@lamentis/naome 1.3.11 → 1.3.13

package/crates/naome-core/src/architecture/rules/external.rs

@@ -0,0 +1,244 @@
+use crate::architecture::output::ArchitectureViolation;
+use crate::architecture::scan::{ArchitectureScanReport, ImportTarget};
+use crate::paths;
+
+pub(super) fn validate_external_dependency_policy(
+    scan: &ArchitectureScanReport,
+    violations: &mut Vec<ArchitectureViolation>,
+    rules_executed: &mut Vec<String>,
+) {
+    let rule = scan.config.rule("external_dependency_policy");
+    if !rule.enabled {
+        return;
+    }
+    rules_executed.push("arch.external_dependency_policy".to_string());
+    for fact in scan.file_facts.values() {
+        let owners = fact
+            .layers
+            .iter()
+            .chain(fact.contexts.iter())
+            .collect::<Vec<_>>();
+        for import in &fact.imports {
+            let ImportTarget::ExternalDependency(package) = &import.target else {
+                continue;
+            };
+            if is_standard_library_dependency(fact.language.as_deref(), package) {
+                continue;
+            }
+            for owner in &owners {
+                let Some(policy) = scan.config.external_dependencies.get(*owner) else {
+                    continue;
+                };
+                if paths::matches_any(package, &policy.allow) {
+                    continue;
+                }
+                violations.push(ArchitectureViolation {
+                    id: "arch.external_dependency_policy".to_string(),
+                    severity: rule.severity,
+                    violation_type: "external_dependency_policy".to_string(),
+                    message: format!(
+                        "{} in {} imports external dependency {} without policy allowance.",
+                        fact.path, owner, package
+                    ),
+                    from: Some(format!("file:{}", fact.path)),
+                    to: Some(format!("external:{package}")),
+                    path: Some(fact.path.clone()),
+                    source_range: import.source_range.clone(),
+                    suggestion: format!(
+                        "Move {} behind an allowed adapter or add it to external_dependencies.{}.allow with intent.",
+                        package, owner
+                    ),
+                    agent_instruction: format!(
+                        "Do not import external dependency {} from {}; use an allowed boundary.",
+                        package, owner
+                    ),
+                });
+            }
+        }
+    }
+}
+
+fn is_standard_library_dependency(language: Option<&str>, package: &str) -> bool {
+    let root = package
+        .strip_prefix("node:")
+        .unwrap_or(package)
+        .split(['/', '.', ':'])
+        .next()
+        .unwrap_or(package);
+    match language {
+        Some("go") => !package
+            .split('/')
+            .next()
+            .is_some_and(|prefix| prefix.contains('.')),
