@lamentis/naome 1.3.17 → 1.4.0

package/Cargo.lock

@@ -76,7 +76,7 @@ checksum = "f8ca58f447f06ed17d5fc4043ce1b10dd205e060fb3ce5b979b8ed8e59ff3f79"
 
 [[package]]
 name = "naome-cli"
-version = "1.3.17"
+version = "1.4.0"
 dependencies = [
  "naome-core",
  "serde_json",
@@ -84,7 +84,7 @@ dependencies = [
 
 [[package]]
 name = "naome-core"
-version = "1.3.17"
+version = "1.4.0"
 dependencies = [
  "serde",
  "serde_json",

package/crates/naome-cli/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "naome-cli"
-version = "1.3.17"
+version = "1.4.0"
 edition.workspace = true
 license.workspace = true
 repository.workspace = true

package/crates/naome-cli/src/architecture_commands.rs

@@ -2,9 +2,9 @@ use std::fs;
 use std::path::{Path, PathBuf};
 
 use naome_core::{
-    config_findings_for, format_architecture_explain, format_architecture_scan,
-    format_architecture_validation, scan_architecture, validate_architecture,
-    ArchitectureScanOptions, ARCHITECTURE_RULE_IDS,
+    architecture_validation_sarif_with_root, config_findings_for, format_architecture_explain,
+    format_architecture_scan, format_architecture_validation, scan_architecture,
+    validate_architecture, ArchitectureScanOptions, ARCHITECTURE_RULE_IDS,
 };
 
 use crate::architecture_init::architecture_init_config_text;
@@ -88,6 +88,19 @@ fn run_arch_validate(root: &Path, args: &[String]) -> Result<(), Box<dyn std::er
         root,
         scan_options(root, args, has_flag(args, "--changed-only")),
     )?;
+    if has_flag(args, "--sarif") {
+        let output =
+            serde_json::to_string_pretty(&architecture_validation_sarif_with_root(&report, root))?;
+        if let Some(path) = option_value(args, "--output") {
+            fs::write(root.join(path), output)?;
+        } else {
+            println!("{output}");
+        }
+        if report.status == "fail" {
+            std::process::exit(1);
+        }
+        return Ok(());
+    }
     let json = has_flag(args, "--json") || has_flag(args, "--agent-feedback");
     if json {
         if has_flag(args, "--agent-feedback") {

package/crates/naome-cli/src/main.rs

@@ -62,7 +62,7 @@ const HELP: &str = r#"Usage:
   naome arch init [--config <path>] [--json]
   naome arch explain [--config <path>] [--json]
   naome arch scan [--config <path>] [--changed-only] [--write] [--output <path>] [--json]
-  naome arch validate [--config <path>] [--changed-only] [--agent-feedback] [--json]
+  naome arch validate [--config <path>] [--changed-only] [--agent-feedback] [--json|--sarif] [--output <path>]
   naome workflow search-profile [--json]
   naome workflow agent-plan [--json]
   naome workflow context-delta [--read-path <path>...] [--json]

package/crates/naome-core/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "naome-core"
-version = "1.3.17"
+version = "1.4.0"
 edition.workspace = true
 license.workspace = true
 repository.workspace = true

package/crates/naome-core/src/architecture/output.rs

@@ -1,8 +1,14 @@
 use serde::{Deserialize, Serialize};
+use serde_json::{json, Value};
+use std::collections::BTreeSet;
+use std::path::Path;
 
 use super::model::{Severity, SourceRange};
 use super::scan::ArchitectureScanReport;
 
