@lamentis/naome 1.1.1 → 1.2.0

package/crates/naome-core/tests/workflow_integrity.rs

@@ -0,0 +1,85 @@
+mod workflow_support;
+
+use std::fs;
+
+use naome_core::{
+    refresh_integrity, summarize_command_output, verification_phase_plan, CommandCheckResult,
+};
+use serde_json::json;
+use workflow_support::{check, phase, WorkflowFixture};
+
+#[test]
+fn refresh_integrity_is_idempotent_and_repairs_manifest_hash() {
+    let repo = WorkflowFixture::new("refresh-integrity");
+    repo.install_machine_owned_harness();
+    let wrong = "sha256:0000000000000000000000000000000000000000000000000000000000000000";
+    repo.write_manifest_with_integrity(wrong);
+
+    let first = refresh_integrity(repo.path()).unwrap();
+    let after_first = fs::read_to_string(repo.path().join(".naome/manifest.json")).unwrap();
+    let second = refresh_integrity(repo.path()).unwrap();
+    let after_second = fs::read_to_string(repo.path().join(".naome/manifest.json")).unwrap();
+
+    assert!(first.updated);
+    assert!(!second.updated);
+    assert_eq!(after_first, after_second);
+    assert!(!after_first.contains(wrong));
+}
+
+#[test]
+fn failed_early_phase_withholds_expensive_recommendations() {
+    let repo = WorkflowFixture::new("verification-phases");
+    repo.write_verification(json!({
+        "schema": "naome.verification.v1",
+        "version": 1,
+        "status": "ready",
+        "lastUpdated": "2026-05-07",
+        "checks": [
+            check("naome-harness-health", "node .naome/bin/check-harness-health.js", "fast"),
+            check("repository-quality-check", "node .naome/bin/naome.js quality check --changed", "fast"),
+            check("package-dry-run", "npm run pack:dry-run", "medium")
+        ],
+        "phases": [
+            phase("shape-health", 10, ["naome-harness-health"]),
+            phase("quality", 20, ["repository-quality-check"]),
+            phase("package-release", 50, ["package-dry-run"])
+        ],
+        "changeTypes": [],
+        "releaseGates": []
+    }));
+
+    let plan = verification_phase_plan(
+        repo.path(),
+        &[CommandCheckResult {
+            check_id: "naome-harness-health".to_string(),
+            exit_code: 1,
+        }],
+    )
+    .unwrap();
+
+    assert_eq!(plan.recommended_check_ids, vec!["naome-harness-health"]);
+    assert!(plan
+        .withheld_check_ids
+        .contains(&"package-dry-run".to_string()));
+}
+
+#[test]
+fn long_command_output_is_stably_summarized() {
+    let output = (0..80)
+        .map(|index| {
+            if index == 42 {
+                "error: src/main.rs failed to compile".to_string()
+            } else {
+                format!("line {index}")
+            }
+        })
+        .collect::<Vec<_>>()
+        .join("\n");
+
+    let summary = summarize_command_output("cargo test", ".", 101, &output, 8);
+
+    assert!(summary.truncated);
+    assert_eq!(summary.exit_code, 101);
+    assert!(summary.relevant_lines[0].contains("error: src/main.rs"));
+    assert!(summary.affected_paths.contains(&"src/main.rs".to_string()));
+}

