@lamentis/naome 1.2.1 → 1.3.1

package/templates/naome-root/.naome/bin/codex-hook-io.js

@@ -0,0 +1,122 @@
+"use strict";
+
+const { createHash } = require("node:crypto");
+const { existsSync, mkdirSync, readFileSync, writeFileSync } = require("node:fs");
+const { dirname } = require("node:path");
+const { spawnSync } = require("node:child_process");
+
+const CACHE = ".naome/cache/codex-hook-state.json";
+
+function readPayload() {
+  try {
+    return JSON.parse(readFileSync(0, "utf8") || "{}");
+  } catch {
+    return {};
+  }
+}
+
+function eventName(payload) {
+  const index = process.argv.indexOf("--event");
+  return index !== -1 && process.argv[index + 1] ? process.argv[index + 1] : payload?.hook_event_name || payload?.event || "";
+}
+
+function commandOf(payload) {
+  return [payload?.tool_input?.command, payload?.toolInput?.command, payload?.command].find((value) => typeof value === "string" && value);
+}
+
+function promptOf(payload) {
+  return [payload?.prompt, payload?.user_prompt, payload?.tool_input?.prompt, payload?.toolInput?.prompt, payload?.reason, payload?.message].find((value) => typeof value === "string" && value) || "";
+}
+
+function readJson(path) {
+  try {
+    return existsSync(path) ? JSON.parse(readFileSync(path, "utf8")) : null;
+  } catch {
+    return null;
+  }
+}
+
+function parseJson(value) {
+  try {
+    return JSON.parse(value);
+  } catch {
+    return null;
+  }
+}
+
+function readCache() {
+  return readJson(CACHE) || {};
+}
+
+function writeCache(value) {
+  try {
+    mkdirSync(dirname(CACHE), { recursive: true });
+    writeFileSync(CACHE, `${JSON.stringify(value)}\n`);
+  } catch {
+    // Best-effort cache only.
+  }
+}
+
+function run(command, args, env = process.env) {
+  return spawnSync(command, args, { cwd: process.cwd(), encoding: "utf8", env });
+}
+
+function runGit(args) {
+  return run("git", args);
+}
+
+function runNaome(args) {
+  return run(process.execPath, [".naome/bin/naome.js", ...args], { ...process.env, NO_COLOR: "1" });
+}
+
+function taskCheck(args) {
+  return run(process.execPath, [".naome/bin/check-task-state.js", ...args]);
+}
+
+function diffSignature() {
+  return createHash("sha256")
+    .update(runGit(["status", "--porcelain=v1"]).stdout || "")
+    .update(runGit(["diff", "--no-ext-diff", "HEAD", "--"]).stdout || "")
+    .digest("hex");
+}
+
+function decide(decision, reason, messages) {
+  write(decisionObject(decision, reason, messages));
+}
+
+function decisionObject(decision, reason, messages) {
+  if (decision !== "block") {
+    return {};
+  }
+  const detail = messages.filter(Boolean).join("; ");
+  return { decision, reason: compact(detail ? `${reason}: ${detail}` : reason) };
+}
+
+function write(value) {
+  process.stdout.write(`${JSON.stringify(value)}\n`);
+}
+
+function compact(value) {
+  const text = String(value);
+  return text.length > 500 ? `${text.slice(0, 497)}...` : text;
+}
+
+module.exports = {
+  commandOf,
+  compact,
+  decide,
+  decisionObject,
+  diffSignature,
+  eventName,
+  parseJson,
+  promptOf,
+  readCache,
+  readJson,
+  readPayload,
+  run,
+  runGit,
+  runNaome,
+  taskCheck,
+  write,
+  writeCache
+};

