@lamentis/naome 1.1.1 → 1.1.2

package/Cargo.lock

@@ -76,7 +76,7 @@ checksum = "f8ca58f447f06ed17d5fc4043ce1b10dd205e060fb3ce5b979b8ed8e59ff3f79"
 
 [[package]]
 name = "naome-cli"
-version = "1.1.1"
+version = "1.1.2"
 dependencies = [
  "naome-core",
  "serde_json",
@@ -84,7 +84,7 @@ dependencies = [
 
 [[package]]
 name = "naome-core"
-version = "1.1.1"
+version = "1.1.2"
 dependencies = [
  "serde",
  "serde_json",

package/bin/naome-node.js

@@ -18,6 +18,7 @@ const updated = [];
 const skipped = [];
 const unsafeSkipped = [];
 const useColor = process.stdout.isTTY && process.env.NO_COLOR !== "1";
+const verboseOutput = process.argv.includes("--verbose");
 const healthCheckerRelativePath = ".naome/bin/check-harness-health.js";
 const taskStateCheckerRelativePath = ".naome/bin/check-task-state.js";
 const naomeCommandRelativePath = ".naome/bin/naome.js";
@@ -1455,26 +1456,31 @@ function printSummary() {
   console.log("");
   console.log(`${color.green("+")} ${summaryTitle}`);
 
-  if (installed.length > 0) {
+  const detailedOutput = shouldPrintDetailedSummary();
+  if (!detailedOutput) {
+    printCompactSummary();
+  }
+
+  if (detailedOutput && installed.length > 0) {
     const installedItems = uniqueStrings(installed);
     printSection(`Installed ${installedItems.length} ${installedItems.length === 1 ? "item" : "items"}`);
     printList(installed, "+");
   }
 
-  if (updated.length > 0) {
+  if (detailedOutput && updated.length > 0) {
     const updatedItems = uniqueStrings(updated);
     printSection(`Updated ${updatedItems.length} ${updatedItems.length === 1 ? "item" : "items"}`);
     printList(updated, "~");
   }
 
-  if (archived.length > 0) {
+  if (detailedOutput && archived.length > 0) {
     printSection("Archived");
     for (const entry of archived) {
       console.log(`${color.dim(">")} ${entry.from} -> ${entry.to}`);
     }
   }
 
-  if (skipped.length > 0) {
+  if (detailedOutput && skipped.length > 0) {
     const skippedItems = uniqueStrings(skipped);
     printSection(`Skipped ${skippedItems.length} existing ${skippedItems.length === 1 ? "path" : "paths"}`);
     printList(skipped, "-");
@@ -1485,6 +1491,11 @@ function printSummary() {
     printList(unsafeSkipped, "!");
   }
 
+  if (isRepositoryInitialized()) {
+    console.log("");
+    return;
+  }
+
   printSection("Next step");
   console.log("Copy this into your coding agent:");
   console.log("");
@@ -1494,6 +1505,35 @@ function printSummary() {
   console.log("");
 }
 
+function shouldPrintDetailedSummary() {
+  return verboseOutput || !existingInstall;
+}
+
+function printCompactSummary() {
+  const installedCount = uniqueStrings(installed).length;
+  const updatedCount = uniqueStrings(updated).length;
+  const archivedCount = archived.length;
+
+  if (installedCount > 0) {
+    console.log(`${color.dim("installed")} ${installedCount}`);
+  }
+  if (updatedCount > 0) {
+    console.log(`${color.dim("updated")} ${updatedCount}`);
+  }
+  if (archivedCount > 0) {
+    console.log(`${color.dim("archived")} ${archivedCount}`);
+  }
+}
+
+function isRepositoryInitialized() {
+  try {
+    const initState = JSON.parse(readFileSync(join(targetRoot, ".naome", "init-state.json"), "utf8"));
+    return initState.initialized === true;
+  } catch {
+    return false;
+  }
+}
+
 assertTemplateRoot();
 loadInstallPlan();
 

package/crates/naome-cli/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "naome-cli"
-version = "1.1.1"
+version = "1.1.2"
 edition.workspace = true
 license.workspace = true
 repository.workspace = true

