@lamentis/naome 1.1.2 → 1.2.0

package/crates/naome-core/src/verification.rs

@@ -1,10 +1,15 @@
+mod render;
+
 use std::collections::HashSet;
 use std::fs;
 use std::path::Path;
 
-use serde_json::Value;
+use serde_json::{json, Value};
 
 use crate::models::NaomeError;
+use render::{
+    indent_block, render_ordered_object, serialize_verification_preserving_order, CHECK_KEYS,
+};
 
 pub fn seed_builtin_verification_checks(root: &Path) -> Result<bool, NaomeError> {
     let verification_path = root.join(".naome").join("verification.json");
@@ -41,21 +46,37 @@ pub fn seed_builtin_verification_checks(root: &Path) -> Result<bool, NaomeError>
         }
     }
 
-    if missing_checks.is_empty() {
+    let wired_change_types = wire_repository_quality_check(verification_object);
+    let phases_added = ensure_default_phases(verification_object);
+
+    if missing_checks.is_empty() && !wired_change_types && !phases_added {
         return Ok(false);
     }
 
-    let next_content = match append_checks_preserving_layout(&original_content, &missing_checks) {
-        Some(content) => content,
-        None => {
-            let checks = verification_object
-                .get_mut("checks")
-                .and_then(serde_json::Value::as_array_mut)
-                .expect("checks must be an array after insertion");
-            for check in &missing_checks {
-                checks.push(check.value());
+    let next_content = if wired_change_types || phases_added {
+        let checks = verification_object
+            .get_mut("checks")
+            .and_then(serde_json::Value::as_array_mut)
+            .expect("checks must be an array after insertion");
+        for check in &missing_checks {
+            checks.push(check.value());
+        }
+        serialize_verification_preserving_order(&verification)
+            .unwrap_or_else(|| original_content.clone())
+    } else {
+        match append_checks_preserving_layout(&original_content, &missing_checks) {
+            Some(content) => content,
+            None => {
+                let checks = verification_object
+                    .get_mut("checks")
+                    .and_then(serde_json::Value::as_array_mut)
+                    .expect("checks must be an array after insertion");
+                for check in &missing_checks {
+                    checks.push(check.value());
+                }
+                serde_json::to_string_pretty(&verification)
+                    .unwrap_or_else(|_| original_content.clone())
             }
-            serde_json::to_string_pretty(&verification).unwrap_or_else(|_| original_content.clone())
         }
     };
 
@@ -63,14 +84,133 @@ pub fn seed_builtin_verification_checks(root: &Path) -> Result<bool, NaomeError>
     Ok(true)
 }
 