package/templates/naome-root/.naome/bin/codex-hook-policy.js

@@ -0,0 +1,180 @@
+"use strict";
+
+const { readFileSync } = require("node:fs");
+
+const CHEAP = new Set(["diff-check", "repository-quality-check", "repository-semantic-check", "task-state-progress-check"]);
+const EXPENSIVE = new Set(["installer-tests", "rust-build", "package-dry-run", "harness-health-tests", "task-state-tests", "verification-contract-tests"]);
+
+function classifyPrompt(prompt) {
+  const value = prompt.toLowerCase();
+  if (/status|where are we|progress/.test(value)) return "status_request";
+  if (/review|comment|pr feedback/.test(value)) return "review";
+  if (/commit/.test(value)) return "commit";
+  if (/push/.test(value) && !/ci|check|fail/.test(value)) return "push";
+  if (/ci|check|failing|failed|workflow|actions/.test(value)) return "ci_fix";
+  if (/continue|keep going|resume|do so/.test(value)) return "continuation";
+  return "new_task";
+}
+
+function riskyPromptCodes(prompt) {
+  const value = prompt.toLowerCase();
+  return [
+    ["reset|clean|rm\\s+-rf", "risky-destructive"],
+    ["force push|--force|--force-with-lease|\\spush\\s+-f", "risky-force-push"],
+    ["--no-verify|bypass.*hook|skip.*hook", "risky-hook-bypass"],
+    ["publish|release|npm publish", "risky-release"]
+  ].filter(([pattern]) => new RegExp(pattern).test(value)).map(([, code]) => code);
+}
+
+function permissionRiskCodes(value) {
+  const lower = value.toLowerCase();
+  return [...new Set([
+    ["https?:|network|fetch|curl|wget|push|pull|gh\\s+|npm\\s+(install|publish)", "network"],
+    ["\\bgit\\b|push|commit|merge|rebase", "git"],
+    ["write|stage|commit|push|apply|patch|install|sync", "write"],
+    ["publish|npm publish", "publish"],
+    ["release|tag", "release"],
+    ["reset|clean|--force|-f\\b|rm\\s+-rf", "destructive"]
+  ].filter(([pattern]) => new RegExp(pattern).test(lower)).map(([, code]) => code))];
+}
+
+function hardBlockedCommand(command) {
+  const value = command.replace(/\s+/g, " ").trim();
+  return [
+    [/(\bgit\s+reset\b.*\B--hard\b|\bgit\s+reset\s+--hard\b)/, "destructive-git-reset-hard: hard reset requires explicit human review."],
+    [/\bgit\s+clean\b.*(^|\s)-[^\s]*f|\bgit\s+clean\b.*--force\b/, "destructive-git-clean: forced clean requires explicit human review."],
+    [/\brm\b(?=.*(?:^|\s)-[^\s]*r)(?=.*(?:^|\s)-[^\s]*f)(?=.*(?:^|\s)(?:--\s+)?(?:\.\/)?(?:[^/\s]+\/)*\.git(?:\/|\s|$))/, "destructive-git-dir-removal: removing .git is blocked."],
+    [/--no-verify\b/, "hook-bypass-command: --no-verify is blocked."],
+    [/\bgit\s+push\b.*(?:--force(?:-with-lease)?\b|(^|\s)-f(\s|$))/, "force-push-command: force pushes require fresh human review."]
+  ].find(([pattern]) => pattern.test(value))?.[1] || null;
+}
+
+function searchSegments(command) {
+  return command
+    .split(/&&|\|\||[;|]/)
+    .map((part) => part.trim().replace(/^(?:cd\s+\S+\s+)?/, ""))
+    .filter((part) => /^(rg|grep|find)\b/.test(part));
+}
+
+function forbiddenPath(payload, command) {
+  const input = payload?.tool_input || payload?.toolInput || {};
+  const values = [command, ...["path", "file_path", "filepath", "target_file", "pattern"].map((key) => input[key])].filter(Boolean);
+  return values.some((value) => tokens(value).some(blockedPath)) ? "read-boundary-violation: command or tool input touches a path blocked by .naomeignore." : null;
+}
+
+function blockedPath(path) {
+  if (/(^|\/)\.naome\/archive(\/|$)/.test(path)) return true;
+  return ignoredPatterns().some((pattern) => pathMatches(path, pattern));
+}
+
+function tokens(value) {
+  return String(value).replace(/\\/g, "/").split(/[\s"'`,]+/).map((token) => token.replace(/^\.\//, "").replace(/[):;]+$/, "")).filter(Boolean);
+}
+
+function ignoredPatterns() {
+  try {
+    return readFileSync(".naomeignore", "utf8").split(/\r?\n/).map((line) => line.trim()).filter((line) => line && !line.startsWith("#"));
+  } catch {