package/crates/naome-core/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "naome-core"
-version = "1.1.1"
+version = "1.1.2"
 edition.workspace = true
 license.workspace = true
 repository.workspace = true

package/crates/naome-core/src/route.rs

@@ -8,6 +8,7 @@ use serde_json::Value;
 
 use crate::decision::{evaluate_decision, EvaluationOptions};
 use crate::git;
+use crate::harness_health::{validate_harness_health, HarnessHealthOptions};
 use crate::install_plan::{LOCAL_NATIVE_BINARY_PATHS, LOCAL_ONLY_MACHINE_OWNED_PATHS};
 use crate::intent::{evaluate_intent, IntentDecision};
 use crate::journal::{append_task_journal, TaskJournalEntry};
@@ -15,8 +16,9 @@ use crate::models::{Decision, NaomeError};
 use crate::paths;
 use crate::task_state::{
     completed_task_commit_paths, completed_task_harness_refresh_diff, harness_refresh_diff,
-    harness_refresh_with_unrelated_diff,
+    harness_refresh_with_unrelated_diff, validate_task_state, TaskStateMode, TaskStateOptions,
 };
+use crate::verification_contract::validate_verification_contract;
 
 const MAX_NAOME_TASK_WORKTREES: usize = 25;
 
@@ -603,7 +605,7 @@ fn run_user_diff_quality_gate(
                     "Quality check {check_id} is referenced but not defined."
                 )));
             };
-            run_quality_check(root, check)?;
+            run_quality_check(root, check_id, check)?;
         }
 
         let current_paths = git::changed_paths(root)?;
@@ -618,7 +620,7 @@ fn run_user_diff_quality_gate(
 
         validate_changed_text_whitespace(root, changed_paths)?;
         if let Some(check) = checks.get("diff-check") {
-            run_quality_check(root, check)?;
+            run_quality_check(root, "diff-check", check)?;
         }
         let current_paths = git::changed_paths(root)?;
         let current_set = sorted_path_set(&current_paths);
@@ -826,25 +828,236 @@ fn push_unique_string(values: &mut Vec<String>, value: &str) {
     }
 }
 
-fn run_quality_check(root: &Path, check: &QualityCheck) -> Result<(), NaomeError> {
-    let cwd = root.join(&check.cwd);
-    let output = if cfg!(windows) {
-        Command::new("cmd")
-            .args(["/C", &check.command])
-            .current_dir(cwd)
-            .output()?
+fn run_quality_check(root: &Path, check_id: &str, check: &QualityCheck) -> Result<(), NaomeError> {
+    match check_id {
+        "installer-tests" => require_builtin_quality_check(
+            check_id,
+            check,
+            "npm run test:naome-installer",
+        ),
+        "rust-build" => require_builtin_quality_check(check_id, check, "npm run build:rust"),
+        "decision-engine-tests" => {
+            require_builtin_quality_check(check_id, check, "npm run test:decision-engine")
+        }
+        "package-dry-run" => require_builtin_quality_check(check_id, check, "npm run pack:dry-run"),
+        "diff-check" => {
+            require_builtin_quality_check(check_id, check, "git diff --check")?;
+            let output = Command::new("git")
+                .args(["diff", "--check"])
+                .current_dir(root)
+                .output()?;
+
+            if output.status.success() {
+                Ok(())
+            } else {
+                Err(NaomeError::new(command_output(&output)))
+            }
+        }
+        "naome-harness-health" => {
+            require_builtin_quality_check(
+                check_id,
+                check,
+                "node .naome/bin/check-harness-health.js",
+            )?;
+            run_harness_health_check(root)
+        }
+        "dogfood-health" => {
+            require_builtin_quality_check(check_id, check, "npm run dogfood:health")?;
+            run_harness_health_check(root)
+        }
+        "task-state-check" => {
+            require_builtin_quality_check(check_id, check, "npm run check:task-state")?;
+            run_template_task_state_check(root)
+        }
+        "verification-contract-check" => {
+            require_builtin_quality_check(
+                check_id,
+                check,
+                "npm run check:verification-contract",
+            )?;
+            run_template_verification_contract_check(root)
+        }
+        "context-budget-check" => {
+            require_builtin_quality_check(check_id, check, "npm run check:context-budget")?;
+            run_context_budget_check(root)
+        }
+        _ => Err(NaomeError::new(format!(
+            "Quality check {check_id} is not a built-in safe check; NAOME will not execute repository-controlled verification commands."
+        ))),
+    }
+}
+
+fn require_builtin_quality_check(
+    check_id: &str,
+    check: &QualityCheck,
+    expected_command: &str,
+) -> Result<(), NaomeError> {
+    if check.cwd == "." && check.command == expected_command {
+        return Ok(());
+    }
+
+    Err(NaomeError::new(format!(
+        "Quality check {check_id} has an unsafe command or cwd; expected command `{expected_command}` with cwd `.`."
+    )))
+}
+
+fn run_harness_health_check(root: &Path) -> Result<(), NaomeError> {
+    let errors = validate_harness_health(
+        root,
+        HarnessHealthOptions {
+            expected_integrity: packaged_harness_integrity()?,
+            ..HarnessHealthOptions::default()
+        },
+    )?;
+    if errors.is_empty() {
+        Ok(())
     } else {
-        Command::new("sh")
-            .args(["-c", &check.command])
-            .current_dir(cwd)
-            .output()?
-    };
+        Err(NaomeError::new(errors.join("\n")))
+    }
+}
 
