@lamentis/naome 1.3.2 → 1.3.3

package/Cargo.lock

@@ -76,7 +76,7 @@ checksum = "f8ca58f447f06ed17d5fc4043ce1b10dd205e060fb3ce5b979b8ed8e59ff3f79"
 
 [[package]]
 name = "naome-cli"
-version = "1.3.2"
+version = "1.3.3"
 dependencies = [
  "naome-core",
  "serde_json",
@@ -84,7 +84,7 @@ dependencies = [
 
 [[package]]
 name = "naome-core"
-version = "1.3.2"
+version = "1.3.3"
 dependencies = [
  "serde",
  "serde_json",

package/crates/naome-cli/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "naome-cli"
-version = "1.3.2"
+version = "1.3.3"
 edition.workspace = true
 license.workspace = true
 repository.workspace = true

package/crates/naome-core/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "naome-core"
-version = "1.3.2"
+version = "1.3.3"
 edition.workspace = true
 license.workspace = true
 repository.workspace = true

package/crates/naome-core/src/lib.rs

@@ -14,6 +14,7 @@ mod task_ledger;
 mod task_state;
 mod verification;
 mod verification_contract;
+mod verification_contract_policy;
 mod workflow;
 
 pub use context::{

package/crates/naome-core/src/route/quality_gate_config.rs

@@ -98,6 +98,7 @@ pub(super) fn user_diff_check_ids(
             "No quality checks are configured for these changed paths.",
         ));
     }
+    enforce_repository_semantic_companion(&mut ids, checks)?;
 
     Ok(ids)
 }
@@ -124,3 +125,20 @@ fn push_unique_string(values: &mut Vec<String>, value: &str) {
         values.push(value.to_string());
     }
 }
+
+fn enforce_repository_semantic_companion(
+    ids: &mut Vec<String>,
+    checks: &HashMap<&str, QualityCheck>,
+) -> Result<(), NaomeError> {
+    if !ids.iter().any(|item| item == "repository-quality-check") {
+        return Ok(());
+    }
+    if checks.contains_key("repository-semantic-check") {
+        push_unique_string(ids, "repository-semantic-check");
+        return Ok(());
+    }
+
+    Err(NaomeError::new(
+        "repository-quality-check requires repository-semantic-check so semantic findings are mandatory quality-gate failures.",
+    ))
+}

package/crates/naome-core/src/task_state/diff.rs

@@ -6,7 +6,7 @@ use serde_json::Value;
 use crate::models::NaomeError;
 
 use super::git_io::read_git_changed_entries;
-use super::types::{is_control_state_path, ChangedEntry, TaskDiff};
+use super::types::{is_control_state_path, is_local_runtime_path, ChangedEntry, TaskDiff};
 use super::util::{matches_any_pattern, normalize_path, string_array};
 pub(super) fn validate_changed_paths(
     active_task: &Value,
@@ -80,7 +80,7 @@ pub(super) fn task_diff_from_entries(active_task: &Value, entries: &[ChangedEntr
     let diff_paths: Vec<String> = entries
         .iter()
         .map(|entry| entry.path.clone())
-        .filter(|path| !is_control_state_path(path))
+        .filter(|path| !is_control_state_path(path) && !is_local_runtime_path(path))
         .collect();
     let outside_paths = diff_paths
         .iter()

package/crates/naome-core/src/task_state/git_io.rs

@@ -6,7 +6,7 @@ use crate::models::NaomeError;
 
 pub(super) use super::git_parse::{parse_name_status_output, split_nul, upsert_changed_entry};
 pub(super) use super::git_refs::{command_output, git_commit_exists, read_git_head, run_git};
-use super::types::ChangedEntry;
+use super::types::{is_local_runtime_path, ChangedEntry};
 use super::util::normalize_path;
 pub(super) fn read_git_changed_paths(root: &Path) -> Result<Vec<String>, NaomeError> {
     Ok(read_git_changed_entries(root)?
@@ -55,6 +55,9 @@ pub(super) fn read_git_changed_entries(root: &Path) -> Result<Vec<ChangedEntry>,
         }
 
