npm - @lamentis/naome - Versions diffs - 1.3.17 → 1.4.1 - Mend

@lamentis/naome 1.3.17 → 1.4.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (55) hide show

package/crates/naome-core/src/architecture/output.rs CHANGED Viewed

@@ -1,8 +1,14 @@
 use serde::{Deserialize, Serialize};
+use serde_json::{json, Value};
+use std::collections::BTreeSet;
+use std::path::Path;
 use super::model::{Severity, SourceRange};
 use super::scan::ArchitectureScanReport;
+const SARIF_REPO_ROOT_BASE_ID: &str = "REPO_ROOT";
+const ARCHITECTURE_CONFIG_PATH: &str = "naome.arch.yaml";
 #[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
 #[serde(rename_all = "camelCase")]
 pub struct ViolationSummary {
@@ -216,3 +222,193 @@ pub fn format_architecture_scan(report: &ArchitectureScanReport) -> String {
     }
     output
 }
+pub fn architecture_validation_sarif(report: &ArchitectureValidation) -> Value {
+    architecture_validation_sarif_with_root(report, Path::new("/"))
+}
+pub fn architecture_validation_sarif_with_root(
+    report: &ArchitectureValidation,
+    repo_root: &Path,
+) -> Value {
+    let mut rule_ids = ARCHITECTURE_RULE_IDS
+        .iter()
+        .map(|rule| rule.to_string())
+        .collect::<BTreeSet<_>>();
+    for finding in &report.config_findings {
+        rule_ids.insert(finding.id.clone());
+    }
+    for violation in &report.violations {
+        rule_ids.insert(violation.id.clone());
+    }
+    let rules = rule_ids
+        .iter()
+        .map(|id| {
+            json!({
+                "id": id,
+                "name": id,
+                "shortDescription": {
+                    "text": id
+                },
+                "helpUri": "https://github.com/Lamentis-O/naome/blob/main/docs/naome/architecture-fitness.md"
+            })
+        })
+        .collect::<Vec<_>>();
+    let mut results = Vec::new();
+    for violation in &report.violations {
+        results.push(sarif_result_for_violation(violation));
+    }
+    for finding in &report.config_findings {
+        results.push(sarif_result_for_config_finding(finding));
+    }
+    json!({
+        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
+        "version": "2.1.0",
+        "runs": [
+            {
+                "tool": {
+                    "driver": {
+                        "name": "NAOME Architecture Fitness",
+                        "informationUri": "https://github.com/Lamentis-O/naome",
+                        "rules": rules
+                    }
+                },
+                "originalUriBaseIds": {
+                    "REPO_ROOT": {
+                        "uri": file_uri_for_directory(repo_root)
+                    }
+                },
+                "results": results,
+                "properties": {
+                    "status": report.status,
+                    "filesScanned": report.files_scanned,
+                    "graphNodes": report.graph_nodes,
+                    "graphEdges": report.graph_edges,
+                    "changedOnlyRequested": report.changed_only_requested,
+                    "changedOnlyMode": report.changed_only_mode,
+                    "changedOnlyDegradedToFullScan": report.changed_only_degraded_to_full_scan,
+                    "changedOnlyDegradationReason": report.changed_only_degradation_reason
+                }
+            }
+        ]
+    })
+}
+fn sarif_result_for_violation(violation: &ArchitectureViolation) -> Value {
+    json!({
