@lamentis/naome 1.2.0 → 1.3.0

package/bin/naome-node.js

@@ -1,1582 +1,5 @@
 #!/usr/bin/env node
 
-import { chmodSync, copyFileSync, existsSync, lstatSync, mkdirSync, readdirSync, readFileSync, renameSync, statSync, unlinkSync, writeFileSync } from "node:fs";
-import { createHash } from "node:crypto";
-import { spawnSync } from "node:child_process";
-import { createInterface } from "node:readline/promises";
-import { stdin as input, stdout as output } from "node:process";
-import { dirname, join, relative, resolve } from "node:path";
-import { fileURLToPath } from "node:url";
+import { runNaomeNodeCli } from "../installer/main.js";
 
-const packageRoot = dirname(dirname(fileURLToPath(import.meta.url)));
-const templateRoot = join(packageRoot, "templates", "naome-root");
-const targetRoot = process.cwd();
-const packageVersion = JSON.parse(readFileSync(join(packageRoot, "package.json"), "utf8")).version;
-const installed = [];
-const archived = [];
-const updated = [];
-const skipped = [];
-const unsafeSkipped = [];
-const useColor = process.stdout.isTTY && process.env.NO_COLOR !== "1";
-const verboseOutput = process.argv.includes("--verbose");
-const healthCheckerRelativePath = ".naome/bin/check-harness-health.js";
-const taskStateCheckerRelativePath = ".naome/bin/check-task-state.js";
-const naomeCommandRelativePath = ".naome/bin/naome.js";
-const nativeBinaryName = process.platform === "win32" ? "naome.exe" : "naome";
-const nativeBinaryRelativePath = process.platform === "win32" ? ".naome/bin/naome-rust.exe" : ".naome/bin/naome-rust";
-const minimumSupportedUpgradeVersion = "0.6.1";
-const integrityBlockPattern = /^const expectedMachineOwnedIntegrity = Object\.freeze\(\{[\s\S]*?\n\}\);\n/m;
-const normalizedIntegrityBlock = "const expectedMachineOwnedIntegrity = Object.freeze({\n  __generated__: \"sha256:generated\"\n});\n";
-const nativeIntegrityPattern = /^const expectedNativeBinaryIntegrity = "(?:sha256:[a-f0-9]{64}|sha256:generated)";\n/m;
-const normalizedNativeIntegrity = 'const expectedNativeBinaryIntegrity = "sha256:generated";\n';
-
-let installPlan = null;
-let machineOwnedPaths = [];
-let projectOwnedPaths = [];
-let localOnlyMachineOwnedPaths = [];
-let localOnlyGitIgnoreEntries = [];
-let localOnlyGitExcludeEntries = [];
-let localOnlyGitUntrackPaths = [];
-
-const executableMachineOwnedPaths = new Set([
-  ".naome/bin/naome.js",
-  ".naome/bin/check-task-state.js",
-  ".naome/bin/check-harness-health.js",
-]);
-
-const color = {
-  bold: (value) => format(value, "1"),
-  dim: (value) => format(value, "2"),
-  green: (value) => format(value, "32"),
-  yellow: (value) => format(value, "33"),
-  red: (value) => format(value, "31"),
-};
-
-const firstRunPrompt = `Run the NAOME first-run protocol for this repository.
-
-Start by reading .naomeignore, then docs/naome/index.md, then .naome/init-state.json.
-Then read .naome/upgrade-state.json, .naome/task-state.json, and docs/naome/execution.md.
-Run node .naome/bin/check-harness-health.js before feature work.
-If initialized is false, follow docs/naome/first-run.md.
-Do not begin feature work until NAOME intake is complete.
-After intake, save the user's next natural-language request to a temporary prompt file, then run node .naome/bin/naome.js route --prompt-file <path> --execute --json.
-Follow userMessage, humanOptions, requiredContext, and canCreateTask from the route output before creating the requested task.`;
-
-let summaryTitle = "NAOME intake harness installed";
-let nextStepPrompt = firstRunPrompt;
-
-function format(value, code) {
-  return useColor ? `\u001b[${code}m${value}\u001b[0m` : value;
-}
-
-function walk(dir) {
-  const entries = readdirSync(dir, { withFileTypes: true });
-  const files = [];
-
-  for (const entry of entries) {
-    const fullPath = join(dir, entry.name);
-    if (entry.isDirectory()) {
-      files.push(...walk(fullPath));
-    } else if (entry.isFile()) {
-      files.push(fullPath);
-    }
-  }
-
-  return files;
-}
-
-function copyTemplateFile(sourcePath) {
-  const relativePath = relative(templateRoot, sourcePath);
-  const targetPath = join(targetRoot, relativePath);
-
-  if (hasSymlinkInTargetPath(relativePath)) {
-    skipped.push(relativePath);
-    unsafeSkipped.push(relativePath);
-    return;
-  }
-
-  if (existsSync(targetPath)) {
-    skipped.push(relativePath);
-    return;
-  }
-
-  mkdirSync(dirname(targetPath), { recursive: true });
-  copyFileSync(sourcePath, targetPath);
-  installed.push(relativePath);
-}
-
-function ensureExecutableMachineOwnedFiles() {
-  for (const relativePath of executableMachineOwnedPaths) {
-    const targetPath = join(targetRoot, relativePath);
-    if (!existsSync(targetPath) || hasSymlinkInTargetPath(relativePath)) {
-      continue;
-    }
-
-    chmodSync(targetPath, 0o755);
-  }
-}
-
-function configureGitHooks() {
-  const gitCheck = spawnSync("git", ["rev-parse", "--is-inside-work-tree"], {
-    cwd: targetRoot,
-    encoding: "utf8",
-  });
-
-  if (gitCheck.status !== 0 || gitCheck.stdout.trim() !== "true") {
-    skipped.push("local git hooks");
-    return;
-  }
-
-  const currentHooksPath = spawnSync("git", ["config", "--local", "--get", "core.hooksPath"], {
-    cwd: targetRoot,
-    encoding: "utf8",
-  });
-  const currentValue = currentHooksPath.status === 0 ? currentHooksPath.stdout.trim() : "";
-
-  if (currentValue && currentValue !== ".naome/git-hooks") {
-    skipped.push(`git core.hooksPath (${currentValue})`);
-    return;
-  }
-
-  if (currentValue === ".naome/git-hooks") {
-    const unsetResult = spawnSync("git", ["config", "--local", "--unset", "core.hooksPath"], {
-      cwd: targetRoot,
-      encoding: "utf8",
-    });
-
-    if (unsetResult.status !== 0) {
-      skipped.push("git core.hooksPath unset");
-      unsafeSkipped.push("git core.hooksPath unset");
-      return;
-    }
-
-    updated.push("git core.hooksPath unset");
-  }
-
-  const gitDirResult = spawnSync("git", ["rev-parse", "--absolute-git-dir"], {
-    cwd: targetRoot,
-    encoding: "utf8",
-  });
-
-  if (gitDirResult.status !== 0 || !gitDirResult.stdout.trim()) {
-    skipped.push("local git hooks");
-    unsafeSkipped.push("local git hooks");
-    return;
-  }
-
-  const gitDir = gitDirResult.stdout.trim();
-  const hooksDir = join(gitDir, "hooks");
-  mkdirSync(hooksDir, { recursive: true });
-
-  const localNative = installLocalGitNativeBinary(gitDir);
