@lamentis/naome 1.1.1 → 1.2.0

package/crates/naome-core/src/task_state/commit_gate.rs

@@ -0,0 +1,138 @@
+use std::path::Path;
+
+use serde_json::Value;
+
+use super::completion::validate_complete_task_against_entries;
+use super::diff::task_diff_from_entries;
+use super::git_io::read_git_staged_changed_entries;
+use super::process_guard::{validate_no_active_processes, ProcessGate};
+use super::progress::{validate_init_complete, validate_upgrade_complete};
+use super::reconcile::{
+    is_deterministic_harness_refresh_diff, is_harness_repair_diff,
+    is_install_or_upgrade_baseline_diff,
+};
+use super::shape::{
+    read_verification_check_ids, validate_active_task, validate_active_task_references,
+    validate_blocker, validate_pending_upgrade, validate_required_check_ids,
+};
+use super::types::ChangedEntry;
+use crate::models::NaomeError;
+pub(super) fn validate_commit_gate(
+    task_state: &Value,
+    root: &Path,
+    errors: &mut Vec<String>,
+    notices: &mut Vec<String>,
+) -> Result<(), NaomeError> {
+    let staged_entries = read_git_staged_changed_entries(root)?;
+    let changed_paths: Vec<String> = staged_entries
+        .iter()
+        .map(|entry| entry.path.clone())
+        .collect();
+    if changed_paths.is_empty() {
+        return Ok(());
+    }
+
+    let status = task_state
+        .get("status")
+        .and_then(Value::as_str)
+        .unwrap_or("invalid");
+    if status == "complete" && is_deterministic_harness_refresh_diff(&changed_paths) {
+        validate_pending_upgrade(task_state, root, errors)?;
+        validate_completed_task_for_harness_refresh(task_state, root, &staged_entries, errors)?;
+        return Ok(());
+    }
+
+    if status == "complete" {
+        validate_active_task(task_state.get("activeTask"), errors);
+        validate_active_task_references(task_state.get("activeTask"), root, errors, Some(status))?;
+        if !task_state.get("blocker").is_some_and(Value::is_null) {
+            errors.push("complete task state must have blocker set to null.".to_string());
+        }
+        if let Some(active_task) = task_state.get("activeTask") {
+            let check_ids = read_verification_check_ids(root, errors)?;
+            validate_required_check_ids(active_task, &check_ids, errors);
+            validate_no_active_processes(root, errors, ProcessGate::Commit)?;
+            validate_complete_task_against_entries(
+                active_task,
+                root,
+                &check_ids,
+                &staged_entries,
+                errors,
+            )?;
+            if errors.is_empty() {
+                notices.push(format!(
+                    "Commit gate accepted task-owned staged paths: {}.",
+                    changed_paths.join(", ")
+                ));
+            }
+        }
+        return Ok(());
+    }
+
+    if status == "idle" && is_install_or_upgrade_baseline_diff(root, &changed_paths)? {
+        return Ok(());
+    }
+
+    if status == "idle" && is_harness_repair_diff(root, &changed_paths)? {
+        return Ok(());
+    }
+
+    validate_init_complete(root, errors)?;
+    validate_upgrade_complete(root, errors)?;
+
+    if status == "idle" {
+        errors.push(format!("NAOME commit gate blocked: changed paths are not owned by a completed task state. Changed paths: {}. Finish a NAOME task and use naome commit, or reconcile the diff before committing.", changed_paths.join(", ")));
+        return Ok(());
+    }
+
+    if status == "blocked" || status == "needs_human_review" {
+        validate_blocker(task_state.get("blocker"), errors);
+    }
+
+    errors.push(format!("NAOME commit gate blocked because task state is {status}. Finish or revise the active task, set it to complete with fresh proof, then use naome commit. Human options: continue_current_task, request_task_changes, mark_task_blocked, cancel_task_state."));
+    Ok(())
+}
+
+pub(super) fn validate_completed_task_for_harness_refresh(
+    task_state: &Value,
+    root: &Path,
+    staged_entries: &[ChangedEntry],
+    errors: &mut Vec<String>,
+) -> Result<(), NaomeError> {
+    validate_active_task(task_state.get("activeTask"), errors);
+    validate_active_task_references(task_state.get("activeTask"), root, errors, Some("complete"))?;
+    if !task_state.get("blocker").is_some_and(Value::is_null) {
+        errors.push("complete task state must have blocker set to null.".to_string());
+    }
+
+    let Some(active_task) = task_state.get("activeTask") else {
+        return Ok(());
+    };
+
+    let check_ids = read_verification_check_ids(root, errors)?;
+    validate_required_check_ids(active_task, &check_ids, errors);
+
+    let mut validation_errors = Vec::new();
+    validate_no_active_processes(root, &mut validation_errors, ProcessGate::Commit)?;
+    validate_complete_task_against_entries(
+        active_task,
+        root,
+        &check_ids,
+        staged_entries,
+        &mut validation_errors,
+    )?;
+
+    let staged_harness_paths = task_diff_from_entries(active_task, staged_entries).outside_paths;
+    let allowed_scope_error = format!(
+        "Changed files outside allowedPaths: {}. Human options: request_scope_change, move_changes_to_new_task, revert_out_of_scope_changes.",
+        staged_harness_paths.join(", ")
+    );
+
+    errors.extend(
+        validation_errors
+            .into_iter()
+            .filter(|error| error != &allowed_scope_error),
+    );
+
+    Ok(())
+}