-    if output.status.success() {
+fn packaged_harness_integrity() -> Result<std::collections::HashMap<String, String>, NaomeError> {
+    const CHECKER: &str =
+        include_str!("../../../templates/naome-root/.naome/bin/check-harness-health.js");
+    let start_marker = "const expectedMachineOwnedIntegrity = Object.freeze({";
+    let start = CHECKER
+        .find(start_marker)
+        .ok_or_else(|| NaomeError::new("Packaged harness integrity block is missing."))?;
+    let body_start = start + start_marker.len();
+    let end = CHECKER[body_start..]
+        .find("\n});")
+        .map(|offset| body_start + offset)
+        .ok_or_else(|| NaomeError::new("Packaged harness integrity block is incomplete."))?;
+
+    let mut integrity = std::collections::HashMap::new();
+    for line in CHECKER[body_start..end].lines() {
+        let line = line.trim().trim_end_matches(',').trim();
+        if line.is_empty() {
+            continue;
+        }
+        let Some((path, hash)) = line.split_once(':') else {
+            return Err(NaomeError::new(format!(
+                "Packaged harness integrity entry is invalid: {line}"
+            )));
+        };
+        let path: String = serde_json::from_str(path.trim()).map_err(|error| {
+            NaomeError::new(format!(
+                "Packaged harness integrity path is invalid: {error}"
+            ))
+        })?;
+        let hash: String = serde_json::from_str(hash.trim()).map_err(|error| {
+            NaomeError::new(format!(
+                "Packaged harness integrity hash is invalid: {error}"
+            ))
+        })?;
+        integrity.insert(path, hash);
+    }
+
+    if integrity.is_empty() {
+        return Err(NaomeError::new(
+            "Packaged harness integrity block is empty.",
+        ));
+    }
+
+    Ok(integrity)
+}
+
+fn run_template_task_state_check(root: &Path) -> Result<(), NaomeError> {
+    let template_root = template_root(root);
+    let report = validate_task_state(
+        &template_root,
+        TaskStateOptions {
+            mode: TaskStateMode::State,
+            harness_health: Some(HarnessHealthOptions {
+                expected_integrity: packaged_harness_integrity()?,
+                allow_missing_archive: true,
+                ..HarnessHealthOptions::default()
+            }),
+        },
+    )?;
+    if report.errors.is_empty() {
         Ok(())
     } else {
-        Err(NaomeError::new(command_output(&output)))
+        Err(NaomeError::new(report.errors.join("\n")))
+    }
+}
+
+fn run_template_verification_contract_check(root: &Path) -> Result<(), NaomeError> {
+    let errors = validate_verification_contract(&template_root(root))?;
+    if errors.is_empty() {
+        Ok(())
+    } else {
+        Err(NaomeError::new(errors.join("\n")))
+    }
+}
+
+fn run_context_budget_check(root: &Path) -> Result<(), NaomeError> {
+    let template_root = template_root(root);
+    let mut context_files = vec![
+        template_root.join("AGENTS.md"),
+        template_root.join(".naomeignore"),
+    ];
+    context_files.extend(markdown_files(&template_root.join("docs").join("naome"))?);
+    context_files.sort();
+
+    let mut errors = Vec::new();
+    for path in context_files {
+        let content = fs::read_to_string(&path)?;
+        let line_count = count_lines(&content);
+        if line_count > 200 {
+            errors.push(format!(
+                "{}: {line_count} lines",
+                display_repo_path(root, &path)
+            ));
+        }
     }
+
+    if errors.is_empty() {
+        Ok(())
+    } else {
+        Err(NaomeError::new(format!(
+            "NAOME context budget exceeded. Limit: 200 lines per file.\n{}",
+            errors.join("\n")
+        )))
+    }
+}
+
+fn template_root(root: &Path) -> PathBuf {
+    root.join("packages")
+        .join("naome")
+        .join("templates")
+        .join("naome-root")
+}
+
+fn markdown_files(dir: &Path) -> Result<Vec<PathBuf>, NaomeError> {
+    let mut files = Vec::new();
+    for entry in fs::read_dir(dir)? {
+        let entry = entry?;
+        let path = entry.path();
+        if path.is_dir() {
+            files.extend(markdown_files(&path)?);
+        } else if path.is_file() && path.extension().is_some_and(|extension| extension == "md") {
+            files.push(path);
+        }
+    }
+    Ok(files)
+}
+
+fn count_lines(content: &str) -> usize {
+    if content.is_empty() {
+        0
+    } else if content.ends_with('\n') {
+        content.split('\n').count() - 1
+    } else {
+        content.split('\n').count()
+    }
+}
+
+fn display_repo_path(root: &Path, path: &Path) -> String {
+    path.strip_prefix(root)
+        .unwrap_or(path)
+        .to_string_lossy()
+        .to_string()
 }
 
