@lamentis/naome 1.3.10 → 1.3.12

package/crates/naome-core/src/architecture/rules/external.rs

@@ -0,0 +1,185 @@
+use crate::architecture::output::ArchitectureViolation;
+use crate::architecture::scan::{ArchitectureScanReport, ImportTarget};
+use crate::paths;
+
+pub(super) fn validate_external_dependency_policy(
+    scan: &ArchitectureScanReport,
+    violations: &mut Vec<ArchitectureViolation>,
+    rules_executed: &mut Vec<String>,
+) {
+    let rule = scan.config.rule("external_dependency_policy");
+    if !rule.enabled {
+        return;
+    }
+    rules_executed.push("arch.external_dependency_policy".to_string());
+    for fact in scan.file_facts.values() {
+        let owners = fact
+            .layers
+            .iter()
+            .chain(fact.contexts.iter())
+            .collect::<Vec<_>>();
+        for import in &fact.imports {
+            let ImportTarget::ExternalDependency(package) = &import.target else {
+                continue;
+            };
+            if is_standard_library_dependency(fact.language.as_deref(), package) {
+                continue;
+            }
+            for owner in &owners {
+                let Some(policy) = scan.config.external_dependencies.get(*owner) else {
+                    continue;
+                };
+                if paths::matches_any(package, &policy.allow) {
+                    continue;
+                }
+                violations.push(ArchitectureViolation {
+                    id: "arch.external_dependency_policy".to_string(),
+                    severity: rule.severity,
+                    violation_type: "external_dependency_policy".to_string(),
+                    message: format!(
+                        "{} in {} imports external dependency {} without policy allowance.",
+                        fact.path, owner, package
+                    ),
+                    from: Some(format!("file:{}", fact.path)),
+                    to: Some(format!("external:{package}")),
+                    path: Some(fact.path.clone()),
+                    source_range: import.source_range.clone(),
+                    suggestion: format!(
+                        "Move {} behind an allowed adapter or add it to external_dependencies.{}.allow with intent.",
+                        package, owner
+                    ),
+                    agent_instruction: format!(
+                        "Do not import external dependency {} from {}; use an allowed boundary.",
+                        package, owner
+                    ),
+                });
+            }
+        }
+    }
+}
+
+fn is_standard_library_dependency(language: Option<&str>, package: &str) -> bool {
+    let root = package
+        .strip_prefix("node:")
+        .unwrap_or(package)
+        .split(['/', '.', ':'])
+        .next()
+        .unwrap_or(package);
+    match language {
+        Some("go") => !package
+            .split('/')
+            .next()
+            .is_some_and(|prefix| prefix.contains('.')),
+        Some("javascript") | Some("typescript") => NODE_BUILTINS.contains(&root),
+        Some("python") => PYTHON_STDLIB.contains(&root),
+        Some("rust") => matches!(root, "std" | "core" | "alloc" | "proc_macro" | "test"),
+        _ => false,
+    }
+}
+
+const NODE_BUILTINS: &[&str] = &[
+    "assert",
+    "async_hooks",
+    "buffer",
+    "child_process",
+    "cluster",
+    "console",
+    "constants",
+    "crypto",
+    "diagnostics_channel",
+    "dns",
+    "domain",
+    "events",
+    "fs",
+    "http",
+    "http2",
+    "https",
+    "inspector",
+    "module",
+    "net",
+    "os",
+    "path",
+    "perf_hooks",
+    "process",
+    "punycode",
+    "querystring",
+    "readline",
+    "repl",
+    "stream",
+    "string_decoder",
+    "timers",
+    "tls",
+    "trace_events",
+    "tty",
+    "url",
+    "util",
+    "v8",
+    "vm",
+    "wasi",
+    "worker_threads",
+    "zlib",
+];
+
+const PYTHON_STDLIB: &[&str] = &[
+    "abc",
+    "argparse",
+    "array",
+    "ast",
+    "asyncio",
+    "base64",
+    "bisect",
+    "calendar",
+    "collections",
+    "concurrent",
+    "contextlib",
+    "copy",
+    "csv",
+    "dataclasses",
+    "datetime",
+    "decimal",
+    "email",
+    "enum",
+    "functools",
+    "glob",
+    "gzip",
+    "hashlib",
+    "heapq",
+    "hmac",
+    "html",
+    "http",
+    "importlib",
+    "inspect",
+    "io",
+    "itertools",
+    "json",
+    "logging",
+    "math",
+    "multiprocessing",
+    "operator",
+    "os",
+    "pathlib",
+    "pickle",
+    "platform",
+    "queue",
+    "random",
+    "re",
+    "shlex",
+    "shutil",
+    "signal",
+    "socket",
+    "sqlite3",
+    "statistics",
+    "string",
+    "subprocess",
+    "sys",
+    "tempfile",
+    "threading",
+    "time",
+    "traceback",
+    "typing",
+    "unittest",
+    "urllib",
+    "uuid",
+    "xml",
+    "zipfile",
+];