-  if (!localNative) {
-    skipped.push("local git hooks native binary");
-    unsafeSkipped.push("local git hooks native binary");
-    return;
-  }
-
-  installLocalGitHook(hooksDir, "pre-commit", "--commit-gate", localNative);
-  installLocalGitHook(hooksDir, "pre-push", "--push-gate", localNative);
-}
-
-function installLocalGitNativeBinary(gitDir) {
-  const sourcePath = findNativeDecisionBinary();
-  if (!sourcePath) {
-    return null;
-  }
-
-  const localDir = join(gitDir, "naome");
-  const localPath = join(localDir, process.platform === "win32" ? "naome-rust.exe" : "naome-rust");
-  const sourceContent = readFileSync(sourcePath);
-  const sourceHash = sha256(sourceContent);
-  mkdirSync(localDir, { recursive: true });
-
-  const currentHash = existsSync(localPath) && lstatSync(localPath).isFile() ? sha256(readFileSync(localPath)) : null;
-  if (currentHash !== sourceHash) {
-    copyFileSync(sourcePath, localPath);
-    updated.push(".git/naome/naome-rust");
-  } else {
-    skipped.push(".git/naome/naome-rust");
-  }
-
-  chmodSync(localPath, 0o755);
-  return {
-    path: localPath,
-    hash: sourceHash,
-  };
-}
-
-function installLocalGitHook(hooksDir, hookName, mode, localNative) {
-  const hookPath = join(hooksDir, hookName);
-  const nextContent = localGitHookContent(hookName, mode, localNative);
-
-  if (existsSync(hookPath)) {
-    const stats = lstatSync(hookPath);
-    if (stats.isSymbolicLink() || !stats.isFile()) {
-      skipped.push(`.git/hooks/${hookName}`);
-      unsafeSkipped.push(`.git/hooks/${hookName}`);
-      return;
-    }
-
-    const currentContent = readFileSync(hookPath, "utf8");
-    if (!currentContent.includes("NAOME managed local git hook")) {
-      skipped.push(`.git/hooks/${hookName}`);
-      return;
-    }
-
-    if (currentContent === nextContent) {
-      skipped.push(`.git/hooks/${hookName}`);
-      return;
-    }
-  }
-
-  writeFileSync(hookPath, nextContent);
-  chmodSync(hookPath, 0o755);
-  updated.push(`.git/hooks/${hookName}`);
-}
-
-function localGitHookContent(hookName, mode, localNative) {
-  const expectedIntegrityJson = JSON.stringify(templateIntegrity());
-  return `#!/bin/sh
-# NAOME managed local git hook: ${hookName}
-# Run naome sync after reviewing harness changes to refresh this hook.
-set -eu
-
-REPO_ROOT="$(git rev-parse --show-toplevel 2>/dev/null || pwd)"
-cd "$REPO_ROOT"
-
-NODE_BIN=${shellSingleQuote(process.execPath)}
-if [ ! -x "$NODE_BIN" ]; then
-  NODE_BIN="node"
-fi
-
-NATIVE_BIN=${shellSingleQuote(localNative.path)}
-EXPECTED_SHA=${shellSingleQuote(localNative.hash)}
-NAOME_EXPECTED_INTEGRITY_JSON=${shellSingleQuote(expectedIntegrityJson)}
-export NAOME_EXPECTED_INTEGRITY_JSON
-ACTUAL_SHA="$("$NODE_BIN" -e 'const fs = require("node:fs"); const crypto = require("node:crypto"); const file = process.argv[1]; process.stdout.write(crypto.createHash("sha256").update(fs.readFileSync(file)).digest("hex"));' "$NATIVE_BIN" 2>/dev/null || true)"
-
-if [ "$ACTUAL_SHA" != "$EXPECTED_SHA" ]; then
-  echo "NAOME hook refused to run because its local native binary integrity does not match the installed hook." >&2
-  echo "Run naome sync after reviewing harness changes." >&2
-  exit 1
-fi
-
-exec "$NATIVE_BIN" check-task-state --root "$REPO_ROOT" ${mode}
-`;
-}
-
-function shellSingleQuote(value) {
-  return `'${String(value).replace(/'/g, `'\\''`)}'`;
-}
-
-function installNativeDecisionBinary() {
-  const targetPath = join(targetRoot, nativeBinaryRelativePath);
-
-  if (hasSymlinkInTargetPath(nativeBinaryRelativePath)) {
-    skipped.push(nativeBinaryRelativePath);
-    unsafeSkipped.push(nativeBinaryRelativePath);
-    return;
-  }
-
-  const sourcePath = findNativeDecisionBinary();
-  if (!sourcePath) {
-    printError("NAOME native decision binary is unavailable.");
-    console.error("Install Cargo or provide NAOME_NATIVE_BIN with a built naome binary, then rerun naome sync.");
-    process.exit(1);
-  }
-
-  if (usesSourceNativeFallback()) {
-    patchNaomeCommandNativeIntegrity("sha256:generated");
-    skipped.push(nativeBinaryRelativePath);
-    return;
-  }
-
-  mkdirSync(dirname(targetPath), { recursive: true });
-  const sourceHash = sha256(readFileSync(sourcePath));
-  const targetHash = existsSync(targetPath) && lstatSync(targetPath).isFile() ? sha256(readFileSync(targetPath)) : null;
-
-  if (sourceHash !== targetHash) {
-    copyFileSync(sourcePath, targetPath);
-    updated.push(nativeBinaryRelativePath);
-  } else {
-    skipped.push(nativeBinaryRelativePath);
-  }
-
-  chmodSync(targetPath, 0o755);
-  patchNaomeCommandNativeIntegrity(`sha256:${sourceHash}`);
-}
-
-function findNativeDecisionBinary() {
-  const candidates = [];
-
-  if (process.env.NAOME_NATIVE_BIN) {
-    candidates.push(resolve(targetRoot, process.env.NAOME_NATIVE_BIN));
-  }
-
-  candidates.push(join(packageRoot, "native", `${process.platform}-${process.arch}`, nativeBinaryName));
-  candidates.push(join(packageRoot, "target", "release", nativeBinaryName));
-
-  for (const candidate of candidates) {
-    if (existsSync(candidate) && lstatSync(candidate).isFile()) {
-      return candidate;
-    }
-  }
-
-  return buildNativeDecisionBinary();
-}
-
-function loadInstallPlan() {
-  if (installPlan) {
-    return installPlan;
-  }
-
-  const nativePath = findNativeDecisionBinary();
-  if (!nativePath) {
-    printError("NAOME native installer policy is unavailable.");
-    console.error("Install Cargo or provide NAOME_NATIVE_BIN with a built naome binary, then rerun naome sync.");
-    process.exit(1);
-  }
-
-  const result = spawnSync(nativePath, ["install-plan", "--harness-version", packageVersion], {
-    cwd: targetRoot,
-    encoding: "utf8",
-  });
-
-  if (result.status !== 0) {
-    printError("NAOME could not load its Rust install plan.");
-    if (result.stdout.trim()) {
-      console.error(result.stdout.trim());
-    }
-    if (result.stderr.trim()) {
-      console.error(result.stderr.trim());
-    }
-    process.exit(1);
-  }
-
-  try {
-    installPlan = JSON.parse(result.stdout);
-  } catch (error) {
-    printError("NAOME Rust install plan is not valid JSON.");
-    console.error(error.message);
-    process.exit(1);
-  }
-
-  assertInstallPlanArray("machineOwned");
-  assertInstallPlanArray("projectOwned");
-  assertInstallPlanArray("localOnlyMachineOwned");
-  assertInstallPlanArray("gitignoreEntries");
