateOptions {
+            mode: TaskStateMode::CommitGate,
+            ..TaskStateOptions::default()
+        },
+    )
+    .unwrap();
+
+    assert!(
+        report
+            .errors
+            .iter()
+            .any(|error| error.contains("activeTask.proofResults missing proof result: diff-check")),
+        "{:#?}",
+        report.errors
+    );
+}
+
+#[test]
+fn commit_gate_rejects_harness_refresh_with_pending_upgrade_state() {
+    let repo = TaskFixture::new(complete_task_state(json!({
+        "allowedPaths": ["README.md"],
+        "proofResults": [successful_proof(json!({ "evidence": ["README.md"] }))]
+    })));
+    repo.install_healthy_harness();
+    repo.write("README.md", "# Completed task result\n");
+    repo.init_git();
+    repo.write("AGENTS.md", "# Agent Instructions\n\nUpdated by sync.\n");
+    repo.write_json(
+        ".naome/upgrade-state.json",
+        json!({
+            "status": "needs_agent_upgrade",
+            "fromVersion": "1.1.0",
+            "toVersion": "1.1.1",
+            "pending": ["manual-step"],
+            "completed": []
+        }),
+    );
+    repo.git(["add", "AGENTS.md", ".naome/upgrade-state.json"]);
+
+    let report = validate_task_state(
+        repo.path(),
+        TaskStateOptions {
+            mode: TaskStateMode::CommitGate,
+            ..TaskStateOptions::default()
+        },
+    )
+    .unwrap();
+
+    assert!(
+        report
+            .errors
+            .iter()
+            .any(|error| error.contains("NAOME upgrade is pending")),
+        "{:#?}",
+        report.errors
+    );
+}
+
+#[test]
+fn commit_gate_rejects_support_only_harness_refresh_after_completed_task_is_baselined() {
+    let repo = TaskFixture::new(complete_task_state(json!({
+        "allowedPaths": ["README.md"],
+        "proofResults": [successful_proof(json!({ "evidence": ["README.md"] }))]
+    })));
+    repo.install_healthy_harness();
+    repo.write("README.md", "# Completed task result\n");
+    repo.init_git();
+    repo.write_json(
+        ".naome/upgrade-state.json",
+        json!({
+            "status": "complete",
+            "fromVersion": null,
+            "toVersion": "1.1.1",
+            "pending": [],
+            "completed": []
+        }),
+    );
+    repo.git(["add", ".naome/upgrade-state.json"]);
+
+    let report = validate_task_state(
+        repo.path(),
+        TaskStateOptions {
+            mode: TaskStateMode::CommitGate,
+            ..TaskStateOptions::default()
+        },
+    )
+    .unwrap();
+
+    assert!(!report.errors.is_empty(), "{:#?}", report.errors);
+}
+
 #[test]
 fn commit_gate_ignores_unstaged_user_edits_outside_completed_task_scope() {
     let repo = TaskFixture::new(complete_task_state(json!({

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lamentis/naome",
-  "version": "1.1.0",
+  "version": "1.1.2",
   "description": "Native-first CLI for the NAOME agent harness.",
   "license": "MIT",
   "type": "module",

package/templates/naome-root/.naome/manifest.json

@@ -1,6 +1,6 @@
 {
   "name": "naome",
-  "harnessVersion": "1.1.0",
+  "harnessVersion": "1.1.1",
   "profile": "standard",
   "installedAt": null,
   "machineOwned": [

package/templates/naome-root/.naome/upgrade-state.json

@@ -1,7 +1,7 @@
 {
   "status": "complete",
   "fromVersion": null,
-  "toVersion": "1.1.0",
+  "toVersion": "1.1.1",
   "pending": [],
   "completed": []
 }