         for entry in parse_name_status_output(&output.stdout) {
+            if is_local_runtime_path(&entry.path) {
+                continue;
+            }
             upsert_changed_entry(&mut entries, entry);
         }
     }
@@ -69,7 +72,7 @@ pub(super) fn read_git_changed_entries(root: &Path) -> Result<Vec<ChangedEntry>,
 
     for token in split_nul(&untracked.stdout) {
         let path = normalize_path(token.trim());
-        if !path.is_empty() {
+        if !path.is_empty() && !is_local_runtime_path(&path) {
             upsert_changed_entry(
                 &mut entries,
                 ChangedEntry {

package/crates/naome-core/src/task_state/types.rs

@@ -97,6 +97,10 @@ pub(super) fn is_control_state_path(path: &str) -> bool {
     path == CONTROL_STATE_PATH || path.starts_with(TASK_LEDGER_PATH_PREFIX)
 }
 
+pub(super) fn is_local_runtime_path(path: &str) -> bool {
+    path == ".naome/tmp" || path.starts_with(".naome/tmp/")
+}
+
 pub(super) fn read_complete_active_task(root: &Path) -> Result<Option<(Value, Value)>, NaomeError> {
     let Some(task_state) = read_task_state_projection(root)? else {
         return Ok(None);

package/crates/naome-core/src/verification_contract.rs

@@ -5,6 +5,7 @@ use std::path::Path;
 use serde_json::Value;
 
 use crate::models::NaomeError;
+use crate::verification_contract_policy::validate_semantic_quality_gate_policy;
 
 const REQUIRED_TESTING_HEADINGS: &[&str] = &[
     "# Testing And Verification",
@@ -29,7 +30,7 @@ const ALLOWED_TOP_LEVEL_KEYS: &[&str] = &[
 const MAX_CHECKS: usize = 20;
 const MAX_PHASES: usize = 8;
 const MAX_CHANGE_TYPES: usize = 12;
-const MAX_RELEASE_GATES: usize = 10;
+const MAX_RELEASE_GATES: usize = 12;
 
 pub fn validate_verification_contract(root: &Path) -> Result<Vec<String>, NaomeError> {
     let mut errors = Vec::new();
@@ -135,6 +136,7 @@ fn validate_contract_shape(contract: &Value, errors: &mut Vec<String>) {
     }
     validate_change_types(change_types, &check_ids, errors);
     validate_release_gates(release_gates, &check_ids, errors);
+    validate_semantic_quality_gate_policy(change_types, release_gates, &check_ids, errors);
 
     if status == Some("ready") && contains_example_placeholders(contract) {
         errors.push(

package/crates/naome-core/src/verification_contract_policy.rs

@@ -0,0 +1,52 @@
+use std::collections::HashSet;
+
+use serde_json::Value;
+
+pub(crate) fn validate_semantic_quality_gate_policy(
+    change_types: &[Value],
+    release_gates: &[Value],
+    check_ids: &HashSet<String>,
+    errors: &mut Vec<String>,
+) {
+    if check_ids.contains("repository-quality-check")
+        && !check_ids.contains("repository-semantic-check")
+    {
+        errors.push(
+            "checks must include repository-semantic-check whenever repository-quality-check is configured.".to_string(),
+        );
+    }
+
+    for (index, change_type) in change_types.iter().enumerate() {
+        let Some(required_checks) = change_type
+            .get("requiredChecks")
+            .and_then(Value::as_array)
+        else {
+            continue;
+        };
+        let has_quality = contains_string(required_checks, "repository-quality-check");
+        let has_semantic = contains_string(required_checks, "repository-semantic-check");
+        if has_quality && !has_semantic {
+            errors.push(format!(
+                "changeTypes[{index}].requiredChecks must include repository-semantic-check whenever repository-quality-check is required."
+            ));
+        }
+    }
+
+    let has_quality_release_gate = release_gates.iter().any(|gate| {
+        gate.get("checkId").and_then(Value::as_str) == Some("repository-quality-check")
+    });
+    let has_semantic_release_gate = release_gates.iter().any(|gate| {
+        gate.get("checkId").and_then(Value::as_str) == Some("repository-semantic-check")
+    });
+    if has_quality_release_gate && !has_semantic_release_gate {
+        errors.push(
+            "releaseGates must include repository-semantic-check whenever repository-quality-check is a release gate.".to_string(),
+        );
+    }
+}
+
+fn contains_string(values: &[Value], expected: &str) -> bool {
+    values
+        .iter()
+        .any(|value| value.as_str() == Some(expected))
+}