-  assertInstallPlanArray("gitExcludeEntries");
-  assertInstallPlanArray("gitUntrackPaths");
-
-  machineOwnedPaths = installPlan.machineOwned;
-  projectOwnedPaths = installPlan.projectOwned;
-  localOnlyMachineOwnedPaths = installPlan.localOnlyMachineOwned;
-  localOnlyGitIgnoreEntries = installPlan.gitignoreEntries;
-  localOnlyGitExcludeEntries = installPlan.gitExcludeEntries;
-  localOnlyGitUntrackPaths = installPlan.gitUntrackPaths;
-
-  return installPlan;
-}
-
-function assertInstallPlanArray(key) {
-  if (!Array.isArray(installPlan?.[key]) || installPlan[key].some((entry) => typeof entry !== "string" || entry.length === 0)) {
-    printError(`NAOME Rust install plan has invalid ${key}.`);
-    process.exit(1);
-  }
-}
-
-function buildNativeDecisionBinary() {
-  const manifestPath = join(packageRoot, "Cargo.toml");
-  if (!existsSync(manifestPath)) {
-    return null;
-  }
-
-  const result = spawnSync("cargo", ["build", "--release", "--manifest-path", manifestPath, "-p", "naome-cli"], {
-    cwd: packageRoot,
-    encoding: "utf8",
-  });
-
-  if (result.status !== 0) {
-    skipped.push("native decision binary build");
-    return null;
-  }
-
-  const builtPath = join(packageRoot, "target", "release", nativeBinaryName);
-  return existsSync(builtPath) && lstatSync(builtPath).isFile() ? builtPath : null;
-}
-
-function patchNaomeCommandNativeIntegrity(expectedIntegrity) {
-  const commandPath = join(targetRoot, naomeCommandRelativePath);
-  if (!existsSync(commandPath) || hasSymlinkInTargetPath(naomeCommandRelativePath)) {
-    return;
-  }
-
-  const content = readFileSync(commandPath, "utf8");
-  const nextContent = content.replace(
-    nativeIntegrityPattern,
-    `const expectedNativeBinaryIntegrity = "${expectedIntegrity}";\n`
-  );
-
-  if (nextContent !== content) {
-    writeFileSync(commandPath, nextContent);
-    updated.push(naomeCommandRelativePath);
-  }
-}
-
-function patchInstalledMachineOwnedIntegrity() {
-  const integrityBlock = formatExpectedIntegrityBlock(templateIntegrity());
-
-  for (const relativePath of [healthCheckerRelativePath, taskStateCheckerRelativePath]) {
-    const targetPath = join(targetRoot, relativePath);
-    if (!existsSync(targetPath) || hasSymlinkInTargetPath(relativePath)) {
-      continue;
-    }
-
-    const content = readFileSync(targetPath, "utf8");
-    const nextContent = content.replace(integrityBlockPattern, integrityBlock);
-    if (nextContent !== content) {
-      writeFileSync(targetPath, nextContent);
-      updated.push(relativePath);
-    }
-  }
-}
-
-function formatExpectedIntegrityBlock(integrity) {
-  const entries = Object.entries(integrity)
-    .map(([relativePath, expectedHash]) => `  ${JSON.stringify(relativePath)}: ${JSON.stringify(expectedHash)}`)
-    .join(",\n");
-  return `const expectedMachineOwnedIntegrity = Object.freeze({\n${entries}\n});\n`;
-}
-
-function usesSourceNativeFallback() {
-  return existsSync(join(targetRoot, "packages", "naome", "Cargo.toml"))
-    && existsSync(join(targetRoot, "packages", "naome", "crates", "naome-cli", "src", "main.rs"));
-}
-
-function patchManifestDate() {
-  const manifestPath = join(targetRoot, ".naome", "manifest.json");
-  if (
-    !existsSync(manifestPath) ||
-    skipped.includes(".naome/manifest.json") ||
-    hasSymlinkInTargetPath(".naome/manifest.json")
-  ) {
-    return;
-  }
-
-  const manifest = JSON.parse(readFileSync(manifestPath, "utf8"));
-  applyManifestHealthMetadata(manifest);
-  manifest.installedAt = new Date().toISOString();
-  writeFileSync(manifestPath, `${JSON.stringify(manifest, null, 2)}\n`);
-}
-
-function readExistingInstall() {
-  const manifestPath = join(targetRoot, ".naome", "manifest.json");
-  if (!existsSync(manifestPath)) {
-    return null;
-  }
-
-  if (hasSymlinkInTargetPath(".naome/manifest.json")) {
-    printError("NAOME cannot read .naome/manifest.json safely.");
-    console.error(".naome/manifest.json must be a regular file.");
-    process.exit(1);
-  }
-
-  let manifest;
-  try {
-    manifest = JSON.parse(readFileSync(manifestPath, "utf8"));
-  } catch (error) {
-    printError("NAOME manifest is not valid JSON.");
-    console.error(error.message);
-    process.exit(1);
-  }
-
-  if (!isVersion(manifest.harnessVersion)) {
-    printError("NAOME manifest has no valid harnessVersion.");
-    console.error(".naome/manifest.json must contain a semver harnessVersion.");
-    process.exit(1);
-  }
-
-  return {
-    manifest,
-    version: manifest.harnessVersion,
-  };
-}
-
-async function runFreshInstall() {
-  await confirmAgentsTakeover();
-
-  for (const sourcePath of walk(templateRoot)) {
-    copyTemplateFile(sourcePath);
-  }
-
-  installNativeDecisionBinary();
-  patchInstalledMachineOwnedIntegrity();
-  ensureBuiltInVerificationChecks();
-  patchManifestDate();
-  ensureCompleteUpgradeState(null);
-  ensureArchiveDirectory();
-  takeoverExistingAgents();
-  ensureLocalOnlySourceControlBoundary();
-}
-
-function runExistingInstall(existingInstall) {
-  const comparison = compareVersions(existingInstall.version, packageVersion);
-
-  if (comparison > 0) {
-    printError("This repository already uses a newer NAOME harness.");
-    console.error(`Installed: v${existingInstall.version}`);
-    console.error(`Package:   v${packageVersion}`);
-    console.error("Run `naome update`, then rerun `naome sync` from the repository root.");
-    process.exit(1);
-  }
-
-  if (comparison < 0) {
-    if (compareVersions(existingInstall.version, minimumSupportedUpgradeVersion) < 0) {
-      rejectUnsupportedHistoricalInstall(existingInstall.version);
-    }
-
-    ensureArchiveDirectory();
-    runRepair(existingInstall.version, { fromVersion: existingInstall.version });
-  } else {
-    ensureArchiveDirectory();
-    runRepair(existingInstall.version);
-  }
-}
-
-function rejectUnsupportedHistoricalInstall(version) {
-  printError("Installed NAOME harness version is outside the supported upgrade range.");
-  console.error(`Installed: v${version}`);
-  console.error(`Package:   v${packageVersion}`);
-  console.error(`Minimum supported upgrade version: v${minimumSupportedUpgradeVersion}`);
-  console.error("Create a clean NAOME baseline instead of upgrading a pre-Rust harness in place.");
-  process.exit(1);
-}
-
-function runRepair(version, options = {}) {
-  summaryTitle = "NAOME harness checked";
