@lamentis/naome 1.3.4 → 1.3.6

package/Cargo.lock

@@ -76,7 +76,7 @@ checksum = "f8ca58f447f06ed17d5fc4043ce1b10dd205e060fb3ce5b979b8ed8e59ff3f79"
 
 [[package]]
 name = "naome-cli"
-version = "1.3.4"
+version = "1.3.6"
 dependencies = [
  "naome-core",
  "serde_json",
@@ -84,7 +84,7 @@ dependencies = [
 
 [[package]]
 name = "naome-core"
-version = "1.3.4"
+version = "1.3.6"
 dependencies = [
  "serde",
  "serde_json",

package/README.md

@@ -50,8 +50,6 @@ naome route --prompt-file /path/to/prompt.txt --execute --json
   perfect on day one.
 - Records verification proof before a task can be treated as complete.
 - Keeps sync fast by making baseline and deep quality scans explicit.
-- Can install optional Codex hooks for earlier agent feedback without making
-  hooks a human workflow requirement.
 
 ## Safety Model
 
@@ -99,8 +97,6 @@ After sync, NAOME writes the agent-facing workflow into `docs/naome/`:
 - `docs/naome/testing.md` maps change types to required checks.
 - `docs/naome/repository-quality.md` explains quality, structure, and cleanup
   policy.
-- `docs/naome/codex-hooks.md` explains the optional Codex hook acceleration
-  layer.
 
 Agents should follow the repository's NAOME docs instead of guessing workflow
 rules from generic project files.
@@ -116,7 +112,6 @@ The main local policy files are:
 - `.naome/repository-structure.json` for path role, module, and directory
   structure policy.
 - `.naome/task-state.json` for active task state and proof.
-- `.codex/hooks.json` only when optional Codex hooks were explicitly enabled.
 
 Product defaults stay generic. Repository-specific policy belongs in the local
 `.naome/` config files.

package/crates/naome-cli/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "naome-cli"
-version = "1.3.4"
+version = "1.3.6"
 edition.workspace = true
 license.workspace = true
 repository.workspace = true

package/crates/naome-core/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "naome-core"
-version = "1.3.4"
+version = "1.3.6"
 edition.workspace = true
 license.workspace = true
 repository.workspace = true

package/crates/naome-core/src/install_plan.rs

@@ -60,16 +60,6 @@ pub const LOCAL_NATIVE_BINARY_PATHS: &[&str] = &[
     ".naome/task-journal.jsonl",
 ];
 
-pub const OPTIONAL_CODEX_HOOK_PATHS: &[&str] = &[
-    ".codex/config.toml",
-    ".codex/hooks.json",
-    ".naome/bin/codex-hook.js",
-    ".naome/bin/codex-hook-io.js",
-    ".naome/bin/codex-hook-policy.js",
-    ".naome/bin/codex-hook-runtime.js",
-    "docs/naome/codex-hooks.md",
-];
-
 #[derive(Debug, Clone, Serialize, PartialEq, Eq)]
 #[serde(rename_all = "camelCase")]
 pub struct InstallPlan {
@@ -78,7 +68,6 @@ pub struct InstallPlan {
     pub machine_owned: Vec<&'static str>,
     pub project_owned: Vec<&'static str>,
     pub local_only_machine_owned: Vec<&'static str>,
-    pub optional_codex_hook_paths: Vec<&'static str>,
     pub gitignore_entries: Vec<&'static str>,
     pub git_exclude_entries: Vec<&'static str>,
     pub git_untrack_paths: Vec<&'static str>,
@@ -104,7 +93,6 @@ pub fn install_plan(harness_version: impl Into<String>) -> InstallPlan {
         machine_owned: MACHINE_OWNED_PATHS.to_vec(),
         project_owned: PROJECT_OWNED_PATHS.to_vec(),
         local_only_machine_owned: LOCAL_ONLY_MACHINE_OWNED_PATHS.to_vec(),
-        optional_codex_hook_paths: OPTIONAL_CODEX_HOOK_PATHS.to_vec(),
         gitignore_entries,
         git_exclude_entries,
         git_untrack_paths,