package/crates/naome-core/tests/repo_support/mod.rs

@@ -17,6 +17,7 @@ pub use verification_values::{
     change_type, check_missing_last_verified_fixture, diff_check,
     placeholder_verification_contract_fixture, quality_check, repo_docs_verification_fixture,
     repository_quality_config_source,
-    repository_quality_config_value, semantic_repository_quality_fixture_source,
+    repository_quality_config_value, repository_semantic_check,
+    semantic_repository_quality_fixture_source,
     verification_value,
 };

package/crates/naome-core/tests/repo_support/verification.rs

@@ -2,7 +2,8 @@ use serde_json::{json, Value};
 
 use super::repo::TestRepo;
 use super::verification_values::{
-    change_type, diff_check, mutating_diff_check, repository_quality_check, verification_value,
+    change_type, diff_check, mutating_diff_check, repository_quality_check,
+    repository_semantic_check, verification_value,
 };
 
 impl TestRepo {
@@ -33,54 +34,39 @@ impl TestRepo {
     ) {
         let mut checks = vec![diff_check(vec!["README.md"])];
         checks.extend(extra_checks);
-
         self.write_naome_json(
             "verification.json",
-            json!({
-                "schema": "naome.verification.v1",
-                "version": 1,
-                "status": "ready",
-                "checks": checks,
-                "changeTypes": [
-                    {
-                        "id": "readme",
-                        "description": "README changes.",
-                        "paths": ["README.md"],
-                        "requiredChecks": required_checks,
-                        "recommendedChecks": [],
-                        "humanReview": false
-                    }
-                ],
-                "releaseGates": []
-            }),
+            verification_value(
+                "ready",
+                checks,
+                vec![change_type(
+                    "readme",
+                    "README changes.",
+                    vec!["README.md"],
+                    required_checks,
+                )],
+            ),
         );
     }
 
     pub fn write_product_quality_verification(&self) {
         self.write_naome_json(
             "verification.json",
-            json!({
-                "schema": "naome.verification.v1",
-                "version": 1,
-                "status": "ready",
-                "checks": product_quality_checks(),
-                "changeTypes": [
-                    {
-                        "id": "product-installer-or-template",
-                        "description": "NAOME product changes.",
-                        "paths": ["packages/naome/**", "scripts/**"],
-                        "requiredChecks": [
-                            "installer-tests",
-                            "rust-build",
-                            "decision-engine-tests",
-                            "package-dry-run"
-                        ],
-                        "recommendedChecks": [],
-                        "humanReview": false
-                    }
-                ],
-                "releaseGates": []
-            }),
+            verification_value(
+                "ready",
+                product_quality_checks(),
+                vec![change_type(
+                    "product-installer-or-template",
+                    "NAOME product changes.",
+                    vec!["packages/naome/**", "scripts/**"],
+                    vec![
+                        "installer-tests",
+                        "rust-build",
+                        "decision-engine-tests",
+                        "package-dry-run",
+                    ],
+                )],
+            ),
         );
     }
 
@@ -89,7 +75,7 @@ impl TestRepo {
             "verification.json",
             verification_value(
                 "ready",
-                vec![repository_quality_check()],
+                vec![repository_quality_check(), repository_semantic_check()],
                 vec![change_type(
                     "source",
                     "Source changes.",

package/crates/naome-core/tests/repo_support/verification_values.rs

@@ -242,6 +242,19 @@ pub fn repository_quality_check() -> serde_json::Value {
     })
 }
 
