@lamentis/naome 1.1.1 → 1.2.0

package/crates/naome-core/src/route.rs

@@ -8,15 +8,18 @@ use serde_json::Value;
 
 use crate::decision::{evaluate_decision, EvaluationOptions};
 use crate::git;
+use crate::harness_health::{validate_harness_health, HarnessHealthOptions};
 use crate::install_plan::{LOCAL_NATIVE_BINARY_PATHS, LOCAL_ONLY_MACHINE_OWNED_PATHS};
 use crate::intent::{evaluate_intent, IntentDecision};
 use crate::journal::{append_task_journal, TaskJournalEntry};
 use crate::models::{Decision, NaomeError};
 use crate::paths;
+use crate::quality::{check_repository_quality, QualityMode};
 use crate::task_state::{
     completed_task_commit_paths, completed_task_harness_refresh_diff, harness_refresh_diff,
-    harness_refresh_with_unrelated_diff,
+    harness_refresh_with_unrelated_diff, validate_task_state, TaskStateMode, TaskStateOptions,
 };
+use crate::verification_contract::validate_verification_contract;
 
 const MAX_NAOME_TASK_WORKTREES: usize = 25;
 
@@ -603,7 +606,7 @@ fn run_user_diff_quality_gate(
                     "Quality check {check_id} is referenced but not defined."
                 )));
             };
-            run_quality_check(root, check)?;
+            run_quality_check(root, check_id, check)?;
         }
 
         let current_paths = git::changed_paths(root)?;
@@ -618,7 +621,7 @@ fn run_user_diff_quality_gate(
 
         validate_changed_text_whitespace(root, changed_paths)?;
         if let Some(check) = checks.get("diff-check") {
-            run_quality_check(root, check)?;
+            run_quality_check(root, "diff-check", check)?;
         }
         let current_paths = git::changed_paths(root)?;
         let current_set = sorted_path_set(&current_paths);
@@ -826,27 +829,299 @@ fn push_unique_string(values: &mut Vec<String>, value: &str) {
     }
 }
 