+const SARIF_REPO_ROOT_BASE_ID: &str = "REPO_ROOT";
+const ARCHITECTURE_CONFIG_PATH: &str = "naome.arch.yaml";
+
 #[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
 #[serde(rename_all = "camelCase")]
 pub struct ViolationSummary {
@@ -216,3 +222,193 @@ pub fn format_architecture_scan(report: &ArchitectureScanReport) -> String {
     }
     output
 }
+
+pub fn architecture_validation_sarif(report: &ArchitectureValidation) -> Value {
+    architecture_validation_sarif_with_root(report, Path::new("/"))
+}
+
+pub fn architecture_validation_sarif_with_root(
+    report: &ArchitectureValidation,
+    repo_root: &Path,
+) -> Value {
+    let mut rule_ids = ARCHITECTURE_RULE_IDS
+        .iter()
+        .map(|rule| rule.to_string())
+        .collect::<BTreeSet<_>>();
+    for finding in &report.config_findings {
+        rule_ids.insert(finding.id.clone());
+    }
+    for violation in &report.violations {
+        rule_ids.insert(violation.id.clone());
+    }
+
+    let rules = rule_ids
+        .iter()
+        .map(|id| {
+            json!({
+                "id": id,
+                "name": id,
+                "shortDescription": {
+                    "text": id
+                },
+                "helpUri": "https://github.com/Lamentis-O/naome/blob/main/docs/naome/architecture-fitness.md"
+            })
+        })
+        .collect::<Vec<_>>();
+
+    let mut results = Vec::new();
+    for violation in &report.violations {
+        results.push(sarif_result_for_violation(violation));
+    }
+    for finding in &report.config_findings {
+        results.push(sarif_result_for_config_finding(finding));
+    }
+
+    json!({
+        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
+        "version": "2.1.0",
+        "runs": [
+            {
+                "tool": {
+                    "driver": {
+                        "name": "NAOME Architecture Fitness",
+                        "informationUri": "https://github.com/Lamentis-O/naome",
+                        "rules": rules
+                    }
+                },
+                "originalUriBaseIds": {
+                    "REPO_ROOT": {
+                        "uri": file_uri_for_directory(repo_root)
+                    }
+                },
+                "results": results,
+                "properties": {
+                    "status": report.status,
+                    "filesScanned": report.files_scanned,
+                    "graphNodes": report.graph_nodes,
+                    "graphEdges": report.graph_edges,
+                    "changedOnlyRequested": report.changed_only_requested,
+                    "changedOnlyMode": report.changed_only_mode,
+                    "changedOnlyDegradedToFullScan": report.changed_only_degraded_to_full_scan,
+                    "changedOnlyDegradationReason": report.changed_only_degradation_reason
+                }
+            }
+        ]
+    })
+}
+
+fn sarif_result_for_violation(violation: &ArchitectureViolation) -> Value {
+    json!({
+        "ruleId": violation.id,
+        "level": sarif_level_for_severity(violation.severity),
+        "message": {
+            "text": violation.message
+        },
+        "locations": sarif_locations(
+            violation.path.as_deref().or_else(|| violation_file_endpoint(violation)),
+            violation.source_range.as_ref()
+        ),
+        "properties": {
+            "type": violation.violation_type,
+            "from": violation.from,
+            "to": violation.to,
+            "suggestion": violation.suggestion,
+            "agentInstruction": violation.agent_instruction
+        }
+    })
+}
+
+fn sarif_result_for_config_finding(finding: &ArchitectureConfigFinding) -> Value {
+    let path = config_finding_path(finding);
+    json!({
+        "ruleId": finding.id,
+        "level": sarif_level_for_config_finding(&finding.severity),
+        "message": {
+            "text": finding.message
+        },
+        "locations": sarif_locations(Some(path.as_str()), None),
+        "properties": {
+            "subject": finding.subject,
+            "suggestion": finding.suggestion,
+            "agentInstruction": finding.agent_instruction
+        }
+    })
+}
+
+fn sarif_locations(path: Option<&str>, source_range: Option<&SourceRange>) -> Vec<Value> {
+    let Some(path) = path else {
+        return Vec::new();
+    };
+    let mut physical_location = json!({
+        "artifactLocation": {
+            "uri": path,
+            "uriBaseId": SARIF_REPO_ROOT_BASE_ID
+        }
+    });
+    if let Some(range) = source_range {
+        physical_location["region"] = json!({
+            "startLine": range.start_line,
+            "startColumn": range.start_column,
+            "endLine": range.end_line,
+            "endColumn": range.end_column
+        });
+    }
+    vec![json!({
+        "physicalLocation": physical_location
+    })]
+}
+
+fn violation_file_endpoint(violation: &ArchitectureViolation) -> Option<&str> {
+    [&violation.from, &violation.to]
+        .into_iter()
+        .flatten()
+        .find_map(|endpoint| endpoint.strip_prefix("file:"))
+}
+
+fn config_finding_path(finding: &ArchitectureConfigFinding) -> String {
+    finding
+        .subject
+        .strip_prefix("file:")
+        .unwrap_or(ARCHITECTURE_CONFIG_PATH)
+        .to_string()
+}
+
+fn sarif_level_for_severity(severity: Severity) -> &'static str {
+    match severity {
+        Severity::Error => "error",
+        Severity::Warning => "warning",
+        Severity::Info => "note",
+    }
+}
+
+fn sarif_level_for_config_finding(severity: &str) -> &'static str {
+    match severity {
+        "error" => "error",
+        "warning" => "warning",
+        _ => "note",
+    }
+}
+
+fn file_uri_for_directory(path: &Path) -> String {
+    let mut normalized = path.to_string_lossy().replace('\\', "/");
+    if !normalized.starts_with('/') {
+        normalized.insert(0, '/');
+    }
+    while normalized.ends_with('/') && normalized.len() > 1 {
+        normalized.pop();
+    }
+    format!("file://{}/", encode_uri_path(&normalized))
+}
+
+fn encode_uri_path(path: &str) -> String {
+    let mut encoded = String::new();
+    for byte in path.as_bytes() {
+        match *byte {
+            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'/' | b'-' | b'.' | b'_' | b'~' => {
+                encoded.push(*byte as char)
+            }
+            value => encoded.push_str(&format!("%{value:02X}")),
+        }
+    }
+    encoded
+}