package/crates/naome-core/src/task_state/compact_proof.rs

@@ -0,0 +1,160 @@
+use std::collections::HashMap;
+use std::path::Path;
+
+use serde_json::Value;
+
+use crate::models::NaomeError;
+
+use super::proof::{
+    validate_control_state_paths, validate_evidence_array, validate_evidence_paths,
+};
+use super::proof_model::{CanonicalProof, VerificationDefaults};
+use super::proof_sources::read_path_sets;
+use super::util::{is_iso_datetime, require_string};
+
+pub(super) fn compact_proofs(
+    active_task: &Value,
+    root: &Path,
+    errors: &mut Vec<String>,
+    defaults: &HashMap<String, VerificationDefaults>,
+) -> Result<Vec<CanonicalProof>, NaomeError> {
+    let path_sets = read_path_sets(active_task, root, errors)?;
+    let Some(batches) = active_task.get("proofBatches") else {
+        return Ok(Vec::new());
+    };
+    let Some(batches) = batches.as_array() else {
+        errors.push("activeTask.proofBatches must be an array when present.".to_string());
+        return Ok(Vec::new());
+    };
+
+    let mut proofs = Vec::new();
+    for (batch_index, batch) in batches.iter().enumerate() {
+        let prefix = format!("activeTask.proofBatches[{batch_index}]");
+        let Some(batch_object) = batch.as_object() else {
+            errors.push(format!("{prefix} must be an object."));
+            continue;
+        };
+        let batch_checked_at = batch_object.get("checkedAt").and_then(Value::as_str);
+        if batch_checked_at.is_some_and(|value| !is_iso_datetime(value)) {
+            errors.push(format!("{prefix}.checkedAt must be an ISO timestamp."));
+        }
+        let batch_ref = batch_object.get("evidencePathSet").and_then(Value::as_str);
+        let Some(batch_proofs) = batch_object.get("proofs").and_then(Value::as_array) else {
+            errors.push(format!("{prefix}.proofs must be an array."));
+            continue;
+        };
+
+        for (proof_index, proof) in batch_proofs.iter().enumerate() {
+            let proof_prefix = format!("{prefix}.proofs[{proof_index}]");
+            if let Some(proof) = compact_proof(
+                proof,
+                &proof_prefix,
+                batch,
+                batch_checked_at,
+                batch_ref,
+                &path_sets,
+                defaults,
+                errors,
+            ) {
+                validate_evidence_paths(
+                    Some(&Value::Array(proof.evidence.clone())),
+                    &format!("{proof_prefix}.evidence"),
+                    root,
+                    errors,
+                    active_task,
+                )?;
+                proofs.push(proof);
+            }
+        }
+    }
+    Ok(proofs)
+}
+
+fn compact_proof(
+    proof: &Value,
+    prefix: &str,
+    batch: &Value,
+    batch_checked_at: Option<&str>,
+    batch_ref: Option<&str>,
+    path_sets: &HashMap<String, Vec<Value>>,
+    defaults: &HashMap<String, VerificationDefaults>,
+    errors: &mut Vec<String>,
+) -> Option<CanonicalProof> {
+    let object = proof.as_object()?;
+    let check_id = object.get("checkId").and_then(Value::as_str)?;
+    let defaults = defaults.get(check_id);
+    let command = resolved_text(proof, batch, "command")
+        .or_else(|| defaults.map(|check| check.command.as_str()));
+    let cwd =
+        resolved_text(proof, batch, "cwd").or_else(|| defaults.map(|check| check.cwd.as_str()));
+    let checked_at = object
+        .get("checkedAt")
+        .and_then(Value::as_str)
+        .or(batch_checked_at);
+    let evidence = resolved_evidence(proof, batch_ref, path_sets, prefix, errors);
+
+    require_string(object.get("checkId"), &format!("{prefix}.checkId"), errors);
+    if command.is_none() {
+        errors.push(format!(
+            "{prefix}.command must be explicit or resolvable from .naome/verification.json."
+        ));
+    }
+    if cwd.is_none() {
+        errors.push(format!(
+            "{prefix}.cwd must be explicit or resolvable from .naome/verification.json."
+        ));
+    }
+    let Some(exit_code) = object.get("exitCode").and_then(Value::as_i64) else {
+        errors.push(format!("{prefix}.exitCode must be an integer."));
+        return None;
+    };
+    let Some(checked_at) = checked_at else {
+        errors.push(format!("{prefix}.checkedAt must be an ISO timestamp."));
+        return None;
+    };
+    if !is_iso_datetime(checked_at) {
+        errors.push(format!("{prefix}.checkedAt must be an ISO timestamp."));
+    }
+    Some(CanonicalProof {
+        check_id: check_id.to_string(),
+        command: command?.to_string(),
+        cwd: cwd?.to_string(),
+        exit_code,
+        checked_at: checked_at.to_string(),
+        evidence: evidence?,
+    })
+}
+
+fn resolved_text<'a>(proof: &'a Value, batch: &'a Value, field: &str) -> Option<&'a str> {
+    proof
+        .get(field)
+        .and_then(Value::as_str)
+        .or_else(|| batch.get(field).and_then(Value::as_str))
+}
+
+fn resolved_evidence(
+    proof: &Value,
+    batch_ref: Option<&str>,
+    path_sets: &HashMap<String, Vec<Value>>,
+    prefix: &str,
+    errors: &mut Vec<String>,
+) -> Option<Vec<Value>> {
+    if let Some(evidence) = proof.get("evidence") {
+        validate_evidence_array(Some(evidence), &format!("{prefix}.evidence"), errors);
+        validate_control_state_paths(Some(evidence), &format!("{prefix}.evidence"), errors);
+        return evidence.as_array().cloned();
+    }
+    let path_set = proof
+        .get("evidencePathSet")
+        .and_then(Value::as_str)
+        .or(batch_ref);
+    match path_set.and_then(|name| path_sets.get(name)) {
+        Some(paths) => Some(paths.clone()),
+        None => {
+            errors.push(format!(
+                "{prefix}.evidence must be an evidence array or path-set reference."
+            ));
+            None
+        }
+    }
+}