-fn run_quality_check(root: &Path, check: &QualityCheck) -> Result<(), NaomeError> {
-    let cwd = root.join(&check.cwd);
-    let output = if cfg!(windows) {
-        Command::new("cmd")
-            .args(["/C", &check.command])
-            .current_dir(cwd)
-            .output()?
+fn run_quality_check(root: &Path, check_id: &str, check: &QualityCheck) -> Result<(), NaomeError> {
+    match check_id {
+        "installer-tests" => require_builtin_quality_check(
+            check_id,
+            check,
+            "npm run test:naome-installer",
+        ),
+        "rust-build" => require_builtin_quality_check(check_id, check, "npm run build:rust"),
+        "decision-engine-tests" => {
+            require_builtin_quality_check(check_id, check, "npm run test:decision-engine")
+        }
+        "package-dry-run" => require_builtin_quality_check(check_id, check, "npm run pack:dry-run"),
+        "diff-check" => {
+            require_builtin_quality_check(check_id, check, "git diff --check")?;
+            let output = Command::new("git")
+                .args(["diff", "--check"])
+                .current_dir(root)
+                .output()?;
+
+            if output.status.success() {
+                Ok(())
+            } else {
+                Err(NaomeError::new(command_output(&output)))
+            }
+        }
+        "naome-harness-health" => {
+            require_builtin_quality_check(
+                check_id,
+                check,
+                "node .naome/bin/check-harness-health.js",
+            )?;
+            run_harness_health_check(root)
+        }
+        "dogfood-health" => {
+            require_builtin_quality_check(check_id, check, "npm run dogfood:health")?;
+            run_harness_health_check(root)
+        }
+        "task-state-check" => {
+            require_builtin_quality_check(check_id, check, "npm run check:task-state")?;
+            run_template_task_state_check(root)
+        }
+        "verification-contract-check" => {
+            require_builtin_quality_check(
+                check_id,
+                check,
+                "npm run check:verification-contract",
+            )?;
+            run_template_verification_contract_check(root)
+        }
+        "context-budget-check" => {
+            require_builtin_quality_check(check_id, check, "npm run check:context-budget")?;
+            run_context_budget_check(root)
+        }
+        "repository-quality-check" => {
+            require_builtin_quality_check_any(
+                check_id,
+                check,
+                &[
+                    "naome quality check --changed",
+                    "node .naome/bin/naome.js quality check --changed",
+                    "npm run check:repository-quality",
+                ],
+            )?;
+            run_repository_quality_check(root)
+        }
+        _ => Err(NaomeError::new(format!(
+            "Quality check {check_id} is not a built-in safe check; NAOME will not execute repository-controlled verification commands."
+        ))),
+    }
+}
+
+fn require_builtin_quality_check_any(
+    check_id: &str,
+    check: &QualityCheck,
+    expected_commands: &[&str],
+) -> Result<(), NaomeError> {
+    if check.cwd == "."
+        && expected_commands
+            .iter()
+            .any(|expected_command| check.command == *expected_command)
+    {
+        return Ok(());
+    }
+
+    Err(NaomeError::new(format!(
+        "Quality check {check_id} has an unsafe command or cwd; expected one of [{}] with cwd `.`.",
+        expected_commands
+            .iter()
+            .map(|command| format!("`{command}`"))
+            .collect::<Vec<_>>()
+            .join(", ")
+    )))
+}
+
+fn require_builtin_quality_check(
+    check_id: &str,
+    check: &QualityCheck,
+    expected_command: &str,
+) -> Result<(), NaomeError> {
+    if check.cwd == "." && check.command == expected_command {
+        return Ok(());
+    }
+
+    Err(NaomeError::new(format!(
+        "Quality check {check_id} has an unsafe command or cwd; expected command `{expected_command}` with cwd `.`."
+    )))
+}
+
+fn run_repository_quality_check(root: &Path) -> Result<(), NaomeError> {
+    let report = check_repository_quality(root, QualityMode::Changed)?;
+    if report.ok {
+        return Ok(());
+    }
+
+    let details = report
+        .violations
+        .iter()
+        .take(20)
+        .map(|violation| {
+            let location = violation
+                .line
+                .map(|line| format!("{}:{line}", violation.path))
+                .unwrap_or_else(|| violation.path.clone());
+            format!("{location} {}: {}", violation.check_id, violation.message)
+        })
+        .collect::<Vec<_>>()
+        .join("\n");
+    Err(NaomeError::new(format!(
+        "repository-quality-check failed with {} violation(s).\n{}",
+        report.violations.len(),
+        details
+    )))
+}
+
+fn run_harness_health_check(root: &Path) -> Result<(), NaomeError> {
+    let errors = validate_harness_health(
+        root,
+        HarnessHealthOptions {
+            expected_integrity: packaged_harness_integrity()?,
+            ..HarnessHealthOptions::default()
+        },
+    )?;
+    if errors.is_empty() {
+        Ok(())
     } else {
-        Command::new("sh")
-            .args(["-c", &check.command])
-            .current_dir(cwd)
-            .output()?
-    };
+        Err(NaomeError::new(errors.join("\n")))
+    }
+}
 
