@lamentis/naome 1.3.16 → 1.4.0

package/crates/naome-core/tests/architecture_unresolved.rs

@@ -0,0 +1,36 @@
+use naome_core::{validate_architecture, ArchitectureScanOptions};
+
+mod architecture_support;
+
+use architecture_support::FixtureRepo;
+
+#[test]
+fn missing_rust_local_imports_remain_unresolved() {
+    let repo = FixtureRepo::new();
+    repo.write("src/lib.rs", "pub mod domain;\n");
+    repo.write(
+        "src/domain/mod.rs",
+        "use crate::missing::Thing;\nuse self::missing::Local;\npub mod service;\n",
+    );
+    repo.write("src/domain/service.rs", "use super::missing::Parent;\n");
+
+    let report = validate_architecture(repo.path(), ArchitectureScanOptions::default()).unwrap();
+    let unresolved = report
+        .config_findings
+        .iter()
+        .filter(|finding| finding.id == "arch.import.unresolved")
+        .map(|finding| finding.message.as_str())
+        .collect::<Vec<_>>();
+
+    for specifier in [
+        "crate::missing::Thing",
+        "self::missing::Local",
+        "super::missing::Parent",
+    ] {
+        assert!(
+            unresolved.iter().any(|message| message.contains(specifier)),
+            "{specifier}: {:?}",
+            unresolved
+        );
+    }
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lamentis/naome",
-  "version": "1.3.16",
+  "version": "1.4.0",
   "description": "Native-first CLI for the NAOME agent harness.",
   "license": "Apache-2.0",
   "type": "module",

package/templates/naome-root/.naome/bin/check-harness-health.js

@@ -17,6 +17,7 @@ const expectedMachineOwnedIntegrity = Object.freeze({
   ".naome/task-contract.schema.json": "sha256:1b3b62350328d0d6d660e36d1d1baaa2b88718530db774f9ab2a9e2fcba369c8",
   "AGENTS.md": "sha256:e8b2fc786c1c72b69ba8f2b2ffce4f459e799c7453ce9ff4a9f6448a8f9e6b4f",
   "docs/naome/agent-workflow.md": "sha256:0be1c29adfbcd3fd73c4f904080ffc67237692fe413871a30243538c4db38ac7",
+  "docs/naome/architecture-fitness.md": "sha256:be38e0c6dea8b1ebeee3bfd4a2e4e17008829360b1b4649ef45f2ce61e7287bd",
   "docs/naome/context-economy.md": "sha256:3ed5075815ecf4ada46a5e65438769310307c35759fcd46b13dc0b96e02bebd9",
   "docs/naome/execution.md": "sha256:bfc5d55838942ec8e3d790b59e3c634ff5bf6a2298265cef3dca9788a097eafb",
   "docs/naome/first-run.md": "sha256:1466ce8c65e19a1514885f917db14e8a772350e3f6d1c03a66326963365919e1",

package/templates/naome-root/.naome/bin/check-task-state.js

@@ -17,6 +17,7 @@ const expectedMachineOwnedIntegrity = Object.freeze({
   ".naome/task-contract.schema.json": "sha256:1b3b62350328d0d6d660e36d1d1baaa2b88718530db774f9ab2a9e2fcba369c8",
   "AGENTS.md": "sha256:e8b2fc786c1c72b69ba8f2b2ffce4f459e799c7453ce9ff4a9f6448a8f9e6b4f",
   "docs/naome/agent-workflow.md": "sha256:0be1c29adfbcd3fd73c4f904080ffc67237692fe413871a30243538c4db38ac7",
+  "docs/naome/architecture-fitness.md": "sha256:be38e0c6dea8b1ebeee3bfd4a2e4e17008829360b1b4649ef45f2ce61e7287bd",
   "docs/naome/context-economy.md": "sha256:3ed5075815ecf4ada46a5e65438769310307c35759fcd46b13dc0b96e02bebd9",
   "docs/naome/execution.md": "sha256:bfc5d55838942ec8e3d790b59e3c634ff5bf6a2298265cef3dca9788a097eafb",
   "docs/naome/first-run.md": "sha256:1466ce8c65e19a1514885f917db14e8a772350e3f6d1c03a66326963365919e1",