package/crates/naome-core/src/architecture/scan/cache.rs

@@ -9,7 +9,7 @@ use super::FileFact;
 use crate::models::NaomeError;
 
 const CACHE_SCHEMA: &str = "naome.architecture-cache.v1";
-const EXTRACTOR_VERSION: &str = "architecture-cache-v1.3.17";
+const EXTRACTOR_VERSION: &str = "architecture-cache-v1.4.0";
 const CACHE_PATH: &str = ".naome/cache/architecture/cache.json";
 
 #[derive(Debug, Clone, Serialize, Deserialize)]

package/crates/naome-core/src/architecture.rs

@@ -20,6 +20,7 @@ pub use model::{
     ArchitectureNode, ArchitectureNodeKind, Severity, SourceRange,
 };
 pub use output::{
+    architecture_validation_sarif, architecture_validation_sarif_with_root,
     format_architecture_scan, format_architecture_validation, ArchitectureAgentFeedback,
     ArchitectureConfigFinding, ArchitectureValidation, ArchitectureViolation, ViolationSummary,
     ARCHITECTURE_RULE_IDS,

package/crates/naome-core/src/lib.rs

@@ -21,13 +21,14 @@ mod verification_contract_policy;
 mod workflow;
 
 pub use architecture::{
-    config_findings_for, default_architecture_config_text, format_architecture_explain,
-    format_architecture_scan, format_architecture_validation, scan_architecture,
-    validate_architecture, ArchitectureAgentFeedback, ArchitectureConfig,
-    ArchitectureConfigFinding, ArchitectureEdge, ArchitectureEdgeKind, ArchitectureGraph,
-    ArchitectureMetadata, ArchitectureNode, ArchitectureNodeKind, ArchitectureScanOptions,
-    ArchitectureScanReport, ArchitectureValidation, ArchitectureViolation, ContextConfig,
-    LayerConfig, RuleConfig, Severity, SourceRange, ViolationSummary, ARCHITECTURE_RULE_IDS,
+    architecture_validation_sarif, architecture_validation_sarif_with_root, config_findings_for,
+    default_architecture_config_text, format_architecture_explain, format_architecture_scan,
+    format_architecture_validation, scan_architecture, validate_architecture,
+    ArchitectureAgentFeedback, ArchitectureConfig, ArchitectureConfigFinding, ArchitectureEdge,
+    ArchitectureEdgeKind, ArchitectureGraph, ArchitectureMetadata, ArchitectureNode,
+    ArchitectureNodeKind, ArchitectureScanOptions, ArchitectureScanReport, ArchitectureValidation,
+    ArchitectureViolation, ContextConfig, LayerConfig, RuleConfig, Severity, SourceRange,
+    ViolationSummary, ARCHITECTURE_RULE_IDS,
 };
 pub use context::{
     select_context_for_changed_paths, select_context_for_prompt, ContextBudgetLedger,

package/crates/naome-core/tests/architecture_cache.rs

@@ -210,7 +210,7 @@ fn changed_only_degrades_when_cache_extractor_version_is_stale() {
     let cache_path = repo.path().join(".naome/cache/architecture/cache.json");
     let stale_cache = std::fs::read_to_string(&cache_path)
         .unwrap()
-        .replace("architecture-cache-v1.3.17", "architecture-cache-v1.3.14");
+        .replace("architecture-cache-v1.4.0", "architecture-cache-v1.3.17");
     std::fs::write(cache_path, stale_cache).unwrap();
 
     let report = validate_architecture(repo.path(), changed_only()).unwrap();

package/crates/naome-core/tests/architecture_config.rs

@@ -1,4 +1,7 @@
-use naome_core::{format_architecture_validation, validate_architecture, ArchitectureScanOptions};
+use naome_core::{
+    architecture_validation_sarif_with_root, format_architecture_validation, validate_architecture,
+    ArchitectureScanOptions,
+};
 
 mod architecture_support;
 