-  ensureCoreHarnessFiles(`repair-${version}`);
-  ensureTaskControlHarnessFiles(`repair-${version}`);
-  ensureHarnessHealthFiles(`repair-${version}`);
-  installNativeDecisionBinary();
-  patchInstalledMachineOwnedIntegrity();
-  ensureBuiltInVerificationChecks();
-  ensureTestingProofHarnessSections();
-  refreshManifestHealthMetadata();
-  ensureCompleteUpgradeState(options.fromVersion ?? null);
-  ensureLocalOnlySourceControlBoundary();
-}
-
-function readUpgradeState() {
-  const relativePath = ".naome/upgrade-state.json";
-  const targetPath = join(targetRoot, relativePath);
-
-  if (!existsSync(targetPath)) {
-    return null;
-  }
-
-  if (hasSymlinkInTargetPath(relativePath)) {
-    printError("NAOME cannot read .naome/upgrade-state.json safely.");
-    process.exit(1);
-  }
-
-  try {
-    return JSON.parse(readFileSync(targetPath, "utf8"));
-  } catch (error) {
-    printError("NAOME upgrade state is not valid JSON.");
-    console.error(error.message);
-    process.exit(1);
-  }
-}
-
-function ensureCoreHarnessFiles(archiveDirName) {
-  ensureNaomeIgnore();
-  ensureTemplateFile(".naome/verification.json");
-  replaceHarnessFile("AGENTS.md", archiveDirName);
-  replaceHarnessFile("docs/naome/index.md", archiveDirName);
-  replaceHarnessFile("docs/naome/first-run.md", archiveDirName);
-  replaceHarnessFile("docs/naome/agent-workflow.md", archiveDirName);
-  ensureTemplateFile("docs/naome/security.md");
-  replaceHarnessFile("docs/naome/upgrade.md", archiveDirName);
-}
-
-function ensureTaskControlHarnessFiles(archiveDirName) {
-  ensureTemplateFile(".naome/task-state.json");
-  replaceHarnessFile(".naome/task-contract.schema.json", archiveDirName);
-  replaceHarnessFile(".naome/bin/check-task-state.js", archiveDirName);
-  replaceHarnessFile("AGENTS.md", archiveDirName);
-  replaceHarnessFile("docs/naome/index.md", archiveDirName);
-  replaceHarnessFile("docs/naome/agent-workflow.md", archiveDirName);
-  replaceHarnessFile("docs/naome/execution.md", archiveDirName);
-  replaceHarnessFile("docs/naome/upgrade.md", archiveDirName);
-}
-
-function ensureHarnessHealthFiles(archiveDirName) {
-  replaceHarnessFile("AGENTS.md", archiveDirName);
-  replaceHarnessFile(".naome/package.json", archiveDirName);
-  replaceHarnessFile(".naome/bin/naome.js", archiveDirName);
-  replaceHarnessFile(".naome/bin/check-task-state.js", archiveDirName);
-  replaceHarnessFile(".naome/bin/check-harness-health.js", archiveDirName);
-  removeBranchControlledHookShim(".naome/git-hooks/pre-commit", archiveDirName);
-  removeBranchControlledHookShim(".naome/git-hooks/pre-push", archiveDirName);
-  replaceHarnessFile(".naome/task-contract.schema.json", archiveDirName);
-  replaceHarnessFile("docs/naome/index.md", archiveDirName);
-  replaceHarnessFile("docs/naome/first-run.md", archiveDirName);
-  replaceHarnessFile("docs/naome/agent-workflow.md", archiveDirName);
-  replaceHarnessFile("docs/naome/execution.md", archiveDirName);
-  ensureTemplateFile("docs/naome/security.md");
-  replaceHarnessFile("docs/naome/upgrade.md", archiveDirName);
-  ensureNaomeIgnore();
-}
-
-function removeBranchControlledHookShim(relativePath, archiveDirName) {
-  const targetPath = join(targetRoot, relativePath);
-  if (!existsSync(targetPath)) {
-    skipped.push(relativePath);
-    return;
-  }
-
-  if (hasSymlinkInTargetPath(relativePath) || !lstatSync(targetPath).isFile()) {
-    skipped.push(relativePath);
-    unsafeSkipped.push(relativePath);
-    return;
-  }
-
-  const archivePath = archiveUpgradePath(archiveDirName, relativePath);
-  mkdirSync(dirname(archivePath), { recursive: true });
-  copyFileSync(targetPath, archivePath);
-  unlinkSync(targetPath);
-  updated.push(relativePath);
-  archived.push({
-    from: relativePath,
-    to: relative(targetRoot, archivePath),
-  });
-}
-
-function ensureTemplateFile(relativePath) {
-  const sourcePath = join(templateRoot, relativePath);
-  const targetPath = join(targetRoot, relativePath);
-
-  if (hasSymlinkInTargetPath(relativePath)) {
-    printError(`NAOME cannot write ${relativePath} safely.`);
-    console.error(`${relativePath} must be a regular file or must not exist.`);
-    process.exit(1);
-  }
-
-  if (existsSync(targetPath)) {
-    if (!lstatSync(targetPath).isFile()) {
-      printError(`NAOME cannot write ${relativePath} because that path is not a file.`);
-      process.exit(1);
-    }
-
-    skipped.push(relativePath);
-    return;
-  }
-
-  mkdirSync(dirname(targetPath), { recursive: true });
-  copyFileSync(sourcePath, targetPath);
-  installed.push(relativePath);
-}
-
-function ensureBuiltInVerificationChecks() {
-  const relativePath = ".naome/verification.json";
-  const targetPath = join(targetRoot, relativePath);
-
-  if (hasSymlinkInTargetPath(relativePath)) {
-    printError("NAOME cannot update .naome/verification.json safely.");
-    console.error(".naome/verification.json must be a regular file or must not exist.");
-    process.exit(1);
-  }
-
-  if (!existsSync(targetPath)) {
-    mkdirSync(dirname(targetPath), { recursive: true });
-    copyFileSync(join(templateRoot, relativePath), targetPath);
-    installed.push(relativePath);
-  }
-
-  if (!lstatSync(targetPath).isFile()) {
-    printError("NAOME cannot update .naome/verification.json because that path is not a file.");
-    process.exit(1);
-  }
-
-  const nativePath = usesSourceNativeFallback()
-    ? findNativeDecisionBinary()
-    : join(targetRoot, nativeBinaryRelativePath);
-  if (
-    !nativePath ||
-    !existsSync(nativePath) ||
-    (!usesSourceNativeFallback() && hasSymlinkInTargetPath(nativeBinaryRelativePath)) ||
-    !lstatSync(nativePath).isFile()
-  ) {
-    printError("NAOME native decision binary is unavailable for verification seeding.");
-    console.error(`Expected ${nativeBinaryRelativePath} to be installed before seeding verification checks.`);
-    process.exit(1);
-  }
-
-  const result = spawnSync(nativePath, ["seed-verification"], {
-    cwd: targetRoot,
-    encoding: "utf8",
-  });
-
-  if (result.status !== 0) {
-    printError("NAOME could not seed built-in verification checks.");
-    if (result.stdout.trim()) {
-      console.error(result.stdout.trim());
-    }
-    if (result.stderr.trim()) {
-      console.error(result.stderr.trim());
-    }
-    process.exit(1);
-  }
-
-  if (!result.stdout.includes("updated")) {
-    skipped.push(relativePath);
