@lamentis/naome 1.1.2 → 1.2.0

package/crates/naome-core/src/route.rs

@@ -14,6 +14,7 @@ use crate::intent::{evaluate_intent, IntentDecision};
 use crate::journal::{append_task_journal, TaskJournalEntry};
 use crate::models::{Decision, NaomeError};
 use crate::paths;
+use crate::quality::{check_repository_quality, QualityMode};
 use crate::task_state::{
     completed_task_commit_paths, completed_task_harness_refresh_diff, harness_refresh_diff,
     harness_refresh_with_unrelated_diff, validate_task_state, TaskStateMode, TaskStateOptions,
@@ -881,12 +882,47 @@ fn run_quality_check(root: &Path, check_id: &str, check: &QualityCheck) -> Resul
             require_builtin_quality_check(check_id, check, "npm run check:context-budget")?;
             run_context_budget_check(root)
         }
+        "repository-quality-check" => {
+            require_builtin_quality_check_any(
+                check_id,
+                check,
+                &[
+                    "naome quality check --changed",
+                    "node .naome/bin/naome.js quality check --changed",
+                    "npm run check:repository-quality",
+                ],
+            )?;
+            run_repository_quality_check(root)
+        }
         _ => Err(NaomeError::new(format!(
             "Quality check {check_id} is not a built-in safe check; NAOME will not execute repository-controlled verification commands."
         ))),
     }
 }
 
+fn require_builtin_quality_check_any(
+    check_id: &str,
+    check: &QualityCheck,
+    expected_commands: &[&str],
+) -> Result<(), NaomeError> {
+    if check.cwd == "."
+        && expected_commands
+            .iter()
+            .any(|expected_command| check.command == *expected_command)
+    {
+        return Ok(());
+    }
+
+    Err(NaomeError::new(format!(
+        "Quality check {check_id} has an unsafe command or cwd; expected one of [{}] with cwd `.`.",
+        expected_commands
+            .iter()
+            .map(|command| format!("`{command}`"))
+            .collect::<Vec<_>>()
+            .join(", ")
+    )))
+}
+
 fn require_builtin_quality_check(
     check_id: &str,
     check: &QualityCheck,
@@ -901,6 +937,32 @@ fn require_builtin_quality_check(
     )))
 }
 
+fn run_repository_quality_check(root: &Path) -> Result<(), NaomeError> {
+    let report = check_repository_quality(root, QualityMode::Changed)?;
+    if report.ok {
+        return Ok(());
+    }
+
+    let details = report
+        .violations
+        .iter()
+        .take(20)
+        .map(|violation| {
+            let location = violation
+                .line
+                .map(|line| format!("{}:{line}", violation.path))
+                .unwrap_or_else(|| violation.path.clone());
+            format!("{location} {}: {}", violation.check_id, violation.message)
+        })
+        .collect::<Vec<_>>()
+        .join("\n");
+    Err(NaomeError::new(format!(
+        "repository-quality-check failed with {} violation(s).\n{}",
+        report.violations.len(),
+        details
+    )))
+}
+
 fn run_harness_health_check(root: &Path) -> Result<(), NaomeError> {
     let errors = validate_harness_health(
         root,