 fn git_commit(root: &Path, message: &str) -> Result<(), NaomeError> {

package/crates/naome-core/tests/route.rs

@@ -203,6 +203,50 @@ fn execute_route_commits_user_diff_after_quality_gate_passes() {
     assert!(route.user_message.contains("quality gates passed"));
 }
 
+#[test]
+fn execute_route_commits_product_diff_with_declared_safe_quality_checks() {
+    let repo = TestRepo::new("route-product-diff-quality-pass");
+    repo.init_git();
+    repo.write_file(
+        "packages/naome/crates/naome-core/src/route.rs",
+        "pub fn baseline() {}\n",
+    );
+    repo.write_base_naome_state(json!({ "status": "idle", "activeTask": null }));
+    repo.write_product_quality_verification();
+    repo.git(&["add", "."]);
+    repo.git(&["commit", "-m", "baseline"]);
+    repo.write_file(
+        "packages/naome/crates/naome-core/src/route.rs",
+        "pub fn changed() {}\n",
+    );
+
+    let route = evaluate_route(
+        repo.path(),
+        "commit my changes",
+        RouteOptions {
+            execute: true,
+            evaluation: EvaluationOptions::offline(),
+        },
+    )
+    .unwrap();
+
+    assert_eq!(route.policy_action, "commit_user_diff_with_quality_gate");
+    assert!(route.allowed);
+    assert!(route.mutation_performed);
+    assert_eq!(
+        route.executed_actions,
+        vec![
+            "run_user_diff_quality_gate".to_string(),
+            "commit_user_diff".to_string()
+        ]
+    );
+    assert_eq!(repo.git_status_short(), "");
+
+    let committed_paths = repo.git_stdout(&["show", "--name-only", "--format=", "HEAD"]);
+    assert!(committed_paths.contains("packages/naome/crates/naome-core/src/route.rs"));
+    assert!(route.user_message.contains("quality gates passed"));
+}
+
 #[test]
 fn execute_route_preserves_staged_rename_when_committing_user_diff() {
     let repo = TestRepo::new("route-user-diff-staged-rename");
@@ -334,11 +378,17 @@ fn execute_route_refuses_user_diff_commit_when_check_mutates_after_diff_check()
     assert_eq!(route.executed_actions, vec!["run_user_diff_quality_gate"]);
     assert_eq!(repo.git_stdout(&["rev-parse", "HEAD"]), before_head);
     assert!(repo.git_status_short().contains("README.md"));
-    assert!(route.user_message.contains("trailing whitespace"));
+    assert_eq!(
+        fs::read_to_string(repo.path().join("README.md")).unwrap(),
+        "# Manual edit\n"
+    );
+    assert!(route
+        .user_message
+        .contains("will not execute repository-controlled verification commands"));
 }
 