package/crates/naome-core/tests/workflow_policy.rs

@@ -0,0 +1,139 @@
+mod workflow_support;
+
+use std::collections::HashMap;
+
+use naome_core::{
+    classify_mutations, safe_rg_args, tracked_process_report, validate_read_boundaries,
+    validate_search_command, validate_task_state, ReadActivity, TaskStateMode, TaskStateOptions,
+};
+use serde_json::json;
+use workflow_support::WorkflowFixture;
+
+#[test]
+fn read_boundary_violation_is_detected_from_activity() {
+    let repo = WorkflowFixture::new("read-boundary");
+    repo.write(".naomeignore", ".naome/archive/\n.local-cache/\n");
+
+    let findings = validate_read_boundaries(
+        repo.path(),
+        &[ReadActivity {
+            command: "rg --hidden panic .".to_string(),
+            paths: vec![".naome/archive/old-task.json".to_string()],
+        }],
+    )
+    .unwrap();
+
+    assert_eq!(findings[0].check_id, "read-boundary");
+    assert!(findings[0]
+        .paths
+        .contains(&".naome/archive/old-task.json".to_string()));
+}
+
+#[test]
+fn safe_search_profile_excludes_default_boundaries() {
+    let repo = WorkflowFixture::new("safe-search-profile");
+    repo.write(".naomeignore", ".naome/archive/\n.local-cache/\n");
+
+    let args = safe_rg_args(repo.path()).unwrap().join(" ");
+
+    assert!(args.contains("!.git/**"));
+    assert!(args.contains("!.naome/archive/**"));
+    assert!(args.contains("!node_modules/**"));
+    assert!(args.contains("!.local-cache/**"));
+}
+
+#[test]
+fn unsafe_hidden_search_is_workflow_finding() {
+    let repo = WorkflowFixture::new("unsafe-search");
+
+    let findings = validate_search_command(repo.path(), "rg --hidden TODO .").unwrap();
+
+    assert!(findings
+        .iter()
+        .any(|finding| finding.check_id == "unsafe-search-command"));
+}
+
+#[test]
+fn scope_drift_is_reported_during_progress_gate() {
+    let repo = WorkflowFixture::new("scope-drift");
+    repo.init_git();
+    repo.write_task_state("implementing", &["src/owned.rs"], &["diff-check"]);
+    repo.write("src/outside.rs", "pub fn outside() {}\n");
+
+    let report = validate_task_state(
+        repo.path(),
+        TaskStateOptions {
+            mode: TaskStateMode::Progress,
+            ..TaskStateOptions::default()
+        },
+    )
+    .unwrap();
+    let joined = report.errors.join("\n");
+
+    assert!(joined.contains("Changed files outside allowedPaths"));
+    assert!(joined.contains("src/outside.rs"));
+    assert!(joined.contains("request_scope_change"));
+}
+
+#[test]
+fn tracked_running_process_blocks_completion_until_documented() {
+    let repo = WorkflowFixture::new("process-tracking");
+    repo.write(
+        ".naome/processes.json",
+        &format!(
+            "{}\n",
+            serde_json::to_string_pretty(&json!({
+                "schema": "naome.processes.v1",
+                "processes": [{
+                    "pid": std::process::id(),
+                    "command": "npm run dev",
+                    "cwd": ".",
+                    "startedAt": "2026-05-07T12:00:00.000Z",
+                    "status": "running",
+                    "allowAfterCompletion": false
+                }]
+            }))
+            .unwrap()
+        ),
+    );
+
+    let report = tracked_process_report(repo.path()).unwrap();
+
+    assert_eq!(report.active.len(), 1);
+    assert!(report.active[0].command.contains("npm run dev"));
+}
+
+#[test]
+fn mutation_classifier_recognizes_core_classes() {
+    let repo = WorkflowFixture::new("mutation-classes");
+
+    let classes = classify_mutations(
+        repo.path(),
+        &[
+            "src/lib.rs".to_string(),
+            ".naome/manifest.json".to_string(),
+            ".naome/archive/repair/AGENTS.md".to_string(),
+            "coverage/report.json".to_string(),
+            "packages/naome/native/darwin-arm64/naome".to_string(),
+            "notes/manual.md".to_string(),
+        ],
+    )
+    .unwrap();
+    let by_path = classes
+        .iter()
+        .map(|entry| (entry.path.as_str(), entry.mutation_class.as_str()))
+        .collect::<HashMap<_, _>>();
+
+    assert_eq!(by_path["src/lib.rs"], "source change");
+    assert_eq!(by_path[".naome/manifest.json"], "generated refresh");
+    assert_eq!(
+        by_path[".naome/archive/repair/AGENTS.md"],
+        "local-only repair"
+    );
+    assert_eq!(by_path["coverage/report.json"], "test artifact");
+    assert_eq!(
+        by_path["packages/naome/native/darwin-arm64/naome"],
+        "release artifact"
+    );
+    assert_eq!(by_path["notes/manual.md"], "user edit");
+}