@@ -152,3 +155,67 @@ fn validation_reports_unresolved_repo_absolute_imports() {
                 .any(|item| item.contains("unresolved imports"))
     }));
 }
+
+#[test]
+fn validation_sarif_includes_violations_and_config_findings() {
+    let repo = FixtureRepo::new();
+    repo.write(
+        "naome.arch.yaml",
+        r#"
+layers:
+  domain:
+    paths:
+      - "src/domain/**"
+  infrastructure:
+    paths:
+      - "src/infrastructure/**"
+  unused:
+    paths:
+      - "src/unused/**"
+allowed_dependencies:
+  domain:
+  infrastructure:
+rules:
+  no_forbidden_layer_dependencies:
+    enabled: true
+    severity: error
+"#,
+    );
+    repo.write(
+        "src/domain/event.ts",
+        "import { db } from '../infrastructure/db';\nimport missing from './missing';\n",
+    );
+    repo.write("src/infrastructure/db.ts", "export const db = 1;\n");
+
+    let report = validate_architecture(repo.path(), ArchitectureScanOptions::default()).unwrap();
+    let sarif = architecture_validation_sarif_with_root(&report, repo.path());
+    let results = sarif["runs"][0]["results"].as_array().unwrap();
+
+    assert_eq!(sarif["version"], "2.1.0");
+    assert!(sarif["runs"][0]["originalUriBaseIds"]["REPO_ROOT"]["uri"]
+        .as_str()
+        .is_some_and(|uri| uri.starts_with("file://") && uri.ends_with('/')));
+    assert!(results.iter().any(|result| {
+        result["ruleId"] == "arch.no_forbidden_layer_dependencies"
+            && result["level"] == "error"
+            && result["locations"][0]["physicalLocation"]["artifactLocation"]["uri"]
+                == "src/domain/event.ts"
+            && result["locations"][0]["physicalLocation"]["artifactLocation"]["uriBaseId"]
+                == "REPO_ROOT"
+    }));
+    assert!(results.iter().any(|result| {
+        result["ruleId"] == "arch.import.unresolved"
+            && result["level"] == "warning"
+            && result["properties"]["agentInstruction"]
+                .as_str()
+                .is_some_and(|instruction| instruction.contains("./missing"))
+    }));
+    assert!(results.iter().any(|result| {
+        result["ruleId"] == "arch.config.layer_matches_no_files"
+            && result["level"] == "warning"
+            && result["locations"][0]["physicalLocation"]["artifactLocation"]["uri"]
+                == "naome.arch.yaml"
+            && result["locations"][0]["physicalLocation"]["artifactLocation"]["uriBaseId"]
+                == "REPO_ROOT"
+    }));
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lamentis/naome",
-  "version": "1.3.17",
+  "version": "1.4.0",
   "description": "Native-first CLI for the NAOME agent harness.",
   "license": "Apache-2.0",
   "type": "module",

package/templates/naome-root/.naome/bin/check-harness-health.js

@@ -17,7 +17,7 @@ const expectedMachineOwnedIntegrity = Object.freeze({
   ".naome/task-contract.schema.json": "sha256:1b3b62350328d0d6d660e36d1d1baaa2b88718530db774f9ab2a9e2fcba369c8",
   "AGENTS.md": "sha256:e8b2fc786c1c72b69ba8f2b2ffce4f459e799c7453ce9ff4a9f6448a8f9e6b4f",
   "docs/naome/agent-workflow.md": "sha256:0be1c29adfbcd3fd73c4f904080ffc67237692fe413871a30243538c4db38ac7",
-  "docs/naome/architecture-fitness.md": "sha256:5067f57787f0cac0be4b0d49079f03b595fdab6e4fba4b8bdde4bc3cfc0d1de1",
+  "docs/naome/architecture-fitness.md": "sha256:be38e0c6dea8b1ebeee3bfd4a2e4e17008829360b1b4649ef45f2ce61e7287bd",
   "docs/naome/context-economy.md": "sha256:3ed5075815ecf4ada46a5e65438769310307c35759fcd46b13dc0b96e02bebd9",
   "docs/naome/execution.md": "sha256:bfc5d55838942ec8e3d790b59e3c634ff5bf6a2298265cef3dca9788a097eafb",
   "docs/naome/first-run.md": "sha256:1466ce8c65e19a1514885f917db14e8a772350e3f6d1c03a66326963365919e1",

