@lamentis/naome 1.1.1 → 1.2.0

package/crates/naome-core/src/workflow/integrity_support.rs

@@ -0,0 +1,110 @@
+use std::collections::BTreeMap;
+use std::fs;
+use std::path::Path;
+
+use crate::models::NaomeError;
+
+use super::integrity_normalize::{
+    HEALTH_CHECKER_PATH, NAOME_COMMAND_PATH, TASK_STATE_CHECKER_PATH,
+};
+
+#[cfg(windows)]
+const NATIVE_BINARY_PATH: &str = ".naome/bin/naome-rust.exe";
+#[cfg(not(windows))]
+const NATIVE_BINARY_PATH: &str = ".naome/bin/naome-rust";
+
+pub(super) fn refresh_support_files(
+    root: &Path,
+    integrity: &BTreeMap<String, String>,
+) -> Result<Vec<String>, NaomeError> {
+    let mut changed = Vec::new();
+    for path in [HEALTH_CHECKER_PATH, TASK_STATE_CHECKER_PATH] {
+        if replace_expected_integrity_block(root, path, integrity)? {
+            changed.push(path.to_string());
+        }
+    }
+    if replace_native_integrity(root, integrity)? {
+        changed.push(NAOME_COMMAND_PATH.to_string());
+    }
+    Ok(changed)
+}
+
+fn replace_expected_integrity_block(
+    root: &Path,
+    relative_path: &str,
+    integrity: &BTreeMap<String, String>,
+) -> Result<bool, NaomeError> {
+    let path = root.join(relative_path);
+    if !path.is_file() {
+        return Ok(false);
+    }
+    let original = fs::read_to_string(&path)?;
+    let Some(next) = expected_integrity_replacement(&original, integrity) else {
+        return Ok(false);
+    };
+    if next == original {
+        return Ok(false);
+    }
+    fs::write(path, next)?;
+    Ok(true)
+}
+
+fn expected_integrity_replacement(
+    content: &str,
+    integrity: &BTreeMap<String, String>,
+) -> Option<String> {
+    let marker = "const expectedMachineOwnedIntegrity = Object.freeze({\n";
+    let start = content.find(marker)?;
+    let after_start = start + marker.len();
+    let end = after_start + content[after_start..].find("\n});\n")? + "\n});\n".len();
+    let replacement = render_expected_integrity_block(integrity);
+    let mut next = String::with_capacity(content.len() + replacement.len());
+    next.push_str(&content[..start]);
+    next.push_str(&replacement);
+    next.push_str(&content[end..]);
+    Some(next)
+}
+
+fn render_expected_integrity_block(integrity: &BTreeMap<String, String>) -> String {
+    let body = integrity
+        .iter()
+        .map(|(path, hash)| format!("  {path:?}: {hash:?}"))
+        .collect::<Vec<_>>()
+        .join(",\n");
+    format!("const expectedMachineOwnedIntegrity = Object.freeze({{\n{body}\n}});\n")
+}
+
+fn replace_native_integrity(
+    root: &Path,
+    integrity: &BTreeMap<String, String>,
+) -> Result<bool, NaomeError> {
+    let Some(native_hash) = integrity.get(NATIVE_BINARY_PATH) else {
+        return Ok(false);
+    };
+    let path = root.join(NAOME_COMMAND_PATH);
+    if !path.is_file() {
+        return Ok(false);
+    }
+    let original = fs::read_to_string(&path)?;
+    let Some(next) = native_integrity_replacement(&original, native_hash) else {
+        return Ok(false);
+    };
+    if next == original {
+        return Ok(false);
+    }
+    fs::write(path, next)?;
+    Ok(true)
+}
+
+fn native_integrity_replacement(content: &str, native_hash: &str) -> Option<String> {
+    let prefix = "const expectedNativeBinaryIntegrity = \"";
+    let start = content.find(prefix)?;
+    let end = start + content[start..].find(";\n")? + ";\n".len();
+    let replacement = format!("const expectedNativeBinaryIntegrity = \"{native_hash}\";\n");
+    Some(format!(
+        "{}{}{}",
+        &content[..start],
+        replacement,
+        &content[end..]
+    ))
+}