package/crates/naome-core/tests/workflow_support/mod.rs

@@ -0,0 +1,194 @@
+use std::fs;
+use std::path::{Path, PathBuf};
+use std::process::Command;
+use std::sync::atomic::{AtomicU64, Ordering};
+use std::time::{SystemTime, UNIX_EPOCH};
+
+use serde_json::json;
+
+static FIXTURE_COUNTER: AtomicU64 = AtomicU64::new(0);
+
+pub struct WorkflowFixture {
+    root: PathBuf,
+}
+
+impl WorkflowFixture {
+    pub fn new(name: &str) -> Self {
+        let nonce = SystemTime::now()
+            .duration_since(UNIX_EPOCH)
+            .unwrap()
+            .as_nanos();
+        let root = std::env::temp_dir().join(format!(
+            "naome-workflow-{name}-{}-{}-{nonce}",
+            std::process::id(),
+            FIXTURE_COUNTER.fetch_add(1, Ordering::SeqCst)
+        ));
+        fs::create_dir_all(root.join(".naome")).unwrap();
+        fs::create_dir_all(root.join("docs/naome")).unwrap();
+        let fixture = Self { root };
+        fixture.write(".naomeignore", ".naome/archive/\n");
+        fixture.write(
+            ".naome/init-state.json",
+            "{\"initialized\":true,\"intakeStatus\":\"complete\"}\n",
+        );
+        fixture.write(".naome/upgrade-state.json", "{\"status\":\"complete\"}\n");
+        fixture.write_verification(default_verification());
+        fixture
+    }
+
+    pub fn path(&self) -> &Path {
+        &self.root
+    }
+
+    pub fn init_git(&self) {
+        run_git(&self.root, &["init"]);
+        run_git(&self.root, &["config", "user.email", "test@example.com"]);
+        run_git(&self.root, &["config", "user.name", "Test User"]);
+        self.write("README.md", "# Baseline\n");
+        run_git(&self.root, &["add", "."]);
+        run_git(&self.root, &["commit", "-m", "baseline"]);
+    }
+
+    pub fn install_machine_owned_harness(&self) {
+        for path in ["AGENTS.md", ".naome/bin/naome.js", "docs/naome/index.md"] {
+            self.write(path, &format!("# {path}\n"));
+        }
+    }
+
+    pub fn write_manifest_with_integrity(&self, integrity: &str) {
+        self.write(
+            ".naome/manifest.json",
+            &pretty(json!({
+                "name": "naome",
+                "harnessVersion": "1.2.0",
+                "profile": "standard",
+                "installedAt": null,
+                "machineOwned": ["AGENTS.md", ".naome/bin/naome.js", "docs/naome/index.md"],
+                "projectOwned": [".naome/manifest.json"],
+                "integrity": {
+                    "AGENTS.md": integrity,
+                    ".naome/bin/naome.js": integrity,
+                    "docs/naome/index.md": integrity
+                }
+            })),
+        );
+    }
+
+    pub fn write_task_state(&self, status: &str, allowed_paths: &[&str], checks: &[&str]) {
+        let active_task = active_task_state(
+            allowed_paths,
+            checks,
+            git_text(&self.root, &["rev-parse", "HEAD"]),
+        );
+        self.write(
+            ".naome/task-state.json",
+            &pretty(json!({
+                "schema": "naome.task-state.v2",
+                "version": 2,
+                "status": status,
+                "activeTask": active_task,
+                "blocker": null,
+                "updatedAt": "2026-05-07T12:00:00.000Z"
+            })),
+        );
+    }
+
+    pub fn write_verification(&self, value: serde_json::Value) {
+        self.write(".naome/verification.json", &pretty(value));
+    }
+
+    pub fn write(&self, relative_path: &str, content: &str) {
+        let path = self.root.join(relative_path);
+        if let Some(parent) = path.parent() {
+            fs::create_dir_all(parent).unwrap();
+        }
+        fs::write(path, content).unwrap();
+    }
+}
+
+impl Drop for WorkflowFixture {
+    fn drop(&mut self) {
+        let _ = fs::remove_dir_all(&self.root);
+    }
+}
+
+pub fn default_verification() -> serde_json::Value {
+    json!({
+        "schema": "naome.verification.v1",
+        "version": 1,
+        "status": "ready",
+        "lastUpdated": "2026-05-07",
+        "checks": [check("diff-check", "git diff --check", "fast")],
+        "changeTypes": [],
+        "releaseGates": []
+    })
+}
+
+pub fn check(id: &str, command: &str, cost: &str) -> serde_json::Value {
+    json!({
+        "id": id,
+        "command": command,
+        "cwd": ".",
+        "purpose": "Test check.",
+        "cost": cost,
+        "source": "test",
+        "evidence": [],
+        "lastVerified": null
+    })
+}
+
+pub fn phase<const N: usize>(id: &str, order: usize, check_ids: [&str; N]) -> serde_json::Value {
+    json!({ "id": id, "order": order, "checkIds": check_ids.to_vec() })
+}
+
+fn active_task_state(
+    allowed_paths: &[&str],
+    checks: &[&str],
+    git_head: String,
+) -> serde_json::Value {
+    json!({
+        "id": "workflow-test",
+        "request": "Test workflow gates.",
+        "userPrompt": { "receivedAt": "2026-05-07T12:00:00.000Z", "text": "Test workflow gates." },
+        "admission": admission_record(git_head),
+        "allowedPaths": allowed_paths,
+        "declaredChangeTypes": ["source"],
+        "requiredCheckIds": checks,
+        "humanReview": { "required": false, "approved": false, "reason": null },
+        "proofResults": []
+    })
+}
+
+fn admission_record(git_head: String) -> serde_json::Value {
+    json!({
+        "command": "node .naome/bin/check-task-state.js --admission",
+        "cwd": ".",
+        "exitCode": 0,
+        "checkedAt": "2026-05-07T12:00:00.000Z",
+        "gitHead": git_head,
+        "changedPaths": []
+    })
+}
+
+fn pretty(value: serde_json::Value) -> String {
+    format!("{}\n", serde_json::to_string_pretty(&value).unwrap())
+}
+
+fn run_git(root: &Path, args: &[&str]) {
+    let output = Command::new("git")
+        .args(args)
+        .current_dir(root)
+        .output()
+        .unwrap();
+    assert!(output.status.success(), "git {} failed", args.join(" "));
+}
+
+fn git_text(root: &Path, args: &[&str]) -> String {
+    let output = Command::new("git")
+        .args(args)
+        .current_dir(root)
+        .output()
+        .unwrap();
+    assert!(output.status.success());
+    String::from_utf8_lossy(&output.stdout).trim().to_string()
+}