+pub fn repository_semantic_check() -> serde_json::Value {
+    json!({
+        "id": "repository-semantic-check",
+        "command": "naome semantic check --changed",
+        "cwd": ".",
+        "purpose": "Validate changed files against repository semantic rules.",
+        "cost": "fast",
+        "source": "NAOME built-in",
+        "evidence": ["src/**"],
+        "lastVerified": null
+    })
+}
+
 pub fn semantic_repository_quality_fixture_source(name: &str) -> String {
     [
         format!("const {name} = {{"),

package/crates/naome-core/tests/route_user_diff.rs

@@ -73,14 +73,14 @@ fn execute_route_runs_repository_quality_check_without_shelling_to_repo_command(
 }
 
 #[test]
-fn execute_route_refuses_semantic_changed_findings_through_repository_quality_gate() {
-    let repo = TestRepo::new("route-semantic-quality-gate");
+fn execute_route_requires_semantic_gate_with_repository_quality_gate() {
+    let repo = TestRepo::new("route-repository-quality-requires-semantic");
     repo.init_git();
     repo.write_file(
         ".naome/repository-quality.json",
         &repository_quality_config_source(),
     );
-    repo.write_file("scripts/baseline.test.js", "const ok = { value: 1 };\n");
+    repo.write_file("src/clean.js", "export const clean = true;\n");
     repo.write_base_naome_state(json!({ "status": "idle", "activeTask": null }));
     repo.write_naome_json(
         "verification.json",
@@ -91,8 +91,56 @@ fn execute_route_refuses_semantic_changed_findings_through_repository_quality_ga
                 "naome quality check --changed",
                 "Validate changed files against repository quality rules.",
                 "fast",
-                vec!["scripts/**"],
+                vec!["src/**"],
             )],
+            vec![change_type(
+                "source",
+                "Source changes.",
+                vec!["src/**"],
+                vec!["repository-quality-check"],
+            )],
+        ),
+    );
+    repo.commit_all("baseline");
+    repo.write_file("src/clean.js", "export const clean = false;\n");
+    let before_head = repo.git_stdout(&["rev-parse", "HEAD"]);
+
+    let route = route_commit_request(&repo);
+
+    assert_quality_gate_blocked(&repo, &route, before_head, "src/clean.js");
+    assert!(route.user_message.contains("repository-semantic-check"));
+}
+
+#[test]
+fn execute_route_refuses_semantic_changed_findings_through_repository_quality_gate() {
+    let repo = TestRepo::new("route-semantic-quality-gate");
+    repo.init_git();
+    repo.write_file(
+        ".naome/repository-quality.json",
+        &repository_quality_config_source(),
+    );
+    repo.write_file("scripts/baseline.test.js", "const ok = { value: 1 };\n");
+    repo.write_base_naome_state(json!({ "status": "idle", "activeTask": null }));
+    repo.write_naome_json(
+        "verification.json",
+        verification_value(
+            "ready",
+            vec![
+                quality_check(
+                    "repository-quality-check",
+                    "naome quality check --changed",
+                    "Validate changed files against repository quality rules.",
+                    "fast",
+                    vec!["scripts/**"],
+                ),
+                quality_check(
+                    "repository-semantic-check",
+                    "naome semantic check --changed",
+                    "Validate changed files against repository semantic rules.",
+                    "fast",
+                    vec!["scripts/**"],
+                ),
+            ],
             vec![change_type(
                 "scripts",
                 "Script changes.",

package/crates/naome-core/tests/task_state.rs

@@ -410,26 +410,20 @@ fn progress_report(repo: &TaskFixture) -> TaskStateReport {
 }
 
 fn implementing_readme_task_fixture() -> serde_json::Value {
-    json!({
-        "schema": "naome.task-state.v1",
-        "version": 1,
-        "status": "implementing",
-        "activeTask": active_task(json!({
-            "allowedPaths": ["README.md"],
-            "proofResults": []
-        })),
-        "blocker": null,
-        "updatedAt": "2026-05-04T12:00:00.000Z"
-    })
+    implementing_task_fixture(vec!["README.md"])
 }
 