-    return;
-  }
-
-  removeSkipped(relativePath);
-  updated.push(relativePath);
-}
-
-function replaceHarnessFile(relativePath, archiveDirName) {
-  const sourcePath = join(templateRoot, relativePath);
-  const targetPath = join(targetRoot, relativePath);
-
-  if (hasSymlinkInTargetPath(relativePath)) {
-    printError(`NAOME cannot update ${relativePath} safely.`);
-    console.error(`${relativePath} must be a regular file or must not exist.`);
-    process.exit(1);
-  }
-
-  if (!existsSync(targetPath)) {
-    mkdirSync(dirname(targetPath), { recursive: true });
-    copyFileSync(sourcePath, targetPath);
-    installed.push(relativePath);
-    return;
-  }
-
-  if (!lstatSync(targetPath).isFile()) {
-    printError(`NAOME cannot update ${relativePath} because that path is not a file.`);
-    process.exit(1);
-  }
-
-  const nextContent = readFileSync(sourcePath);
-  const currentContent = readFileSync(targetPath);
-  if (currentContent.equals(nextContent)) {
-    skipped.push(relativePath);
-    return;
-  }
-
-  if (
-    !hasGeneratedIntegrity(relativePath) &&
-    machineFileHash(relativePath, currentContent) === machineFileHash(relativePath, nextContent)
-  ) {
-    skipped.push(relativePath);
-    return;
-  }
-
-  const archivePath = archiveUpgradePath(archiveDirName, relativePath);
-  mkdirSync(dirname(archivePath), { recursive: true });
-  copyFileSync(targetPath, archivePath);
-  writeFileSync(targetPath, nextContent);
-  updated.push(relativePath);
-  archived.push({
-    from: relativePath,
-    to: relative(targetRoot, archivePath),
-  });
-}
-
-function hasGeneratedIntegrity(relativePath) {
-  return relativePath === healthCheckerRelativePath || relativePath === taskStateCheckerRelativePath;
-}
-
-function archiveUpgradePath(archiveDirName, relativePath) {
-  return join(targetRoot, ".naome", "archive", archiveDirName, relativePath);
-}
-
-function ensureNaomeIgnore() {
-  const relativePath = ".naomeignore";
-  const sourcePath = join(templateRoot, relativePath);
-  const targetPath = join(targetRoot, relativePath);
-
-  if (hasSymlinkInTargetPath(relativePath)) {
-    printError("NAOME cannot write .naomeignore safely.");
-    console.error(".naomeignore must be a regular file or must not exist.");
-    process.exit(1);
-  }
-
-  if (!existsSync(targetPath)) {
-    copyFileSync(sourcePath, targetPath);
-    installed.push(relativePath);
-    return;
-  }
-
-  if (!lstatSync(targetPath).isFile()) {
-    printError("NAOME cannot update .naomeignore because that path is not a file.");
-    process.exit(1);
-  }
-
-  const content = readFileSync(targetPath, "utf8");
-  if (content.split(/\r?\n/).some((line) => line.trim() === ".naome/archive/")) {
-    skipped.push(relativePath);
-    return;
-  }
-
-  writeFileSync(targetPath, `${content.trimEnd()}\n\n.naome/archive/\n`);
-  updated.push(relativePath);
-}
-
-function ensureLocalOnlySourceControlBoundary() {
-  if (!isInsideGitWorkTree()) {
-    ensureLocalOnlyGitIgnoreFallback();
-    skipped.push("local git exclude");
-    skipped.push("local-only git index cleanup");
-    return;
-  }
-
-  cleanupLegacyLocalOnlyGitIgnore();
-  ensureLocalOnlyGitExclude();
-  untrackLocalOnlyGitPaths();
-}
-
-function ensureLocalOnlyGitIgnoreFallback() {
-  const relativePath = ".gitignore";
-  const targetPath = join(targetRoot, relativePath);
-
-  if (hasSymlinkInTargetPath(relativePath)) {
-    printError("NAOME cannot write .gitignore safely.");
-    console.error(".gitignore must be a regular file or must not exist.");
-    process.exit(1);
-  }
-
-  if (existsSync(targetPath) && !lstatSync(targetPath).isFile()) {
-    printError("NAOME cannot update .gitignore because that path is not a file.");
-    process.exit(1);
-  }
-
-  const content = existsSync(targetPath) ? readFileSync(targetPath, "utf8") : "";
-  const existingLines = new Set(content.split(/\r?\n/).map((line) => line.trim()));
-  const missingEntries = legacyLocalOnlyGitIgnoreEntries().filter((entry) => !existingLines.has(entry));
-
-  if (missingEntries.length === 0) {
-    skipped.push(relativePath);
-    return;
-  }
-
-  const nextContent = `${content.trimEnd()}${content.trimEnd() ? "\n\n" : ""}${missingEntries.join("\n")}\n`;
-  writeFileSync(targetPath, nextContent);
-  if (content.length === 0) {
-    installed.push(relativePath);
-  } else {
-    updated.push(relativePath);
-  }
-}
-
-function cleanupLegacyLocalOnlyGitIgnore() {
-  const relativePath = ".gitignore";
-  const targetPath = join(targetRoot, relativePath);
-
-  if (!existsSync(targetPath)) {
-    skipped.push(relativePath);
-    return;
-  }
-
-  if (hasSymlinkInTargetPath(relativePath)) {
-    printError("NAOME cannot clean up .gitignore safely.");
-    console.error(".gitignore must be a regular file or must not exist.");
-    process.exit(1);
-  }
-
-  if (!lstatSync(targetPath).isFile()) {
-    printError("NAOME cannot update .gitignore because that path is not a file.");
-    process.exit(1);
-  }
-
-  const content = readFileSync(targetPath, "utf8");
-  const legacyEntries = new Set(legacyLocalOnlyGitIgnoreEntries());
-  const nextContent = cleanBlankLines(content
-    .split(/\r?\n/)
-    .filter((line) => !legacyEntries.has(line.trim()))
-    .join("\n"));
-
-  if (nextContent === content) {
-    skipped.push(relativePath);
-    return;
-  }
-
-  if (nextContent.trim().length === 0) {
-    unlinkSync(targetPath);
-  } else {
-    writeFileSync(targetPath, nextContent);
-  }
-  updated.push(relativePath);
-}
-
-function ensureLocalOnlyGitExclude() {
-  if (!isInsideGitWorkTree()) {
-    skipped.push("local git exclude");
-    return;
-  }
-
-  const gitDirResult = spawnSync("git", ["rev-parse", "--absolute-git-dir"], {
-    cwd: targetRoot,
-    encoding: "utf8",
-  });
-
-  if (gitDirResult.status !== 0 || !gitDirResult.stdout.trim()) {
-    skipped.push("local git exclude");
-    unsafeSkipped.push("local git exclude");
-    return;
-  }
-
-  const excludePath = join(gitDirResult.stdout.trim(), "info", "exclude");
-  mkdirSync(dirname(excludePath), { recursive: true });
-
-  if (existsSync(excludePath) && !lstatSync(excludePath).isFile()) {
-    printError("NAOME cannot update local git exclude because that path is not a file.");
-    process.exit(1);
-  }
-
-  const content = existsSync(excludePath) ? readFileSync(excludePath, "utf8") : "";
-  const existingLines = new Set(content.split(/\r?\n/).map((line) => line.trim()));