 #[test]
-fn execute_route_refuses_user_diff_commit_when_diff_check_adds_paths() {
+fn execute_route_refuses_user_diff_commit_when_diff_check_command_is_unsafe() {
     let repo = TestRepo::new("route-user-diff-mutating-diff-check");
     repo.init_git();
     repo.write_file("README.md", "# Baseline\n");
@@ -394,10 +444,10 @@ fn execute_route_refuses_user_diff_commit_when_diff_check_adds_paths() {
     assert!(!route.mutation_performed);
     assert_eq!(route.executed_actions, vec!["run_user_diff_quality_gate"]);
     assert_eq!(repo.git_stdout(&["rev-parse", "HEAD"]), before_head);
-    assert!(repo.git_status_short().contains("NEW.md"));
+    assert!(!repo.path().join("NEW.md").exists());
     assert!(route
         .user_message
-        .contains("Quality checks changed the diff path set"));
+        .contains("Quality check diff-check has an unsafe command or cwd"));
 }
 
 #[test]
@@ -432,6 +482,79 @@ fn execute_route_refuses_user_diff_commit_when_quality_gate_fails() {
     assert!(route.user_message.contains("quality gate failed"));
 }
 
+#[test]
+fn execute_route_refuses_user_diff_commit_when_dogfood_health_finds_integrity_mismatch() {
+    let repo = TestRepo::from_template("route-user-diff-dogfood-health-integrity");
+    repo.init_git();
+    repo.write_base_naome_state(json!({ "status": "idle", "activeTask": null }));
+    repo.write_dogfood_readme_quality_verification();
+    repo.write_file(
+        ".naome/bin/check-task-state.js",
+        "#!/usr/bin/env node\nconsole.log('already tampered');\n",
+    );
+    repo.git(&["add", "."]);
+    repo.git(&["commit", "-m", "baseline"]);
+    repo.write_file("README.md", "# Local edit\n");
+    let before_head = repo.git_stdout(&["rev-parse", "HEAD"]);
+
+    let route = evaluate_route(
+        repo.path(),
+        "commit my changes",
+        RouteOptions {
+            execute: true,
+            evaluation: EvaluationOptions::offline(),
+        },
+    )
+    .unwrap();
+
+    assert_eq!(route.policy_action, "commit_user_diff_with_quality_gate");
+    assert!(!route.allowed);
+    assert!(!route.mutation_performed);
+    assert_eq!(route.executed_actions, vec!["run_user_diff_quality_gate"]);
+    assert_eq!(repo.git_stdout(&["rev-parse", "HEAD"]), before_head);
+    assert!(repo.git_status_short().contains("README.md"));
+    assert!(route.user_message.contains("quality gate failed"));
+    assert!(route.user_message.contains("integrity mismatch"));
+}
+
+#[test]
+fn execute_route_refuses_user_diff_commit_when_task_state_check_finds_template_integrity_mismatch()
+{
+    let repo = TestRepo::new("route-user-diff-task-state-integrity");
+    repo.init_git();
+    repo.write_file("README.md", "# Baseline\n");
+    repo.write_base_naome_state(json!({ "status": "idle", "activeTask": null }));
+    repo.write_task_state_readme_quality_verification();
+    repo.copy_packaged_template_to_route_template_root();
+    repo.write_file(
+        "packages/naome/templates/naome-root/.naome/bin/check-task-state.js",
+        "#!/usr/bin/env node\nconsole.log('already tampered');\n",
+    );
+    repo.git(&["add", "."]);
+    repo.git(&["commit", "-m", "baseline"]);
+    repo.write_file("README.md", "# Local edit\n");
+    let before_head = repo.git_stdout(&["rev-parse", "HEAD"]);
+
+    let route = evaluate_route(
+        repo.path(),
+        "commit my changes",
+        RouteOptions {
+            execute: true,
+            evaluation: EvaluationOptions::offline(),
+        },
+    )
+    .unwrap();
+
+    assert_eq!(route.policy_action, "commit_user_diff_with_quality_gate");
+    assert!(!route.allowed);
+    assert!(!route.mutation_performed);
+    assert_eq!(route.executed_actions, vec!["run_user_diff_quality_gate"]);
+    assert_eq!(repo.git_stdout(&["rev-parse", "HEAD"]), before_head);
+    assert!(repo.git_status_short().contains("README.md"));
+    assert!(route.user_message.contains("quality gate failed"));
+    assert!(route.user_message.contains("integrity mismatch"));
+}
+
 #[test]
 fn execute_route_baselines_harness_refresh_before_dirty_repo_worktree() {
     let repo = TestRepo::new("route-dirty-harness-refresh-worktree");
@@ -926,6 +1049,27 @@ impl TestRepo {
         Self { root }
     }
 