+fn ensure_default_phases(verification_object: &mut serde_json::Map<String, Value>) -> bool {
+    if verification_object
+        .get("phases")
+        .and_then(Value::as_array)
+        .is_some_and(|phases| !phases.is_empty())
+    {
+        return false;
+    }
+    verification_object.insert(
+        "phases".to_string(),
+        Value::Array(
+            default_phases()
+                .into_iter()
+                .map(|phase| phase.value())
+                .collect(),
+        ),
+    );
+    true
+}
+
+struct BuiltinPhase {
+    id: &'static str,
+    order: u32,
+    check_ids: &'static [&'static str],
+}
+
+impl BuiltinPhase {
+    fn value(&self) -> Value {
+        json!({ "id": self.id, "order": self.order, "checkIds": self.check_ids })
+    }
+}
+
+fn default_phases() -> Vec<BuiltinPhase> {
+    vec![
+        BuiltinPhase {
+            id: "shape-health",
+            order: 10,
+            check_ids: &["naome-harness-health", "naome-task-state"],
+        },
+        BuiltinPhase {
+            id: "quality",
+            order: 20,
+            check_ids: &["repository-quality-check"],
+        },
+        BuiltinPhase {
+            id: "diff-check",
+            order: 60,
+            check_ids: &["diff-check"],
+        },
+    ]
+}
+
+fn wire_repository_quality_check(verification_object: &mut serde_json::Map<String, Value>) -> bool {
+    let Some(change_types) = verification_object
+        .get_mut("changeTypes")
+        .and_then(Value::as_array_mut)
+    else {
+        return false;
+    };
+
+    let mut changed = false;
+    for change_type in change_types {
+        let Some(change_type_object) = change_type.as_object_mut() else {
+            continue;
+        };
+        if !change_type_object
+            .get("paths")
+            .is_some_and(|paths| paths.as_array().is_some_and(|paths| !paths.is_empty()))
+        {
+            continue;
+        }
+        let already_wired = ["requiredChecks", "recommendedChecks"].iter().any(|field| {
+            change_type_object
+                .get(*field)
+                .and_then(Value::as_array)
+                .is_some_and(|checks| {
+                    checks
+                        .iter()
+                        .any(|check| check.as_str() == Some("repository-quality-check"))
+                })
+        });
+        if already_wired {
+            continue;
+        }
+        if !change_type_object
+            .get("requiredChecks")
+            .is_some_and(Value::is_array)
+        {
+            change_type_object.insert("requiredChecks".to_string(), Value::Array(Vec::new()));
+        }
+        let Some(required_checks) = change_type_object
+            .get_mut("requiredChecks")
+            .and_then(Value::as_array_mut)
+        else {
+            continue;
+        };
+        required_checks.push(Value::String("repository-quality-check".to_string()));
+        changed = true;
+    }
+
+    changed
+}
+
 struct BuiltinCheck {
     id: &'static str,
-    content: &'static str,
+    command: &'static str,
+    purpose: &'static str,
+    evidence: &'static [&'static str],
 }
 
 impl BuiltinCheck {
     fn value(&self) -> Value {
-        serde_json::from_str(self.content).expect("built-in verification check must be valid JSON")
+        json!({
+            "id": self.id,
+            "command": self.command,
+            "cwd": ".",
+            "purpose": self.purpose,
+            "cost": "fast",
+            "source": "NAOME built-in",
+            "evidence": self.evidence,
+            "lastVerified": null
+        })
+    }
+
+    fn content(&self) -> String {
+        render_ordered_object(&self.value(), CHECK_KEYS)
+            .expect("built-in verification check must serialize as JSON")
     }
 }
 
@@ -78,47 +218,33 @@ fn builtin_checks() -> Vec<BuiltinCheck> {
     vec![
         BuiltinCheck {
             id: "diff-check",
-            content: r#"{
-  "id": "diff-check",
-  "command": "git diff --check",
-  "cwd": ".",
-  "purpose": "Reject whitespace errors in the current diff.",
-  "cost": "fast",
-  "source": "NAOME built-in",
-  "evidence": [],
-  "lastVerified": null
-}"#,
+            command: "git diff --check",
+            purpose: "Reject whitespace errors in the current diff.",
+            evidence: &[],
         },
         BuiltinCheck {
             id: "naome-harness-health",
-            content: r#"{
-  "id": "naome-harness-health",
-  "command": "node .naome/bin/check-harness-health.js",
-  "cwd": ".",
-  "purpose": "Validate the installed NAOME harness before feature work or task completion.",
-  "cost": "fast",
-  "source": "NAOME built-in",
-  "evidence": [
-    ".naome/bin/check-harness-health.js"
-  ],
-  "lastVerified": null
-}"#,
+            command: "node .naome/bin/check-harness-health.js",
+            purpose: "Validate the installed NAOME harness before feature work or task completion.",
+            evidence: &[".naome/bin/check-harness-health.js"],
         },
         BuiltinCheck {
             id: "naome-task-state",
-            content: r#"{
-  "id": "naome-task-state",
-  "command": "node .naome/bin/check-task-state.js",
-  "cwd": ".",
-  "purpose": "Validate the NAOME task-state contract for the current repository.",
-  "cost": "fast",
-  "source": "NAOME built-in",
-  "evidence": [
-    ".naome/bin/check-task-state.js",
-    ".naome/task-contract.schema.json"
-  ],
-  "lastVerified": null
-}"#,
+            command: "node .naome/bin/check-task-state.js",
+            purpose: "Validate the NAOME task-state contract for the current repository.",
+            evidence: &[
+                ".naome/bin/check-task-state.js",
+                ".naome/task-contract.schema.json",
+            ],
+        },
+        BuiltinCheck {
+            id: "repository-quality-check",
+            command: "node .naome/bin/naome.js quality check --changed",
+            purpose: "Validate changed files against deterministic NAOME repository quality rules.",
+            evidence: &[
+                ".naome/repository-quality.json",
+                ".naome/repository-quality-baseline.json",
+            ],
         },
     ]
 }
@@ -143,7 +269,7 @@ fn append_checks_preserving_layout(
         if index > 0 {
             insertion.push_str(",\n");
         }
-        insertion.push_str(&indent_block(check.content, &item_indent));
+        insertion.push_str(&indent_block(&check.content(), &item_indent));
     }
 