package/crates/naome-core/src/route/git_ops.rs

@@ -37,8 +37,25 @@ fn git_add_paths(root: &Path, paths: &[String]) -> Result<(), NaomeError> {
     if paths.is_empty() {
         return Ok(());
     }
+    let tracked_paths = git_ls_files(root, &[], paths)?;
+    if !tracked_paths.is_empty() {
+        let mut update_args = vec!["add", "-u", "--"];
+        update_args.extend(tracked_paths.iter().map(String::as_str));
+        ensure_git_success(
+            Command::new("git")
+                .args(update_args)
+                .current_dir(root)
+                .output()?,
+        )?;
+    }
+
+    let untracked_paths = git_ls_files(root, &["--others", "--exclude-standard"], paths)?;
+    if untracked_paths.is_empty() {
+        return Ok(());
+    }
+
     let mut args = vec!["add", "--"];
-    args.extend(paths.iter().map(String::as_str));
+    args.extend(untracked_paths.iter().map(String::as_str));
     let output = Command::new("git").args(args).current_dir(root).output()?;
     if output.status.success() {
         Ok(())
@@ -47,6 +64,31 @@ fn git_add_paths(root: &Path, paths: &[String]) -> Result<(), NaomeError> {
     }
 }
 
+fn git_ls_files(
+    root: &Path,
+    mode_args: &[&str],
+    paths: &[String],
+) -> Result<Vec<String>, NaomeError> {
+    let mut args = vec!["ls-files"];
+    args.extend(mode_args);
+    args.extend(["-z", "--"]);
+    args.extend(paths.iter().map(String::as_str));
+    let output = Command::new("git").args(args).current_dir(root).output()?;
+    if output.status.success() {
+        Ok(split_nul_paths(&output.stdout))
+    } else {
+        Err(NaomeError::new(command_output(&output)))
+    }
+}
+
+fn split_nul_paths(bytes: &[u8]) -> Vec<String> {
+    String::from_utf8_lossy(bytes)
+        .split('\0')
+        .filter(|path| !path.is_empty())
+        .map(ToString::to_string)
+        .collect()
+}
+
 pub(super) fn git_commit(root: &Path, message: &str) -> Result<(), NaomeError> {
     ensure_git_success(git_output(root, &["commit", "-m", message])?)
 }
@@ -64,9 +106,12 @@ pub(super) fn ensure_git_success(output: Output) -> Result<(), NaomeError> {
 }
 
 pub(super) fn command_output(output: &std::process::Output) -> String {
-    let stderr = String::from_utf8_lossy(&output.stderr).trim().to_string();
-    if !stderr.is_empty() {
-        return stderr;
+    let stderr = String::from_utf8_lossy(&output.stderr);
+    let stdout = String::from_utf8_lossy(&output.stdout);
+    for message in [stderr.trim(), stdout.trim()] {
+        if !message.is_empty() {
+            return message.to_string();
+        }
     }
-    String::from_utf8_lossy(&output.stdout).trim().to_string()
+    format!("git exited with status {}", output.status)
 }

package/crates/naome-core/tests/install_plan.rs

@@ -19,17 +19,6 @@ fn install_plan_marks_machine_docs_and_bins_local_only() {
     assert!(!plan
         .local_only_machine_owned
         .contains(&"docs/naome/architecture.md"));
-    assert!(plan
-        .optional_codex_hook_paths
-        .contains(&".codex/hooks.json"));
-    assert!(plan
-        .optional_codex_hook_paths
-        .contains(&".codex/config.toml"));
-    assert!(plan
-        .optional_codex_hook_paths
-        .contains(&".naome/bin/codex-hook.js"));
-    assert!(!plan.machine_owned.contains(&".naome/bin/codex-hook.js"));
-    assert!(!plan.project_owned.contains(&".codex/hooks.json"));
 }
 