package/crates/naome-core/src/architecture/rules/graph.rs

@@ -0,0 +1,177 @@
+use std::collections::{BTreeMap, BTreeSet};
+
+use crate::architecture::model::ArchitectureEdgeKind;
+use crate::architecture::scan::ArchitectureScanReport;
+
+#[derive(Debug, Clone)]
+pub(super) struct ImportEdge<'a> {
+    pub(super) from_path: &'a str,
+    pub(super) to_path: &'a str,
+    pub(super) edge_index: usize,
+}
+
+pub(super) fn file_import_edges(scan: &ArchitectureScanReport) -> Vec<ImportEdge<'_>> {
+    scan.graph
+        .edges
+        .iter()
+        .enumerate()
+        .filter_map(|(edge_index, edge)| {
+            (edge.kind == ArchitectureEdgeKind::Imports)
+                .then(|| {
+                    Some(ImportEdge {
+                        from_path: edge.from.strip_prefix("file:")?,
+                        to_path: edge.to.strip_prefix("file:")?,
+                        edge_index,
+                    })
+                })
+                .flatten()
+        })
+        .collect()
+}
+
+pub(super) fn file_import_adjacency(
+    scan: &ArchitectureScanReport,
+) -> BTreeMap<String, Vec<String>> {
+    file_adjacency(file_import_edges(scan).into_iter())
+}
+
+pub(super) fn file_cycle_adjacency(scan: &ArchitectureScanReport) -> BTreeMap<String, Vec<String>> {
+    file_adjacency(
+        file_import_edges(scan)
+            .into_iter()
+            .filter(|edge| is_cycle_dependency(scan, edge)),
+    )
+}
+
+fn file_adjacency<'a>(
+    edges: impl Iterator<Item = ImportEdge<'a>>,
+) -> BTreeMap<String, Vec<String>> {
+    let mut adjacency = BTreeMap::<String, BTreeSet<String>>::new();
+    for edge in edges {
+        adjacency
+            .entry(edge.from_path.to_string())
+            .or_default()
+            .insert(edge.to_path.to_string());
+    }
+    adjacency
+        .into_iter()
+        .map(|(from, targets)| (from, targets.into_iter().collect()))
+        .collect()
+}
+
+fn is_cycle_dependency(scan: &ArchitectureScanReport, edge: &ImportEdge<'_>) -> bool {
+    let graph_edge = &scan.graph.edges[edge.edge_index];
+    if graph_edge.metadata.language.as_deref() != Some("rust") {
+        return true;
+    }
+    let specifier = graph_edge
+        .metadata
+        .raw_origin
+        .get("specifier")
+        .and_then(serde_json::Value::as_str)
+        .unwrap_or_default();
+    !is_rust_module_cycle_exempt(edge.from_path, edge.to_path, specifier)
+}
+
+fn is_rust_module_cycle_exempt(from_path: &str, to_path: &str, specifier: &str) -> bool {
+    if !is_rust_module_family_reference(specifier) {
+        return false;
+    }
+    is_rust_parent_child_module_family(from_path, to_path)
+}
+
+fn is_rust_module_family_reference(specifier: &str) -> bool {
+    specifier.starts_with("self::")
+        || specifier.starts_with("super::")
+        || specifier.starts_with("crate::")
+}
+
+fn is_rust_parent_child_module_family(from_path: &str, to_path: &str) -> bool {