+    return [".naome/archive/"];
+  }
+}
+
+function pathMatches(path, pattern) {
+  const actual = String(path).replace(/\\/g, "/");
+  const glob = String(pattern).replace(/\\/g, "/");
+  if (glob.endsWith("/")) return actual.startsWith(glob);
+  if (glob.endsWith("/**")) return actual.startsWith(glob.slice(0, -3));
+  if (!glob.includes("*")) return actual === glob;
+  return new RegExp(`^${glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*\*/g, ".*").replace(/\*/g, "[^/]*")}$`).test(actual);
+}
+
+function looksLikeWriteTool(payload, command) {
+  const name = String(payload?.tool_name || payload?.toolName || payload?.name || "").toLowerCase();
+  if (/edit|write|patch|notebookedit|multiedit/.test(name)) return true;
+  if (!command) return false;
+  if (/^(git status|git diff|rg\b|grep\b|find\b|sed\b|cat\b|nl\b|wc\b|ls\b|pwd\b)/.test(command.trim())) return false;
+  return />|>>|\b(apply_patch|cp|mv|touch|mkdir|rm|npm install|cargo build|node --test|writeFileSync)\b/.test(command);
+}
+
+function touchedPaths(payload, command) {
+  const paths = [];
+  collectInputPaths(payload?.tool_input || payload?.toolInput || {}, paths);
+  collectCommandPaths(command, paths);
+  return [...new Set(paths.map(cleanPath).filter(Boolean))];
+}
+
+function collectInputPaths(value, paths) {
+  if (Array.isArray(value)) return value.forEach((entry) => collectInputPaths(entry, paths));
+  if (!value || typeof value !== "object") return;
+  for (const [key, child] of Object.entries(value)) {
+    if (/^(path|paths|file|files|file_path|filepath|target_file)$/.test(key)) collectPathValue(child, paths);
+    if (child && typeof child === "object") collectInputPaths(child, paths);
+  }
+}
+
+function collectPathValue(value, paths) {
+  if (Array.isArray(value)) return value.forEach((entry) => collectPathValue(entry, paths));
+  if (typeof value === "string") paths.push(value);
+}
+
+function collectCommandPaths(command, paths) {
+  if (!command) return;
+  for (const segment of command.split(/&&|\|\||[;]/).map((part) => part.trim())) {
+    const parts = tokens(segment);
+    if (/^(touch|mkdir|rm)$/.test(parts[0])) paths.push(...parts.slice(1).filter((part) => !part.startsWith("-")));
+    if (/^(cp|mv)$/.test(parts[0])) paths.push(...parts.slice(1).filter((part) => !part.startsWith("-")).slice(-1));
+  }
+}
+
+function cleanPath(path) {
+  return String(path).replace(/\\/g, "/").replace(/^\.\//, "").replace(/[):;]+$/, "");
+}
+
+function scopeDrift(paths, allowed) {
+  if (!Array.isArray(allowed)) return [];
+  return paths.filter((path) => !isControlStatePath(path) && !allowed.some((pattern) => pathMatches(path, pattern)));
+}
+
+function isControlStatePath(path) {
+  return path === ".naome/task-state.json" || path.startsWith(".naome/tasks/") || path.startsWith(".naome/cache/");
+}
+
+function owedProof(paths, verification) {
+  const checks = new Set();
+  for (const type of verification?.changeTypes || []) {
+    if (paths.some((path) => (type.paths || []).some((pattern) => pathMatches(path, pattern)))) {
+      for (const check of type.requiredChecks || []) if (!CHEAP.has(check)) checks.add(check);
+    }
+  }
+  return [...checks].sort();
+}
+
+function expensiveProof(checks) {
+  return checks.filter((check) => EXPENSIVE.has(check));
+}
+
+function pushUnique(codes, code, messages, message) {
+  if (!codes.includes(code)) codes.push(code);
+  if (!messages.includes(message)) messages.push(message);
+}
+
+function primaryReason(codes) {
+  if (codes.includes("scope-drift")) return "scope-drift";
+  if (codes.some((code) => code.endsWith("-failed"))) return "cheap-gate-failed";
+  return codes[0] || "naome-hook-warning";
+}
+
+module.exports = {
+  classifyPrompt,
+  expensiveProof,
+  forbiddenPath,
+  hardBlockedCommand,
+  looksLikeWriteTool,
+  owedProof,
+  permissionRiskCodes,
+  primaryReason,
+  pushUnique,
+  riskyPromptCodes,
+  scopeDrift,
+  searchSegments, touchedPaths
+};