 #[test]

package/installer/context.js

@@ -34,16 +34,6 @@ export function createInstallerContext() {
     installPlan: null,
     machineOwnedPaths: [],
     projectOwnedPaths: [],
-    optionalCodexHookPaths: [
-      ".codex/config.toml",
-      ".codex/hooks.json",
-      ".naome/bin/codex-hook.js",
-      ".naome/bin/codex-hook-io.js",
-      ".naome/bin/codex-hook-policy.js",
-      ".naome/bin/codex-hook-runtime.js",
-      "docs/naome/codex-hooks.md",
-    ],
-    codexHooksEnabled: false,
     localOnlyMachineOwnedPaths: [],
     localOnlyGitIgnoreEntries: [],
     localOnlyGitExcludeEntries: [],

package/installer/filesystem.js

@@ -30,10 +30,6 @@ export function copyTemplateFile(ctx, sourcePath) {
   const relativePath = relative(ctx.templateRoot, sourcePath);
   const targetPath = join(ctx.targetRoot, relativePath);
 
-  if (ctx.optionalCodexHookPaths.includes(relativePath) && !ctx.codexHooksEnabled) {
-    return;
-  }
-
   if (hasSymlinkInTargetPath(ctx, relativePath)) {
     ctx.skipped.push(relativePath);
     ctx.unsafeSkipped.push(relativePath);

package/installer/flows.js

@@ -1,3 +1,5 @@
+import { posix } from "node:path";
+
 import { ensureArchiveDirectory, copyTemplateFile, walk } from "./filesystem.js";
 import {
   ensureBuiltInVerificationChecks,
@@ -14,14 +16,23 @@ import {
   refreshManifestHealthMetadata,
 } from "./manifest-state.js";
 import { installNativeDecisionBinary, patchInstalledMachineOwnedIntegrity } from "./native.js";
+import { removeLegacyHarnessFile } from "./harness-file-ops.js";
 import { printError } from "./output.js";
 import { compareVersions } from "./version.js";
 import { confirmAgentsTakeover, takeoverExistingAgents } from "./agents.js";
-import { ensureCodexHooks, resolveCodexHooksPreference } from "./codex-hooks.js";
+
+const legacyOptionalHookPaths = [
+  ".codex/config.toml",
+  ".codex/hooks.json",
+  ".naome/bin/codex-hook-io.js",
+  ".naome/bin/codex-hook-policy.js",
+  ".naome/bin/codex-hook-runtime.js",
+  ".naome/bin/codex-hook.js",
+  "docs/naome/codex-hooks.md",
+];
 
 export async function runFreshInstall(ctx) {
   await confirmAgentsTakeover(ctx);
-  await resolveCodexHooksPreference(ctx);
 
   for (const sourcePath of walk(ctx.templateRoot)) {
     copyTemplateFile(ctx, sourcePath);
@@ -54,10 +65,14 @@ export async function runExistingInstall(ctx, existingInstall) {
     }
 
     ensureArchiveDirectory(ctx);
-    await runRepair(ctx, existingInstall.version, { fromVersion: existingInstall.version });
+    await runRepair(ctx, existingInstall.version, {
+      existingManifest: existingInstall.manifest,
+      fromVersion: existingInstall.version,
+      retireLegacyOptionalHooks: true,
+    });
   } else {
     ensureArchiveDirectory(ctx);
-    await runRepair(ctx, existingInstall.version);
+    await runRepair(ctx, existingInstall.version, { existingManifest: existingInstall.manifest });
   }
 }
 