+    let Some(from_module) = rust_module_id(from_path) else {
+        return false;
+    };
+    let Some(to_module) = rust_module_id(to_path) else {
+        return false;
+    };
+    if from_module == to_module {
+        return true;
+    }
+    from_module
+        .strip_prefix(&to_module)
+        .is_some_and(|suffix| suffix.starts_with('/'))
+        || to_module
+            .strip_prefix(&from_module)
+            .is_some_and(|suffix| suffix.starts_with('/'))
+}
+
+fn rust_module_id(path: &str) -> Option<String> {
+    path.strip_suffix("/mod.rs")
+        .map(ToString::to_string)
+        .or_else(|| path.strip_suffix(".rs").map(ToString::to_string))
+}
+
+pub(super) fn strongly_connected_components(
+    adjacency: &BTreeMap<String, Vec<String>>,
+) -> Vec<Vec<String>> {
+    let mut state = TarjanState::default();
+    for node in adjacency.keys() {
+        if !state.indices.contains_key(node) {
+            strong_connect(node, adjacency, &mut state);
+        }
+    }
+    state
+        .components
+        .into_iter()
+        .filter(|component| {
+            component.len() > 1
+                || component.first().is_some_and(|node| {
+                    adjacency
+                        .get(node)
+                        .is_some_and(|targets| targets.contains(node))
+                })
+        })
+        .collect()
+}
+
+#[derive(Default)]
+struct TarjanState {
+    next_index: usize,
+    stack: Vec<String>,
+    on_stack: BTreeSet<String>,
+    indices: BTreeMap<String, usize>,
+    lowlinks: BTreeMap<String, usize>,
+    components: Vec<Vec<String>>,
+}
+
+fn strong_connect(node: &str, adjacency: &BTreeMap<String, Vec<String>>, state: &mut TarjanState) {
+    let index = state.next_index;
+    state.next_index += 1;
+    state.indices.insert(node.to_string(), index);
+    state.lowlinks.insert(node.to_string(), index);
+    state.stack.push(node.to_string());
+    state.on_stack.insert(node.to_string());
+
+    for target in adjacency.get(node).into_iter().flatten() {
+        if !state.indices.contains_key(target) {
+            strong_connect(target, adjacency, state);
+            let lowlink = state.lowlinks[node].min(state.lowlinks[target]);
+            state.lowlinks.insert(node.to_string(), lowlink);
+        } else if state.on_stack.contains(target) {
+            let lowlink = state.lowlinks[node].min(state.indices[target]);
+            state.lowlinks.insert(node.to_string(), lowlink);
+        }
+    }
+
+    if state.lowlinks[node] == state.indices[node] {
+        let mut component = Vec::new();
+        while let Some(member) = state.stack.pop() {
+            state.on_stack.remove(&member);
+            component.push(member.clone());
+            if member == node {
+                break;
+            }
+        }
+        component.sort();
+        state.components.push(component);
+    }
+}