package/crates/naome-core/src/workflow/mod.rs

@@ -0,0 +1,18 @@
+mod integrity;
+mod integrity_normalize;
+mod integrity_support;
+mod mutation;
+mod output;
+mod phase_inference;
+mod phases;
+mod policy;
+mod processes;
+mod types;
+
+pub use integrity::{refresh_integrity, IntegrityRefreshReport};
+pub use mutation::classify_mutations;
+pub use output::{summarize_command_output, CommandOutputSummary};
+pub use phases::{verification_phase_plan, CommandCheckResult, VerificationPhasePlan};
+pub use policy::{safe_rg_args, validate_read_boundaries, validate_search_command};
+pub use processes::{tracked_process_report, ProcessReport};
+pub use types::{MutationClassification, ReadActivity, WorkflowFinding};

package/crates/naome-core/src/workflow/mutation.rs

@@ -0,0 +1,68 @@
+use std::path::Path;
+
+use crate::models::NaomeError;
+
+use super::types::MutationClassification;
+
+pub fn classify_mutations(
+    _root: &Path,
+    paths: &[String],
+) -> Result<Vec<MutationClassification>, NaomeError> {
+    Ok(paths
+        .iter()
+        .map(|path| {
+            let normalized = path.replace('\\', "/");
+            MutationClassification {
+                mutation_class: mutation_class(&normalized).to_string(),
+                path: normalized,
+            }
+        })
+        .collect())
+}
+
+fn mutation_class(path: &str) -> &'static str {
+    if path == ".naome/manifest.json"
+        || path == ".naome/task-contract.schema.json"
+        || path.ends_with("/manifest.json")
+        || path.ends_with("/generated.json")
+    {
+        return "generated refresh";
+    }
+    if path.starts_with(".naome/archive/")
+        || path.starts_with(".git/")
+        || path == ".git/info/exclude"
+    {
+        return "local-only repair";
+    }
+    if path.starts_with("packages/naome/templates/") || path.starts_with(".naome/bin/") {
+        return "harness template";
+    }
+    if path.ends_with(".tgz")
+        || path.starts_with("dist/")
+        || path.contains("/dist/")
+        || path.starts_with("packages/naome/native/")
+        || path.starts_with("native/")
+    {
+        return "release artifact";
+    }
+    if path.starts_with("coverage/")
+        || path.contains("/coverage/")
+        || path.starts_with("test-results/")
+        || path.ends_with(".snap")
+    {
+        return "test artifact";
+    }
+    if is_source_path(path) {
+        return "source change";
+    }
+    "user edit"
+}
+
+fn is_source_path(path: &str) -> bool {
+    [
+        ".rs", ".js", ".jsx", ".ts", ".tsx", ".mjs", ".cjs", ".py", ".go", ".swift", ".kt",
+        ".java", ".c", ".cc", ".cpp", ".h", ".hpp", ".rb", ".php", ".cs", ".sh",
+    ]
+    .iter()
+    .any(|extension| path.ends_with(extension))
+}