-    if output.status.success() {
+fn packaged_harness_integrity() -> Result<std::collections::HashMap<String, String>, NaomeError> {
+    const CHECKER: &str =
+        include_str!("../../../templates/naome-root/.naome/bin/check-harness-health.js");
+    let start_marker = "const expectedMachineOwnedIntegrity = Object.freeze({";
+    let start = CHECKER
+        .find(start_marker)
+        .ok_or_else(|| NaomeError::new("Packaged harness integrity block is missing."))?;
+    let body_start = start + start_marker.len();
+    let end = CHECKER[body_start..]
+        .find("\n});")
+        .map(|offset| body_start + offset)
+        .ok_or_else(|| NaomeError::new("Packaged harness integrity block is incomplete."))?;
+
+    let mut integrity = std::collections::HashMap::new();
+    for line in CHECKER[body_start..end].lines() {
+        let line = line.trim().trim_end_matches(',').trim();
+        if line.is_empty() {
+            continue;
+        }
+        let Some((path, hash)) = line.split_once(':') else {
+            return Err(NaomeError::new(format!(
+                "Packaged harness integrity entry is invalid: {line}"
+            )));
+        };
+        let path: String = serde_json::from_str(path.trim()).map_err(|error| {
+            NaomeError::new(format!(
+                "Packaged harness integrity path is invalid: {error}"
+            ))
+        })?;
+        let hash: String = serde_json::from_str(hash.trim()).map_err(|error| {
+            NaomeError::new(format!(
+                "Packaged harness integrity hash is invalid: {error}"
+            ))
+        })?;
+        integrity.insert(path, hash);
+    }
+
+    if integrity.is_empty() {
+        return Err(NaomeError::new(
+            "Packaged harness integrity block is empty.",
+        ));
+    }
+
+    Ok(integrity)
+}
+
+fn run_template_task_state_check(root: &Path) -> Result<(), NaomeError> {
+    let template_root = template_root(root);
+    let report = validate_task_state(
+        &template_root,
+        TaskStateOptions {
+            mode: TaskStateMode::State,
+            harness_health: Some(HarnessHealthOptions {
+                expected_integrity: packaged_harness_integrity()?,
+                allow_missing_archive: true,
+                ..HarnessHealthOptions::default()
+            }),
+        },
+    )?;
+    if report.errors.is_empty() {
         Ok(())
     } else {
-        Err(NaomeError::new(command_output(&output)))
+        Err(NaomeError::new(report.errors.join("\n")))
+    }
+}
+
+fn run_template_verification_contract_check(root: &Path) -> Result<(), NaomeError> {
+    let errors = validate_verification_contract(&template_root(root))?;
+    if errors.is_empty() {
+        Ok(())
+    } else {
+        Err(NaomeError::new(errors.join("\n")))
+    }
+}
+
+fn run_context_budget_check(root: &Path) -> Result<(), NaomeError> {
+    let template_root = template_root(root);
+    let mut context_files = vec![
+        template_root.join("AGENTS.md"),
+        template_root.join(".naomeignore"),
+    ];
+    context_files.extend(markdown_files(&template_root.join("docs").join("naome"))?);
+    context_files.sort();
+
+    let mut errors = Vec::new();
+    for path in context_files {
+        let content = fs::read_to_string(&path)?;
+        let line_count = count_lines(&content);
+        if line_count > 200 {
+            errors.push(format!(
+                "{}: {line_count} lines",
+                display_repo_path(root, &path)
+            ));
+        }
+    }
+
+    if errors.is_empty() {
+        Ok(())
+    } else {
+        Err(NaomeError::new(format!(
+            "NAOME context budget exceeded. Limit: 200 lines per file.\n{}",
+            errors.join("\n")
+        )))
     }
 }
 
+fn template_root(root: &Path) -> PathBuf {
+    root.join("packages")
+        .join("naome")
+        .join("templates")
+        .join("naome-root")
+}
+
+fn markdown_files(dir: &Path) -> Result<Vec<PathBuf>, NaomeError> {
+    let mut files = Vec::new();
+    for entry in fs::read_dir(dir)? {
+        let entry = entry?;
+        let path = entry.path();
+        if path.is_dir() {
+            files.extend(markdown_files(&path)?);
+        } else if path.is_file() && path.extension().is_some_and(|extension| extension == "md") {
+            files.push(path);
+        }
+    }
+    Ok(files)
+}
+
+fn count_lines(content: &str) -> usize {
+    if content.is_empty() {
+        0
+    } else if content.ends_with('\n') {
+        content.split('\n').count() - 1
+    } else {
+        content.split('\n').count()
+    }
+}
+
+fn display_repo_path(root: &Path, path: &Path) -> String {
+    path.strip_prefix(root)
+        .unwrap_or(path)
+        .to_string_lossy()
+        .to_string()
+}
+
 fn git_commit(root: &Path, message: &str) -> Result<(), NaomeError> {
     let output = Command::new("git")
         .args(["commit", "-m", message])