package/package.json

@@ -1,8 +1,8 @@
 {
   "name": "@lamentis/naome",
-  "version": "1.1.1",
+  "version": "1.2.0",
   "description": "Native-first CLI for the NAOME agent harness.",
-  "license": "MIT",
+  "license": "Apache-2.0",
   "type": "module",
   "keywords": [
     "agent",

package/templates/naome-root/.naome/bin/check-harness-health.js

@@ -1,158 +1,141 @@
 #!/usr/bin/env node
 
-const { existsSync, readFileSync } = require("node:fs");
-const { createHash } = require("node:crypto");
-const { dirname, join, resolve } = require("node:path");
-const { spawnSync } = require("node:child_process");
+const fs = require("node:fs");
+const crypto = require("node:crypto");
+const childProcess = require("node:child_process");
+const path = require("node:path");
 
-const nativeBinaryRelativePath = process.platform === "win32" ? ".naome/bin/naome-rust.exe" : ".naome/bin/naome-rust";
+const nativeBinaryPath = process.platform === "win32" ? ".naome/bin/naome-rust.exe" : ".naome/bin/naome-rust";
 const nativeBinaryName = process.platform === "win32" ? "naome.exe" : "naome";
 
 const expectedMachineOwnedIntegrity = Object.freeze({
-  "AGENTS.md": "sha256:84ce882fa6798a144c8c74673d4304fc6bf235b1cc417f7649eea9f7461775de",
-  ".naome/package.json": "sha256:8005a3491db7d92f36ac66369861589f9c47123d3a7c71e643fc2c06168cd45a",
-  ".naome/bin/naome.js": "sha256:7894690ad47700a9a5e7ecb5a94ba42c1a12e2637d2c9f41f0023b1bd8bd22b6",
+  ".naome/bin/check-harness-health.js": "sha256:dc4de52b79c69600b9ba47b924e2c2b8de61a2cbfab6d1ccc0f1924d963db657",
   ".naome/bin/check-task-state.js": "sha256:43c02868072d0d13499aefba2e9a5ec9517d59539fd19ff0f11e3e4623a51b44",
-  ".naome/bin/check-harness-health.js": "sha256:dce2a380022dd63d86bd762869debafbc635ab3d7e8fae985e2d429d8ee437ad",
-  ".naome/task-contract.schema.json": "sha256:c806416d4944eaed6dc48b3760fd0dd5b9b5a7c9ab895697fe36b54c41c1332f",
-  "docs/naome/index.md": "sha256:d04691b25ed377c2a3aa2c56965d0db276539aeadcfdd2a2ec1be7ff7706dd6f",
+  ".naome/bin/naome.js": "sha256:5675f729be6da3cbda1d8b9e0b36821cc98409aae95dff0603ed9161a5eb3b38",
+  ".naome/package.json": "sha256:8005a3491db7d92f36ac66369861589f9c47123d3a7c71e643fc2c06168cd45a",
+  ".naome/task-contract.schema.json": "sha256:1b3b62350328d0d6d660e36d1d1baaa2b88718530db774f9ab2a9e2fcba369c8",
+  "AGENTS.md": "sha256:9192ea81f90bb19f8043513c49b5da9e9598ee694da8356f345e7ccbca0e28df",
+  "docs/naome/agent-workflow.md": "sha256:802eb34cf268fc9c5e7aefc28192efef4bf60302d30b3f78e5a61b876ce8a098",
+  "docs/naome/execution.md": "sha256:bfc5d55838942ec8e3d790b59e3c634ff5bf6a2298265cef3dca9788a097eafb",
   "docs/naome/first-run.md": "sha256:a1dd0bd17ec9d71955a473cd2c4a615538e89a7d81e8f4e1015a50ab9efe3558",
-  "docs/naome/agent-workflow.md": "sha256:43ba8a6814068e1b932b12a392de70b39841dc82df0acdaac459d6714c501b9d",
-  "docs/naome/execution.md": "sha256:ad66611b2878d1ba8fe05ddc4cfe9de7fd41de172a0de8295c36227a2700631a",
-  "docs/naome/upgrade.md": "sha256:2c60f0441bbd98bd528d109b30a7ded4b0ad55d61ffb9f52edac9e93b7999cb1",
-  ".naome/bin/naome-rust": "sha256:cc754ae59477577dfc0130cc21c286beaf3f19e2852278bb8f1e8724277eb44b"
+  "docs/naome/index.md": "sha256:7d917f1fa368874653bb458384bd9d0b221529e19644028a3143db3d3c144213",
+  "docs/naome/upgrade.md": "sha256:2c60f0441bbd98bd528d109b30a7ded4b0ad55d61ffb9f52edac9e93b7999cb1"
 });
 