package/templates/naome-root/.naome/bin/check-task-state.js

@@ -17,7 +17,7 @@ const expectedMachineOwnedIntegrity = Object.freeze({
   ".naome/task-contract.schema.json": "sha256:1b3b62350328d0d6d660e36d1d1baaa2b88718530db774f9ab2a9e2fcba369c8",
   "AGENTS.md": "sha256:e8b2fc786c1c72b69ba8f2b2ffce4f459e799c7453ce9ff4a9f6448a8f9e6b4f",
   "docs/naome/agent-workflow.md": "sha256:0be1c29adfbcd3fd73c4f904080ffc67237692fe413871a30243538c4db38ac7",
-  "docs/naome/architecture-fitness.md": "sha256:5067f57787f0cac0be4b0d49079f03b595fdab6e4fba4b8bdde4bc3cfc0d1de1",
+  "docs/naome/architecture-fitness.md": "sha256:be38e0c6dea8b1ebeee3bfd4a2e4e17008829360b1b4649ef45f2ce61e7287bd",
   "docs/naome/context-economy.md": "sha256:3ed5075815ecf4ada46a5e65438769310307c35759fcd46b13dc0b96e02bebd9",
   "docs/naome/execution.md": "sha256:bfc5d55838942ec8e3d790b59e3c634ff5bf6a2298265cef3dca9788a097eafb",
   "docs/naome/first-run.md": "sha256:1466ce8c65e19a1514885f917db14e8a772350e3f6d1c03a66326963365919e1",

package/templates/naome-root/.naome/manifest.json

@@ -1,5 +1,5 @@
 {
-  "harnessVersion": "1.3.13",
+  "harnessVersion": "1.4.0",
   "installedAt": null,
   "integrity": {
     ".naome/bin/check-harness-health.js": "sha256:802d7419774981a6af1826b3882270ff8f41259d516f98c52a02b4ddc184c467",
@@ -9,7 +9,7 @@
     ".naome/task-contract.schema.json": "sha256:1b3b62350328d0d6d660e36d1d1baaa2b88718530db774f9ab2a9e2fcba369c8",
     "AGENTS.md": "sha256:e8b2fc786c1c72b69ba8f2b2ffce4f459e799c7453ce9ff4a9f6448a8f9e6b4f",
     "docs/naome/agent-workflow.md": "sha256:0be1c29adfbcd3fd73c4f904080ffc67237692fe413871a30243538c4db38ac7",
-    "docs/naome/architecture-fitness.md": "sha256:5067f57787f0cac0be4b0d49079f03b595fdab6e4fba4b8bdde4bc3cfc0d1de1",
+    "docs/naome/architecture-fitness.md": "sha256:be38e0c6dea8b1ebeee3bfd4a2e4e17008829360b1b4649ef45f2ce61e7287bd",
     "docs/naome/context-economy.md": "sha256:3ed5075815ecf4ada46a5e65438769310307c35759fcd46b13dc0b96e02bebd9",
     "docs/naome/execution.md": "sha256:bfc5d55838942ec8e3d790b59e3c634ff5bf6a2298265cef3dca9788a097eafb",
     "docs/naome/first-run.md": "sha256:1466ce8c65e19a1514885f917db14e8a772350e3f6d1c03a66326963365919e1",

package/templates/naome-root/docs/naome/architecture-fitness.md

@@ -14,6 +14,8 @@ facts instead of prompt text.
 - `naome arch validate` runs architecture rules with human output.
 - `naome arch validate --json` emits stable machine-readable output.
 - `naome arch validate --agent-feedback` emits compact repair instructions.
+- `naome arch validate --sarif [--output architecture.sarif]` emits SARIF 2.1.0
+  for CI code-scanning while preserving failing exit codes.
 - `naome arch validate --changed-only` uses changed paths with the persistent
   architecture cache when available and safely degrades to a full scan when the
   cache cannot prove graph-level soundness.
@@ -110,15 +112,14 @@ edges as clean architecture.
 