package/crates/naome-core/src/architecture/rules/transitive.rs

@@ -0,0 +1,89 @@
+use std::collections::{BTreeMap, BTreeSet, VecDeque};
+
+use crate::architecture::output::ArchitectureViolation;
+use crate::architecture::scan::ArchitectureScanReport;
+
+use super::graph;
+
+pub(super) fn validate_transitive_layer_dependencies(
+    scan: &ArchitectureScanReport,
+    violations: &mut Vec<ArchitectureViolation>,
+    rules_executed: &mut Vec<String>,
+) {
+    let rule = scan
+        .config
+        .rule("no_transitive_forbidden_layer_dependencies");
+    if !rule.enabled {
+        return;
+    }
+    rules_executed.push("arch.no_transitive_forbidden_layer_dependencies".to_string());
+    let adjacency = graph::file_import_adjacency(scan);
+    for (from_path, from_fact) in &scan.file_facts {
+        for from_layer in &from_fact.layers {
+            let Some((target_path, target_layers)) =
+                first_forbidden_target(scan, &adjacency, from_path, from_layer)
+            else {
+                continue;
+            };
+            violations.push(ArchitectureViolation {
+                id: "arch.no_transitive_forbidden_layer_dependencies".to_string(),
+                severity: rule.severity,
+                violation_type: "transitive_forbidden_dependency".to_string(),
+                message: format!(
+                    "{from_path} in layer {from_layer} transitively reaches {target_path} in forbidden layer {target_layers}."
+                ),
+                from: Some(format!("file:{from_path}")),
+                to: Some(format!("file:{target_path}")),
+                path: Some(from_path.clone()),
+                source_range: None,
+                suggestion: "Remove the indirect dependency chain or introduce an allowed boundary."
+                    .to_string(),
+                agent_instruction:
+                    "Do not reach forbidden layers indirectly; move the dependency behind an allowed interface."
+                        .to_string(),
+            });
+        }
+    }
+}
+
+fn first_forbidden_target(
+    scan: &ArchitectureScanReport,
+    adjacency: &BTreeMap<String, Vec<String>>,
+    from_path: &str,
+    from_layer: &str,
+) -> Option<(String, String)> {
+    let mut queue = VecDeque::new();
+    let mut visited = BTreeSet::new();
+    for target in adjacency.get(from_path).into_iter().flatten() {
+        queue.push_back((target.clone(), 1usize));
+    }
+    while let Some((path, depth)) = queue.pop_front() {
+        if !visited.insert(path.clone()) {
+            continue;
+        }
+        if depth > 1 {
+            let Some(fact) = scan.file_facts.get(&path) else {
+                continue;
+            };
+            if !fact.layers.is_empty() && !layer_allowed(scan, from_layer, &fact.layers) {
+                return Some((path, fact.layers.join(", ")));
+            }
+        }
+        for target in adjacency.get(&path).into_iter().flatten() {
+            queue.push_back((target.clone(), depth + 1));
+        }
+    }
+    None
+}
+
+fn layer_allowed(scan: &ArchitectureScanReport, from_layer: &str, targets: &[String]) -> bool {
+    let allowed = scan
+        .config
+        .allowed_dependencies
+        .get(from_layer)
+        .map(Vec::as_slice)
+        .unwrap_or(&[]);
+    targets
+        .iter()
+        .any(|to_layer| from_layer == to_layer || allowed.contains(to_layer))
+}

package/crates/naome-core/src/architecture/rules.rs

@@ -5,13 +5,27 @@ use super::output::{
     Severity,
 };
 use super::scan::ArchitectureScanReport;
+use crate::architecture::model::ArchitectureEdgeKind;
+
+mod budgets;
+mod context;
+mod cycles;
+mod external;
+mod graph;
+mod transitive;
 
 pub fn validate_scan(scan: ArchitectureScanReport) -> ArchitectureValidation {
     let mut violations = Vec::new();
     let mut rules_executed = Vec::new();
 