package/crates/naome-core/src/workflow/output.rs

@@ -0,0 +1,111 @@
+use std::collections::BTreeSet;
+
+use serde::{Deserialize, Serialize};
+
+#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
+#[serde(rename_all = "camelCase")]
+pub struct CommandOutputSummary {
+    pub command: String,
+    pub cwd: String,
+    pub exit_code: i32,
+    pub truncated: bool,
+    pub omitted_line_count: usize,
+    pub relevant_lines: Vec<String>,
+    pub affected_paths: Vec<String>,
+    pub artifacts: Vec<String>,
+}
+
+pub fn summarize_command_output(
+    command: &str,
+    cwd: &str,
+    exit_code: i32,
+    output: &str,
+    max_lines: usize,
+) -> CommandOutputSummary {
+    let lines = output.lines().map(ToString::to_string).collect::<Vec<_>>();
+    let truncated = lines.len() > max_lines;
+    let omitted_line_count = lines.len().saturating_sub(max_lines);
+    let mut relevant = lines
+        .iter()
+        .filter(|line| is_relevant_line(line))
+        .take(max_lines)
+        .cloned()
+        .collect::<Vec<_>>();
+
+    if relevant.is_empty() {
+        let head = max_lines.saturating_sub(2).max(1);
+        relevant.extend(lines.iter().take(head).cloned());
+        if truncated {
+            relevant.extend(lines.iter().rev().take(2).cloned().rev());
+        }
+    }
+
+    relevant.truncate(max_lines);
+    let affected_paths = collect_paths(&relevant);
+    let artifacts = affected_paths
+        .iter()
+        .filter(|path| is_artifact_path(path))
+        .cloned()
+        .collect::<Vec<_>>();
+
+    CommandOutputSummary {
+        command: command.to_string(),
+        cwd: cwd.to_string(),
+        exit_code,
+        truncated,
+        omitted_line_count,
+        relevant_lines: relevant,
+        affected_paths,
+        artifacts,
+    }
+}
+
+fn is_relevant_line(line: &str) -> bool {
+    let lower = line.to_ascii_lowercase();
+    [
+        "error",
+        "failed",
+        "failure",
+        "panic",
+        "violation",
+        "outside allowedpaths",
+        "denied",
+        "missing",
+    ]
+    .iter()
+    .any(|needle| lower.contains(needle))
+}
+
+fn collect_paths(lines: &[String]) -> Vec<String> {
+    let mut paths = BTreeSet::new();
+    for line in lines {
+        for token in line.split_whitespace() {
+            let cleaned = token.trim_matches(|ch: char| {
+                matches!(
+                    ch,
+                    '"' | '\'' | '`' | ':' | ',' | ';' | '(' | ')' | '[' | ']'
+                )
+            });
+            if looks_like_path(cleaned) {
+                paths.insert(cleaned.replace('\\', "/"));
+            }
+        }
+    }
+    paths.into_iter().collect()
+}
+
+fn looks_like_path(token: &str) -> bool {
+    (token.contains('/') || token.starts_with(".naome/"))
+        && token.contains('.')
+        && !token.starts_with("http://")
+        && !token.starts_with("https://")
+}
+
+fn is_artifact_path(path: &str) -> bool {
+    path.ends_with(".log")
+        || path.ends_with(".json")
+        || path.ends_with(".xml")
+        || path.ends_with(".tgz")
+        || path.contains("target/")
+        || path.contains("coverage/")
+}