+        "ruleId": violation.id,
+        "level": sarif_level_for_severity(violation.severity),
+        "message": {
+            "text": violation.message
+        },
+        "locations": sarif_locations(
+            violation.path.as_deref().or_else(|| violation_file_endpoint(violation)),
+            violation.source_range.as_ref()
+        ),
+        "properties": {
+            "type": violation.violation_type,
+            "from": violation.from,
+            "to": violation.to,
+            "suggestion": violation.suggestion,
+            "agentInstruction": violation.agent_instruction
+        }
+    })
+}
+fn sarif_result_for_config_finding(finding: &ArchitectureConfigFinding) -> Value {
+    let path = config_finding_path(finding);
+    json!({
+        "ruleId": finding.id,
+        "level": sarif_level_for_config_finding(&finding.severity),
+        "message": {
+            "text": finding.message
+        },
+        "locations": sarif_locations(Some(path.as_str()), None),
+        "properties": {
+            "subject": finding.subject,
+            "suggestion": finding.suggestion,
+            "agentInstruction": finding.agent_instruction
+        }
+    })
+}
+fn sarif_locations(path: Option<&str>, source_range: Option<&SourceRange>) -> Vec<Value> {
+    let Some(path) = path else {
+        return Vec::new();
+    };
+    let mut physical_location = json!({
+        "artifactLocation": {
+            "uri": path,
+            "uriBaseId": SARIF_REPO_ROOT_BASE_ID
+        }
+    });
+    if let Some(range) = source_range {
+        physical_location["region"] = json!({
+            "startLine": range.start_line,
+            "startColumn": range.start_column,
+            "endLine": range.end_line,
+            "endColumn": range.end_column
+        });
+    }
+    vec![json!({
+        "physicalLocation": physical_location
+    })]
+}
+fn violation_file_endpoint(violation: &ArchitectureViolation) -> Option<&str> {
+    [&violation.from, &violation.to]
+        .into_iter()
+        .flatten()
+        .find_map(|endpoint| endpoint.strip_prefix("file:"))
+}
+fn config_finding_path(finding: &ArchitectureConfigFinding) -> String {
+    finding
+        .subject
+        .strip_prefix("file:")
+        .unwrap_or(ARCHITECTURE_CONFIG_PATH)
+        .to_string()
+}
+fn sarif_level_for_severity(severity: Severity) -> &'static str {
+    match severity {
+        Severity::Error => "error",
+        Severity::Warning => "warning",
+        Severity::Info => "note",
+    }
+}
+fn sarif_level_for_config_finding(severity: &str) -> &'static str {
+    match severity {
+        "error" => "error",
+        "warning" => "warning",
+        _ => "note",
+    }
+}
+fn file_uri_for_directory(path: &Path) -> String {
+    let mut normalized = path.to_string_lossy().replace('\\', "/");
+    if !normalized.starts_with('/') {
+        normalized.insert(0, '/');
+    }
+    while normalized.ends_with('/') && normalized.len() > 1 {
+        normalized.pop();
+    }
+    format!("file://{}/", encode_uri_path(&normalized))
+}
+fn encode_uri_path(path: &str) -> String {
+    let mut encoded = String::new();
+    for byte in path.as_bytes() {
+        match *byte {
+            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'/' | b'-' | b'.' | b'_' | b'~' => {
+                encoded.push(*byte as char)
+            }
+            value => encoded.push_str(&format!("%{value:02X}")),
+        }
+    }
+    encoded
+}