-    validate_max_file_lines(&scan, &mut violations, &mut rules_executed);
+    budgets::validate_file_size_budget(&scan, &mut violations, &mut rules_executed);
     validate_generated_manual_boundary(&scan, &mut violations, &mut rules_executed);
+    validate_forbidden_layer_dependencies(&scan, &mut violations, &mut rules_executed);
+    context::validate_context_rules(&scan, &mut violations, &mut rules_executed);
+    cycles::validate_cycles(&scan, &mut violations, &mut rules_executed);
+    transitive::validate_transitive_layer_dependencies(&scan, &mut violations, &mut rules_executed);
+    budgets::validate_dependency_budgets(&scan, &mut violations, &mut rules_executed);
+    external::validate_external_dependency_policy(&scan, &mut violations, &mut rules_executed);
 
     violations.sort_by(|left, right| {
         (
@@ -46,41 +60,73 @@ pub fn validate_scan(scan: ArchitectureScanReport) -> ArchitectureValidation {
     }
 }
 
-fn validate_max_file_lines(
+fn validate_forbidden_layer_dependencies(
     scan: &ArchitectureScanReport,
     violations: &mut Vec<ArchitectureViolation>,
     rules_executed: &mut Vec<String>,
 ) {
-    let rule = scan.config.rule("max_file_lines");
+    let rule = scan.config.rule("no_forbidden_layer_dependencies");
     if !rule.enabled {
         return;
     }
-    rules_executed.push("arch.max_file_lines".to_string());
-    let Some(limit) = rule.value else {
-        return;
-    };
-    for fact in scan.file_facts.values() {
-        if fact.line_count <= limit {
+    rules_executed.push("arch.no_forbidden_layer_dependencies".to_string());
+    for edge in &scan.graph.edges {
+        if edge.kind != ArchitectureEdgeKind::Imports {
             continue;
         }
-        violations.push(ArchitectureViolation {
-            id: "arch.max_file_lines".to_string(),
-            severity: rule.severity,
-            violation_type: "file_size_budget".to_string(),
-            message: format!(
-                "{} has {} lines, exceeding the configured budget of {}.",
-                fact.path, fact.line_count, limit
-            ),
-            from: Some(format!("file:{}", fact.path)),
-            to: None,
-            path: Some(fact.path.clone()),
-            source_range: None,
-            suggestion: "Split the file into cohesive modules or move generated content behind an explicit ignore rule.".to_string(),
-            agent_instruction: format!(
-                "Reduce {} below {} lines or add a justified generated-code ignore rule if it is not manually owned.",
-                fact.path, limit
-            ),
-        });
+        let Some(from_path) = edge.from.strip_prefix("file:") else {
+            continue;
+        };
+        let Some(to_path) = edge.to.strip_prefix("file:") else {
+            continue;
+        };
+        let Some(from_fact) = scan.file_facts.get(from_path) else {
+            continue;
+        };
+        let Some(to_fact) = scan.file_facts.get(to_path) else {
+            continue;
+        };
+        if to_fact.layers.is_empty() {
+            continue;
+        }
+        for from_layer in &from_fact.layers {
+            let allowed_layers = scan
+                .config
+                .allowed_dependencies
+                .get(from_layer)
+                .map(Vec::as_slice)
+                .unwrap_or(&[]);
+            if to_fact
+                .layers
+                .iter()
+                .any(|to_layer| from_layer == to_layer || allowed_layers.contains(to_layer))
+            {
+                continue;
+            }
+            let target_layers = to_fact.layers.join(", ");
+            violations.push(ArchitectureViolation {
+                id: "arch.no_forbidden_layer_dependencies".to_string(),
+                severity: rule.severity,
+                violation_type: "forbidden_layer_dependency".to_string(),
+                message: format!(
+                    "{} in layer {} imports {} in forbidden layer {}.",
+                    from_path, from_layer, to_path, target_layers
+                ),
+                from: Some(edge.from.clone()),
+                to: Some(edge.to.clone()),
+                path: Some(from_path.to_string()),
+                source_range: edge.metadata.source_range.clone(),
+                suggestion: format!(
+                    "Move the dependency behind an allowed layer boundary or change naome.arch.yaml allowed_dependencies if this architecture is intentional. {} currently allows: {}.",
+                    from_layer,
+                    allowed_layers.join(", ")
+                ),
+                agent_instruction: format!(
+                    "Do not import {} from {}. Introduce an allowed boundary or invert the dependency before re-running architecture validation.",
+                    target_layers, from_layer
+                ),
+            });
+        }
     }
 }
 