+        Some("javascript") | Some("typescript") => NODE_BUILTINS.contains(&root),
+        Some("python") => PYTHON_STDLIB.contains(&root),
+        Some("rust") => matches!(root, "std" | "core" | "alloc" | "proc_macro" | "test"),
+        Some("swift") => SWIFT_APPLE_FRAMEWORKS.contains(&root),
+        _ => false,
+    }
+}
+
+const NODE_BUILTINS: &[&str] = &[
+    "assert",
+    "async_hooks",
+    "buffer",
+    "child_process",
+    "cluster",
+    "console",
+    "constants",
+    "crypto",
+    "diagnostics_channel",
+    "dns",
+    "domain",
+    "events",
+    "fs",
+    "http",
+    "http2",
+    "https",
+    "inspector",
+    "module",
+    "net",
+    "os",
+    "path",
+    "perf_hooks",
+    "process",
+    "punycode",
+    "querystring",
+    "readline",
+    "repl",
+    "stream",
+    "string_decoder",
+    "timers",
+    "tls",
+    "trace_events",
+    "tty",
+    "url",
+    "util",
+    "v8",
+    "vm",
+    "wasi",
+    "worker_threads",
+    "zlib",
+];
+
+const PYTHON_STDLIB: &[&str] = &[
+    "abc",
+    "argparse",
+    "array",
+    "ast",
+    "asyncio",
+    "base64",
+    "bisect",
+    "calendar",
+    "collections",
+    "concurrent",
+    "contextlib",
+    "copy",
+    "csv",
+    "dataclasses",
+    "datetime",
+    "decimal",
+    "email",
+    "enum",
+    "functools",
+    "glob",
+    "gzip",
+    "hashlib",
+    "heapq",
+    "hmac",
+    "html",
+    "http",
+    "importlib",
+    "inspect",
+    "io",
+    "itertools",
+    "json",
+    "logging",
+    "math",
+    "multiprocessing",
+    "operator",
+    "os",
+    "pathlib",
+    "pickle",
+    "platform",
+    "queue",
+    "random",
+    "re",
+    "shlex",
+    "shutil",
+    "signal",
+    "socket",
+    "sqlite3",
+    "statistics",
+    "string",
+    "subprocess",
+    "sys",
+    "tempfile",
+    "threading",
+    "time",
+    "traceback",
+    "typing",
+    "unittest",
+    "urllib",
+    "uuid",
+    "xml",
+    "zipfile",
+];
+
+const SWIFT_APPLE_FRAMEWORKS: &[&str] = &[
+    "Accelerate",
+    "AppIntents",
+    "AppKit",
+    "ARKit",
+    "AVFoundation",
+    "CloudKit",
+    "Combine",
+    "CoreData",
+    "CoreFoundation",
+    "CoreBluetooth",
+    "CoreGraphics",
+    "CoreImage",
+    "CoreLocation",
+    "CoreML",
+    "CoreMotion",
+    "CoreNFC",
+    "CoreSpotlight",
+    "CoreTelephony",
+    "CoreText",
+    "CryptoKit",
+    "Dispatch",
+    "EventKit",
+    "Foundation",
+    "GameKit",
+    "HealthKit",
+    "LocalAuthentication",
+    "MapKit",
+    "MessageUI",
+    "Metal",
+    "MetalKit",
+    "NaturalLanguage",
+    "Network",
+    "Observation",
+    "PassKit",
+    "PencilKit",
+    "Photos",
+    "QuartzCore",
+    "RealityKit",
+    "SafariServices",
+    "SceneKit",
+    "Security",
+    "SpriteKit",
+    "StoreKit",
+    "Swift",
+    "SwiftData",
+    "SwiftUI",
+    "ThreadNetwork",
+    "UIKit",
+    "UniformTypeIdentifiers",
+    "UserNotifications",
+    "Vision",
+    "WatchKit",
+    "WebKit",
+    "WidgetKit",
+    "XCTest",
+];