+    fn from_template(name: &str) -> Self {
+        let repo = Self::new(name);
+        let template_root = packaged_template_root();
+        copy_dir(&template_root, repo.path());
+        fs::create_dir_all(repo.path().join(".naome/archive")).unwrap();
+        repo
+    }
+
+    fn copy_packaged_template_to_route_template_root(&self) {
+        copy_dir(&packaged_template_root(), &self.route_template_root());
+        fs::create_dir_all(self.route_template_root().join(".naome/archive")).unwrap();
+    }
+
+    fn route_template_root(&self) -> PathBuf {
+        self.root
+            .join("packages")
+            .join("naome")
+            .join("templates")
+            .join("naome-root")
+    }
+
     fn completed_task_with_diff(name: &str) -> Self {
         let repo = Self::new(name);
         repo.init_git();
@@ -1050,6 +1194,153 @@ impl TestRepo {
         );
     }
 
+    fn write_product_quality_verification(&self) {
+        self.write_naome_json(
+            "verification.json",
+            json!({
+                "schema": "naome.verification.v1",
+                "version": 1,
+                "status": "ready",
+                "checks": [
+                    {
+                        "id": "installer-tests",
+                        "command": "npm run test:naome-installer",
+                        "cwd": ".",
+                        "purpose": "Validate installer behavior.",
+                        "cost": "medium",
+                        "source": "test",
+                        "evidence": ["scripts/naome-installer.test.js"],
+                        "lastVerified": null
+                    },
+                    {
+                        "id": "rust-build",
+                        "command": "npm run build:rust",
+                        "cwd": ".",
+                        "purpose": "Build native CLI.",
+                        "cost": "medium",
+                        "source": "test",
+                        "evidence": ["packages/naome/Cargo.toml"],
+                        "lastVerified": null
+                    },
+                    {
+                        "id": "decision-engine-tests",
+                        "command": "npm run test:decision-engine",
+                        "cwd": ".",
+                        "purpose": "Validate route decisions.",
+                        "cost": "fast",
+                        "source": "test",
+                        "evidence": ["packages/naome/crates/naome-core/tests/route.rs"],
+                        "lastVerified": null
+                    },
+                    {
+                        "id": "package-dry-run",
+                        "command": "npm run pack:dry-run",
+                        "cwd": ".",
+                        "purpose": "Validate package metadata.",
+                        "cost": "medium",
+                        "source": "test",
+                        "evidence": ["packages/naome/package.json"],
+                        "lastVerified": null
+                    },
+                    {
+                        "id": "diff-check",
+                        "command": "git diff --check",
+                        "cwd": ".",
+                        "purpose": "Reject whitespace errors.",
+                        "cost": "fast",
+                        "source": "test",
+                        "evidence": ["packages/naome/crates/naome-core/src/route.rs"],
+                        "lastVerified": null
+                    }
+                ],
+                "changeTypes": [
+                    {
+                        "id": "product-installer-or-template",
+                        "description": "NAOME product changes.",
+                        "paths": ["packages/naome/**", "scripts/**"],
+                        "requiredChecks": [
+                            "installer-tests",
+                            "rust-build",
+                            "decision-engine-tests",
+                            "package-dry-run"
+                        ],
+                        "recommendedChecks": [],