package/crates/naome-core/src/task_state/admission.rs

@@ -0,0 +1,63 @@
+use std::path::Path;
+
+use serde_json::Value;
+
+use crate::models::NaomeError;
+
+use super::completion::validate_complete_task;
+use super::human_review_state::validate_human_review_state;
+use super::progress::{checked_status, validate_clean_git_diff};
+use super::shape::{
+    format_blocker, validate_active_task, validate_active_task_references, validate_blocker,
+    validate_idle_state,
+};
+pub(super) fn validate_admission(
+    task_state: &Value,
+    root: &Path,
+    errors: &mut Vec<String>,
+) -> Result<(), NaomeError> {
+    let status = checked_status(task_state, root, errors)?;
+    match status {
+        "idle" => validate_idle_state(task_state, errors),
+        "complete" => {
+            validate_active_task(task_state.get("activeTask"), errors);
+            validate_active_task_references(
+                task_state.get("activeTask"),
+                root,
+                errors,
+                Some(status),
+            )?;
+            validate_complete_task(
+                task_state.get("activeTask"),
+                task_state.get("blocker"),
+                root,
+                errors,
+                &mut Vec::new(),
+            )?;
+        }
+        "needs_human_review" => {
+            let start = errors.len();
+            validate_human_review_state(task_state, root, errors)?;
+            if errors.len() > start {
+                errors.push("Task admission is blocked because needs_human_review state is invalid; fix blocker paths and proof evidence before asking for a human decision.".to_string());
+            } else {
+                errors.push(format_blocker(
+                    "Task admission is blocked",
+                    task_state.get("blocker"),
+                ));
+            }
+        }
+        "blocked" => {
+            validate_blocker(task_state.get("blocker"), errors);
+            errors.push(format_blocker(
+                "Task admission is blocked",
+                task_state.get("blocker"),
+            ));
+        }
+        other => errors.push(format!(
+            "Task admission is blocked because task state is {other}."
+        )),
+    }
+
+    validate_clean_git_diff(task_state, root, errors)
+}

package/crates/naome-core/src/task_state/admission_proof.rs

@@ -0,0 +1,72 @@
+use std::path::Path;
+
+use serde_json::Value;
+
+use crate::models::NaomeError;
+
+use super::git_io::git_commit_exists;
+use super::util::{is_iso_datetime, require_string, require_string_array_allow_empty};
+
+pub(super) fn validate_admission_proof(
+    admission: Option<&Value>,
+    root: &Path,
+    errors: &mut Vec<String>,
+) -> Result<(), NaomeError> {
+    let Some(object) = admission.and_then(Value::as_object) else {
+        errors.push(
+            "activeTask.admission must be an object recorded from a passed admission check."
+                .to_string(),
+        );
+        return Ok(());
+    };
+    let prefix = "activeTask.admission";
+
+    require_string(object.get("command"), &format!("{prefix}.command"), errors);
+    require_string(object.get("cwd"), &format!("{prefix}.cwd"), errors);
+    require_string_array_allow_empty(
+        object.get("changedPaths"),
+        &format!("{prefix}.changedPaths"),
+        errors,
+    );
+    require_string(object.get("gitHead"), &format!("{prefix}.gitHead"), errors);
+
+    if object.get("command").and_then(Value::as_str)
+        != Some("node .naome/bin/check-task-state.js --admission")
+    {
+        errors.push(format!(
+            "{prefix}.command must be node .naome/bin/check-task-state.js --admission."
+        ));
+    }
+
+    if object.get("cwd").and_then(Value::as_str) != Some(".") {
+        errors.push(format!("{prefix}.cwd must be \".\"."));
+    }
+
+    match object.get("exitCode").and_then(Value::as_i64) {
+        Some(0) => {}
+        Some(_) => errors.push(format!("{prefix}.exitCode must be 0.")),
+        None => errors.push(format!("{prefix}.exitCode must be an integer.")),
+    }
+
+    if !object
+        .get("checkedAt")
+        .and_then(Value::as_str)
+        .is_some_and(is_iso_datetime)
+    {
+        errors.push(format!("{prefix}.checkedAt must be an ISO timestamp."));
+    }
+
+    if let Some(changed_paths) = object.get("changedPaths").and_then(Value::as_array) {
+        if !changed_paths.is_empty() {
+            errors.push(format!("{prefix}.changedPaths must be empty because task admission requires a clean git diff."));
+        }
+    }
+
+    if let Some(git_head) = object.get("gitHead").and_then(Value::as_str) {
+        if !git_head.trim().is_empty() && !git_commit_exists(root, git_head)? {
+            errors.push(format!("{prefix}.gitHead must be an existing git commit."));
+        }
+    }
+
+    Ok(())
+}