package/crates/naome-core/src/workflow/phase_inference.rs

@@ -0,0 +1,73 @@
+use std::collections::{HashMap, HashSet};
+
+use serde_json::Value;
+
+use super::phases::{CheckDefinition, PhaseDefinition};
+
+pub(super) fn infer_phases(
+    verification: &Value,
+    checks: &[CheckDefinition],
+) -> Vec<PhaseDefinition> {
+    let release_gate_ids = verification
+        .get("releaseGates")
+        .and_then(Value::as_array)
+        .into_iter()
+        .flatten()
+        .filter_map(|gate| gate.get("checkId").and_then(Value::as_str))
+        .collect::<HashSet<_>>();
+    let phase_order = [
+        ("shape-health", 10),
+        ("quality", 20),
+        ("focused-tests", 30),
+        ("broad-tests", 40),
+        ("package-release", 50),
+        ("diff-check", 60),
+    ];
+    let mut grouped = phase_order
+        .iter()
+        .map(|(id, order)| ((*id).to_string(), (*order, Vec::new())))
+        .collect::<HashMap<_, _>>();
+
+    for check in checks {
+        let phase = inferred_phase(check, &release_gate_ids);
+        if let Some((_, ids)) = grouped.get_mut(phase) {
+            ids.push(check.id.clone());
+        }
+    }
+
+    phase_order
+        .into_iter()
+        .filter_map(|(id, _)| {
+            let (order, check_ids) = grouped.remove(id)?;
+            (!check_ids.is_empty()).then_some(PhaseDefinition {
+                id: id.to_string(),
+                order,
+                check_ids,
+            })
+        })
+        .collect()
+}
+
+fn inferred_phase<'a>(check: &'a CheckDefinition, release_gate_ids: &HashSet<&str>) -> &'a str {
+    let id = check.id.as_str();
+    let command = check.command.as_str();
+    if id == "diff-check" || command.contains("diff --check") {
+        return "diff-check";
+    }
+    if id.contains("quality") {
+        return "quality";
+    }
+    if id.contains("health") || id.contains("task-state") || command.contains("check-task-state") {
+        return "shape-health";
+    }
+    if release_gate_ids.contains(id) || id.contains("package") || command.contains("pack") {
+        return "package-release";
+    }
+    if id.contains("test") && check.cost == "fast" {
+        return "focused-tests";
+    }
+    if id.contains("test") || id.contains("build") {
+        return "broad-tests";
+    }
+    "focused-tests"
+}