 fn implementing_package_task() -> serde_json::Value {
+    implementing_task_fixture(vec!["Package.swift"])
+}
+
+fn implementing_task_fixture(allowed_paths: Vec<&str>) -> serde_json::Value {
     json!({
         "schema": "naome.task-state.v1",
         "version": 1,
         "status": "implementing",
         "activeTask": active_task(json!({
-            "allowedPaths": ["Package.swift"],
+            "allowedPaths": allowed_paths,
             "proofResults": []
         })),
         "blocker": null,

package/crates/naome-core/tests/verification_contract.rs

@@ -5,7 +5,7 @@ mod repo_support;
 
 use repo_support::{
     change_type, check_missing_last_verified_fixture, diff_check,
-    placeholder_verification_contract_fixture, verification_value, TestRepo,
+    placeholder_verification_contract_fixture, quality_check, verification_value, TestRepo,
 };
 
 #[test]
@@ -52,6 +52,42 @@ fn rejects_missing_check_references_and_ready_placeholders() {
     assert!(joined.contains("must not contain example placeholders"));
 }
 
+#[test]
+fn rejects_repository_quality_without_semantic_required_check() {
+    let repo = TestRepo::new("verification-contract-semantic-required");
+    repo.write_testing_markdown(default_testing_markdown());
+    repo.write_naome_json("verification.json", {
+        let mut value = verification_value(
+            "ready",
+            vec![quality_check(
+                "repository-quality-check",
+                "node .naome/bin/naome.js quality check --changed",
+                "Validate changed files against repository quality rules.",
+                "fast",
+                vec![".naome/repository-quality.json"],
+            )],
+            vec![change_type(
+                "code",
+                "Code changes.",
+                vec!["src/**"],
+                vec!["repository-quality-check"],
+            )],
+        );
+        value["lastUpdated"] = json!("2026-05-11");
+        value["releaseGates"] = json!([{
+            "checkId": "repository-quality-check",
+            "requiredWhen": "Before release."
+        }]);
+        value
+    });
+
+    let errors = validate_verification_contract(repo.path()).unwrap();
+    let joined = errors.join("\n");
+
+    assert!(joined.contains("repository-semantic-check"));
+    assert!(joined.contains("changeTypes[0].requiredChecks"));
+}
+
 #[test]
 fn rejects_checks_without_explicit_last_verified_value() {
     let repo = TestRepo::new("verification-contract-last-verified");

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lamentis/naome",
-  "version": "1.3.2",
+  "version": "1.3.3",
   "description": "Native-first CLI for the NAOME agent harness.",
   "license": "Apache-2.0",
   "type": "module",

package/templates/naome-root/.naome/bin/check-harness-health.js

@@ -18,7 +18,7 @@ const expectedMachineOwnedIntegrity = Object.freeze({
   "docs/naome/agent-workflow.md": "sha256:78faeb4eed157b60f0b60bc43da36c713fc4a3436b93bd963ce5f3c12dc91f22",
   "docs/naome/context-economy.md": "sha256:3ed5075815ecf4ada46a5e65438769310307c35759fcd46b13dc0b96e02bebd9",
   "docs/naome/execution.md": "sha256:bfc5d55838942ec8e3d790b59e3c634ff5bf6a2298265cef3dca9788a097eafb",
-  "docs/naome/first-run.md": "sha256:f1a2412f1b542e61c79b5ba65a3fdaa810b0f95cf79d9f734256418cdcfb19aa",
+  "docs/naome/first-run.md": "sha256:1466ce8c65e19a1514885f917db14e8a772350e3f6d1c03a66326963365919e1",
   "docs/naome/index.md": "sha256:07ef776f49130319a5280bdb3ae38af22141708253f38eb983a4336fbae1b25a",
   "docs/naome/task-ledger.md": "sha256:1e524085a2f88811941fd9f2f48ca826bc3e0e4816039d07e795637847714cbd",
   "docs/naome/upgrade.md": "sha256:2c60f0441bbd98bd528d109b30a7ded4b0ad55d61ffb9f52edac9e93b7999cb1"