package/templates/naome-root/.naome/manifest.json

@@ -1,5 +1,5 @@
 {
-  "harnessVersion": "1.3.13",
+  "harnessVersion": "1.4.0",
   "installedAt": null,
   "integrity": {
     ".naome/bin/check-harness-health.js": "sha256:802d7419774981a6af1826b3882270ff8f41259d516f98c52a02b4ddc184c467",
@@ -9,7 +9,7 @@
     ".naome/task-contract.schema.json": "sha256:1b3b62350328d0d6d660e36d1d1baaa2b88718530db774f9ab2a9e2fcba369c8",
     "AGENTS.md": "sha256:e8b2fc786c1c72b69ba8f2b2ffce4f459e799c7453ce9ff4a9f6448a8f9e6b4f",
     "docs/naome/agent-workflow.md": "sha256:0be1c29adfbcd3fd73c4f904080ffc67237692fe413871a30243538c4db38ac7",
-    "docs/naome/architecture-fitness.md": "sha256:88aa979f61f82c2802c416af2c374ba041c94157189d59048d6889b07034d394",
+    "docs/naome/architecture-fitness.md": "sha256:be38e0c6dea8b1ebeee3bfd4a2e4e17008829360b1b4649ef45f2ce61e7287bd",
     "docs/naome/context-economy.md": "sha256:3ed5075815ecf4ada46a5e65438769310307c35759fcd46b13dc0b96e02bebd9",
     "docs/naome/execution.md": "sha256:bfc5d55838942ec8e3d790b59e3c634ff5bf6a2298265cef3dca9788a097eafb",
     "docs/naome/first-run.md": "sha256:1466ce8c65e19a1514885f917db14e8a772350e3f6d1c03a66326963365919e1",

package/templates/naome-root/.naome/verification.json

@@ -107,5 +107,10 @@
     }
   ],
   "changeTypes": [],
-  "releaseGates": []
+  "releaseGates": [
+    {
+      "checkId": "architecture-fitness-check",
+      "requiredWhen": "Before release or any source, manifest, alias, config, or structure change that can affect architecture."
+    }
+  ]
 }

package/templates/naome-root/docs/naome/architecture-fitness.md

@@ -7,13 +7,15 @@ facts instead of prompt text.
 
 ## Commands
 
-- `naome arch init` writes a starter `naome.arch.yaml`.
+- `naome arch init` writes a repository-aware starter `naome.arch.yaml`.
 - `naome arch explain` prints inferred layers, contexts, rules, and extractors.
 - `naome arch scan --json` emits the normalized graph.
 - `naome arch scan --write` writes `.naome/architecture-graph.json`.
 - `naome arch validate` runs architecture rules with human output.
 - `naome arch validate --json` emits stable machine-readable output.
 - `naome arch validate --agent-feedback` emits compact repair instructions.
+- `naome arch validate --sarif [--output architecture.sarif]` emits SARIF 2.1.0
+  for CI code-scanning while preserving failing exit codes.
 - `naome arch validate --changed-only` uses changed paths with the persistent
   architecture cache when available and safely degrades to a full scan when the
   cache cannot prove graph-level soundness.
@@ -34,70 +36,40 @@ extractor name, raw origin data, stable ID, and a human-readable label.
 Ignored paths require a reason so agents cannot silently suppress architecture
 ownership.
 
-```yaml
-layers:
-  domain:
-    paths:
-      - "src/domain/**"
-  infrastructure:
-    paths:
-      - "src/infrastructure/**"
-
-contexts:
-  billing:
-    paths:
-      - "src/billing/**"
-    public_api:
-      - "src/billing/index.ts"
+`naome arch init` starts from the files already present in the repository. It
+recognizes common `src/**` layers, Swift/iOS `Sources/**` layouts, feature
+directories under `src/`, and public API entrypoints such as `index.*` or
+`Public/**`. Repositories without recognizable source roots still receive the
+safe generic starter.
+
+Core configuration sections are `layers`, `contexts`, `rules`,
+`allowed_dependencies`, `external_dependencies`, and `ignore`. Typical rules are
+enabled as:
 
+```yaml
 rules:
   no_forbidden_layer_dependencies:
     enabled: true
     severity: error
-  no_cross_context_internal_imports:
-    enabled: true
-    severity: error
   public_api_boundary:
     enabled: true
     severity: error
   no_cycles:
     enabled: true
     severity: error
-  no_transitive_forbidden_layer_dependencies:
-    enabled: true
-    severity: error
   max_imports_per_file:
     enabled: true
     value: 20
     severity: warning
-  max_fan_out:
-    enabled: true
-    value: 20
-    severity: warning
-  external_dependency_policy:
-    enabled: true
-    severity: error
   max_file_lines:
     enabled: true
     value: 400
     severity: warning
-  generated_manual_boundary:
-    enabled: true
-    severity: error
-
-allowed_dependencies:
-  domain:
-  infrastructure:
-    - domain
+```
 
-external_dependencies:
-  domain:
-    allow: []
-  infrastructure:
-    allow:
-      - "stripe"
-      - "@supabase/*"
+Use explicit ignore reasons, for example:
 
+```yaml
 ignore:
   - path: "generated/**"
     reason: "Generated code is not architecture-owned."
@@ -132,6 +104,23 @@ repair loops. It also reports `changedOnlyMode` and
 `changedOnlyDegradationReason`, so agents can distinguish an incremental cache
 run from a deliberate full-scan fallback.
 