package/templates/naome-root/.naome/bin/codex-hook-runtime.js

@@ -0,0 +1,174 @@
+"use strict";
+
+const io = require("./codex-hook-io.js");
+const policy = require("./codex-hook-policy.js");
+
+function handleCodexHook() {
+  const payload = io.readPayload();
+  const event = io.eventName(payload);
+  try {
+    if (event === "UserPromptSubmit") return userPrompt(payload); if (event === "PreToolUse") return preTool(payload);
+    if (event === "PermissionRequest") return permission(payload); if (event === "PostToolUse") return postTool(payload);
+    if (event === "Stop") return stop(payload);
+  } catch {
+    return io.write({});
+  }
+  io.write({});
+}
+
+function userPrompt(payload) {
+  const prompt = io.promptOf(payload);
+  const classification = policy.classifyPrompt(prompt);
+  const risky = policy.riskyPromptCodes(prompt);
+  const status = io.parseJson(io.runNaome(["status", "--json"]).stdout);
+  const codes = [`prompt-${classification}`, ...risky];
+  if (status?.state === "dirty_unowned_diff") codes.push("repo-dirty-unowned");
+  if (["new_task", "ci_fix"].includes(classification)) codes.push("route-required", "context-selection-required");
+  io.decide("warn", "prompt-guidance", [`prompt:${classification}`, status?.state ? `repo:${status.state}` : null, risky.length ? `risk:${risky.join(",")}` : null, ["new_task", "ci_fix"].includes(classification) ? "run route and context select before feature work" : null], { classification, reasonCodes: codes });
+}
+
+function preTool(payload) {
+  const command = io.commandOf(payload);
+  const boundary = policy.forbiddenPath(payload, command);
+  if (boundary) return io.decide("block", boundary, [boundary], { reasonCodes: [boundary.split(":")[0]] });
+  if (!command) return io.write({});
+  const hard = policy.hardBlockedCommand(command);
+  if (hard) return io.decide("block", hard, [hard], { reasonCodes: [hard.split(":")[0]] });
+  const preflight = commitPushPreflight(command);
+  if (preflight) return io.decide("block", preflight, [preflight], { reasonCodes: [preflight.split(":")[0]] });
+  const search = validateSearch(command);
+  if (search) return io.decide("block", search, [search], { reasonCodes: [search.split(":")[0]] });
+  io.write({});
+}
+
+function permission(payload) {
+  const risks = policy.permissionRiskCodes(`${io.commandOf(payload) || ""} ${io.promptOf(payload)}`);
+  if (!risks.length) return io.write({});
+  io.decide("warn", "permission-risk-summary", [`permission risks: ${risks.join(",")}; approve only if this matches the current NAOME task.`], { riskCodes: risks, reasonCodes: ["permission-risk-summary"] });
+}
+
+function postTool(payload) {
+  const command = io.commandOf(payload);
+  const changedPaths = changedFiles();
+  if (!changedPaths.length) return io.write({});
+  if (!policy.looksLikeWriteTool(payload, command)) {
+    const cache = io.readCache();
+    io.writeCache({ ...cache, postToolUse: { signature: io.diffSignature(), decision: {} } });
+    return io.write({});
+  }
+  const checkedPaths = postToolCheckedPaths(payload, command, changedPaths);
+  if (!checkedPaths.length) return io.write({});
+  const signature = `${io.diffSignature()}:${checkedPaths.join("\0")}`;
+  const cache = io.readCache();
+  if (cache.postToolUse?.signature === signature) return io.write({});
+  const result = changedState(checkedPaths, { pathScoped: true });
+  const decision = result.codes.length ? io.decisionObject("warn", policy.primaryReason(result.codes), result.messages, { reasonCodes: result.codes, changedPaths: checkedPaths, owedProof: result.expensiveOwed, cheapGates: result.gates }) : {};