package/crates/naome-core/src/architecture/scan/cache.rs CHANGED Viewed

@@ -9,7 +9,7 @@ use super::FileFact;
 use crate::models::NaomeError;
 const CACHE_SCHEMA: &str = "naome.architecture-cache.v1";
-const EXTRACTOR_VERSION: &str = "architecture-cache-v1.3.17";
+const EXTRACTOR_VERSION: &str = "architecture-cache-v1.4.0";
 const CACHE_PATH: &str = ".naome/cache/architecture/cache.json";
 #[derive(Debug, Clone, Serialize, Deserialize)]

package/crates/naome-core/src/architecture.rs CHANGED Viewed

@@ -20,6 +20,7 @@ pub use model::{
     ArchitectureNode, ArchitectureNodeKind, Severity, SourceRange,
 };
 pub use output::{
+    architecture_validation_sarif, architecture_validation_sarif_with_root,
     format_architecture_scan, format_architecture_validation, ArchitectureAgentFeedback,
     ArchitectureConfigFinding, ArchitectureValidation, ArchitectureViolation, ViolationSummary,
     ARCHITECTURE_RULE_IDS,

package/crates/naome-core/src/lib.rs CHANGED Viewed

@@ -21,13 +21,14 @@ mod verification_contract_policy;
 mod workflow;
 pub use architecture::{
-    config_findings_for, default_architecture_config_text, format_architecture_explain,
-    format_architecture_scan, format_architecture_validation, scan_architecture,
-    validate_architecture, ArchitectureAgentFeedback, ArchitectureConfig,
-    ArchitectureConfigFinding, ArchitectureEdge, ArchitectureEdgeKind, ArchitectureGraph,
-    ArchitectureMetadata, ArchitectureNode, ArchitectureNodeKind, ArchitectureScanOptions,
-    ArchitectureScanReport, ArchitectureValidation, ArchitectureViolation, ContextConfig,
-    LayerConfig, RuleConfig, Severity, SourceRange, ViolationSummary, ARCHITECTURE_RULE_IDS,
+    architecture_validation_sarif, architecture_validation_sarif_with_root, config_findings_for,
+    default_architecture_config_text, format_architecture_explain, format_architecture_scan,
+    format_architecture_validation, scan_architecture, validate_architecture,
+    ArchitectureAgentFeedback, ArchitectureConfig, ArchitectureConfigFinding, ArchitectureEdge,
+    ArchitectureEdgeKind, ArchitectureGraph, ArchitectureMetadata, ArchitectureNode,
+    ArchitectureNodeKind, ArchitectureScanOptions, ArchitectureScanReport, ArchitectureValidation,
+    ArchitectureViolation, ContextConfig, LayerConfig, RuleConfig, Severity, SourceRange,
+    ViolationSummary, ARCHITECTURE_RULE_IDS,
 };
 pub use context::{
     select_context_for_changed_paths, select_context_for_prompt, ContextBudgetLedger,
@@ -67,8 +68,13 @@ pub use task_ledger::{
     TaskLedgerProjection, TaskLedgerStatus,
 };
 pub use task_state::{
-    completed_task_commit_paths, validate_task_state, TaskStateMode, TaskStateOptions,
-    TaskStateReport,
+    completed_task_commit_paths, format_task_proof_plan, format_task_status, task_proof_plan,
+    task_status_exit_code, task_status_report, task_transition_readiness, validate_task_state,
+    AgentLoop, NextActionV2, PolicyHints, ProofRecording, ProofRecordingAfterSuccess,
+    RecoveryGuidance, RepairPlanItem, TaskFeedback, TaskGitStatus, TaskModeStatus,
+    TaskProofPlanReport, TaskProofStatus, TaskRecommendedCommand, TaskScopeStatus, TaskStateMode,
+    TaskStateOptions, TaskStateReport, TaskStatusFinding, TaskStatusReportV1,
+    TransitionReadinessReport,
 };
 pub use verification::seed_builtin_verification_checks;
 pub use verification_contract::validate_verification_contract;

package/crates/naome-core/src/task_state/mod.rs CHANGED Viewed

@@ -22,6 +22,8 @@ mod proof_types;
 mod push_gate;
 mod repair;
 mod shape;
+mod status;
+mod status_output;
 mod task_diff_api;
 mod task_records;
 mod task_references;
@@ -31,6 +33,14 @@ mod util;
 pub use api::validate_task_state;
 pub use completed_refresh::completed_task_harness_refresh_diff;
 pub(crate) use proof_model::{canonical_proof_check_ids, canonical_proofs};
+pub use status::{
+    task_proof_plan, task_status_exit_code, task_status_report, task_transition_readiness,
+    AgentLoop, NextActionV2, PolicyHints, ProofRecording, ProofRecordingAfterSuccess,
+    RecoveryGuidance, RepairPlanItem, TaskFeedback, TaskGitStatus, TaskModeStatus,
+    TaskProofPlanReport, TaskProofStatus, TaskRecommendedCommand, TaskScopeStatus,
+    TaskStatusFinding, TaskStatusReportV1, TransitionReadinessReport,
+};
+pub use status_output::{format_task_proof_plan, format_task_status};
 pub use task_diff_api::{
     completed_task_commit_diff, completed_task_commit_paths, harness_refresh_diff,
     harness_refresh_with_unrelated_diff,