     insertion.push('\n');
@@ -207,11 +333,3 @@ fn line_indent_before(content: &str, index: usize) -> String {
         .take_while(|character| *character == ' ' || *character == '\t')
         .collect()
 }
-
-fn indent_block(content: &str, indent: &str) -> String {
-    content
-        .lines()
-        .map(|line| format!("{indent}{line}"))
-        .collect::<Vec<_>>()
-        .join("\n")
-}

package/crates/naome-core/src/verification_contract.rs

@@ -22,10 +22,12 @@ const ALLOWED_TOP_LEVEL_KEYS: &[&str] = &[
     "status",
     "lastUpdated",
     "checks",
+    "phases",
     "changeTypes",
     "releaseGates",
 ];
 const MAX_CHECKS: usize = 20;
+const MAX_PHASES: usize = 8;
 const MAX_CHANGE_TYPES: usize = 12;
 const MAX_RELEASE_GATES: usize = 10;
 
@@ -125,6 +127,12 @@ fn validate_contract_shape(contract: &Value, errors: &mut Vec<String>) {
     validate_array_limit(release_gates, "releaseGates", MAX_RELEASE_GATES, errors);
 
     let check_ids = validate_checks(checks, errors);
+    if let Some(phases) = object.get("phases").and_then(Value::as_array) {
+        validate_array_limit(phases, "phases", MAX_PHASES, errors);
+        validate_phases(phases, &check_ids, errors);
+    } else if object.get("phases").is_some() {
+        errors.push("phases must be an array when present.".to_string());
+    }
     validate_change_types(change_types, &check_ids, errors);
     validate_release_gates(release_gates, &check_ids, errors);
 
@@ -143,6 +151,26 @@ fn validate_contract_shape(contract: &Value, errors: &mut Vec<String>) {
     }
 }
 
+fn validate_phases(phases: &[Value], check_ids: &HashSet<String>, errors: &mut Vec<String>) {
+    let mut phase_ids = HashSet::new();
+    for (index, phase) in phases.iter().enumerate() {
+        let prefix = format!("phases[{index}]");
+        let Some(object) = phase.as_object() else {
+            errors.push(format!("{prefix} must be an object."));
+            continue;
+        };
+        match object.get("id").and_then(Value::as_str) {
+            Some(id) if is_id(id) && phase_ids.insert(id.to_string()) => {}
+            Some(id) if is_id(id) => errors.push(format!("{prefix}.id duplicates phase id: {id}")),
+            _ => errors.push(format!("{prefix}.id must be kebab-case lowercase.")),
+        }
+        if object.get("order").and_then(Value::as_u64).is_none() {
+            errors.push(format!("{prefix}.order must be a non-negative integer."));
+        }
+        validate_check_reference_array(object, "checkIds", &prefix, check_ids, errors, true);
+    }
+}
+
 fn validate_array<'a>(
     object: &'a serde_json::Map<String, Value>,
     name: &str,
@@ -327,22 +355,7 @@ fn require_string_array(
     prefix: &str,
     errors: &mut Vec<String>,
 ) {
-    let Some(values) = object.get(field).and_then(Value::as_array) else {
-        errors.push(format!(
-            "{prefix}.{field} must be a non-empty string array."
-        ));
-        return;
-    };
-
-    if values.is_empty()
-        || values
-            .iter()
-            .any(|value| !value.as_str().is_some_and(|entry| !entry.trim().is_empty()))
-    {
-        errors.push(format!(
-            "{prefix}.{field} must be a non-empty string array."
-        ));
-    }
+    require_string_array_shape(object, field, prefix, errors, true);
 }
 