@@ -72,17 +87,65 @@ function rejectUnsupportedHistoricalInstall(ctx, version) {
 
 async function runRepair(ctx, version, options = {}) {
   ctx.summaryTitle = "NAOME harness checked";
-  await resolveCodexHooksPreference(ctx);
   ensureCoreHarnessFiles(ctx, `repair-${version}`);
   ensureTaskControlHarnessFiles(ctx, `repair-${version}`);
   ensureHarnessHealthFiles(ctx, `repair-${version}`);
-  ensureCodexHooks(ctx, `repair-${version}`);
   installNativeDecisionBinary(ctx);
   patchInstalledMachineOwnedIntegrity(ctx);
   ensureBuiltInVerificationChecks(ctx);
   ensureTestingProofHarnessSections(ctx);
   ensureRepositoryStructurePolicyFiles(ctx);
+  removeRetiredMachineOwnedFiles(ctx, options.existingManifest, `repair-${version}`, {
+    extraPaths: options.retireLegacyOptionalHooks ? legacyOptionalHookPaths : [],
+  });
   refreshManifestHealthMetadata(ctx);
   ensureCompleteUpgradeState(ctx, options.fromVersion ?? null);
   ensureLocalOnlySourceControlBoundary(ctx);
 }
+
+function removeRetiredMachineOwnedFiles(ctx, manifest, archiveDirName, options = {}) {
+  const currentOwnedPaths = new Set([
+    ...ctx.machineOwnedPaths,
+    ...ctx.projectOwnedPaths,
+    ...ctx.localOnlyMachineOwnedPaths,
+    ctx.nativeBinaryRelativePath,
+  ].filter(Boolean));
+  const retiredPaths = [
+    ...(Array.isArray(manifest?.machineOwned) ? manifest.machineOwned : []),
+    ...(Array.isArray(options.extraPaths) ? options.extraPaths : []),
+  ];
+
+  for (const relativePath of [...new Set(retiredPaths)]) {
+    if (!isSafeManifestPath(relativePath)) {
+      const pathLabel = String(relativePath);
+      ctx.skipped.push(pathLabel);
+      ctx.unsafeSkipped.push(pathLabel);
+      continue;
+    }
+
+    if (currentOwnedPaths.has(relativePath)) {
+      continue;
+    }
+
+    removeLegacyHarnessFile(ctx, relativePath, archiveDirName);
+  }
+}
+
+function isSafeManifestPath(relativePath) {
+  if (
+    typeof relativePath !== "string" ||
+    relativePath.length === 0 ||
+    relativePath.includes("\0") ||
+    relativePath.includes("\\") ||
+    relativePath.includes(":")
+  ) {
+    return false;
+  }
+
+  if (posix.isAbsolute(relativePath)) {
+    return false;
+  }
+
+  const normalizedPath = posix.normalize(relativePath);
+  return normalizedPath === relativePath && normalizedPath !== "." && !normalizedPath.startsWith("../");
+}

package/installer/harness-file-ops.js

@@ -39,6 +39,10 @@ export function ensureTemplateFile(ctx, relativePath) {
 }
 
 export function removeBranchControlledHookShim(ctx, relativePath, archiveDirName) {
+  removeLegacyHarnessFile(ctx, relativePath, archiveDirName);
+}
+
+export function removeLegacyHarnessFile(ctx, relativePath, archiveDirName) {
   const targetPath = join(ctx.targetRoot, relativePath);
   if (!existsSync(targetPath)) {
     ctx.skipped.push(relativePath);

package/installer/install-plan.js

@@ -34,9 +34,6 @@ function parseInstallPlan(ctx, output) {
     assertInstallPlanArray(ctx, installPlan, "machineOwned");
     assertInstallPlanArray(ctx, installPlan, "projectOwned");
     assertInstallPlanArray(ctx, installPlan, "localOnlyMachineOwned");
-    if (installPlan.optionalCodexHookPaths !== undefined) {
-      assertInstallPlanArray(ctx, installPlan, "optionalCodexHookPaths");
-    }
     assertInstallPlanArray(ctx, installPlan, "gitignoreEntries");
     assertInstallPlanArray(ctx, installPlan, "gitExcludeEntries");
     assertInstallPlanArray(ctx, installPlan, "gitUntrackPaths");
@@ -63,7 +60,6 @@ function assignInstallPlan(ctx, installPlan) {
   ctx.machineOwnedPaths = installPlan.machineOwned;
   ctx.projectOwnedPaths = installPlan.projectOwned;
   ctx.localOnlyMachineOwnedPaths = installPlan.localOnlyMachineOwned;
-  ctx.optionalCodexHookPaths = installPlan.optionalCodexHookPaths ?? ctx.optionalCodexHookPaths;
   ctx.localOnlyGitIgnoreEntries = installPlan.gitignoreEntries;
   ctx.localOnlyGitExcludeEntries = installPlan.gitExcludeEntries;
   ctx.localOnlyGitUntrackPaths = installPlan.gitUntrackPaths;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lamentis/naome",
-  "version": "1.3.4",
+  "version": "1.3.6",
   "description": "Native-first CLI for the NAOME agent harness.",
   "license": "Apache-2.0",
   "type": "module",
@@ -10,7 +10,6 @@
     "ai",
     "harness",
     "repository",
-    "codex",
     "claude"
   ],
   "repository": {