package/crates/naome-core/src/task_state/admission.rs

@@ -0,0 +1,63 @@
+use std::path::Path;
+
+use serde_json::Value;
+
+use crate::models::NaomeError;
+
+use super::completion::validate_complete_task;
+use super::human_review_state::validate_human_review_state;
+use super::progress::{checked_status, validate_clean_git_diff};
+use super::shape::{
+    format_blocker, validate_active_task, validate_active_task_references, validate_blocker,
+    validate_idle_state,
+};
+pub(super) fn validate_admission(
+    task_state: &Value,
+    root: &Path,
+    errors: &mut Vec<String>,
+) -> Result<(), NaomeError> {
+    let status = checked_status(task_state, root, errors)?;
+    match status {
+        "idle" => validate_idle_state(task_state, errors),
+        "complete" => {
+            validate_active_task(task_state.get("activeTask"), errors);
+            validate_active_task_references(
+                task_state.get("activeTask"),
+                root,
+                errors,
+                Some(status),
+            )?;
+            validate_complete_task(
+                task_state.get("activeTask"),
+                task_state.get("blocker"),
+                root,
+                errors,
+                &mut Vec::new(),
+            )?;
+        }
+        "needs_human_review" => {
+            let start = errors.len();
+            validate_human_review_state(task_state, root, errors)?;
+            if errors.len() > start {
+                errors.push("Task admission is blocked because needs_human_review state is invalid; fix blocker paths and proof evidence before asking for a human decision.".to_string());
+            } else {
+                errors.push(format_blocker(
+                    "Task admission is blocked",
+                    task_state.get("blocker"),
+                ));
+            }
+        }
+        "blocked" => {
+            validate_blocker(task_state.get("blocker"), errors);
+            errors.push(format_blocker(
+                "Task admission is blocked",
+                task_state.get("blocker"),
+            ));
+        }
+        other => errors.push(format!(
+            "Task admission is blocked because task state is {other}."
+        )),
+    }
+
+    validate_clean_git_diff(task_state, root, errors)
+}

package/crates/naome-core/src/task_state/admission_proof.rs

@@ -0,0 +1,72 @@
+use std::path::Path;
+
+use serde_json::Value;
+
+use crate::models::NaomeError;
+
+use super::git_io::git_commit_exists;
+use super::util::{is_iso_datetime, require_string, require_string_array_allow_empty};
+
+pub(super) fn validate_admission_proof(
+    admission: Option<&Value>,
+    root: &Path,
+    errors: &mut Vec<String>,
+) -> Result<(), NaomeError> {
+    let Some(object) = admission.and_then(Value::as_object) else {
+        errors.push(
+            "activeTask.admission must be an object recorded from a passed admission check."
+                .to_string(),
+        );
+        return Ok(());
+    };
+    let prefix = "activeTask.admission";
+
+    require_string(object.get("command"), &format!("{prefix}.command"), errors);
+    require_string(object.get("cwd"), &format!("{prefix}.cwd"), errors);
+    require_string_array_allow_empty(
+        object.get("changedPaths"),
+        &format!("{prefix}.changedPaths"),
+        errors,
+    );
+    require_string(object.get("gitHead"), &format!("{prefix}.gitHead"), errors);
+
+    if object.get("command").and_then(Value::as_str)
+        != Some("node .naome/bin/check-task-state.js --admission")
+    {
+        errors.push(format!(
+            "{prefix}.command must be node .naome/bin/check-task-state.js --admission."
+        ));
+    }
+
+    if object.get("cwd").and_then(Value::as_str) != Some(".") {
+        errors.push(format!("{prefix}.cwd must be \".\"."));
+    }
+
+    match object.get("exitCode").and_then(Value::as_i64) {
+        Some(0) => {}
+        Some(_) => errors.push(format!("{prefix}.exitCode must be 0.")),
+        None => errors.push(format!("{prefix}.exitCode must be an integer.")),
+    }
+
+    if !object
+        .get("checkedAt")
+        .and_then(Value::as_str)
+        .is_some_and(is_iso_datetime)
+    {
+        errors.push(format!("{prefix}.checkedAt must be an ISO timestamp."));
+    }
+
+    if let Some(changed_paths) = object.get("changedPaths").and_then(Value::as_array) {
+        if !changed_paths.is_empty() {
+            errors.push(format!("{prefix}.changedPaths must be empty because task admission requires a clean git diff."));
+        }
+    }
+
+    if let Some(git_head) = object.get("gitHead").and_then(Value::as_str) {
+        if !git_head.trim().is_empty() && !git_commit_exists(root, git_head)? {
+            errors.push(format!("{prefix}.gitHead must be an existing git commit."));
+        }
+    }
+
+    Ok(())
+}