package/templates/naome-root/.naome/bin/check-task-state.js

@@ -18,7 +18,7 @@ const expectedMachineOwnedIntegrity = Object.freeze({
   "docs/naome/agent-workflow.md": "sha256:78faeb4eed157b60f0b60bc43da36c713fc4a3436b93bd963ce5f3c12dc91f22",
   "docs/naome/context-economy.md": "sha256:3ed5075815ecf4ada46a5e65438769310307c35759fcd46b13dc0b96e02bebd9",
   "docs/naome/execution.md": "sha256:bfc5d55838942ec8e3d790b59e3c634ff5bf6a2298265cef3dca9788a097eafb",
-  "docs/naome/first-run.md": "sha256:f1a2412f1b542e61c79b5ba65a3fdaa810b0f95cf79d9f734256418cdcfb19aa",
+  "docs/naome/first-run.md": "sha256:1466ce8c65e19a1514885f917db14e8a772350e3f6d1c03a66326963365919e1",
   "docs/naome/index.md": "sha256:07ef776f49130319a5280bdb3ae38af22141708253f38eb983a4336fbae1b25a",
   "docs/naome/task-ledger.md": "sha256:1e524085a2f88811941fd9f2f48ca826bc3e0e4816039d07e795637847714cbd",
   "docs/naome/upgrade.md": "sha256:2c60f0441bbd98bd528d109b30a7ded4b0ad55d61ffb9f52edac9e93b7999cb1"

package/templates/naome-root/.naome/manifest.json

@@ -11,7 +11,7 @@
     "docs/naome/agent-workflow.md": "sha256:78faeb4eed157b60f0b60bc43da36c713fc4a3436b93bd963ce5f3c12dc91f22",
     "docs/naome/context-economy.md": "sha256:3ed5075815ecf4ada46a5e65438769310307c35759fcd46b13dc0b96e02bebd9",
     "docs/naome/execution.md": "sha256:bfc5d55838942ec8e3d790b59e3c634ff5bf6a2298265cef3dca9788a097eafb",
-    "docs/naome/first-run.md": "sha256:f1a2412f1b542e61c79b5ba65a3fdaa810b0f95cf79d9f734256418cdcfb19aa",
+    "docs/naome/first-run.md": "sha256:1466ce8c65e19a1514885f917db14e8a772350e3f6d1c03a66326963365919e1",
     "docs/naome/index.md": "sha256:07ef776f49130319a5280bdb3ae38af22141708253f38eb983a4336fbae1b25a",
     "docs/naome/task-ledger.md": "sha256:1e524085a2f88811941fd9f2f48ca826bc3e0e4816039d07e795637847714cbd",
     "docs/naome/upgrade.md": "sha256:2c60f0441bbd98bd528d109b30a7ded4b0ad55d61ffb9f52edac9e93b7999cb1"

package/templates/naome-root/docs/naome/first-run.md

@@ -102,7 +102,7 @@ Rules:
   real check.
 - This JSON is machine state, not prose context. It is exempt from the
   200-line instruction-file budget, but must stay bounded: at most 20 checks, 12
-  change types, and 10 release gates.
+  change types, and 12 release gates.
 - Do not read `.naome/verification.json` as long-form context during normal
   work. Select the relevant change type or check id, then read only the matching
   entries needed for proof.

package/templates/naome-root/docs/naome/testing.md

@@ -67,7 +67,7 @@ phase is failing or missing.
 - Use dates as `YYYY-MM-DD` or `null`.
 - Keep instruction files under 200 lines. `.naome/verification.json` is machine
   state instead; keep it schema-valid and bounded to 20 checks, 12 change types,
-  and 10 release gates.
+  and 12 release gates.
 - Store long command output as a compact summary that preserves command, cwd,
   exit code, relevant lines, affected paths, and artifacts.
 - When intake defines change types, include `repository-quality-check` and