package/crates/naome-core/src/architecture/scan/graph_builder/emit.rs

@@ -2,7 +2,7 @@ use serde_json::json;
 
 use crate::architecture::model::{
     ArchitectureEdge, ArchitectureEdgeKind, ArchitectureGraph, ArchitectureMetadata,
-    ArchitectureNode, ArchitectureNodeKind,
+    ArchitectureNode, ArchitectureNodeKind, SourceRange,
 };
 
 pub(super) fn push_node(
@@ -22,6 +22,32 @@ pub(super) fn push_node(
     });
 }
 
+pub(super) fn push_node_with_metadata(
+    graph: &mut ArchitectureGraph,
+    id: &str,
+    kind: ArchitectureNodeKind,
+    label: &str,
+    path: Option<String>,
+    language: Option<String>,
+    confidence: f32,
+    extractor: &str,
+    raw_origin: serde_json::Value,
+) {
+    graph.nodes.push(ArchitectureNode {
+        id: id.to_string(),
+        kind,
+        label: label.to_string(),
+        metadata: ArchitectureMetadata {
+            path,
+            language,
+            source_range: None,
+            confidence,
+            extractor: extractor.to_string(),
+            raw_origin,
+        },
+    });
+}
+
 pub(super) fn push_edge(
     graph: &mut ArchitectureGraph,
     from: &str,
@@ -40,6 +66,42 @@ pub(super) fn push_edge(
     });
 }
 
+pub(super) fn push_edge_with_metadata(
+    graph: &mut ArchitectureGraph,
+    from: &str,
+    to: &str,
+    kind: ArchitectureEdgeKind,
+    label: &str,
+    path: Option<String>,
+    language: Option<String>,
+    source_range: Option<SourceRange>,
+    confidence: f32,
+    extractor: &str,
+    raw_origin: serde_json::Value,
+) {
+    graph.edges.push(ArchitectureEdge {
+        id: format!(
+            "edge:{from}:{to}:{kind:?}:{}",
+            raw_origin
+                .get("specifier")
+                .and_then(serde_json::Value::as_str)
+                .unwrap_or(label)
+        ),
+        from: from.to_string(),
+        to: to.to_string(),
+        kind,
+        label: label.to_string(),
+        metadata: ArchitectureMetadata {
+            path,
+            language,
+            source_range,
+            confidence,
+            extractor: extractor.to_string(),
+            raw_origin,
+        },
+    });
+}
+
 fn metadata(
     path: Option<String>,
     language: Option<String>,

package/crates/naome-core/src/architecture/scan/graph_builder/facts.rs

@@ -1,13 +1,11 @@
 use std::collections::BTreeSet;
-use std::fs;
 use std::path::Path;
 
 use crate::architecture::config::ArchitectureConfig;
 use crate::architecture::scan::FileFact;
 use crate::paths;
 
-pub(super) fn file_fact(root: &Path, path: &str, config: &ArchitectureConfig) -> FileFact {
-    let content = fs::read_to_string(root.join(path)).unwrap_or_default();
+pub(super) fn file_fact(path: &str, content: &str, config: &ArchitectureConfig) -> FileFact {
     FileFact {
         path: path.to_string(),
         language: language_for_path(path),
@@ -27,6 +25,7 @@ pub(super) fn file_fact(root: &Path, path: &str, config: &ArchitectureConfig) ->
                 .map(|(name, value)| (name, &value.paths)),
         ),
         ignored: ignore_reason(path, config),
+        imports: Vec::new(),
     }
 }