+  io.writeCache({ ...cache, postToolUse: { signature, decision, changedPaths, checkedPaths, cheapGateCommands: result.gateCommands } });
+  io.write(decision);
+}
+
+function stop(payload) {
+  const changedPaths = changedFiles();
+  const result = changedState(changedPaths);
+  for (const check of [io.taskCheck([]), io.taskCheck(["--progress"])]) {
+    const output = `${check.stdout || ""}\n${check.stderr || ""}`;
+    if (check.status && /outside allowedPaths|scope drift/i.test(output)) policy.pushUnique(result.codes, "scope-drift", result.messages, "scope drift blocks completion");
+    if (check.status && /missing proof|proofResults missing|failed proof/i.test(output)) policy.pushUnique(result.codes, "missing-proof", result.messages, "missing required proof blocks completion");
+  }
+  const prompt = io.promptOf(payload);
+  if (/push/i.test(prompt) && /\[ahead [1-9]/.test(io.runGit(["status", "--short", "--branch"]).stdout || "")) {
+    policy.pushUnique(result.codes, "unpushed-branch", result.messages, "branch has unpushed commits");
+  }
+  if (/resolve|review comment|github comment/i.test(prompt) && /CHANGES_REQUESTED/.test(io.run("gh", ["pr", "view", "--json", "reviewDecision"]).stdout || "")) {
+    policy.pushUnique(result.codes, "unresolved-review-comments", result.messages, "GitHub review still appears unresolved");
+  }
+  if (result.codes.length) return io.decide("block", policy.primaryReason(result.codes), result.messages, { reasonCodes: result.codes, changedPaths, cheapGates: result.gates });
+  io.write({});
+}
+
+function changedState(changedPaths, options = {}) {
+  const codes = [];
+  const messages = [];
+  const state = io.readJson(".naome/task-state.json");
+  const drift = policy.scopeDrift(changedPaths, state?.activeTask?.allowedPaths);
+  if (drift.length) policy.pushUnique(codes, "scope-drift", messages, `scope drift: ${drift.join(", ")}`);
+  const expensiveOwed = missingExpensiveProof(changedPaths, policy.expensiveProof(policy.owedProof(changedPaths, io.readJson(".naome/verification.json"))), state?.activeTask);
+  if (expensiveOwed.length) policy.pushUnique(codes, "owed-proof", messages, `owed proof: ${expensiveOwed.join(", ")}`);
+  if (repoStale()) policy.pushUnique(codes, "repository-model-stale", messages, "repository model is stale");
+  const gatePaths = options.pathScoped ? changedPaths : [];
+  const gates = cheapGates(gatePaths);
+  for (const gate of gates) policy.pushUnique(codes, gate.code, messages, gate.message);
+  return { codes, messages, expensiveOwed, gates, gateCommands: cheapGateCommands(gatePaths) };
+}
+
+function commitPushPreflight(command) {
+  if (!/\bgit\s+(commit|push)\b/.test(command.replace(/\s+/g, " "))) return null;
+  if (/\bgit\s+commit\b/.test(command)) return "commit-preflight: use `node .naome/bin/naome.js commit -m ...` so NAOME owns staging, proof, and commit gates.";
+  for (const gate of cheapGates()) return `push-preflight: ${gate.checkId} failed before git push.`;
+  return repoStale() ? "push-preflight: repository-model-stale failed before git push." : null;
+}
+
+function cheapGates(paths = []) {
+  return cheapGateChecks(paths).flatMap(([checkId, command, fn]) => fn().status ? [{ code: `${checkId}-failed`, checkId, command, message: `cheap gate failed: ${checkId}` }] : []);
+}
+function cheapGateCommands(paths = []) {
+  return cheapGateChecks(paths).map(([, command]) => command);
+}
+function cheapGateChecks(paths = []) {
+  const pathArgs = paths.flatMap((path) => ["--path", path]);
+  const displayPaths = paths.map(shellPath).join(" ");
+  const checks = [