-function main() {
-  const root = findHarnessRoot(process.cwd()) || resolve(__dirname, "..", "..");
-  const nativeBinary = resolveNativeDecisionBinary(root);
+const root = findRoot(process.cwd()) || path.resolve(__dirname, "..", "..");
+const binary = selectBinary(root);
+const result = childProcess.spawnSync(binary, ["check-harness-health", "--root", root], {
+  cwd: root,
+  encoding: "utf8",
+  env: {
+    ...process.env,
+    NAOME_EXPECTED_INTEGRITY_JSON: JSON.stringify(expectedMachineOwnedIntegrity)
+  },
+  stdio: "inherit"
+});
 
-  const result = spawnSync(nativeBinary, ["check-harness-health", "--root", root], {
-    cwd: root,
-    encoding: "utf8",
-    env: {
-      ...process.env,
-      NAOME_EXPECTED_INTEGRITY_JSON: JSON.stringify(expectedMachineOwnedIntegrity)
-    },
-    stdio: "inherit"
-  });
+process.exit(result.status === null ? 1 : result.status);
 
-  process.exit(result.status === null ? 1 : result.status);
-}
-
-function resolveNativeDecisionBinary(root) {
-  const expectedIntegrity = expectedNativeIntegrity(root);
+function selectBinary(rootDir) {
+  const wantedHash = manifestNativeHash(rootDir);
   const candidates = [
     process.env.NAOME_NATIVE_BIN,
-    join(root, nativeBinaryRelativePath),
-    join(root, "packages", "naome", "target", "release", nativeBinaryName),
-    join(root, "packages", "naome", "target", "debug", nativeBinaryName)
+    path.join(rootDir, nativeBinaryPath),
+    path.join(rootDir, "packages", "naome", "target", "release", nativeBinaryName),
+    path.join(rootDir, "packages", "naome", "target", "debug", nativeBinaryName)
   ].filter(Boolean);
 
   for (const candidate of candidates) {
-    if (isUsableNativeBinary(candidate, root, expectedIntegrity)) {
+    if (canRun(candidate, rootDir, wantedHash)) {
       return candidate;
     }
   }
 
-  if (expectedIntegrity) {
-    fail(`No runnable NAOME native harness health binary matched ${expectedIntegrity}. Run naome sync again.`);
+  if (wantedHash) {
+    stop(`No runnable NAOME native harness health binary matched ${wantedHash}. Run naome sync again.`);
   }
 
-  const built = buildSourceNativeBinary(root);
-  if (built && isUsableNativeBinary(built, root, null)) {
+  const built = buildFromSource(rootDir);
+  if (built && canRun(built, rootDir, null)) {
     return built;
   }
 