package/crates/naome-core/src/task_state/completed_refresh.rs

@@ -0,0 +1,89 @@
+use std::path::Path;
+
+use serde_json::Value;
+
+use crate::models::NaomeError;
+
+use super::api::validate_task_state;
+use super::git_io::read_git_changed_paths;
+use super::repair::is_safe_harness_refresh_path;
+use super::types::{
+    CompletedTaskHarnessRefreshDiff, TaskStateMode, TaskStateOptions, CONTROL_STATE_PATH,
+};
+use super::util::{matches_any_pattern, read_json, string_array};
+pub(super) fn add_completed_task_diff_notice(
+    root: &Path,
+    notices: &mut Vec<String>,
+) -> Result<(), NaomeError> {
+    let changed_paths = read_git_changed_paths(root)?;
+    if changed_paths.is_empty() {
+        return Ok(());
+    }
+
+    notices.push(format!("Task is complete and verified. Changed paths: {}. NAOME intent can baseline it automatically before the next distinct task; only surface human choices when intent blocks or the user explicitly asks to review, revise, cancel, or commit.", changed_paths.join(", ")));
+    Ok(())
+}
+
+pub fn completed_task_harness_refresh_diff(
+    root: &Path,
+) -> Result<Option<CompletedTaskHarnessRefreshDiff>, NaomeError> {
+    let mut read_errors = Vec::new();
+    let Some(task_state) = read_json(root, ".naome/task-state.json", &mut read_errors)? else {
+        return Ok(None);
+    };
+    if !read_errors.is_empty() {
+        return Ok(None);
+    }
+    if task_state.get("status").and_then(Value::as_str) != Some("complete") {
+        return Ok(None);
+    }
+    let Some(active_task) = task_state.get("activeTask") else {
+        return Ok(None);
+    };
+
+    let allowed_paths = string_array(active_task.get("allowedPaths")).unwrap_or_default();
+    let mut harness_paths = Vec::new();
+    let mut task_paths = Vec::new();
+    let mut other_paths = Vec::new();
+
+    for path in read_git_changed_paths(root)? {
+        if path == CONTROL_STATE_PATH {
+            continue;
+        }
+        if matches_any_pattern(&path, &allowed_paths) {
+            task_paths.push(path);
+        } else if is_safe_harness_refresh_path(&path) {
+            harness_paths.push(path);
+        } else {
+            other_paths.push(path);
+        }
+    }
+
+    if task_paths.is_empty() || harness_paths.is_empty() || !other_paths.is_empty() {
+        return Ok(None);
+    }
+
+    let report = validate_task_state(
+        root,
+        TaskStateOptions {
+            mode: TaskStateMode::State,
+            harness_health: None,
+        },
+    )?;
+    let allowed_scope_error = format!(
+        "Changed files outside allowedPaths: {}. Human options: request_scope_change, move_changes_to_new_task, revert_out_of_scope_changes.",
+        harness_paths.join(", ")
+    );
+    if report
+        .errors
+        .iter()
+        .all(|error| error == &allowed_scope_error)
+    {
+        Ok(Some(CompletedTaskHarnessRefreshDiff {
+            harness_paths,
+            task_paths,
+        }))
+    } else {
+        Ok(None)
+    }
+}