package/templates/naome-root/.naome/bin/check-harness-health.js

@@ -11,7 +11,7 @@ const nativeBinaryName = process.platform === "win32" ? "naome.exe" : "naome";
 const expectedMachineOwnedIntegrity = Object.freeze({
   ".naome/bin/check-harness-health.js": "sha256:dc4de52b79c69600b9ba47b924e2c2b8de61a2cbfab6d1ccc0f1924d963db657",
   ".naome/bin/check-task-state.js": "sha256:df54489a22b426180266e5e0fb5f9ec381477419f688435248afbf2b9b38ea81",
-  ".naome/bin/naome.js": "sha256:d343f367da21bf45272331eec2ea34862a0bf056978780c62d6cae02e0f7993a",
+  ".naome/bin/naome.js": "sha256:a34c2e50a68d15ff2722a57590ccddc504e025d3c98ea62fd700d7ec1a789b9a",
   ".naome/package.json": "sha256:8005a3491db7d92f36ac66369861589f9c47123d3a7c71e643fc2c06168cd45a",
   ".naome/task-contract.schema.json": "sha256:1b3b62350328d0d6d660e36d1d1baaa2b88718530db774f9ab2a9e2fcba369c8",
   "AGENTS.md": "sha256:e8b2fc786c1c72b69ba8f2b2ffce4f459e799c7453ce9ff4a9f6448a8f9e6b4f",

package/templates/naome-root/.naome/bin/check-task-state.js

@@ -11,7 +11,7 @@ const nativeBinaryName = process.platform === "win32" ? "naome.exe" : "naome";
 const expectedMachineOwnedIntegrity = Object.freeze({
   ".naome/bin/check-harness-health.js": "sha256:dc4de52b79c69600b9ba47b924e2c2b8de61a2cbfab6d1ccc0f1924d963db657",
   ".naome/bin/check-task-state.js": "sha256:df54489a22b426180266e5e0fb5f9ec381477419f688435248afbf2b9b38ea81",
-  ".naome/bin/naome.js": "sha256:d343f367da21bf45272331eec2ea34862a0bf056978780c62d6cae02e0f7993a",
+  ".naome/bin/naome.js": "sha256:a34c2e50a68d15ff2722a57590ccddc504e025d3c98ea62fd700d7ec1a789b9a",
   ".naome/package.json": "sha256:8005a3491db7d92f36ac66369861589f9c47123d3a7c71e643fc2c06168cd45a",
   ".naome/task-contract.schema.json": "sha256:1b3b62350328d0d6d660e36d1d1baaa2b88718530db774f9ab2a9e2fcba369c8",
   "AGENTS.md": "sha256:e8b2fc786c1c72b69ba8f2b2ffce4f459e799c7453ce9ff4a9f6448a8f9e6b4f",

package/templates/naome-root/.naome/bin/naome.js

@@ -12,7 +12,7 @@ const expectedNativeBinaryIntegrity = "sha256:generated";
 function main(argv) {
   const [command, ...args] = argv;
 
-  if (isHelpRequest(argv)) {
+  if (["help", "--help", "-h"].includes(argv[0]) || ["help", "--help", "-h"].includes(argv[1])) {
     printHelp();
     process.exit(0);
   }
@@ -36,10 +36,6 @@ function main(argv) {
   process.exit(command ? 1 : 0);
 }
 
-function isHelpRequest(args) {
-  return ["help", "--help", "-h"].includes(args[0]) || ["help", "--help", "-h"].includes(args[1]);
-}
-
 function runNativeDecisionCommand(command, args) {
   const root = findHarnessRoot(process.cwd());
   if (!root) {
@@ -173,7 +169,22 @@ function commitBaseline(root, message, options = {}) {
   }
 