-  const missingEntries = localOnlyGitExcludeEntries.filter((entry) => !existingLines.has(entry));
-
-  if (missingEntries.length === 0) {
-    skipped.push(".git/info/exclude");
-    return;
-  }
-
-  const nextContent = `${content.trimEnd()}${content.trimEnd() ? "\n\n" : ""}${missingEntries.join("\n")}\n`;
-  writeFileSync(excludePath, nextContent);
-  updated.push(".git/info/exclude");
-}
-
-function legacyLocalOnlyGitIgnoreEntries() {
-  return [
-    "# NAOME local machine-owned harness files.",
-    ".naome/archive/",
-    ".naome/bin/naome-rust*",
-    ...localOnlyMachineOwnedPaths,
-    ...localOnlyGitIgnoreEntries,
-  ];
-}
-
-function cleanBlankLines(content) {
-  const lines = content.split(/\r?\n/);
-  const cleaned = [];
-
-  for (const line of lines) {
-    if (line.trim() === "" && cleaned.at(-1)?.trim() === "") {
-      continue;
-    }
-    cleaned.push(line);
-  }
-
-  const trimmed = cleaned.join("\n").trimEnd();
-  return trimmed ? `${trimmed}\n` : "";
-}
-
-function untrackLocalOnlyGitPaths() {
-  if (!isInsideGitWorkTree()) {
-    skipped.push("local-only git index cleanup");
-    return;
-  }
-
-  const tracked = trackedLocalOnlyGitPaths();
-  if (tracked.length === 0) {
-    skipped.push("local-only git index cleanup");
-    return;
-  }
-
-  const result = spawnSync("git", ["rm", "--cached", "-q", "--", ...tracked], {
-    cwd: targetRoot,
-    encoding: "utf8",
-  });
-
-  if (result.status !== 0) {
-    printError("NAOME could not remove local-only harness files from the git index.");
-    if (result.stdout.trim()) {
-      console.error(result.stdout.trim());
-    }
-    if (result.stderr.trim()) {
-      console.error(result.stderr.trim());
-    }
-    process.exit(1);
-  }
-
-  updated.push(...tracked.map((path) => `git index: ${path}`));
-}
-
-function isInsideGitWorkTree() {
-  const result = spawnSync("git", ["rev-parse", "--is-inside-work-tree"], {
-    cwd: targetRoot,
-    encoding: "utf8",
-  });
-
-  return result.status === 0 && result.stdout.trim() === "true";
-}
-
-function trackedLocalOnlyGitPaths() {
-  const result = spawnSync("git", ["ls-files", "-z", "--", ...localOnlyGitUntrackPaths], {
-    cwd: targetRoot,
-    encoding: "utf8",
-  });
-
-  if (result.status !== 0) {
-    printError("NAOME could not inspect tracked local-only harness files.");
-    if (result.stderr.trim()) {
-      console.error(result.stderr.trim());
-    }
-    process.exit(1);
-  }
-
-  return result.stdout.split("\0").filter(Boolean);
-}
-
-function ensureTestingProofHarnessSections() {
-  const relativePath = "docs/naome/testing.md";
-  const targetPath = join(targetRoot, relativePath);
-
-  if (hasSymlinkInTargetPath(relativePath)) {
-    printError("NAOME cannot update docs/naome/testing.md safely.");
-    console.error("docs/naome/testing.md must be a regular file or must not exist.");
-    process.exit(1);
-  }
-
-  if (!existsSync(targetPath)) {
-    mkdirSync(dirname(targetPath), { recursive: true });
-    copyFileSync(join(templateRoot, relativePath), targetPath);
-    installed.push(relativePath);
-    return;
-  }
-
-  if (!lstatSync(targetPath).isFile()) {
-    printError("NAOME cannot update docs/naome/testing.md because that path is not a file.");
-    process.exit(1);
-  }
-
-  let content = readFileSync(targetPath, "utf8");
-  const originalContent = content;
-  const sections = [
-    ["## Verification Map", "\n| Change type | Required proof | Command | Notes |\n|---|---|---|---|\n| Unknown | Unknown | Unknown | Fill during NAOME upgrade. |\n"],
-    ["## Known Checks", "\n| Check id | Command | Cwd | Cost | Last verified |\n|---|---|---|---|---|\n| Unknown | Unknown | Unknown | Unknown | Unknown |\n"],
-    ["## Change Type Rules", "\n| Change type | Paths | Required checks |\n|---|---|---|\n| Unknown | Unknown | Unknown |\n"],
-    ["## Release Gates", "\n| Check id | Required when |\n|---|---|\n| Unknown | Before release, when applicable. |\n"],
-    ["## Rules", "\n- Mirror durable entries in `.naome/verification.json`.\n- Use only commands proven by repository files, CI, or user confirmation.\n- Report exact commands and results. Do not claim proof that did not run.\n"],
-    ["## Evidence", "\n- Unknown.\n"],
-  ];
-
-  for (const [heading, body] of sections) {
-    if (!hasMarkdownHeading(content, heading)) {
-      content = `${content.trimEnd()}\n\n${heading}\n${body}`;
-    }
-  }
-
-  if (content !== originalContent) {
-    writeFileSync(targetPath, content.endsWith("\n") ? content : `${content}\n`);
-    updated.push(relativePath);
-  } else {
-    skipped.push(relativePath);
-  }
-}
-
-function hasMarkdownHeading(content, heading) {
-  return content.split(/\r?\n/).some((line) => line.trim() === heading);
-}
-
-function writeUpgradeState(state) {
-  const relativePath = ".naome/upgrade-state.json";
-  const targetPath = join(targetRoot, relativePath);
-
-  assertWritableUpgradeStatePath();
-
-  mkdirSync(dirname(targetPath), { recursive: true });
-  writeFileSync(targetPath, `${JSON.stringify(state, null, 2)}\n`);
-  updated.push(relativePath);
-}
-
-function ensureCompleteUpgradeState(fromVersion = null) {
-  const existingUpgradeState = readUpgradeState();
-  if (
-    existingUpgradeState?.status === "complete" &&
-    existingUpgradeState?.toVersion === packageVersion &&
-    (fromVersion === null || existingUpgradeState?.fromVersion === fromVersion) &&
-    Array.isArray(existingUpgradeState.pending) &&
-    existingUpgradeState.pending.length === 0 &&
-    Array.isArray(existingUpgradeState.completed)
-  ) {
-    skipped.push(".naome/upgrade-state.json");
-    return;
-  }
-
-  writeUpgradeState({
-    status: "complete",
-    fromVersion,
-    toVersion: packageVersion,
-    pending: [],
-    completed: [],
-    updatedAt: new Date().toISOString(),
-  });
-}
-
-function assertWritableUpgradeStatePath() {
-  const relativePath = ".naome/upgrade-state.json";
-  const targetPath = join(targetRoot, relativePath);
-
-  if (hasSymlinkInTargetPath(relativePath)) {
-    printError("NAOME cannot write .naome/upgrade-state.json safely.");
-    console.error(".naome/upgrade-state.json must be a regular file or must not exist.");
-    process.exit(1);
-  }
-
-  if (existsSync(targetPath) && !lstatSync(targetPath).isFile()) {
-    printError("NAOME cannot write .naome/upgrade-state.json because that path is not a file.");