package/crates/naome-core/src/task_state/api.rs

@@ -0,0 +1,130 @@
+use std::path::Path;
+
+use serde_json::Value;
+
+use crate::models::NaomeError;
+
+use super::completion::{
+    validate_admission, validate_commit_gate, validate_complete_task, validate_progress,
+};
+use super::diff::validate_human_review_blocker_paths;
+use super::proof::validate_proof_evidence_covers_changed_paths;
+use super::reconcile::validate_push_gate;
+use super::shape::{
+    format_blocker, validate_active_task, validate_active_task_references, validate_blocker,
+    validate_idle_state, validate_pending_upgrade, validate_task_state_shape,
+};
+use super::task_diff_api::validate_harness_health_gate;
+use super::types::*;
+use super::util::read_json;
+pub fn validate_task_state(
+    root: &Path,
+    options: TaskStateOptions,
+) -> Result<TaskStateReport, NaomeError> {
+    let mut report = TaskStateReport {
+        errors: Vec::new(),
+        notices: Vec::new(),
+    };
+    let Some(task_state) = read_json(root, ".naome/task-state.json", &mut report.errors)? else {
+        return Ok(report);
+    };
+
+    validate_task_state_shape(&task_state, &mut report.errors);
+    let status = task_state
+        .get("status")
+        .and_then(Value::as_str)
+        .unwrap_or("invalid");
+    if !ALLOWED_STATUS.contains(&status) {
+        return Ok(report);
+    }
+
+    validate_harness_health_gate(root, &options, &mut report.errors)?;
+    if !report.errors.is_empty() {
+        return Ok(report);
+    }
+
+    if validate_requested_mode(&task_state, root, options.mode, &mut report)? {
+        return Ok(report);
+    }
+
+    if status == "idle" {
+        validate_idle_state(&task_state, &mut report.errors);
+        return Ok(report);
+    }
+
+    let active_error_start = report.errors.len();
+    validate_active_task(task_state.get("activeTask"), &mut report.errors);
+    validate_pending_upgrade(&task_state, root, &mut report.errors)?;
+    validate_active_task_references(
+        task_state.get("activeTask"),
+        root,
+        &mut report.errors,
+        Some(status),
+    )?;
+
+    if status == "needs_human_review" {
+        validate_blocker(task_state.get("blocker"), &mut report.errors);
+        validate_human_review_blocker_paths(
+            task_state.get("activeTask"),
+            task_state.get("blocker"),
+            root,
+            &mut report.errors,
+        )?;
+        validate_proof_evidence_covers_changed_paths(
+            task_state.get("activeTask"),
+            root,
+            &mut report.errors,
+        )?;
+        if report.errors.len() > active_error_start {
+            report.errors.push("needs_human_review task state is invalid; fix blocker paths and proof evidence before asking for a human decision.".to_string());
+        } else {
+            report.errors.push(format_blocker(
+                "Human review required",
+                task_state.get("blocker"),
+            ));
+        }
+        return Ok(report);
+    }
+
+    if status == "blocked" {
+        validate_blocker(task_state.get("blocker"), &mut report.errors);
+        report
+            .errors
+            .push(format_blocker("Task is blocked", task_state.get("blocker")));
+        return Ok(report);
+    }
+
+    if BLOCKING_STATUS.contains(&status) {
+        report.errors.push(format!(
+            "Task is still {status}; new work must wait until the active task is complete or resolved."
+        ));
+        return Ok(report);
+    }
+
+    validate_complete_task(
+        task_state.get("activeTask"),
+        task_state.get("blocker"),
+        root,
+        &mut report.errors,
+        &mut report.notices,
+    )?;
+    Ok(report)
+}
+
+fn validate_requested_mode(
+    task_state: &Value,
+    root: &Path,
+    mode: TaskStateMode,
+    report: &mut TaskStateReport,
+) -> Result<bool, NaomeError> {
+    match mode {
+        TaskStateMode::Admission => validate_admission(task_state, root, &mut report.errors)?,
+        TaskStateMode::Progress => validate_progress(task_state, root, &mut report.errors)?,
+        TaskStateMode::CommitGate => {
+            validate_commit_gate(task_state, root, &mut report.errors, &mut report.notices)?;
+        }
+        TaskStateMode::PushGate => validate_push_gate(task_state, &mut report.errors),
+        TaskStateMode::State => return Ok(false),
+    }
+    Ok(true)
+}