package/crates/naome-core/src/task_state/api.rs

@@ -0,0 +1,130 @@
+use std::path::Path;
+
+use serde_json::Value;
+
+use crate::models::NaomeError;
+
+use super::completion::{
+    validate_admission, validate_commit_gate, validate_complete_task, validate_progress,
+};
+use super::diff::validate_human_review_blocker_paths;
+use super::proof::validate_proof_evidence_covers_changed_paths;
+use super::reconcile::validate_push_gate;
+use super::shape::{
+    format_blocker, validate_active_task, validate_active_task_references, validate_blocker,
+    validate_idle_state, validate_pending_upgrade, validate_task_state_shape,
+};
+use super::task_diff_api::validate_harness_health_gate;
+use super::types::*;
+use super::util::read_json;
+pub fn validate_task_state(
+    root: &Path,
+    options: TaskStateOptions,
+) -> Result<TaskStateReport, NaomeError> {
+    let mut report = TaskStateReport {
+        errors: Vec::new(),
+        notices: Vec::new(),
+    };
+    let Some(task_state) = read_json(root, ".naome/task-state.json", &mut report.errors)? else {
+        return Ok(report);
+    };
+
+    validate_task_state_shape(&task_state, &mut report.errors);
+    let status = task_state
+        .get("status")
+        .and_then(Value::as_str)
+        .unwrap_or("invalid");
+    if !ALLOWED_STATUS.contains(&status) {
+        return Ok(report);
+    }
+
+    validate_harness_health_gate(root, &options, &mut report.errors)?;
+    if !report.errors.is_empty() {
+        return Ok(report);
+    }
+
+    if validate_requested_mode(&task_state, root, options.mode, &mut report)? {
+        return Ok(report);
+    }
+
+    if status == "idle" {
+        validate_idle_state(&task_state, &mut report.errors);
+        return Ok(report);
+    }
+
+    let active_error_start = report.errors.len();
+    validate_active_task(task_state.get("activeTask"), &mut report.errors);
+    validate_pending_upgrade(&task_state, root, &mut report.errors)?;
+    validate_active_task_references(
+        task_state.get("activeTask"),
+        root,
+        &mut report.errors,
+        Some(status),
+    )?;
+
+    if status == "needs_human_review" {
+        validate_blocker(task_state.get("blocker"), &mut report.errors);
+        validate_human_review_blocker_paths(
+            task_state.get("activeTask"),
+            task_state.get("blocker"),
+            root,
+            &mut report.errors,
+        )?;
+        validate_proof_evidence_covers_changed_paths(
+            task_state.get("activeTask"),
+            root,
+            &mut report.errors,
+        )?;
+        if report.errors.len() > active_error_start {
+            report.errors.push("needs_human_review task state is invalid; fix blocker paths and proof evidence before asking for a human decision.".to_string());
+        } else {
+            report.errors.push(format_blocker(
+                "Human review required",
+                task_state.get("blocker"),
+            ));
+        }
+        return Ok(report);
+    }
+
+    if status == "blocked" {
+        validate_blocker(task_state.get("blocker"), &mut report.errors);
+        report
+            .errors
+            .push(format_blocker("Task is blocked", task_state.get("blocker")));
+        return Ok(report);
+    }
+
+    if BLOCKING_STATUS.contains(&status) {
+        report.errors.push(format!(
+            "Task is still {status}; new work must wait until the active task is complete or resolved."
+        ));
+        return Ok(report);
+    }
+
+    validate_complete_task(
+        task_state.get("activeTask"),
+        task_state.get("blocker"),
+        root,
+        &mut report.errors,
+        &mut report.notices,
+    )?;
+    Ok(report)
+}
+
+fn validate_requested_mode(
+    task_state: &Value,
+    root: &Path,
+    mode: TaskStateMode,
+    report: &mut TaskStateReport,
+) -> Result<bool, NaomeError> {
+    match mode {
+        TaskStateMode::Admission => validate_admission(task_state, root, &mut report.errors)?,
+        TaskStateMode::Progress => validate_progress(task_state, root, &mut report.errors)?,
+        TaskStateMode::CommitGate => {
+            validate_commit_gate(task_state, root, &mut report.errors, &mut report.notices)?;
+        }
+        TaskStateMode::PushGate => validate_push_gate(task_state, &mut report.errors),
+        TaskStateMode::State => return Ok(false),
+    }
+    Ok(true)
+}