-  fail("NAOME native harness health binary is missing or incompatible. Run naome sync again.");
+  stop("NAOME native harness health binary is missing or incompatible. Run naome sync again.");
 }
 
-function expectedNativeIntegrity(root) {
-  if (isIntegrityHash(process.env.NAOME_EXPECTED_NATIVE_INTEGRITY)) {
+function manifestNativeHash(rootDir) {
+  if (isSha(process.env.NAOME_EXPECTED_NATIVE_INTEGRITY)) {
     return process.env.NAOME_EXPECTED_NATIVE_INTEGRITY;
   }
 
-  const manifestPath = join(root, ".naome", "manifest.json");
-  if (!existsSync(manifestPath)) {
-    return null;
-  }
-
-  let manifest;
   try {
-    manifest = JSON.parse(readFileSync(manifestPath, "utf8"));
+    const manifest = JSON.parse(fs.readFileSync(path.join(rootDir, ".naome", "manifest.json"), "utf8"));
+    return isSha(manifest.integrity?.[nativeBinaryPath]) ? manifest.integrity[nativeBinaryPath] : null;
   } catch {
     return null;
   }
-
-  const expected = manifest.integrity?.[nativeBinaryRelativePath];
-  if (!isIntegrityHash(expected)) {
-    return null;
-  }
-
-  return expected;
 }
 
-function isUsableNativeBinary(candidate, root, expectedIntegrity) {
-  if (!candidate || !existsSync(candidate)) {
+function canRun(candidate, rootDir, wantedHash) {
+  if (!candidate || !fs.existsSync(candidate)) {
     return false;
   }
 
-  if (expectedIntegrity) {
-    const actual = `sha256:${createHash("sha256").update(readFileSync(candidate)).digest("hex")}`;
-    if (actual !== expectedIntegrity) {
-      return false;
-    }
+  if (wantedHash && fileSha(candidate) !== wantedHash) {
+    return false;
   }
 
-  const probe = spawnSync(candidate, [], {
-    cwd: root,
+  const probe = childProcess.spawnSync(candidate, [], {
+    cwd: rootDir,
     encoding: "utf8",
     stdio: "ignore"
   });
   return !probe.error && probe.status !== null;
 }
 
-function buildSourceNativeBinary(root) {
-  const manifestPath = join(root, "packages", "naome", "Cargo.toml");
-  if (!existsSync(manifestPath)) {
+function buildFromSource(rootDir) {
+  const manifest = path.join(rootDir, "packages", "naome", "Cargo.toml");
+  if (!fs.existsSync(manifest)) {
     return null;
   }
 
-  const result = spawnSync("cargo", ["build", "--release", "--manifest-path", manifestPath, "-p", "naome-cli"], {
-    cwd: root,
+  const build = childProcess.spawnSync("cargo", ["build", "--release", "--manifest-path", manifest, "-p", "naome-cli"], {
+    cwd: rootDir,
     encoding: "utf8",
     stdio: "ignore"
   });
-  if (result.status !== 0) {
+  if (build.status !== 0) {
     return null;
   }
 
-  const builtPath = join(root, "packages", "naome", "target", "release", nativeBinaryName);
-  return existsSync(builtPath) ? builtPath : null;
+  const binaryPath = path.join(rootDir, "packages", "naome", "target", "release", nativeBinaryName);
+  return fs.existsSync(binaryPath) ? binaryPath : null;
 }
 
-function findHarnessRoot(startPath) {
-  let current = resolve(startPath);
-
-  while (true) {
-    if (existsSync(join(current, ".naome", "manifest.json"))) {
+function findRoot(startDir) {
+  for (let current = path.resolve(startDir); ;) {
+    if (fs.existsSync(path.join(current, ".naome", "manifest.json"))) {
       return current;
     }
 
-    const parent = dirname(current);
+    const parent = path.dirname(current);
     if (parent === current) {
       return null;
     }
-
     current = parent;
   }
 }
 
-function isIntegrityHash(value) {
+function isSha(value) {
   return typeof value === "string" && /^sha256:[a-f0-9]{64}$/.test(value);
 }
 
-function fail(message) {
+function fileSha(filePath) {
+  const digest = crypto.createHash("sha256").update(fs.readFileSync(filePath)).digest("hex");
+  return `sha256:${digest}`;
+}
+
+function stop(message) {
   console.error("NAOME harness health check failed.");
   console.error(`- ${message}`);
   console.error("");
@@ -160,5 +143,3 @@ function fail(message) {
   console.error("Run naome sync to repair machine-owned files after review.");
   process.exit(1);
 }
-
-main();