package/crates/naome-core/src/task_state/commit_gate.rs

@@ -0,0 +1,138 @@
+use std::path::Path;
+
+use serde_json::Value;
+
+use super::completion::validate_complete_task_against_entries;
+use super::diff::task_diff_from_entries;
+use super::git_io::read_git_staged_changed_entries;
+use super::process_guard::{validate_no_active_processes, ProcessGate};
+use super::progress::{validate_init_complete, validate_upgrade_complete};
+use super::reconcile::{
+    is_deterministic_harness_refresh_diff, is_harness_repair_diff,
+    is_install_or_upgrade_baseline_diff,
+};
+use super::shape::{
+    read_verification_check_ids, validate_active_task, validate_active_task_references,
+    validate_blocker, validate_pending_upgrade, validate_required_check_ids,
+};
+use super::types::ChangedEntry;
+use crate::models::NaomeError;
+pub(super) fn validate_commit_gate(
+    task_state: &Value,
+    root: &Path,
+    errors: &mut Vec<String>,
+    notices: &mut Vec<String>,
+) -> Result<(), NaomeError> {
+    let staged_entries = read_git_staged_changed_entries(root)?;
+    let changed_paths: Vec<String> = staged_entries
+        .iter()
+        .map(|entry| entry.path.clone())
+        .collect();
+    if changed_paths.is_empty() {
+        return Ok(());
+    }
+
+    let status = task_state
+        .get("status")
+        .and_then(Value::as_str)
+        .unwrap_or("invalid");
+    if status == "complete" && is_deterministic_harness_refresh_diff(&changed_paths) {
+        validate_pending_upgrade(task_state, root, errors)?;
+        validate_completed_task_for_harness_refresh(task_state, root, &staged_entries, errors)?;
+        return Ok(());
+    }
+
+    if status == "complete" {
+        validate_active_task(task_state.get("activeTask"), errors);
+        validate_active_task_references(task_state.get("activeTask"), root, errors, Some(status))?;
+        if !task_state.get("blocker").is_some_and(Value::is_null) {
+            errors.push("complete task state must have blocker set to null.".to_string());
+        }
+        if let Some(active_task) = task_state.get("activeTask") {
+            let check_ids = read_verification_check_ids(root, errors)?;
+            validate_required_check_ids(active_task, &check_ids, errors);
+            validate_no_active_processes(root, errors, ProcessGate::Commit)?;
+            validate_complete_task_against_entries(
+                active_task,
+                root,
+                &check_ids,
+                &staged_entries,
+                errors,
+            )?;
+            if errors.is_empty() {
+                notices.push(format!(
+                    "Commit gate accepted task-owned staged paths: {}.",
+                    changed_paths.join(", ")
+                ));
+            }
+        }
+        return Ok(());
+    }
+
+    if status == "idle" && is_install_or_upgrade_baseline_diff(root, &changed_paths)? {
+        return Ok(());
+    }
+
+    if status == "idle" && is_harness_repair_diff(root, &changed_paths)? {
+        return Ok(());
+    }
+
+    validate_init_complete(root, errors)?;
+    validate_upgrade_complete(root, errors)?;
+
+    if status == "idle" {
+        errors.push(format!("NAOME commit gate blocked: changed paths are not owned by a completed task state. Changed paths: {}. Finish a NAOME task and use naome commit, or reconcile the diff before committing.", changed_paths.join(", ")));
+        return Ok(());
+    }
+
+    if status == "blocked" || status == "needs_human_review" {
+        validate_blocker(task_state.get("blocker"), errors);
+    }
+
+    errors.push(format!("NAOME commit gate blocked because task state is {status}. Finish or revise the active task, set it to complete with fresh proof, then use naome commit. Human options: continue_current_task, request_task_changes, mark_task_blocked, cancel_task_state."));
+    Ok(())
+}
+
+pub(super) fn validate_completed_task_for_harness_refresh(
+    task_state: &Value,
+    root: &Path,
+    staged_entries: &[ChangedEntry],
+    errors: &mut Vec<String>,
+) -> Result<(), NaomeError> {
+    validate_active_task(task_state.get("activeTask"), errors);
+    validate_active_task_references(task_state.get("activeTask"), root, errors, Some("complete"))?;
+    if !task_state.get("blocker").is_some_and(Value::is_null) {
+        errors.push("complete task state must have blocker set to null.".to_string());
+    }
+
+    let Some(active_task) = task_state.get("activeTask") else {
+        return Ok(());
+    };
+
+    let check_ids = read_verification_check_ids(root, errors)?;
+    validate_required_check_ids(active_task, &check_ids, errors);
+
+    let mut validation_errors = Vec::new();
+    validate_no_active_processes(root, &mut validation_errors, ProcessGate::Commit)?;
+    validate_complete_task_against_entries(
+        active_task,
+        root,
+        &check_ids,
+        staged_entries,
+        &mut validation_errors,
+    )?;
+
+    let staged_harness_paths = task_diff_from_entries(active_task, staged_entries).outside_paths;
+    let allowed_scope_error = format!(
+        "Changed files outside allowedPaths: {}. Human options: request_scope_change, move_changes_to_new_task, revert_out_of_scope_changes.",
+        staged_harness_paths.join(", ")
+    );
+
+    errors.extend(
+        validation_errors
+            .into_iter()
+            .filter(|error| error != &allowed_scope_error),
+    );
+
+    Ok(())
+}