+Agent feedback is intentionally compact. Dependency repair entries include the
+source file and target file when both are known, plus direct `must_not_do`
+constraints for layer-boundary violations. Configuration findings also surface
+unresolved imports as repairable feedback so agents do not treat missing graph
+edges as clean architecture.
+
+## Configuration Findings
+
+Validation can pass while still reporting non-blocking configuration findings
+about weak architecture policy, such as:
+
+- broad catch-all layers or contexts overlapping narrower boundaries;
+- layers or contexts whose path patterns match no files;
+- unresolved imports that could hide real dependency edges.
+
+Use JSON output to inspect `configFindings` deterministically in CI or agents.
+
 ## Incremental Cache
 
 NAOME stores architecture file facts in `.naome/cache/architecture/cache.json`.
@@ -145,6 +134,10 @@ Changed-only validation is sound by construction:
 - config changes perform a full scan with reason `config_changed`;
 - added or deleted repository files perform a full scan with reason
   `file_set_changed`;
+- manifest and resolver-context changes such as `package.json`,
+  `tsconfig.json`, `jsconfig.json`, `Cargo.toml`, `go.mod`, `Package.swift`,
+  Gradle, Maven, CocoaPods, Carthage, or Xcode project files perform a full
+  scan with reason `resolver_context_changed`;
 - when config and file set are unchanged, NAOME reuses cached facts for
   untouched files, rescans changed files, rebuilds the full graph, and runs all
   graph-level rules against that graph.
@@ -156,28 +149,52 @@ The command is deterministic in both cache-backed and fallback modes; CI can
 inspect the JSON fields above when it needs to distinguish performance from
 soundness fallbacks.
 
+Use `node .naome/bin/naome.js arch validate --sarif --output architecture.sarif`
+when CI can upload SARIF. It contains blocking violations, configuration
+findings, unresolved imports, and `agentInstruction` properties for repair loops.
+
+For v1.4.0, architecture fitness is a release gate whenever source,
+manifest, alias, config, or structure changes can alter dependency edges. Treat
+error-level violations as blocking. Warning-level config findings are advisory
+unless the repository chooses stricter policy, but unresolved imports should be
+triaged before claiming a clean architecture result.
+
 ## Language Support
 
-The v1.3.14 foundation classifies TypeScript, JavaScript, Rust, Python, Go,
-Java, Kotlin, and Swift files by path extension. It extracts import facts for
-TypeScript, JavaScript, Rust, Python, Go, and Swift, resolves relative imports
-and simple repository-absolute aliases where the language supports them, and
-represents unresolved imports explicitly as graph nodes instead of dropping
-them. Swift and iOS app repositories get Apple framework imports, SwiftPM
-manifests, and Xcode Swift package references represented in the normalized
-graph; Apple SDK frameworks are treated as platform APIs for external policy.
-It also extracts package and dependency facts from `package.json`,
-`Cargo.toml`, `pyproject.toml`, `go.mod`, lightweight `pom.xml` / Gradle
-manifests, `Package.swift`, and `.xcodeproj/project.pbxproj`, then emits
-manifest-identity package nodes and manifest-owned `DependsOn` edges to
-external dependencies.
+The v1.4.0 foundation classifies TypeScript, JavaScript, Rust, Python, Go, Java,
+Kotlin, and Swift files by path extension. It extracts imports for TypeScript,
+JavaScript, Rust, Python, Go, and Swift, resolving relative paths,
+repository-absolute aliases, TS/JS `paths`, Python package roots, Go modules,
+SwiftPM targets, and Rust crate/self/super module paths where possible.
+Unresolved imports become explicit graph nodes. Swift/iOS repositories get Apple
+framework imports, SwiftPM manifests, and Xcode Swift package references in the
+normalized graph; Apple SDK frameworks are treated as platform APIs. Manifest
+facts from `package.json`, `Cargo.toml`, `pyproject.toml`, `go.mod`, lightweight
+`pom.xml` / Gradle manifests, `Package.swift`, and `.xcodeproj/project.pbxproj`
+emit manifest-identity package nodes and manifest-owned dependency edges.
 Architecture rules now cover layers, bounded contexts, public APIs, cycles,
 transitive layer reach, import/fan-out budgets, and external dependency
 policies.
 
+## Acceptance Coverage
+
+v1.4.0 readiness is covered with deterministic fixture repositories for
+TypeScript/JavaScript aliases, Rust crate paths, Python package roots, Go
+modules, Swift/iOS targets, and mixed monorepos. These fixtures assert both
+positive local-edge resolution and negative forbidden-dependency findings.
+
 ## Limitations
 
 This release intentionally keeps validation file-graph based. Manifest
 extractors are dependency-owner oriented and do not yet parse every build-tool
-feature. SARIF output and deeper symbol-level call analysis remain planned
-follow-up slices before v1.4.0.
+feature. Deep symbol-level call analysis remains follow-up work.
+
+## v1.4 Migration Checklist
+
+1. Run `naome arch init` and review inferred layers and contexts.
+2. Run `naome arch explain --json` and address ineffective config findings.
+3. Run `naome arch validate --json` and fix error-level violations first.
+4. Treat unresolved imports as incomplete architecture evidence, not as passes.
+5. Add explicit `ignore` entries only with reasons for generated or vendor code.
+6. Enable the CI gate with `naome arch validate --changed-only` once the full
+   repository has no error-level violations.