package/crates/naome-core/src/task_state/status/agent_model.rs ADDED Viewed

@@ -0,0 +1,76 @@
+use serde::{Deserialize, Serialize};
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
+#[serde(rename_all = "camelCase")]
+pub struct NextActionV2 {
+    #[serde(rename = "type")]
+    pub action_type: String,
+    pub reason: String,
+    pub check_ids: Vec<String>,
+    pub commands: Vec<String>,
+    pub paths: Vec<String>,
+    pub safe_to_execute: bool,
+    pub requires_user_approval: bool,
+}
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
+#[serde(rename_all = "camelCase")]
+pub struct AgentLoop {
+    pub state: String,
+    pub can_continue_editing: bool,
+    pub can_run_checks: bool,
+    pub can_record_proof: bool,
+    pub can_commit: bool,
+    pub must_do_next: Vec<String>,
+    pub must_not_do: Vec<String>,
+}
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
+#[serde(rename_all = "camelCase")]
+pub struct RepairPlanItem {
+    pub id: String,
+    pub kind: String,
+    pub reason: String,
+    pub paths: Vec<String>,
+    pub check_ids: Vec<String>,
+    pub commands: Vec<String>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub cwd: Option<String>,
+    pub safe_to_execute: bool,
+    pub requires_user_approval: bool,
+}
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
+#[serde(rename_all = "camelCase")]
+pub struct ProofRecording {
+    pub path_set_id: String,
+    pub paths: Vec<String>,
+    pub proof_batch_id: String,
+    pub checks_to_record: Vec<String>,
+    pub after_success: ProofRecordingAfterSuccess,
+}
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
+#[serde(rename_all = "camelCase")]
+pub struct ProofRecordingAfterSuccess {
+    pub record_proof: bool,
+    pub instructions: String,
+}
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
+#[serde(rename_all = "camelCase")]
+pub struct PolicyHints {
+    pub may_edit: Vec<String>,
+    pub must_inspect_before_edit: Vec<String>,
+    pub must_run_after_edit: Vec<String>,
+    pub forbidden_actions: Vec<String>,
+}
+#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
+#[serde(rename_all = "camelCase")]
+pub struct RecoveryGuidance {
+    pub id: String,
+    pub reason: String,
+    pub safe_next_action: String,
+    pub requires_user_approval: bool,
+}

package/crates/naome-core/src/task_state/status/control/action.rs ADDED Viewed

@@ -0,0 +1,87 @@
+use super::super::agent_model::NextActionV2;
+use super::super::model::{
+    TaskProofStatus, TaskRecommendedCommand, TaskScopeStatus, TaskStatusFinding,
+};
+use super::shared::{action_check_ids, has_finding, has_git_recovery};
+pub(in crate::task_state::status) fn next_action_v2(
+    state: &str,
+    proof: &TaskProofStatus,
+    findings: &[TaskStatusFinding],
+    commands: &[TaskRecommendedCommand],
+    scope: &TaskScopeStatus,
+) -> NextActionV2 {
+    let (action_type, reason, paths, safe) = prioritized_action(state, proof, findings, scope);
+    NextActionV2 {
+        action_type: action_type.to_string(),
+        reason,
+        check_ids: action_check_ids(proof),
+        commands: commands
+            .iter()
+            .map(|command| command.command.clone())
+            .collect(),
+        paths,
+        safe_to_execute: safe,
+        requires_user_approval: !safe,
+    }
+}
+fn prioritized_action(
+    state: &str,
+    proof: &TaskProofStatus,
+    findings: &[TaskStatusFinding],
+    scope: &TaskScopeStatus,
+) -> (&'static str, String, Vec<String>, bool) {
+    if has_finding(findings, "task.state.conflict_markers") {
+        return (
+            "blocked",
+            "Task-state conflict markers must be resolved.".to_string(),
+            vec![],
+            false,
+        );
+    }
+    if has_git_recovery(findings) {
+        return (
+            "recover_git_state",
+            "Git recovery is required before task work can continue.".to_string(),
+            vec![],
+            false,
+        );
+    }
+    if has_finding(findings, "task.scope.out_of_scope_change") {
+        return (
+            "repair_scope",
+            "Out-of-scope changes must be removed or admitted.".to_string(),
+            scope.out_of_scope_changed_paths.clone(),
+            true,
+        );
+    }
+    if !proof.missing_checks.is_empty() || !proof.stale_checks.is_empty() {
+        return (
+            "rerun_checks",
+            "Required proof is missing or stale.".to_string(),
+            scope.in_scope_changed_paths.clone(),
+            true,
+        );
+    }
+    match state {
+        "idle" | "missing" => (
+            "create_task",
+            "No active task is in progress.".to_string(),
+            vec![],
+            true,
+        ),
+        "complete" => (
+            "none",
+            "Task is complete and proof is current.".to_string(),
+            vec![],
+            true,
+        ),
+        _ => (
+            "continue_editing",
+            "Active task is healthy.".to_string(),
+            scope.in_scope_changed_paths.clone(),
+            true,
+        ),
+    }
+}