package/crates/naome-core/src/task_state/compact_proof.rs

@@ -0,0 +1,160 @@
+use std::collections::HashMap;
+use std::path::Path;
+
+use serde_json::Value;
+
+use crate::models::NaomeError;
+
+use super::proof::{
+    validate_control_state_paths, validate_evidence_array, validate_evidence_paths,
+};
+use super::proof_model::{CanonicalProof, VerificationDefaults};
+use super::proof_sources::read_path_sets;
+use super::util::{is_iso_datetime, require_string};
+
+pub(super) fn compact_proofs(
+    active_task: &Value,
+    root: &Path,
+    errors: &mut Vec<String>,
+    defaults: &HashMap<String, VerificationDefaults>,
+) -> Result<Vec<CanonicalProof>, NaomeError> {
+    let path_sets = read_path_sets(active_task, root, errors)?;
+    let Some(batches) = active_task.get("proofBatches") else {
+        return Ok(Vec::new());
+    };
+    let Some(batches) = batches.as_array() else {
+        errors.push("activeTask.proofBatches must be an array when present.".to_string());
+        return Ok(Vec::new());
+    };
+
+    let mut proofs = Vec::new();
+    for (batch_index, batch) in batches.iter().enumerate() {
+        let prefix = format!("activeTask.proofBatches[{batch_index}]");
+        let Some(batch_object) = batch.as_object() else {
+            errors.push(format!("{prefix} must be an object."));
+            continue;
+        };
+        let batch_checked_at = batch_object.get("checkedAt").and_then(Value::as_str);
+        if batch_checked_at.is_some_and(|value| !is_iso_datetime(value)) {
+            errors.push(format!("{prefix}.checkedAt must be an ISO timestamp."));
+        }
+        let batch_ref = batch_object.get("evidencePathSet").and_then(Value::as_str);
+        let Some(batch_proofs) = batch_object.get("proofs").and_then(Value::as_array) else {
+            errors.push(format!("{prefix}.proofs must be an array."));
+            continue;
+        };
+
+        for (proof_index, proof) in batch_proofs.iter().enumerate() {
+            let proof_prefix = format!("{prefix}.proofs[{proof_index}]");
+            if let Some(proof) = compact_proof(
+                proof,
+                &proof_prefix,
+                batch,
+                batch_checked_at,
+                batch_ref,
+                &path_sets,
+                defaults,
+                errors,
+            ) {
+                validate_evidence_paths(
+                    Some(&Value::Array(proof.evidence.clone())),
+                    &format!("{proof_prefix}.evidence"),
+                    root,
+                    errors,
+                    active_task,
+                )?;
+                proofs.push(proof);
+            }
+        }
+    }
+    Ok(proofs)
+}
+
+fn compact_proof(
+    proof: &Value,
+    prefix: &str,
+    batch: &Value,
+    batch_checked_at: Option<&str>,
+    batch_ref: Option<&str>,
+    path_sets: &HashMap<String, Vec<Value>>,
+    defaults: &HashMap<String, VerificationDefaults>,