+    ["diff-check", paths.length ? `git diff --check -- ${displayPaths}` : "git diff --check", () => io.runGit(paths.length ? ["diff", "--check", "--", ...paths] : ["diff", "--check"])],
+    ["repository-quality-check", paths.length ? `node .naome/bin/naome.js quality check ${pathArgs.join(" ")}` : "node .naome/bin/naome.js quality check --changed", () => io.runNaome(paths.length ? ["quality", "check", ...pathArgs] : ["quality", "check", "--changed"])],
+    ["repository-semantic-check", paths.length ? `node .naome/bin/naome.js semantic check ${pathArgs.join(" ")}` : "node .naome/bin/naome.js semantic check --changed", () => io.runNaome(paths.length ? ["semantic", "check", ...pathArgs] : ["semantic", "check", "--changed"])]
+  ];
+  if (!paths.length && hasActiveTask()) checks.push(["task-state-progress-check", "node .naome/bin/check-task-state.js --progress", () => io.taskCheck(["--progress"])]);
+  return checks;
+}
+function validateSearch(command) {
+  for (const segment of policy.searchSegments(command)) {
+    const result = io.runNaome(["workflow", "check-search", "--command", segment, "--json"]);
+    if (result.status === 0) continue;
+    const ids = io.parseJson(result.stdout)?.findings?.map((finding) => finding.id).filter(Boolean);
+    return ids?.length ? `${ids.join(",")}: NAOME rejected this broad search command.` : io.compact(`unsafe-search-command: ${result.stdout || result.stderr}`);
+  }
+  return null;
+}
+function changedFiles() {
+  const result = io.runGit(["status", "--porcelain=v1"]);
+  return result.status ? [] : result.stdout.split(/\r?\n/).filter(Boolean).map((line) => line.replace(/^..\s+/, "").split(" -> ").pop()).filter((path, index, paths) => path && paths.indexOf(path) === index);
+}
+function postToolCheckedPaths(payload, command, changedPaths) {
+  const touched = policy.touchedPaths(payload, command);
+  if (!touched.length) return changedPaths;
+  return changedPaths.filter((path) => touched.some((touch) => path === touch || path.startsWith(`${touch}/`)));
+}
+function shellPath(path) {
+  return /[^A-Za-z0-9_./:-]/.test(path) ? JSON.stringify(path) : path;
+}
+function repoStale() {
+  const result = io.runNaome(["repo", "check", "--json"]);
+  return result.status !== 0 && /repository model is stale|repository-model-stale/i.test(`${result.stdout}\n${result.stderr}`);
+}
+
+function hasActiveTask() {
+  const state = io.readJson(".naome/task-state.json"); return Boolean(state?.activeTask && state.status === "implementing");
+}
+function missingExpensiveProof(changedPaths, checkIds, activeTask) {
+  const proofPaths = changedPaths.filter((path) => !isControlStatePath(path));
+  return proofPaths.length ? checkIds.filter((checkId) => !proofCoversChangedPaths(activeTask, checkId, proofPaths)) : [];
+}
+function proofCoversChangedPaths(activeTask, checkId, changedPaths) {
+  const proof = (activeTask?.proofResults || []).find((entry) => entry.checkId === checkId && entry.exitCode === 0);
+  const evidence = Array.isArray(proof?.evidence) ? proof.evidence : [];
+  return changedPaths.every((changedPath) => evidence.some((path) => evidenceCoversPath(path, changedPath)));
+}
+function evidenceCoversPath(evidencePath, changedPath) {
+  const evidence = String(evidencePath);
+  return evidence === changedPath || (evidence.endsWith("/") && String(changedPath).startsWith(evidence)) || (evidence.endsWith("/**") && String(changedPath).startsWith(evidence.slice(0, -3)));
+}
+function isControlStatePath(path) {
+  return path === ".naome/task-state.json" || path.startsWith(".naome/tasks/") || path.startsWith(".naome/cache/");
+}
+
+module.exports = { handleCodexHook };