-    console.error(".naome/upgrade-state.json must be a regular file or must not exist.");
-    process.exit(1);
-  }
-}
-
-function refreshManifestHealthMetadata() {
-  const relativePath = ".naome/manifest.json";
-  const targetPath = join(targetRoot, relativePath);
-
-  if (hasSymlinkInTargetPath(relativePath)) {
-    printError("NAOME cannot write .naome/manifest.json safely.");
-    console.error(".naome/manifest.json must be a regular file.");
-    process.exit(1);
-  }
-
-  if (!existsSync(targetPath) || !lstatSync(targetPath).isFile()) {
-    printError("NAOME cannot write .naome/manifest.json because that path is not a file.");
-    process.exit(1);
-  }
-
-  const manifest = JSON.parse(readFileSync(targetPath, "utf8"));
-  const originalContent = JSON.stringify(manifest, null, 2);
-  applyManifestHealthMetadata(manifest);
-  const nextContent = JSON.stringify(manifest, null, 2);
-
-  if (nextContent === originalContent) {
-    skipped.push(relativePath);
-    return;
-  }
-
-  writeFileSync(targetPath, `${nextContent}\n`);
-  updated.push(relativePath);
-}
-
-function applyManifestHealthMetadata(manifest) {
-  manifest.harnessVersion = packageVersion;
-  manifest.machineOwned = [...machineOwnedPaths];
-  manifest.projectOwned = projectOwnedPaths;
-  manifest.integrity = templateIntegrity();
-
-  const nativeHash = installedNativeBinaryHash();
-  if (!usesSourceNativeFallback() && nativeHash) {
-    if (!manifest.machineOwned.includes(nativeBinaryRelativePath)) {
-      manifest.machineOwned.push(nativeBinaryRelativePath);
-    }
-    manifest.integrity[nativeBinaryRelativePath] = `sha256:${nativeHash}`;
-  }
-}
-
-function installedNativeBinaryHash() {
-  const targetPath = join(targetRoot, nativeBinaryRelativePath);
-  if (!existsSync(targetPath) || hasSymlinkInTargetPath(nativeBinaryRelativePath) || !lstatSync(targetPath).isFile()) {
-    return null;
-  }
-
-  return sha256(readFileSync(targetPath));
-}
-
-function templateIntegrity() {
-  const integrity = {};
-
-  for (const relativePath of machineOwnedPaths) {
-    const sourcePath = join(templateRoot, relativePath);
-    integrity[relativePath] = `sha256:${machineFileHash(relativePath, readFileSync(sourcePath))}`;
-  }
-
-  return integrity;
-}
-
-function sha256(content) {
-  return createHash("sha256").update(content).digest("hex");
-}
-
-function machineFileHash(relativePath, content) {
-  let normalized = content;
-
-  if (hasGeneratedIntegrity(relativePath)) {
-    normalized = normalized.toString("utf8").replace(integrityBlockPattern, normalizedIntegrityBlock);
-  }
-
-  if (relativePath === naomeCommandRelativePath) {
-    normalized = normalized.toString("utf8").replace(nativeIntegrityPattern, normalizedNativeIntegrity);
-  }
-
-  return sha256(normalized);
-}
-
-function ensureArchiveDirectory() {
-  const archivePath = ".naome/archive";
-  const targetPath = join(targetRoot, archivePath);
-  if (hasSymlinkInTargetPath(archivePath)) {
-    printError("NAOME cannot create .naome/archive safely.");
-    console.error(".naome/archive must be a regular directory or must not exist.");
-    process.exit(1);
-  }
-
-  if (existsSync(targetPath)) {
-    if (!lstatSync(targetPath).isDirectory()) {
-      printError("NAOME cannot create .naome/archive because that path is not a directory.");
-      console.error(".naome/archive must be a regular directory or must not exist.");
-      process.exit(1);
-    }
-
-    skipped.push(`${archivePath}/`);
-    return;
-  }
-
-  mkdirSync(targetPath, { recursive: true });
-  installed.push(`${archivePath}/`);
-}
-
-function hasAgentsTakeoverCandidate() {
-  const agentsPath = join(targetRoot, "AGENTS.md");
-  if (!existsSync(agentsPath)) {
-    return false;
-  }
-
-  if (hasSymlinkInTargetPath("AGENTS.md")) {
-    return true;
-  }
-
-  return readFileSync(agentsPath, "utf8") !== readFileSync(join(templateRoot, "AGENTS.md"), "utf8");
-}
-
-async function confirmAgentsTakeover() {
-  if (!hasAgentsTakeoverCandidate()) {
-    return;
-  }
-
-  if (hasSymlinkInTargetPath("AGENTS.md")) {
-    printError("NAOME cannot take over AGENTS.md because it is a symlink.");
-    console.error("Replace the symlink with a regular file before installing NAOME.");
-    process.exit(1);
-  }
-
-  if (!process.stdin.isTTY || process.env.CI === "true") {
-    printError("AGENTS.md already exists.");
-    console.error("NAOME must replace AGENTS.md to become the active harness entrypoint.");
-    console.error("Run this installer in an interactive terminal and confirm the takeover.");
-    process.exit(1);
-  }
-
-  printSection("AGENTS.md takeover required");
-  console.log(`${color.dim("existing")} AGENTS.md`);
-  console.log(`${color.dim("archive ")} .naome/archive/AGENTS.pre-naome.md`);
-  console.log(`${color.dim("replace ")} AGENTS.md with the NAOME entrypoint`);
-  console.log(`${color.dim("ignore  ")} .naome/archive/ via .naomeignore`);
-  console.log("");
-
-  const rl = createInterface({ input, output });
-  const answer = await rl.question(`${color.yellow("?")} Replace AGENTS.md and continue installation? (y/N) `);
-  rl.close();
-
-  if (answer.trim().toLowerCase() !== "y") {
-    printCancelled("NAOME was not installed. AGENTS.md was left unchanged.");
-    process.exit(1);
-  }
-
-  assertArchiveDirectoryAvailableForTakeover();
-}
-
-function takeoverExistingAgents() {
-  const agentsPath = join(targetRoot, "AGENTS.md");
-  if (!existsSync(agentsPath)) {
-    return;
-  }
-
-  if (hasSymlinkInTargetPath("AGENTS.md")) {
-    return;
-  }
-
-  const templateAgentsPath = join(templateRoot, "AGENTS.md");
-  const templateAgents = readFileSync(templateAgentsPath, "utf8");
-  const existingAgents = readFileSync(agentsPath, "utf8");
-
-  if (existingAgents === templateAgents) {
-    return;
-  }
-
-  const archivePath = nextArchivePath("AGENTS.pre-naome.md");
-
-  if (!archivePath) {
-    printError("AGENTS.md already exists, but NAOME could not archive it safely.");
-    console.error("AGENTS.md was left unchanged.");
-    process.exit(1);
-  }
-
-  renameSync(agentsPath, archivePath);
-  copyFileSync(templateAgentsPath, agentsPath);
-  removeSkipped("AGENTS.md");
-  installed.push("AGENTS.md");
-  archived.push({
-    from: "AGENTS.md",
-    to: relative(targetRoot, archivePath),
-  });
-}
-
-function removeSkipped(relativePath) {
-  const index = skipped.indexOf(relativePath);