package/crates/naome-core/src/task_state/completion.rs

@@ -0,0 +1,72 @@
+use std::collections::HashSet;
+use std::path::Path;
+
+use serde_json::Value;
+
+pub(super) use super::admission::validate_admission;
+pub(super) use super::commit_gate::validate_commit_gate;
+use super::diff::validate_changed_entries;
+use super::git_io::read_git_changed_entries;
+use super::process_guard::{validate_no_active_processes, ProcessGate};
+pub(super) use super::progress::validate_progress;
+use super::proof::{validate_proof_evidence_covers_changed_entries, validate_proof_results};
+use super::reconcile::add_completed_task_diff_notice;
+use super::shape::{read_verification_check_ids, validate_required_check_ids};
+use super::types::ChangedEntry;
+use crate::models::NaomeError;
+pub(super) fn validate_complete_task(
+    active_task: Option<&Value>,
+    blocker: Option<&Value>,
+    root: &Path,
+    errors: &mut Vec<String>,
+    notices: &mut Vec<String>,
+) -> Result<(), NaomeError> {
+    let error_start = errors.len();
+
+    if !blocker.is_some_and(Value::is_null) {
+        errors.push("complete task state must have blocker set to null.".to_string());
+    }
+
+    let Some(active_task) = active_task else {
+        return Ok(());
+    };
+
+    if active_task
+        .get("humanReview")
+        .and_then(|review| review.get("required"))
+        .and_then(Value::as_bool)
+        == Some(true)
+        && active_task
+            .get("humanReview")
+            .and_then(|review| review.get("approved"))
+            .and_then(Value::as_bool)
+            != Some(true)
+    {
+        errors.push("complete task requires human review approval before completion.".to_string());
+    }
+
+    let check_ids = read_verification_check_ids(root, errors)?;
+    validate_required_check_ids(active_task, &check_ids, errors);
+    validate_no_active_processes(root, errors, ProcessGate::Completion)?;
+    let entries = read_git_changed_entries(root)?;
+    validate_complete_task_against_entries(active_task, root, &check_ids, &entries, errors)?;
+
+    if errors.len() == error_start {
+        add_completed_task_diff_notice(root, notices)?;
+    }
+
+    Ok(())
+}
+
+pub(super) fn validate_complete_task_against_entries(
+    active_task: &Value,
+    root: &Path,
+    check_ids: &HashSet<String>,
+    entries: &[ChangedEntry],
+    errors: &mut Vec<String>,
+) -> Result<(), NaomeError> {
+    validate_proof_results(active_task, check_ids, root, errors)?;
+    validate_changed_entries(active_task, entries, errors)?;
+    validate_proof_evidence_covers_changed_entries(active_task, root, entries, errors)?;
+    Ok(())
+}