package/templates/naome-root/.naome/bin/codex-hook.js

@@ -0,0 +1,6 @@
+#!/usr/bin/env node
+"use strict";
+
+const { handleCodexHook } = require("./codex-hook-runtime.js");
+
+handleCodexHook();

package/templates/naome-root/.naome/bin/naome.js

@@ -27,7 +27,7 @@ function main(argv) {
     return;
   }
 
-  if (["status", "next", "intent", "route", "explain", "quality", "structure", "cleanup", "refresh-integrity", "workflow"].includes(command)) {
+  if (["status", "next", "intent", "route", "explain", "context", "doctor", "task", "quality", "semantic", "repo", "structure", "cleanup", "refresh-integrity", "workflow"].includes(command)) {
     runNativeDecisionCommand(command, args);
     return;
   }
@@ -143,6 +143,10 @@ function commit(args) {
   }
 
   const message = parseCommitMessage(args);
+  const renderResult = spawnNative(root, ["task", "render-state", "--write", "--json"]);
+  if (renderResult.status !== 0) {
+    fail(`Cannot render NAOME task-state projection: ${renderResult.stderr.trim() || renderResult.stdout.trim()}`);
+  }
   const taskState = readTaskState(root);
 
   if (taskState.status !== "complete") {
@@ -328,14 +332,17 @@ function gitHead(root) {
 }
 
 function findHarnessRoot(startPath) {
-  return findAncestorWithMarker(startPath, [".naome", "task-state.json"]);
+  return findAncestorWithAnyMarker(startPath, [
+    [".naome", "task-state.json"],
+    [".naome", "tasks", "active.json"]
+  ]);
 }
 
-function findAncestorWithMarker(startPath, markerParts) {
+function findAncestorWithAnyMarker(startPath, markers) {
   let current = resolve(startPath);
 
   while (true) {
-    if (existsSync(join(current, ...markerParts))) {
+    if (markers.some((markerParts) => existsSync(join(current, ...markerParts)))) {
       return current;
     }
 
@@ -358,14 +365,32 @@ function printHelp() {
     "naome route --prompt <text> [--execute] [--json]",
     "naome explain --prompt-file <path> [--json]",
     "naome explain --prompt <text> [--json]",
-    "naome quality init [--json]",
-    "naome quality check --changed [--json]",
-    "naome quality report [--json]",
+    "naome context select --changed [--json]",
+    "naome context select --prompt-file <path> [--json]",
+    "naome context select --prompt <text> [--json]",
+    "naome doctor [--json]",
+    "naome task render-state [--write] [--json]",
+    "naome task migrate-ledger [--write] [--json]",
+    "naome quality init [--baseline|--deep-baseline] [--json]",
+    "naome quality check --changed [--include-scanned-paths] [--json]",
+    "naome quality check --path <path> [--path <path>...] [--include-scanned-paths] [--json]",
+    "naome quality report [--deep] [--include-scanned-paths] [--json]",
+    "naome quality cache status [--json]",
+    "naome quality cache clear",
+    "naome semantic report [--deep] [--json]",
+    "naome semantic check --changed [--json]",
+    "naome semantic check --path <path> [--path <path>...] [--json]",
+    "naome semantic route --finding <id> [--json]",
+    "naome semantic loop [--json]",
+    "naome repo model [--write] [--json]",
+    "naome repo check [--json]",
+    "naome repo explain --path <path> [--json]",
     "naome structure report [--json]",
     "naome structure explain --path <path> [--json]",
     "naome cleanup plan [--json]",
     "naome cleanup route --path <path> [--json]",
     "naome refresh-integrity [--json]",
+    "naome workflow agent-plan|context-delta|proof-plan|capabilities|edit-watchdog|decision-gate|digest [--json]",
     "naome workflow search-profile|check-search|phases|processes|mutations [--json]",
     "naome install",
     "naome sync",
@@ -392,6 +417,19 @@ function installOrSync(command, args) {
       join(packageRoot, "bin", "naome-node.js"),
       ...args
     ], { stdio: "inherit" });
+    if (result.status === 0) {
+      const migration = spawnNative(root, ["task", "migrate-ledger", "--write", "--json"]);
+      if (migration.status !== 0) {
+        fail("task ledger migration failed after sync.");
+      }
+      const output = (migration.stdout || "").trim();
+      if (output) {
+        const parsed = JSON.parse(output);
+        if (parsed.updated && parsed.migration && parsed.migration.source === "task-state") {
+          console.log("task ledger migrated from task-state");
+        }
+      }
+    }
     process.exit(result.status === null ? 1 : result.status);
   }
 