package/crates/naome-core/src/architecture/rules/graph.rs

@@ -0,0 +1,177 @@
+use std::collections::{BTreeMap, BTreeSet};
+
+use crate::architecture::model::ArchitectureEdgeKind;
+use crate::architecture::scan::ArchitectureScanReport;
+
+#[derive(Debug, Clone)]
+pub(super) struct ImportEdge<'a> {
+    pub(super) from_path: &'a str,
+    pub(super) to_path: &'a str,
+    pub(super) edge_index: usize,
+}
+
+pub(super) fn file_import_edges(scan: &ArchitectureScanReport) -> Vec<ImportEdge<'_>> {
+    scan.graph
+        .edges
+        .iter()
+        .enumerate()
+        .filter_map(|(edge_index, edge)| {
+            (edge.kind == ArchitectureEdgeKind::Imports)
+                .then(|| {
+                    Some(ImportEdge {
+                        from_path: edge.from.strip_prefix("file:")?,
+                        to_path: edge.to.strip_prefix("file:")?,
+                        edge_index,
+                    })
+                })
+                .flatten()
+        })
+        .collect()
+}
+
+pub(super) fn file_import_adjacency(
+    scan: &ArchitectureScanReport,
+) -> BTreeMap<String, Vec<String>> {
+    file_adjacency(file_import_edges(scan).into_iter())
+}
+
+pub(super) fn file_cycle_adjacency(scan: &ArchitectureScanReport) -> BTreeMap<String, Vec<String>> {
+    file_adjacency(
+        file_import_edges(scan)
+            .into_iter()
+            .filter(|edge| is_cycle_dependency(scan, edge)),
+    )
+}
+
+fn file_adjacency<'a>(
+    edges: impl Iterator<Item = ImportEdge<'a>>,
+) -> BTreeMap<String, Vec<String>> {
+    let mut adjacency = BTreeMap::<String, BTreeSet<String>>::new();
+    for edge in edges {
+        adjacency
+            .entry(edge.from_path.to_string())
+            .or_default()
+            .insert(edge.to_path.to_string());
+    }
+    adjacency
+        .into_iter()
+        .map(|(from, targets)| (from, targets.into_iter().collect()))
+        .collect()
+}
+
+fn is_cycle_dependency(scan: &ArchitectureScanReport, edge: &ImportEdge<'_>) -> bool {
+    let graph_edge = &scan.graph.edges[edge.edge_index];
+    if graph_edge.metadata.language.as_deref() != Some("rust") {
+        return true;
+    }
+    let specifier = graph_edge
+        .metadata
+        .raw_origin
+        .get("specifier")
+        .and_then(serde_json::Value::as_str)
+        .unwrap_or_default();
+    !is_rust_module_cycle_exempt(edge.from_path, edge.to_path, specifier)
+}
+
+fn is_rust_module_cycle_exempt(from_path: &str, to_path: &str, specifier: &str) -> bool {
+    if !is_rust_module_family_reference(specifier) {
+        return false;
+    }
+    is_rust_parent_child_module_family(from_path, to_path)
+}
+
+fn is_rust_module_family_reference(specifier: &str) -> bool {
+    specifier.starts_with("self::")
+        || specifier.starts_with("super::")
+        || specifier.starts_with("crate::")
+}
+
+fn is_rust_parent_child_module_family(from_path: &str, to_path: &str) -> bool {
+    let Some(from_module) = rust_module_id(from_path) else {
+        return false;
+    };
+    let Some(to_module) = rust_module_id(to_path) else {
+        return false;
+    };
+    if from_module == to_module {
+        return true;
+    }
+    from_module
+        .strip_prefix(&to_module)
+        .is_some_and(|suffix| suffix.starts_with('/'))
+        || to_module
+            .strip_prefix(&from_module)
+            .is_some_and(|suffix| suffix.starts_with('/'))
+}
+
+fn rust_module_id(path: &str) -> Option<String> {
+    path.strip_suffix("/mod.rs")
+        .map(ToString::to_string)
+        .or_else(|| path.strip_suffix(".rs").map(ToString::to_string))
+}
+
+pub(super) fn strongly_connected_components(
+    adjacency: &BTreeMap<String, Vec<String>>,
+) -> Vec<Vec<String>> {
+    let mut state = TarjanState::default();
+    for node in adjacency.keys() {
+        if !state.indices.contains_key(node) {
+            strong_connect(node, adjacency, &mut state);
+        }
+    }
+    state
+        .components
+        .into_iter()
+        .filter(|component| {
+            component.len() > 1
+                || component.first().is_some_and(|node| {
+                    adjacency
+                        .get(node)
+                        .is_some_and(|targets| targets.contains(node))
+                })
+        })
+        .collect()
+}
+
+#[derive(Default)]
+struct TarjanState {
+    next_index: usize,
+    stack: Vec<String>,
+    on_stack: BTreeSet<String>,
+    indices: BTreeMap<String, usize>,
+    lowlinks: BTreeMap<String, usize>,
+    components: Vec<Vec<String>>,
+}
+
+fn strong_connect(node: &str, adjacency: &BTreeMap<String, Vec<String>>, state: &mut TarjanState) {
+    let index = state.next_index;
+    state.next_index += 1;
+    state.indices.insert(node.to_string(), index);
+    state.lowlinks.insert(node.to_string(), index);
+    state.stack.push(node.to_string());
+    state.on_stack.insert(node.to_string());
+
+    for target in adjacency.get(node).into_iter().flatten() {
+        if !state.indices.contains_key(target) {
+            strong_connect(target, adjacency, state);
+            let lowlink = state.lowlinks[node].min(state.lowlinks[target]);
+            state.lowlinks.insert(node.to_string(), lowlink);
+        } else if state.on_stack.contains(target) {
+            let lowlink = state.lowlinks[node].min(state.indices[target]);
+            state.lowlinks.insert(node.to_string(), lowlink);
+        }
+    }
+
+    if state.lowlinks[node] == state.indices[node] {
+        let mut component = Vec::new();
+        while let Some(member) = state.stack.pop() {
+            state.on_stack.remove(&member);
+            component.push(member.clone());
+            if member == node {
+                break;
+            }
+        }
+        component.sort();
+        state.components.push(component);
+    }
+}