package/crates/naome-core/src/workflow/phases.rs

@@ -0,0 +1,169 @@
+use std::collections::{HashMap, HashSet};
+use std::fs;
+use std::path::Path;
+
+use serde::{Deserialize, Serialize};
+use serde_json::Value;
+
+use crate::models::NaomeError;
+
+use super::phase_inference::infer_phases;
+
+#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
+#[serde(rename_all = "camelCase")]
+pub struct CommandCheckResult {
+    pub check_id: String,
+    pub exit_code: i32,
+}
+
+#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
+#[serde(rename_all = "camelCase")]
+pub struct VerificationPhasePlan {
+    pub schema: String,
+    pub phases: Vec<VerificationPhaseStatus>,
+    pub recommended_check_ids: Vec<String>,
+    pub withheld_check_ids: Vec<String>,
+}
+
+#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
+#[serde(rename_all = "camelCase")]
+pub struct VerificationPhaseStatus {
+    pub id: String,
+    pub order: u32,
+    pub check_ids: Vec<String>,
+    pub status: String,
+    pub blocked_by: Vec<String>,
+}
+
+#[derive(Debug, Clone)]
+pub(super) struct CheckDefinition {
+    pub(super) id: String,
+    pub(super) command: String,
+    pub(super) cost: String,
+}
+
+#[derive(Debug, Clone)]
+pub(super) struct PhaseDefinition {
+    pub(super) id: String,
+    pub(super) order: u32,
+    pub(super) check_ids: Vec<String>,
+}
+
+pub fn verification_phase_plan(
+    root: &Path,
+    completed: &[CommandCheckResult],
+) -> Result<VerificationPhasePlan, NaomeError> {
+    let verification = read_verification(root)?;
+    let checks = read_checks(&verification);
+    let mut phases = read_phases(&verification);
+    if phases.is_empty() {
+        phases = infer_phases(&verification, &checks);
+    }
+
+    phases.sort_by(|left, right| left.order.cmp(&right.order).then(left.id.cmp(&right.id)));
+    let results = completed
+        .iter()
+        .map(|result| (result.check_id.as_str(), result.exit_code))
+        .collect::<HashMap<_, _>>();
+    let failed = completed
+        .iter()
+        .filter(|result| result.exit_code != 0)
+        .map(|result| result.check_id.clone())
+        .collect::<HashSet<_>>();
+
+    let mut recommended = Vec::new();
+    let mut withheld = Vec::new();
+    let mut statuses = Vec::new();
+    let mut blocking_phase = None::<String>;
+
+    for phase in phases {
+        let phase_failed = phase
+            .check_ids
+            .iter()
+            .any(|check_id| failed.contains(check_id));
+        let missing = phase
+            .check_ids
+            .iter()
+            .filter(|check_id| results.get(check_id.as_str()).copied() != Some(0))
+            .cloned()
+            .collect::<Vec<_>>();
+        let status = if let Some(blocked_by) = &blocking_phase {
+            withheld.extend(phase.check_ids.clone());
+            statuses.push(VerificationPhaseStatus {
+                id: phase.id,
+                order: phase.order,
+                check_ids: phase.check_ids,
+                status: "withheld".to_string(),
+                blocked_by: vec![blocked_by.clone()],
+            });
+            continue;
+        } else if phase_failed {
+            blocking_phase = Some(phase.id.clone());
+            recommended = missing;
+            "failed"
+        } else if missing.is_empty() {
+            "passed"
+        } else {
+            blocking_phase = Some(phase.id.clone());
+            recommended = missing;
+            "pending"
+        };
+
+        statuses.push(VerificationPhaseStatus {
+            id: phase.id,
+            order: phase.order,
+            check_ids: phase.check_ids,
+            status: status.to_string(),
+            blocked_by: Vec::new(),
+        });
+    }
+
+    Ok(VerificationPhasePlan {
+        schema: "naome.verification-phase-plan.v1".to_string(),
+        phases: statuses,
+        recommended_check_ids: recommended,
+        withheld_check_ids: withheld,
+    })
+}
+
+fn read_verification(root: &Path) -> Result<Value, NaomeError> {
+    let content = fs::read_to_string(root.join(".naome/verification.json"))?;
+    Ok(serde_json::from_str(&content)?)
+}
+
+fn read_checks(verification: &Value) -> Vec<CheckDefinition> {
+    verification
+        .get("checks")
+        .and_then(Value::as_array)
+        .into_iter()
+        .flatten()
+        .filter_map(|check| {
+            Some(CheckDefinition {
+                id: check.get("id")?.as_str()?.to_string(),
+                command: check.get("command")?.as_str()?.to_string(),
+                cost: check.get("cost")?.as_str()?.to_string(),
+            })
+        })
+        .collect()
+}
+
+fn read_phases(verification: &Value) -> Vec<PhaseDefinition> {
+    verification
+        .get("phases")
+        .and_then(Value::as_array)
+        .into_iter()
+        .flatten()
+        .filter_map(|phase| {
+            Some(PhaseDefinition {
+                id: phase.get("id")?.as_str()?.to_string(),
+                order: phase.get("order")?.as_u64()? as u32,
+                check_ids: phase
+                    .get("checkIds")?
+                    .as_array()?
+                    .iter()
+                    .filter_map(|check| check.as_str().map(ToString::to_string))
+                    .collect(),
+            })
+        })
+        .collect()
+}