package/templates/naome-root/.naome/manifest.json

@@ -3,15 +3,17 @@
   "installedAt": null,
   "integrity": {
     ".naome/bin/check-harness-health.js": "sha256:dc4de52b79c69600b9ba47b924e2c2b8de61a2cbfab6d1ccc0f1924d963db657",
-    ".naome/bin/check-task-state.js": "sha256:43c02868072d0d13499aefba2e9a5ec9517d59539fd19ff0f11e3e4623a51b44",
-    ".naome/bin/naome.js": "sha256:87eabd690bf55f0b0195446db46fa7c19bfa17395d31c2f34a9ef9339d2229e2",
+    ".naome/bin/check-task-state.js": "sha256:df54489a22b426180266e5e0fb5f9ec381477419f688435248afbf2b9b38ea81",
+    ".naome/bin/naome.js": "sha256:d343f367da21bf45272331eec2ea34862a0bf056978780c62d6cae02e0f7993a",
     ".naome/package.json": "sha256:8005a3491db7d92f36ac66369861589f9c47123d3a7c71e643fc2c06168cd45a",
     ".naome/task-contract.schema.json": "sha256:1b3b62350328d0d6d660e36d1d1baaa2b88718530db774f9ab2a9e2fcba369c8",
-    "AGENTS.md": "sha256:9192ea81f90bb19f8043513c49b5da9e9598ee694da8356f345e7ccbca0e28df",
-    "docs/naome/agent-workflow.md": "sha256:802eb34cf268fc9c5e7aefc28192efef4bf60302d30b3f78e5a61b876ce8a098",
+    "AGENTS.md": "sha256:e8b2fc786c1c72b69ba8f2b2ffce4f459e799c7453ce9ff4a9f6448a8f9e6b4f",
+    "docs/naome/agent-workflow.md": "sha256:78faeb4eed157b60f0b60bc43da36c713fc4a3436b93bd963ce5f3c12dc91f22",
+    "docs/naome/context-economy.md": "sha256:3ed5075815ecf4ada46a5e65438769310307c35759fcd46b13dc0b96e02bebd9",
     "docs/naome/execution.md": "sha256:bfc5d55838942ec8e3d790b59e3c634ff5bf6a2298265cef3dca9788a097eafb",
-    "docs/naome/first-run.md": "sha256:a1dd0bd17ec9d71955a473cd2c4a615538e89a7d81e8f4e1015a50ab9efe3558",
-    "docs/naome/index.md": "sha256:a674102cc801702dc77102afb59be0f5ab189dc638caf0bef358b9d6087d0742",
+    "docs/naome/first-run.md": "sha256:f1a2412f1b542e61c79b5ba65a3fdaa810b0f95cf79d9f734256418cdcfb19aa",
+    "docs/naome/index.md": "sha256:07ef776f49130319a5280bdb3ae38af22141708253f38eb983a4336fbae1b25a",
+    "docs/naome/task-ledger.md": "sha256:1e524085a2f88811941fd9f2f48ca826bc3e0e4816039d07e795637847714cbd",
     "docs/naome/upgrade.md": "sha256:2c60f0441bbd98bd528d109b30a7ded4b0ad55d61ffb9f52edac9e93b7999cb1"
   },
   "machineOwned": [
@@ -24,7 +26,9 @@
     "docs/naome/index.md",
     "docs/naome/first-run.md",
     "docs/naome/agent-workflow.md",
+    "docs/naome/context-economy.md",
     "docs/naome/execution.md",
+    "docs/naome/task-ledger.md",
     "docs/naome/upgrade.md"
   ],
   "name": "naome",
@@ -36,12 +40,14 @@
     ".naome/task-state.json",
     ".naome/upgrade-state.json",
     ".naome/verification.json",
+    ".naome/repository-model.json",
     ".naome/repository-quality.json",
     ".naome/repository-structure.json",
     ".naome/repository-quality-baseline.json",
     "docs/naome/architecture.md",
     "docs/naome/decisions.md",
     "docs/naome/repo-profile.md",
+    "docs/naome/repository-model.md",
     "docs/naome/repository-quality.md",
     "docs/naome/repository-structure.md",
     "docs/naome/security.md",

package/templates/naome-root/.naome/repository-model.json

@@ -0,0 +1,6 @@
+{
+  "schema": "naome.repository-model.v2",
+  "version": 2,
+  "status": "ready",
+  "facts": []
+}

package/templates/naome-root/.naome/repository-quality.json

@@ -13,7 +13,9 @@
   },
   "enabledAdapters": [],
   "disabledChecks": [],
-  "ignoredPaths": [],
+  "ignoredPaths": [
+    ".naome/tasks/**"
+  ],
   "generatedPaths": [
     "**/*.min.js",
     "**/*.map",