package/crates/naome-core/src/architecture/rules/transitive.rs

@@ -0,0 +1,89 @@
+use std::collections::{BTreeMap, BTreeSet, VecDeque};
+
+use crate::architecture::output::ArchitectureViolation;
+use crate::architecture::scan::ArchitectureScanReport;
+
+use super::graph;
+
+pub(super) fn validate_transitive_layer_dependencies(
+    scan: &ArchitectureScanReport,
+    violations: &mut Vec<ArchitectureViolation>,
+    rules_executed: &mut Vec<String>,
+) {
+    let rule = scan
+        .config
+        .rule("no_transitive_forbidden_layer_dependencies");
+    if !rule.enabled {
+        return;
+    }
+    rules_executed.push("arch.no_transitive_forbidden_layer_dependencies".to_string());
+    let adjacency = graph::file_import_adjacency(scan);
+    for (from_path, from_fact) in &scan.file_facts {
+        for from_layer in &from_fact.layers {
+            let Some((target_path, target_layers)) =
+                first_forbidden_target(scan, &adjacency, from_path, from_layer)
+            else {
+                continue;
+            };
+            violations.push(ArchitectureViolation {
+                id: "arch.no_transitive_forbidden_layer_dependencies".to_string(),
+                severity: rule.severity,
+                violation_type: "transitive_forbidden_dependency".to_string(),
+                message: format!(
+                    "{from_path} in layer {from_layer} transitively reaches {target_path} in forbidden layer {target_layers}."
+                ),
+                from: Some(format!("file:{from_path}")),
+                to: Some(format!("file:{target_path}")),
+                path: Some(from_path.clone()),
+                source_range: None,
+                suggestion: "Remove the indirect dependency chain or introduce an allowed boundary."
+                    .to_string(),
+                agent_instruction:
+                    "Do not reach forbidden layers indirectly; move the dependency behind an allowed interface."
+                        .to_string(),
+            });
+        }
+    }
+}
+
+fn first_forbidden_target(
+    scan: &ArchitectureScanReport,
+    adjacency: &BTreeMap<String, Vec<String>>,
+    from_path: &str,
+    from_layer: &str,
+) -> Option<(String, String)> {
+    let mut queue = VecDeque::new();
+    let mut visited = BTreeSet::new();
+    for target in adjacency.get(from_path).into_iter().flatten() {
+        queue.push_back((target.clone(), 1usize));
+    }
+    while let Some((path, depth)) = queue.pop_front() {
+        if !visited.insert(path.clone()) {
+            continue;
+        }
+        if depth > 1 {
+            let Some(fact) = scan.file_facts.get(&path) else {
+                continue;
+            };
+            if !fact.layers.is_empty() && !layer_allowed(scan, from_layer, &fact.layers) {
+                return Some((path, fact.layers.join(", ")));
+            }
+        }
+        for target in adjacency.get(&path).into_iter().flatten() {
+            queue.push_back((target.clone(), depth + 1));
+        }
+    }
+    None
+}
+
+fn layer_allowed(scan: &ArchitectureScanReport, from_layer: &str, targets: &[String]) -> bool {
+    let allowed = scan
+        .config
+        .allowed_dependencies
+        .get(from_layer)
+        .map(Vec::as_slice)
+        .unwrap_or(&[]);
+    targets
+        .iter()
+        .any(|to_layer| from_layer == to_layer || allowed.contains(to_layer))
+}

package/crates/naome-core/src/architecture/rules.rs

@@ -7,13 +7,25 @@ use super::output::{
 use super::scan::ArchitectureScanReport;
 use crate::architecture::model::ArchitectureEdgeKind;
 
+mod budgets;
+mod context;
+mod cycles;
+mod external;
+mod graph;
+mod transitive;
+
 pub fn validate_scan(scan: ArchitectureScanReport) -> ArchitectureValidation {
     let mut violations = Vec::new();
     let mut rules_executed = Vec::new();
 
-    validate_max_file_lines(&scan, &mut violations, &mut rules_executed);
+    budgets::validate_file_size_budget(&scan, &mut violations, &mut rules_executed);
     validate_generated_manual_boundary(&scan, &mut violations, &mut rules_executed);
     validate_forbidden_layer_dependencies(&scan, &mut violations, &mut rules_executed);
+    context::validate_context_rules(&scan, &mut violations, &mut rules_executed);
+    cycles::validate_cycles(&scan, &mut violations, &mut rules_executed);
+    transitive::validate_transitive_layer_dependencies(&scan, &mut violations, &mut rules_executed);
+    budgets::validate_dependency_budgets(&scan, &mut violations, &mut rules_executed);
+    external::validate_external_dependency_policy(&scan, &mut violations, &mut rules_executed);
 
     violations.sort_by(|left, right| {
         (
@@ -118,44 +130,6 @@ fn validate_forbidden_layer_dependencies(
     }
 }
 
-fn validate_max_file_lines(
-    scan: &ArchitectureScanReport,
-    violations: &mut Vec<ArchitectureViolation>,
-    rules_executed: &mut Vec<String>,
-) {
-    let rule = scan.config.rule("max_file_lines");
-    if !rule.enabled {
-        return;
-    }
-    rules_executed.push("arch.max_file_lines".to_string());
-    let Some(limit) = rule.value else {
-        return;
-    };
-    for fact in scan.file_facts.values() {
-        if fact.line_count <= limit {
-            continue;
-        }
-        violations.push(ArchitectureViolation {
-            id: "arch.max_file_lines".to_string(),
-            severity: rule.severity,
-            violation_type: "file_size_budget".to_string(),
-            message: format!(
-                "{} has {} lines, exceeding the configured budget of {}.",
-                fact.path, fact.line_count, limit
-            ),
-            from: Some(format!("file:{}", fact.path)),
-            to: None,
-            path: Some(fact.path.clone()),
-            source_range: None,
-            suggestion: "Split the file into cohesive modules or move generated content behind an explicit ignore rule.".to_string(),
-            agent_instruction: format!(
-                "Reduce {} below {} lines or add a justified generated-code ignore rule if it is not manually owned.",
-                fact.path, limit
-            ),
-        });
-    }
-}
-
 fn validate_generated_manual_boundary(
     scan: &ArchitectureScanReport,
     violations: &mut Vec<ArchitectureViolation>,