+                        "humanReview": false
+                    }
+                ],
+                "releaseGates": []
+            }),
+        );
+    }
+
+    fn write_dogfood_readme_quality_verification(&self) {
+        self.write_naome_json(
+            "verification.json",
+            json!({
+            "schema": "naome.verification.v1",
+            "version": 1,
+            "status": "ready",
+            "checks": [
+                {
+                    "id": "dogfood-health",
+                    "command": "npm run dogfood:health",
+                    "cwd": ".",
+                    "purpose": "Validate installed harness integrity.",
+                    "cost": "fast",
+                    "source": "test",
+                    "evidence": [".naome/bin/check-task-state.js"],
+                    "lastVerified": null
+                }
+            ],
+            "changeTypes": [
+                {
+                    "id": "installed-self-hosted-harness",
+                    "description": "Installed harness files.",
+                    "paths": ["README.md"],
+                    "requiredChecks": ["dogfood-health"],
+                    "recommendedChecks": [],
+                    "humanReview": false
+                }
+            ],
+                "releaseGates": []
+            }),
+        );
+    }
+
+    fn write_task_state_readme_quality_verification(&self) {
+        self.write_naome_json(
+            "verification.json",
+            json!({
+                "schema": "naome.verification.v1",
+                "version": 1,
+                "status": "ready",
+                "checks": [
+                    {
+                        "id": "task-state-check",
+                        "command": "npm run check:task-state",
+                        "cwd": ".",
+                        "purpose": "Validate template task-state and harness integrity.",
+                        "cost": "fast",
+                        "source": "test",
+                        "evidence": ["packages/naome/templates/naome-root/.naome/bin/check-task-state.js"],
+                        "lastVerified": null
+                    }
+                ],
+                "changeTypes": [
+                    {
+                        "id": "installed-self-hosted-harness",
+                        "description": "Installed harness files.",
+                        "paths": ["README.md"],
+                        "requiredChecks": ["task-state-check"],
+                        "recommendedChecks": [],
+                        "humanReview": false
+                    }
+                ],
+                "releaseGates": []
+            }),
+        );
+    }
+
     fn write_naome_json(&self, file_name: &str, value: serde_json::Value) {
         let path = self.root.join(".naome").join(file_name);
         fs::write(
@@ -1113,6 +1404,32 @@ impl TestRepo {
     }
 }
 
+fn packaged_template_root() -> PathBuf {
+    PathBuf::from(env!("CARGO_MANIFEST_DIR"))
+        .join("..")
+        .join("..")
+        .join("templates")
+        .join("naome-root")
+}
+
+fn copy_dir(from: &Path, to: &Path) {
+    fs::create_dir_all(to).unwrap();
+    for entry in fs::read_dir(from).unwrap() {
+        let entry = entry.unwrap();
+        let from_path = entry.path();
+        let to_path = to.join(entry.file_name());
+        let file_type = entry.file_type().unwrap();
+        if file_type.is_dir() {
+            copy_dir(&from_path, &to_path);
+        } else if file_type.is_file() {
+            if let Some(parent) = to_path.parent() {
+                fs::create_dir_all(parent).unwrap();
+            }
+            fs::copy(&from_path, &to_path).unwrap();
+        }
+    }
+}
+
 fn completed_task_state(admission_head: &str) -> serde_json::Value {
     json!({
         "schema": "naome.task-state.v1",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lamentis/naome",
-  "version": "1.1.1",
+  "version": "1.1.2",
   "description": "Native-first CLI for the NAOME agent harness.",
   "license": "MIT",
   "type": "module",