package/crates/naome-core/src/task_state/deleted_paths.rs

@@ -0,0 +1,47 @@
+use std::path::Path;
+
+use serde_json::Value;
+
+use crate::models::NaomeError;
+
+use super::git_io::{git_commit_exists, parse_name_status_output, read_git_head, run_git};
+
+pub(super) fn read_historical_deleted_paths(
+    active_task: &Value,
+    root: &Path,
+) -> Result<Vec<String>, NaomeError> {
+    let Some(admission_head) = active_task
+        .get("admission")
+        .and_then(|admission| admission.get("gitHead"))
+        .and_then(Value::as_str)
+        .filter(|head| !head.trim().is_empty())
+    else {
+        return Ok(Vec::new());
+    };
+
+    if !git_commit_exists(root, admission_head)? {
+        return Ok(Vec::new());
+    }
+
+    let Some(current_head) = read_git_head(root)? else {
+        return Ok(Vec::new());
+    };
+
+    if current_head == admission_head {
+        return Ok(Vec::new());
+    }
+
+    let output = run_git(
+        root,
+        ["diff", "--name-status", "-z", admission_head, &current_head],
+    )?;
+    if !output.status.success() {
+        return Ok(Vec::new());
+    }
+
+    Ok(parse_name_status_output(&output.stdout)
+        .into_iter()
+        .filter(|entry| entry.status == "deleted")
+        .map(|entry| entry.path)
+        .collect())
+}

package/crates/naome-core/src/task_state/diff.rs

@@ -0,0 +1,95 @@
+use std::collections::HashSet;
+use std::path::Path;
+
+use serde_json::Value;
+
+use crate::models::NaomeError;
+
+use super::git_io::read_git_changed_entries;
+use super::types::{ChangedEntry, TaskDiff, CONTROL_STATE_PATH};
+use super::util::{matches_any_pattern, normalize_path, string_array};
+pub(super) fn validate_changed_paths(
+    active_task: &Value,
+    root: &Path,
+    errors: &mut Vec<String>,
+) -> Result<(), NaomeError> {
+    let entries = read_git_changed_entries(root)?;
+    validate_changed_entries(active_task, &entries, errors)
+}
+
+pub(super) fn validate_changed_entries(
+    active_task: &Value,
+    entries: &[ChangedEntry],
+    errors: &mut Vec<String>,
+) -> Result<(), NaomeError> {
+    let diff = task_diff_from_entries(active_task, entries);
+    if !diff.outside_paths.is_empty() {
+        errors.push(format!(
+            "Changed files outside allowedPaths: {}. Human options: request_scope_change, move_changes_to_new_task, revert_out_of_scope_changes.",
+            diff.outside_paths.join(", ")
+        ));
+    }
+    Ok(())
+}
+
+pub(super) fn validate_human_review_blocker_paths(
+    active_task: Option<&Value>,
+    blocker: Option<&Value>,
+    root: &Path,
+    errors: &mut Vec<String>,
+) -> Result<(), NaomeError> {
+    let (Some(active_task), Some(blocker)) = (active_task, blocker) else {
+        return Ok(());
+    };
+    let diff = read_task_diff(active_task, root)?;
+    if diff.outside_paths.is_empty() {
+        return Ok(());
+    }
+
+    let blocker_paths: HashSet<String> = blocker
+        .get("paths")
+        .and_then(Value::as_array)
+        .into_iter()
+        .flatten()
+        .filter_map(Value::as_str)
+        .map(normalize_path)
+        .collect();
+    let missing_paths: Vec<String> = diff
+        .outside_paths
+        .into_iter()
+        .filter(|path| !blocker_paths.contains(path))
+        .collect();
+
+    if !missing_paths.is_empty() {
+        errors.push(format!(
+            "blocker.paths missing actual scope violations: {}",
+            missing_paths.join(", ")
+        ));
+    }
+
+    Ok(())
+}
+
+pub(super) fn read_task_diff(active_task: &Value, root: &Path) -> Result<TaskDiff, NaomeError> {
+    let entries = read_git_changed_entries(root)?;
+    Ok(task_diff_from_entries(active_task, &entries))
+}
+
+pub(super) fn task_diff_from_entries(active_task: &Value, entries: &[ChangedEntry]) -> TaskDiff {
+    let allowed_paths = string_array(active_task.get("allowedPaths")).unwrap_or_default();
+    let diff_paths: Vec<String> = entries
+        .iter()
+        .map(|entry| entry.path.clone())
+        .filter(|path| path != CONTROL_STATE_PATH)
+        .collect();
+    let outside_paths = diff_paths
+        .iter()
+        .filter(|path| !matches_any_pattern(path, &allowed_paths))
+        .cloned()
+        .collect();
+
+    TaskDiff {
+        diff_paths,
+        outside_paths,
+    }
+}