package/crates/naome-core/src/task_state/status/control/exit_code.rs ADDED Viewed

@@ -0,0 +1,32 @@
+use super::super::model::{TaskProofStatus, TaskStatusFinding};
+use super::shared::has_finding;
+pub fn task_status_exit_code(findings: &[TaskStatusFinding], proof: &TaskProofStatus) -> i32 {
+    if has_finding(findings, "task.state.conflict_markers")
+        || has_finding(findings, "task.state.invalid_json")
+        || has_finding(findings, "task.state.active_task_missing")
+    {
+        40
+    } else if findings.iter().any(|finding| {
+        matches!(
+            finding.id.as_str(),
+            "task.git.operation_in_progress"
+                | "task.git.admission_head_missing"
+                | "task.git.admission_head_not_reachable"
+        )
+    }) {
+        30
+    } else if has_finding(findings, "task.scope.out_of_scope_change") {
+        20
+    } else if has_finding(findings, "task.state.no_active_task_with_diff") {
+        50
+    } else if has_finding(findings, "task.state.completed_task_has_diff") {
+        60
+    } else if !proof.missing_checks.is_empty() {
+        10
+    } else if !proof.stale_checks.is_empty() {
+        11
+    } else {
+        0
+    }
+}

package/crates/naome-core/src/task_state/status/control/loop_state.rs ADDED Viewed

@@ -0,0 +1,70 @@
+use super::super::agent_model::AgentLoop;
+use super::super::model::{TaskProofStatus, TaskScopeStatus, TaskStatusFinding};
+use super::shared::{action_check_ids, has_finding, has_git_recovery};
+pub(in crate::task_state::status) fn agent_loop(
+    state: &str,
+    proof: &TaskProofStatus,
+    findings: &[TaskStatusFinding],
+    scope: &TaskScopeStatus,
+) -> AgentLoop {
+    let loop_state = agent_loop_state(state, proof, findings, scope);
+    AgentLoop {
+        can_continue_editing: matches!(loop_state.as_str(), "healthy" | "ready_to_commit"),
+        can_run_checks: !matches!(
+            loop_state.as_str(),
+            "blocked_by_scope_drift" | "blocked_by_git_state" | "blocked_by_task_state"
+        ),
+        can_record_proof: matches!(
+            loop_state.as_str(),
+            "blocked_by_missing_proof" | "blocked_by_stale_proof" | "ready_to_commit"
+        ),
+        can_commit: loop_state == "ready_to_commit",
+        must_do_next: must_do_next(&loop_state, proof),
+        must_not_do: must_not_do(&loop_state),
+        state: loop_state,
+    }
+}
+fn agent_loop_state(
+    state: &str,
+    proof: &TaskProofStatus,
+    findings: &[TaskStatusFinding],
+    scope: &TaskScopeStatus,
+) -> String {
+    if has_finding(findings, "task.state.conflict_markers") {
+        "blocked_by_task_state"
+    } else if has_git_recovery(findings) {
+        "blocked_by_git_state"
+    } else if has_finding(findings, "task.scope.out_of_scope_change") {
+        "blocked_by_scope_drift"
+    } else if has_finding(findings, "task.state.no_active_task_with_diff") {
+        "blocked_by_task_state"
+    } else if !proof.missing_checks.is_empty() {
+        "blocked_by_missing_proof"
+    } else if !proof.stale_checks.is_empty() {
+        "blocked_by_stale_proof"
+    } else if matches!(state, "idle" | "missing") {
+        "ready_for_new_task"
+    } else if state == "complete" || !scope.in_scope_changed_paths.is_empty() {
+        "ready_to_commit"
+    } else {
+        "healthy"
+    }
+    .to_string()
+}
+fn must_do_next(state: &str, proof: &TaskProofStatus) -> Vec<String> {
+    match state {
+        "blocked_by_missing_proof" | "blocked_by_stale_proof" => action_check_ids(proof),
+        value => vec![value.to_string()],
+    }
+}
+fn must_not_do(state: &str) -> Vec<String> {
+    let mut items = vec!["Do not bypass the NAOME commit gate.".to_string()];
+    if state != "ready_to_commit" {
+        items.push("Do not commit until task can-transition allows completion.".to_string());
+    }
+    items
+}