package/crates/naome-core/src/workflow/policy.rs

@@ -0,0 +1,156 @@
+use std::fs;
+use std::path::Path;
+
+use crate::{models::NaomeError, paths};
+
+use super::types::{ReadActivity, WorkflowFinding};
+
+const DEFAULT_BOUNDARIES: &str = r#"
+.git/**
+.naome/archive/**
+node_modules/**
+**/node_modules/**
+.npm/**
+target/**
+**/target/**
+dist/**
+**/dist/**
+build/**
+**/build/**
+.cache/**
+**/.cache/**
+coverage/**
+**/coverage/**
+"#;
+
+const REQUIRED_RG_EXCLUDES: &[&str] = &[".git/**", ".naome/archive/**", "node_modules/**"];
+
+pub fn validate_read_boundaries(
+    root: &Path,
+    activities: &[ReadActivity],
+) -> Result<Vec<WorkflowFinding>, NaomeError> {
+    let patterns = boundary_patterns(root);
+    let mut findings = Vec::new();
+
+    for activity in activities {
+        let denied_paths = activity
+            .paths
+            .iter()
+            .map(|path| normalize_path(path))
+            .filter(|path| paths::matches_any(path, &patterns))
+            .collect::<Vec<_>>();
+        if denied_paths.is_empty() {
+            continue;
+        }
+
+        findings.push(WorkflowFinding::blocking(
+            "read-boundary",
+            "Read activity touched ignored or generated repository paths.",
+            denied_paths,
+            Some(activity.command.clone()),
+        ));
+    }
+
+    Ok(findings)
+}
+
+pub fn safe_rg_args(root: &Path) -> Result<Vec<String>, NaomeError> {
+    let mut args = vec!["rg".to_string(), "--hidden".to_string()];
+    for pattern in boundary_patterns(root) {
+        args.push("--glob".to_string());
+        args.push(format!("!{pattern}"));
+    }
+    Ok(args)
+}
+
+pub fn validate_search_command(
+    root: &Path,
+    command: &str,
+) -> Result<Vec<WorkflowFinding>, NaomeError> {
+    let trimmed = command.trim();
+    if !is_rg_command(trimmed) || !trimmed.contains("--hidden") {
+        return Ok(Vec::new());
+    }
+
+    let mut required = REQUIRED_RG_EXCLUDES
+        .iter()
+        .map(|pattern| (*pattern).to_string())
+        .collect::<Vec<_>>();
+    for pattern in naomeignore_patterns(root) {
+        if !required.contains(&pattern) {
+            required.push(pattern);
+        }
+    }
+
+    let missing = required
+        .into_iter()
+        .filter(|pattern| !command_has_exclude(trimmed, pattern))
+        .collect::<Vec<_>>();
+    if missing.is_empty() {
+        return Ok(Vec::new());
+    }
+
+    Ok(vec![WorkflowFinding::blocking(
+        "unsafe-search-command",
+        format!(
+            "Hidden ripgrep search is missing deterministic excludes: {}.",
+            missing.join(", ")
+        ),
+        missing,
+        Some(trimmed.to_string()),
+    )])
+}
+
+pub(crate) fn boundary_patterns(root: &Path) -> Vec<String> {
+    let mut patterns = listed_patterns(DEFAULT_BOUNDARIES);
+    for pattern in naomeignore_patterns(root) {
+        if !patterns.contains(&pattern) {
+            patterns.push(pattern);
+        }
+    }
+    patterns
+}
+
+fn listed_patterns(patterns: &str) -> Vec<String> {
+    patterns
+        .lines()
+        .map(str::trim)
+        .filter(|pattern| !pattern.is_empty())
+        .map(ToString::to_string)
+        .collect()
+}
+
+fn naomeignore_patterns(root: &Path) -> Vec<String> {
+    let Ok(content) = fs::read_to_string(root.join(".naomeignore")) else {
+        return Vec::new();
+    };
+    content
+        .lines()
+        .map(str::trim)
+        .filter(|line| !line.is_empty() && !line.starts_with('#') && !line.starts_with('!'))
+        .map(|line| {
+            let normalized = normalize_path(line.trim_start_matches("./"));
+            if normalized.ends_with('/') {
+                format!("{normalized}**")
+            } else {
+                normalized
+            }
+        })
+        .collect()
+}
+
+fn is_rg_command(command: &str) -> bool {
+    command == "rg" || command.starts_with("rg ") || command.ends_with("/rg")
+}
+
+fn command_has_exclude(command: &str, pattern: &str) -> bool {
+    let excluded = format!("!{pattern}");
+    command.contains(&excluded)
+        || command.contains(&format!("--glob={excluded}"))
+        || command.contains(&format!("--glob '{excluded}'"))
+        || command.contains(&format!("--glob \"{excluded}\""))
+}
+
+fn normalize_path(path: &str) -> String {
+    path.replace('\\', "/")
+}