 fn require_string_array_allow_empty(
@@ -350,20 +363,35 @@ fn require_string_array_allow_empty(
     field: &str,
     prefix: &str,
     errors: &mut Vec<String>,
+) {
+    require_string_array_shape(object, field, prefix, errors, false);
+}
+
+fn require_string_array_shape(
+    object: &serde_json::Map<String, Value>,
+    field: &str,
+    prefix: &str,
+    errors: &mut Vec<String>,
+    require_non_empty: bool,
 ) {
     let Some(values) = object.get(field).and_then(Value::as_array) else {
-        errors.push(format!("{prefix}.{field} must be a string array."));
+        errors.push(string_array_error(prefix, field, require_non_empty));
         return;
     };
 
-    if values
+    let invalid = values
         .iter()
-        .any(|value| !value.as_str().is_some_and(|entry| !entry.trim().is_empty()))
-    {
-        errors.push(format!("{prefix}.{field} must be a string array."));
+        .any(|value| !value.as_str().is_some_and(|entry| !entry.trim().is_empty()));
+    if invalid || (require_non_empty && values.is_empty()) {
+        errors.push(string_array_error(prefix, field, require_non_empty));
     }
 }
 
+fn string_array_error(prefix: &str, field: &str, require_non_empty: bool) -> String {
+    let qualifier = if require_non_empty { "non-empty " } else { "" };
+    format!("{prefix}.{field} must be a {qualifier}string array.")
+}
+
 fn is_id(value: &str) -> bool {
     let mut chars = value.chars();
     let Some(first) = chars.next() else {