   const before = gitHead(root);
-  runGitOrExit(root, ["add", "-A", "--", ...changedPaths]);
+  const tracked = runGit(root, ["ls-files", "-z", "--", ...changedPaths]);
+  if (tracked.status !== 0) {
+    fail(`Cannot determine tracked task paths: ${tracked.stderr.trim() || tracked.stdout.trim()}`);
+  }
+  const trackedPaths = tracked.stdout.split("\0").filter(Boolean);
+  if (trackedPaths.length > 0) {
+    runGitOrExit(root, ["add", "-u", "--", ...trackedPaths]);
+  }
+  const untracked = runGit(root, ["ls-files", "--others", "--exclude-standard", "-z", "--", ...changedPaths]);
+  if (untracked.status !== 0) {
+    fail(`Cannot determine untracked task paths: ${untracked.stderr.trim() || untracked.stdout.trim()}`);
+  }
+  const untrackedPaths = untracked.stdout.split("\0").filter(Boolean);
+  if (untrackedPaths.length > 0) {
+    runGitOrExit(root, ["add", "--", ...untrackedPaths]);
+  }
   runOrExit(root, [process.execPath, [join(root, ".naome", "bin", "check-task-state.js"), "--commit-gate"]]);
   runGitOrExit(root, ["commit", "-m", message]);
   return { before, after: gitHead(root) };
@@ -356,47 +367,7 @@ function findAncestorWithAnyMarker(startPath, markers) {
 }
 
 function printHelp() {
-  const commands = [
-    "naome status [--json]",
-    "naome next [--json]",
-    "naome intent --prompt-file <path> [--json]",
-    "naome intent --prompt <text> [--json]",
-    "naome route --prompt-file <path> [--execute] [--json]",
-    "naome route --prompt <text> [--execute] [--json]",
-    "naome explain --prompt-file <path> [--json]",
-    "naome explain --prompt <text> [--json]",
-    "naome context select --changed [--json]",
-    "naome context select --prompt-file <path> [--json]",
-    "naome context select --prompt <text> [--json]",
-    "naome doctor [--json]",
-    "naome task render-state [--write] [--json]",
-    "naome task migrate-ledger [--write] [--json]",
-    "naome quality init [--baseline|--deep-baseline] [--json]",
-    "naome quality check --changed [--include-scanned-paths] [--json]",
-    "naome quality check --path <path> [--path <path>...] [--include-scanned-paths] [--json]",
-    "naome quality report [--deep] [--include-scanned-paths] [--json]",
-    "naome quality cache status [--json]",
-    "naome quality cache clear",
-    "naome semantic report [--deep] [--json]",
-    "naome semantic check --changed [--json]",
-    "naome semantic check --path <path> [--path <path>...] [--json]",
-    "naome semantic route --finding <id> [--json]",
-    "naome semantic loop [--json]",
-    "naome repo model [--write] [--json]",
-    "naome repo check [--json]",
-    "naome repo explain --path <path> [--json]",
-    "naome structure report [--json]",
-    "naome structure explain --path <path> [--json]",
-    "naome cleanup plan [--json]",
-    "naome cleanup route --path <path> [--json]",
-    "naome refresh-integrity [--json]",
-    "naome workflow agent-plan|context-delta|proof-plan|capabilities|edit-watchdog|decision-gate|digest [--json]",
-    "naome workflow search-profile|check-search|phases|processes|mutations [--json]",
-    "naome install",
-    "naome sync",
-    "naome commit -m \"type(scope): message\"",
-    "node .naome/bin/naome.js commit -m \"type(scope): message\""
-  ];
+  const commands = "naome status [--json]|naome next [--json]|naome intent --prompt-file <path> [--json]|naome intent --prompt <text> [--json]|naome route --prompt-file <path> [--execute] [--json]|naome route --prompt <text> [--execute] [--json]|naome explain --prompt-file <path> [--json]|naome explain --prompt <text> [--json]|naome context select --changed [--json]|naome context select --prompt-file <path> [--json]|naome context select --prompt <text> [--json]|naome doctor [--json]|naome task render-state [--write] [--json]|naome task migrate-ledger [--write] [--json]|naome quality init [--baseline|--deep-baseline] [--json]|naome quality check --changed [--include-scanned-paths] [--json]|naome quality check --path <path> [--path <path>...] [--include-scanned-paths] [--json]|naome quality report [--deep] [--include-scanned-paths] [--json]|naome quality cache status [--json]|naome quality cache clear|naome semantic report [--deep] [--json]|naome semantic check --changed [--json]|naome semantic check --path <path> [--path <path>...] [--json]|naome semantic route --finding <id> [--json]|naome semantic loop [--json]|naome repo model [--write] [--json]|naome repo check [--json]|naome repo explain --path <path> [--json]|naome structure report [--json]|naome structure explain --path <path> [--json]|naome cleanup plan [--json]|naome cleanup route --path <path> [--json]|naome refresh-integrity [--json]|naome workflow agent-plan|context-delta|proof-plan|capabilities|edit-watchdog|decision-gate|digest [--json]|naome workflow search-profile|check-search|phases|processes|mutations [--json]|naome install|naome sync|naome commit -m \"type(scope): message\"|node .naome/bin/naome.js commit -m \"type(scope): message\"".split("|");
   console.log(["Usage:", ...commands.map((command) => `  ${command}`)].join("\n"));
 }
 