package/crates/naome-core/src/task_state/status/control/policy.rs ADDED Viewed

@@ -0,0 +1,31 @@
+use super::super::agent_model::PolicyHints;
+use super::super::model::{TaskProofStatus, TaskScopeStatus, TaskStatusFinding};
+use super::shared::action_check_ids;
+pub(in crate::task_state::status) fn policy_hints(
+    scope: &TaskScopeStatus,
+    proof: &TaskProofStatus,
+    findings: &[TaskStatusFinding],
+) -> PolicyHints {
+    let may_edit = if scope.in_scope_changed_paths.is_empty() {
+        scope.allowed_paths.clone()
+    } else {
+        scope.in_scope_changed_paths.clone()
+    };
+    let mut forbidden_actions = vec![
+        "Do not bypass the NAOME commit gate.".to_string(),
+        "Do not commit before can-transition or can-commit allows it.".to_string(),
+    ];
+    if findings
+        .iter()
+        .any(|finding| finding.id == "task.scope.out_of_scope_change")
+    {
+        forbidden_actions.push("Do not keep out-of-scope changes in the task diff.".to_string());
+    }
+    PolicyHints {
+        may_edit,
+        must_inspect_before_edit: scope.out_of_scope_changed_paths.clone(),
+        must_run_after_edit: action_check_ids(proof),
+        forbidden_actions,
+    }
+}

package/crates/naome-core/src/task_state/status/control/proof_recording.rs ADDED Viewed

@@ -0,0 +1,25 @@
+use super::super::agent_model::{ProofRecording, ProofRecordingAfterSuccess};
+use super::super::model::{TaskProofStatus, TaskScopeStatus};
+use super::shared::action_check_ids;
+pub(in crate::task_state::status) fn proof_recording(
+    task_id: Option<&str>,
+    scope: &TaskScopeStatus,
+    proof: &TaskProofStatus,
+) -> ProofRecording {
+    let checks_to_record = action_check_ids(proof);
+    let proof_batch_id = format!(
+        "{}-proof",
+        task_id.unwrap_or("current-task").replace('_', "-")
+    );
+    ProofRecording {
+        path_set_id: "current-task-diff".to_string(),
+        paths: scope.in_scope_changed_paths.clone(),
+        proof_batch_id,
+        checks_to_record: checks_to_record.clone(),
+        after_success: ProofRecordingAfterSuccess {
+            record_proof: !checks_to_record.is_empty(),
+            instructions: "After each command exits 0, record one proof batch using pathSetId current-task-diff and the listed in-scope paths.".to_string(),
+        },
+    }
+}

package/crates/naome-core/src/task_state/status/control/recovery.rs ADDED Viewed

@@ -0,0 +1,19 @@
+use super::super::agent_model::RecoveryGuidance;
+use super::super::model::TaskStatusFinding;
+pub(in crate::task_state::status) fn recovery_guidance(
+    findings: &[TaskStatusFinding],
+) -> Vec<RecoveryGuidance> {
+    findings
+        .iter()
+        .filter(|finding| {
+            finding.id.starts_with("task.git.") || finding.id == "task.state.conflict_markers"
+        })
+        .map(|finding| RecoveryGuidance {
+            id: finding.id.clone(),
+            reason: finding.message.clone(),
+            safe_next_action: finding.suggested_fix.clone(),
+            requires_user_approval: true,
+        })
+        .collect()
+}