package/crates/naome-core/src/workflow/integrity.rs

@@ -0,0 +1,123 @@
+use std::collections::{BTreeMap, BTreeSet};
+use std::fs;
+use std::path::Path;
+
+use serde::Serialize;
+use serde_json::Value;
+
+use crate::models::NaomeError;
+
+use super::integrity_normalize::integrity_hash;
+use super::integrity_support::refresh_support_files;
+#[cfg(windows)]
+const NATIVE_BINARY_PATH: &str = ".naome/bin/naome-rust.exe";
+#[cfg(not(windows))]
+const NATIVE_BINARY_PATH: &str = ".naome/bin/naome-rust";
+
+#[derive(Debug, Clone, PartialEq, Eq, Serialize)]
+#[serde(rename_all = "camelCase")]
+pub struct IntegrityRefreshReport {
+    pub schema: String,
+    pub updated: bool,
+    pub changed_paths: Vec<String>,
+    pub refreshed_integrity_paths: Vec<String>,
+}
+
+pub fn refresh_integrity(root: &Path) -> Result<IntegrityRefreshReport, NaomeError> {
+    let manifest_path = root.join(".naome/manifest.json");
+    let original_manifest = fs::read_to_string(&manifest_path)?;
+    let mut manifest: Value = serde_json::from_str(&original_manifest)?;
+    let refresh_paths = refresh_paths(root, &manifest);
+    let integrity = compute_integrity(root, &refresh_paths)?;
+    let changed_support_files = refresh_support_files(root, &integrity)?;
+    set_manifest_integrity(root, &mut manifest, &integrity);
+
+    let next_manifest = format!("{}\n", serde_json::to_string_pretty(&manifest)?);
+    let mut changed_paths = changed_support_files;
+    if next_manifest != original_manifest {
+        fs::write(&manifest_path, next_manifest)?;
+        changed_paths.push(".naome/manifest.json".to_string());
+    }
+    changed_paths.sort();
+    changed_paths.dedup();
+
+    Ok(IntegrityRefreshReport {
+        schema: "naome.integrity-refresh.v1".to_string(),
+        updated: !changed_paths.is_empty(),
+        changed_paths,
+        refreshed_integrity_paths: integrity.keys().cloned().collect(),
+    })
+}
+
+fn refresh_paths(root: &Path, manifest: &Value) -> Vec<String> {
+    let mut paths = BTreeSet::new();
+    add_string_array(manifest.get("machineOwned"), &mut paths);
+    if let Some(integrity) = manifest.get("integrity").and_then(Value::as_object) {
+        paths.extend(integrity.keys().cloned());
+    }
+    if root.join(NATIVE_BINARY_PATH).is_file() {
+        paths.insert(NATIVE_BINARY_PATH.to_string());
+    }
+    paths
+        .into_iter()
+        .filter(|path| root.join(path).is_file())
+        .collect()
+}
+
+fn add_string_array(value: Option<&Value>, paths: &mut BTreeSet<String>) {
+    if let Some(values) = value.and_then(Value::as_array) {
+        paths.extend(
+            values
+                .iter()
+                .filter_map(Value::as_str)
+                .map(ToString::to_string),
+        );
+    }
+}
+
+fn compute_integrity(
+    root: &Path,
+    refresh_paths: &[String],
+) -> Result<BTreeMap<String, String>, NaomeError> {
+    let mut integrity = BTreeMap::new();
+    for path in refresh_paths {
+        let content = fs::read(root.join(path))?;
+        integrity.insert(path.clone(), integrity_hash(path, &content));
+    }
+    Ok(integrity)
+}
+
+fn set_manifest_integrity(root: &Path, manifest: &mut Value, integrity: &BTreeMap<String, String>) {
+    let machine_owned = manifest
+        .get("machineOwned")
+        .and_then(Value::as_array)
+        .into_iter()
+        .flatten()
+        .filter_map(Value::as_str)
+        .map(ToString::to_string)
+        .collect::<BTreeSet<_>>();
+    let object = manifest
+        .as_object_mut()
+        .expect("manifest must be a JSON object after parsing");
+    let mut merged = object
+        .get("integrity")
+        .and_then(Value::as_object)
+        .map(|existing| {
+            existing
+                .iter()
+                .filter_map(|(path, hash)| {
+                    if root.join(path).is_file() || machine_owned.contains(path) {
+                        hash.as_str()
+                            .map(|hash| (path.clone(), Value::String(hash.to_string())))
+                    } else {
+                        None
+                    }
+                })
+                .collect::<serde_json::Map<String, Value>>()
+        })
+        .unwrap_or_default();
+    for (path, hash) in integrity {
+        merged.insert(path.clone(), Value::String(hash.clone()));
+    }
+    object.insert("integrity".to_string(), Value::Object(merged));
+}

package/crates/naome-core/src/workflow/integrity_normalize.rs

@@ -0,0 +1,7 @@
+pub(super) const HEALTH_CHECKER_PATH: &str = ".naome/bin/check-harness-health.js";
+pub(super) const TASK_STATE_CHECKER_PATH: &str = ".naome/bin/check-task-state.js";
+pub(super) const NAOME_COMMAND_PATH: &str = ".naome/bin/naome.js";
+
+pub(super) fn integrity_hash(relative_path: &str, content: &[u8]) -> String {
+    crate::harness_health::machine_integrity_hash(relative_path, content)
+}