package/templates/naome-root/.naome/manifest.json

@@ -4,7 +4,7 @@
   "integrity": {
     ".naome/bin/check-harness-health.js": "sha256:dc4de52b79c69600b9ba47b924e2c2b8de61a2cbfab6d1ccc0f1924d963db657",
     ".naome/bin/check-task-state.js": "sha256:df54489a22b426180266e5e0fb5f9ec381477419f688435248afbf2b9b38ea81",
-    ".naome/bin/naome.js": "sha256:d343f367da21bf45272331eec2ea34862a0bf056978780c62d6cae02e0f7993a",
+    ".naome/bin/naome.js": "sha256:a34c2e50a68d15ff2722a57590ccddc504e025d3c98ea62fd700d7ec1a789b9a",
     ".naome/package.json": "sha256:8005a3491db7d92f36ac66369861589f9c47123d3a7c71e643fc2c06168cd45a",
     ".naome/task-contract.schema.json": "sha256:1b3b62350328d0d6d660e36d1d1baaa2b88718530db774f9ab2a9e2fcba369c8",
     "AGENTS.md": "sha256:e8b2fc786c1c72b69ba8f2b2ffce4f459e799c7453ce9ff4a9f6448a8f9e6b4f",

package/templates/naome-root/docs/naome/testing.md

@@ -17,10 +17,6 @@ touched-file feedback. This catches local size, symbol, duplicate, structure,
 and stale-policy issues before the task grows. It does not replace the final
 `repository-quality-check`; always run the changed-file gate before completion.
 
-Optional Codex hooks can provide the same kind of early feedback during an
-agent run. They are acceleration only; final proof still comes from the
-commands in this document and `.naome/verification.json`.
-
 ## Known Checks
 