-  if (index !== -1) {
-    skipped.splice(index, 1);
-  }
-}
-
-function nextArchivePath(baseName) {
-  const archiveDir = ".naome/archive";
-
-  if (!isArchiveDirectoryAvailable()) {
-    skipped.push(`${archiveDir}/${baseName}`);
-    unsafeSkipped.push(`${archiveDir}/${baseName}`);
-    return null;
-  }
-
-  mkdirSync(join(targetRoot, archiveDir), { recursive: true });
-
-  for (let index = 0; index < 1000; index += 1) {
-    const fileName = index === 0 ? baseName : baseName.replace(/\.md$/, `.${index}.md`);
-    const archivePath = join(targetRoot, archiveDir, fileName);
-
-    if (!existsSync(archivePath)) {
-      return archivePath;
-    }
-  }
-
-  return null;
-}
-
-function assertArchiveDirectoryAvailableForTakeover() {
-  if (isArchiveDirectoryAvailable()) {
-    return;
-  }
-
-  printError("NAOME cannot archive AGENTS.md safely.");
-  console.error(".naome/archive must be a regular directory or must not exist.");
-  console.error("Fix that path before installing NAOME.");
-  process.exit(1);
-}
-
-function isArchiveDirectoryAvailable() {
-  const parts = [".naome", "archive"];
-  let current = targetRoot;
-
-  for (const part of parts) {
-    current = join(current, part);
-    try {
-      const stats = lstatSync(current);
-      if (stats.isSymbolicLink() || !stats.isDirectory()) {
-        return false;
-      }
-    } catch (error) {
-      if (error.code === "ENOENT") {
-        return true;
-      }
-      throw error;
-    }
-  }
-
-  return true;
-}
-
-function hasSymlinkInTargetPath(relativePath) {
-  const parts = relativePath.split(/[\\/]+/);
-  let current = targetRoot;
-
-  for (const part of parts) {
-    current = join(current, part);
-    try {
-      if (lstatSync(current).isSymbolicLink()) {
-        return true;
-      }
-    } catch (error) {
-      if (error.code === "ENOENT") {
-        continue;
-      }
-      throw error;
-    }
-  }
-
-  return false;
-}
-
-function assertTemplateRoot() {
-  if (!existsSync(templateRoot) || !statSync(templateRoot).isDirectory()) {
-    printError("NAOME installer templates are missing from this package.");
-    process.exit(1);
-  }
-}
-
-function printHeader() {
-  console.log("");
-  console.log(`${color.bold("NAOME")} ${color.dim(`v${packageVersion}`)}`);
-  console.log(color.dim("AI coding-agent harness installer"));
-  console.log("");
-  console.log(`${color.dim("target  ")} ${targetRoot}`);
-}
-
-function printSection(title) {
-  console.log("");
-  console.log(color.bold(title));
-}
-
-function printList(items, marker) {
-  for (const item of uniqueStrings(items)) {
-    console.log(`${color.dim(marker)} ${item}`);
-  }
-}
-
-function uniqueStrings(items) {
-  return Array.from(new Set(items));
-}
-
-function printError(message) {
-  console.error("");
-  console.error(`${color.red("x")} ${message}`);
-}
-
-function printCancelled(message) {
-  console.log("");
-  console.log(`${color.yellow("-")} ${message}`);
-}
-
-function printSummary() {
-  console.log("");
-  console.log(`${color.green("+")} ${summaryTitle}`);
-
-  const detailedOutput = shouldPrintDetailedSummary();
-  if (!detailedOutput) {
-    printCompactSummary();
-  }
-
-  if (detailedOutput && installed.length > 0) {
-    const installedItems = uniqueStrings(installed);
-    printSection(`Installed ${installedItems.length} ${installedItems.length === 1 ? "item" : "items"}`);
-    printList(installed, "+");
-  }
-
-  if (detailedOutput && updated.length > 0) {
-    const updatedItems = uniqueStrings(updated);
-    printSection(`Updated ${updatedItems.length} ${updatedItems.length === 1 ? "item" : "items"}`);
-    printList(updated, "~");
-  }
-
-  if (detailedOutput && archived.length > 0) {
-    printSection("Archived");
-    for (const entry of archived) {
-      console.log(`${color.dim(">")} ${entry.from} -> ${entry.to}`);
-    }
-  }
-
-  if (detailedOutput && skipped.length > 0) {
-    const skippedItems = uniqueStrings(skipped);
-    printSection(`Skipped ${skippedItems.length} existing ${skippedItems.length === 1 ? "path" : "paths"}`);
-    printList(skipped, "-");
-  }
-
-  if (unsafeSkipped.length > 0) {
-    printSection("Skipped unsafe symlinked paths");
-    printList(unsafeSkipped, "!");
-  }
-
-  if (isRepositoryInitialized()) {
-    console.log("");
-    return;
-  }
-
-  printSection("Next step");
-  console.log("Copy this into your coding agent:");
-  console.log("");
-  console.log(color.dim("```"));
-  console.log(nextStepPrompt);
-  console.log(color.dim("```"));
-  console.log("");
-}
-
-function shouldPrintDetailedSummary() {
-  return verboseOutput || !existingInstall;
-}
-
-function printCompactSummary() {
-  const installedCount = uniqueStrings(installed).length;
-  const updatedCount = uniqueStrings(updated).length;
-  const archivedCount = archived.length;
-
-  if (installedCount > 0) {
-    console.log(`${color.dim("installed")} ${installedCount}`);
-  }
-  if (updatedCount > 0) {
-    console.log(`${color.dim("updated")} ${updatedCount}`);
-  }
-  if (archivedCount > 0) {
-    console.log(`${color.dim("archived")} ${archivedCount}`);
-  }
-}
-
-function isRepositoryInitialized() {
-  try {
-    const initState = JSON.parse(readFileSync(join(targetRoot, ".naome", "init-state.json"), "utf8"));
-    return initState.initialized === true;
-  } catch {
-    return false;
-  }
-}
-
-assertTemplateRoot();
-loadInstallPlan();
-
-printHeader();
-const existingInstall = readExistingInstall();
-
-if (existingInstall) {
-  runExistingInstall(existingInstall);
-} else {
-  await runFreshInstall();
-}
-
-ensureExecutableMachineOwnedFiles();
-configureGitHooks();
-printSummary();
-
-function compareVersions(left, right) {
-  const leftParts = parseVersion(left);
-  const rightParts = parseVersion(right);
-
-  for (let index = 0; index < 3; index += 1) {
-    if (leftParts[index] > rightParts[index]) {
-      return 1;
-    }
-
-    if (leftParts[index] < rightParts[index]) {
-      return -1;
-    }
-  }
-
-  return 0;
-}
-
-function parseVersion(version) {
-  const match = /^(\d+)\.(\d+)\.(\d+)$/.exec(version);
-  if (!match) {
-    printError(`Invalid NAOME version: ${version}`);
-    process.exit(1);
-  }
-
-  return match.slice(1).map((part) => Number.parseInt(part, 10));
-}
-
-function isVersion(version) {
-  return typeof version === "string" && /^\d+\.\d+\.\d+$/.test(version);
-}
+await runNaomeNodeCli();