 ## Configuration Findings
 
-Validation can pass while still reporting configuration findings. These are
-non-blocking warnings about weak architecture policy, such as:
+Validation can pass while still reporting non-blocking configuration findings
+about weak architecture policy, such as:
 
 - broad catch-all layers or contexts overlapping narrower boundaries;
 - layers or contexts whose path patterns match no files;
 - unresolved imports that could hide real dependency edges.
 
-Use `naome arch explain --json` or `naome arch validate --json` to inspect
-`configFindings` deterministically in CI or agent loops.
+Use JSON output to inspect `configFindings` deterministically in CI or agents.
 
 ## Incremental Cache
 
@@ -148,7 +149,11 @@ The command is deterministic in both cache-backed and fallback modes; CI can
 inspect the JSON fields above when it needs to distinguish performance from
 soundness fallbacks.
 
-For v1.4 readiness, architecture fitness is a release gate whenever source,
+Use `node .naome/bin/naome.js arch validate --sarif --output architecture.sarif`
+when CI can upload SARIF. It contains blocking violations, configuration
+findings, unresolved imports, and `agentInstruction` properties for repair loops.
+
+For v1.4.0, architecture fitness is a release gate whenever source,
 manifest, alias, config, or structure changes can alter dependency edges. Treat
 error-level violations as blocking. Warning-level config findings are advisory
 unless the repository chooses stricter policy, but unresolved imports should be
@@ -156,29 +161,24 @@ triaged before claiming a clean architecture result.
 
 ## Language Support
 
-The v1.3.17 foundation classifies TypeScript, JavaScript, Rust, Python, Go,
-Java, Kotlin, and Swift files by path extension. It extracts import facts for
-TypeScript, JavaScript, Rust, Python, Go, and Swift. It resolves relative
-imports, repository-absolute aliases, TypeScript/JavaScript `paths` aliases
-from nearby `tsconfig.json` or `jsconfig.json`, Python package imports with
-local `__init__.py` roots, Go module imports, SwiftPM target imports, and Rust
-crate/self/super module paths where possible.
-Unresolved imports are represented explicitly as graph nodes instead of
-dropping them. Swift and iOS app repositories get Apple framework imports, SwiftPM
-manifests, and Xcode Swift package references represented in the normalized
-graph; Apple SDK frameworks are treated as platform APIs for external policy.
-It also extracts package and dependency facts from `package.json`,
-`Cargo.toml`, `pyproject.toml`, `go.mod`, lightweight `pom.xml` / Gradle
-manifests, `Package.swift`, and `.xcodeproj/project.pbxproj`, then emits
-manifest-identity package nodes and manifest-owned `DependsOn` edges to
-external dependencies.
+The v1.4.0 foundation classifies TypeScript, JavaScript, Rust, Python, Go, Java,
+Kotlin, and Swift files by path extension. It extracts imports for TypeScript,
+JavaScript, Rust, Python, Go, and Swift, resolving relative paths,
+repository-absolute aliases, TS/JS `paths`, Python package roots, Go modules,
+SwiftPM targets, and Rust crate/self/super module paths where possible.
+Unresolved imports become explicit graph nodes. Swift/iOS repositories get Apple
+framework imports, SwiftPM manifests, and Xcode Swift package references in the
+normalized graph; Apple SDK frameworks are treated as platform APIs. Manifest
+facts from `package.json`, `Cargo.toml`, `pyproject.toml`, `go.mod`, lightweight
+`pom.xml` / Gradle manifests, `Package.swift`, and `.xcodeproj/project.pbxproj`
+emit manifest-identity package nodes and manifest-owned dependency edges.
 Architecture rules now cover layers, bounded contexts, public APIs, cycles,
 transitive layer reach, import/fan-out budgets, and external dependency
 policies.
 
 ## Acceptance Coverage
 
-v1.4 readiness is covered with deterministic fixture repositories for
+v1.4.0 readiness is covered with deterministic fixture repositories for
 TypeScript/JavaScript aliases, Rust crate paths, Python package roots, Go
 modules, Swift/iOS targets, and mixed monorepos. These fixtures assert both
 positive local-edge resolution and negative forbidden-dependency findings.
@@ -187,7 +187,7 @@ positive local-edge resolution and negative forbidden-dependency findings.
 
 This release intentionally keeps validation file-graph based. Manifest
 extractors are dependency-owner oriented and do not yet parse every build-tool
-feature. Deep symbol-level call analysis and SARIF output remain follow-up work.
+feature. Deep symbol-level call analysis remains follow-up work.
 
 ## v1.4 Migration Checklist