package/crates/naome-core/src/workflow/integrity_support.rs

@@ -0,0 +1,110 @@
+use std::collections::BTreeMap;
+use std::fs;
+use std::path::Path;
+
+use crate::models::NaomeError;
+
+use super::integrity_normalize::{
+    HEALTH_CHECKER_PATH, NAOME_COMMAND_PATH, TASK_STATE_CHECKER_PATH,
+};
+
+#[cfg(windows)]
+const NATIVE_BINARY_PATH: &str = ".naome/bin/naome-rust.exe";
+#[cfg(not(windows))]
+const NATIVE_BINARY_PATH: &str = ".naome/bin/naome-rust";
+
+pub(super) fn refresh_support_files(
+    root: &Path,
+    integrity: &BTreeMap<String, String>,
+) -> Result<Vec<String>, NaomeError> {
+    let mut changed = Vec::new();
+    for path in [HEALTH_CHECKER_PATH, TASK_STATE_CHECKER_PATH] {
+        if replace_expected_integrity_block(root, path, integrity)? {
+            changed.push(path.to_string());
+        }
+    }
+    if replace_native_integrity(root, integrity)? {
+        changed.push(NAOME_COMMAND_PATH.to_string());
+    }
+    Ok(changed)
+}
+
+fn replace_expected_integrity_block(
+    root: &Path,
+    relative_path: &str,
+    integrity: &BTreeMap<String, String>,
+) -> Result<bool, NaomeError> {
+    let path = root.join(relative_path);
+    if !path.is_file() {
+        return Ok(false);
+    }
+    let original = fs::read_to_string(&path)?;
+    let Some(next) = expected_integrity_replacement(&original, integrity) else {
+        return Ok(false);
+    };
+    if next == original {
+        return Ok(false);
+    }
+    fs::write(path, next)?;
+    Ok(true)
+}
+
+fn expected_integrity_replacement(
+    content: &str,
+    integrity: &BTreeMap<String, String>,
+) -> Option<String> {
+    let marker = "const expectedMachineOwnedIntegrity = Object.freeze({\n";
+    let start = content.find(marker)?;
+    let after_start = start + marker.len();
+    let end = after_start + content[after_start..].find("\n});\n")? + "\n});\n".len();
+    let replacement = render_expected_integrity_block(integrity);
+    let mut next = String::with_capacity(content.len() + replacement.len());
+    next.push_str(&content[..start]);
+    next.push_str(&replacement);
+    next.push_str(&content[end..]);
+    Some(next)
+}
+
+fn render_expected_integrity_block(integrity: &BTreeMap<String, String>) -> String {
+    let body = integrity
+        .iter()
+        .map(|(path, hash)| format!("  {path:?}: {hash:?}"))
+        .collect::<Vec<_>>()
+        .join(",\n");
+    format!("const expectedMachineOwnedIntegrity = Object.freeze({{\n{body}\n}});\n")
+}
+
+fn replace_native_integrity(
+    root: &Path,
+    integrity: &BTreeMap<String, String>,
+) -> Result<bool, NaomeError> {
+    let Some(native_hash) = integrity.get(NATIVE_BINARY_PATH) else {
+        return Ok(false);
+    };
+    let path = root.join(NAOME_COMMAND_PATH);
+    if !path.is_file() {
+        return Ok(false);
+    }
+    let original = fs::read_to_string(&path)?;
+    let Some(next) = native_integrity_replacement(&original, native_hash) else {
+        return Ok(false);
+    };
+    if next == original {
+        return Ok(false);
+    }
+    fs::write(path, next)?;
+    Ok(true)
+}
+
+fn native_integrity_replacement(content: &str, native_hash: &str) -> Option<String> {
+    let prefix = "const expectedNativeBinaryIntegrity = \"";
+    let start = content.find(prefix)?;
+    let end = start + content[start..].find(";\n")? + ";\n".len();
+    let replacement = format!("const expectedNativeBinaryIntegrity = \"{native_hash}\";\n");
+    Some(format!(
+        "{}{}{}",
+        &content[..start],
+        replacement,
+        &content[end..]
+    ))
+}

package/crates/naome-core/src/workflow/mod.rs

@@ -0,0 +1,18 @@
+mod integrity;
+mod integrity_normalize;
+mod integrity_support;
+mod mutation;
+mod output;
+mod phase_inference;
+mod phases;
+mod policy;
+mod processes;
+mod types;
+
+pub use integrity::{refresh_integrity, IntegrityRefreshReport};
+pub use mutation::classify_mutations;
+pub use output::{summarize_command_output, CommandOutputSummary};
+pub use phases::{verification_phase_plan, CommandCheckResult, VerificationPhasePlan};
+pub use policy::{safe_rg_args, validate_read_boundaries, validate_search_command};
+pub use processes::{tracked_process_report, ProcessReport};
+pub use types::{MutationClassification, ReadActivity, WorkflowFinding};