+    errors: &mut Vec<String>,
+) -> Option<CanonicalProof> {
+    let object = proof.as_object()?;
+    let check_id = object.get("checkId").and_then(Value::as_str)?;
+    let defaults = defaults.get(check_id);
+    let command = resolved_text(proof, batch, "command")
+        .or_else(|| defaults.map(|check| check.command.as_str()));
+    let cwd =
+        resolved_text(proof, batch, "cwd").or_else(|| defaults.map(|check| check.cwd.as_str()));
+    let checked_at = object
+        .get("checkedAt")
+        .and_then(Value::as_str)
+        .or(batch_checked_at);
+    let evidence = resolved_evidence(proof, batch_ref, path_sets, prefix, errors);
+
+    require_string(object.get("checkId"), &format!("{prefix}.checkId"), errors);
+    if command.is_none() {
+        errors.push(format!(
+            "{prefix}.command must be explicit or resolvable from .naome/verification.json."
+        ));
+    }
+    if cwd.is_none() {
+        errors.push(format!(
+            "{prefix}.cwd must be explicit or resolvable from .naome/verification.json."
+        ));
+    }
+    let Some(exit_code) = object.get("exitCode").and_then(Value::as_i64) else {
+        errors.push(format!("{prefix}.exitCode must be an integer."));
+        return None;
+    };
+    let Some(checked_at) = checked_at else {
+        errors.push(format!("{prefix}.checkedAt must be an ISO timestamp."));
+        return None;
+    };
+    if !is_iso_datetime(checked_at) {
+        errors.push(format!("{prefix}.checkedAt must be an ISO timestamp."));
+    }
+    Some(CanonicalProof {
+        check_id: check_id.to_string(),
+        command: command?.to_string(),
+        cwd: cwd?.to_string(),
+        exit_code,
+        checked_at: checked_at.to_string(),
+        evidence: evidence?,
+    })
+}
+
+fn resolved_text<'a>(proof: &'a Value, batch: &'a Value, field: &str) -> Option<&'a str> {
+    proof
+        .get(field)
+        .and_then(Value::as_str)
+        .or_else(|| batch.get(field).and_then(Value::as_str))
+}
+
+fn resolved_evidence(
+    proof: &Value,
+    batch_ref: Option<&str>,
+    path_sets: &HashMap<String, Vec<Value>>,
+    prefix: &str,
+    errors: &mut Vec<String>,
+) -> Option<Vec<Value>> {
+    if let Some(evidence) = proof.get("evidence") {
+        validate_evidence_array(Some(evidence), &format!("{prefix}.evidence"), errors);
+        validate_control_state_paths(Some(evidence), &format!("{prefix}.evidence"), errors);
+        return evidence.as_array().cloned();
+    }
+    let path_set = proof
+        .get("evidencePathSet")
+        .and_then(Value::as_str)
+        .or(batch_ref);
+    match path_set.and_then(|name| path_sets.get(name)) {
+        Some(paths) => Some(paths.clone()),
+        None => {
+            errors.push(format!(
+                "{prefix}.evidence must be an evidence array or path-set reference."
+            ));
+            None
+        }
+    }
+}