 | Check id | Command | Cwd | Cost | Last verified |

package/installer/codex-hooks.js

@@ -1,121 +0,0 @@
-import { createInterface } from "node:readline/promises";
-import { stdin as input, stdout as output } from "node:process";
-import { existsSync, readFileSync } from "node:fs";
-import { join } from "node:path";
-
-import { replaceHarnessFile } from "./harness-file-ops.js";
-import { printSection } from "./output.js";
-
-const HOOK_CONFIG_PATH = ".codex/hooks.json";
-const HOOK_FEATURE_CONFIG_PATH = ".codex/config.toml";
-const HOOK_DISPATCHER_PATH = ".naome/bin/codex-hook.js";
-const HOOK_IO_PATH = ".naome/bin/codex-hook-io.js";
-const HOOK_POLICY_PATH = ".naome/bin/codex-hook-policy.js";
-const HOOK_RUNTIME_PATH = ".naome/bin/codex-hook-runtime.js";
-const HOOK_DOC_PATH = "docs/naome/codex-hooks.md";
-
-const CODEX_HOOK_MACHINE_PATHS = [
-  HOOK_FEATURE_CONFIG_PATH,
-  HOOK_CONFIG_PATH,
-  HOOK_DISPATCHER_PATH,
-  HOOK_IO_PATH,
-  HOOK_POLICY_PATH,
-  HOOK_RUNTIME_PATH,
-  HOOK_DOC_PATH,
-];
-const CODEX_HOOK_EXECUTABLE_PATHS = [HOOK_DISPATCHER_PATH];
-
-export async function resolveCodexHooksPreference(ctx) {
-  const override = parseCodexHooksOverride(process.env.NAOME_CODEX_HOOKS);
-  if (override !== null) {
-    setCodexHooksEnabled(ctx, override);
-    return;
-  }
-
-  if (hasManagedCodexHooks(ctx)) {
-    setCodexHooksEnabled(ctx, true);
-    return;
-  }
-
-  if (!process.stdin.isTTY || process.env.CI === "true") {
-    setCodexHooksEnabled(ctx, false);
-    return;
-  }
-
-  printSection(ctx, "Optional Codex Hooks");
-  console.log(`${ctx.color.dim("purpose")} earlier NAOME feedback for Codex agents`);
-  console.log(`${ctx.color.dim("scope  ")} repo-local acceleration only; normal NAOME gates remain authoritative`);
-  console.log(`${ctx.color.dim("human ")} optional; declining keeps install and sync working`);
-  console.log("");
-
-  const rl = createInterface({ input, output });
-  const answer = await rl.question(`${ctx.color.yellow("?")} Install optional Codex Hooks for this repository? (y/N) `);
-  rl.close();
-
-  setCodexHooksEnabled(ctx, answer.trim().toLowerCase() === "y");
-}
-
-export function ensureCodexHooks(ctx, archiveDirName) {
-  if (!ctx.codexHooksEnabled) {
-    return;
-  }
-
-  ensureCodexHookManifestPaths(ctx);
-  for (const relativePath of ctx.optionalCodexHookPaths) {
-    replaceHarnessFile(ctx, relativePath, archiveDirName);
-  }
-}
-
-export function ensureCodexHookManifestPaths(ctx) {
-  for (const relativePath of CODEX_HOOK_MACHINE_PATHS) {
-    appendUnique(ctx.machineOwnedPaths, relativePath);
-    appendUnique(ctx.localOnlyMachineOwnedPaths, relativePath);
-    appendUnique(ctx.localOnlyGitExcludeEntries, relativePath);
-    appendUnique(ctx.localOnlyGitUntrackPaths, relativePath);
-  }
-  for (const relativePath of CODEX_HOOK_EXECUTABLE_PATHS) {
-    ctx.executableMachineOwnedPaths.add(relativePath);
-  }
-}
-
-function setCodexHooksEnabled(ctx, enabled) {
-  ctx.codexHooksEnabled = enabled;
-  if (enabled) {
-    ensureCodexHookManifestPaths(ctx);
-  }
-}
-
-function hasManagedCodexHooks(ctx) {
-  const hookConfigPath = join(ctx.targetRoot, HOOK_CONFIG_PATH);
-  if (!existsSync(hookConfigPath)) {
-    return false;
-  }
-
-  try {
-    const hooks = JSON.parse(readFileSync(hookConfigPath, "utf8"));
-    return hooks.schema === "naome.codex-hooks.v1";
-  } catch {
-    return false;
-  }
-}
-
-function parseCodexHooksOverride(value) {
-  if (value === undefined) {
-    return null;
-  }
-
-  const normalized = value.trim().toLowerCase();
-  if (["1", "true", "yes", "y", "on"].includes(normalized)) {
-    return true;
-  }
-  if (["0", "false", "no", "n", "off"].includes(normalized)) {
-    return false;
-  }
-  return null;
-}
-
-function appendUnique(values, value) {
-  if (!values.includes(value)) {
-    values.push(value);
-  }
-}

package/templates/naome-root/.codex/config.toml

@@ -1,2 +0,0 @@
-[features]
-codex_hooks = true

package/templates/naome-root/.codex/hooks.json

@@ -1,70 +0,0 @@
-{
-  "schema": "naome.codex-hooks.v1",
-  "version": 1,
-  "hooks": {
-    "SessionStart": [
-      {
-        "matcher": "startup|resume|clear",
-        "hooks": [
-          {
-            "type": "command",
-            "command": "node .naome/bin/codex-hook.js --event SessionStart"
-          }
-        ]
-      }
-    ],
-    "UserPromptSubmit": [
-      {
-        "hooks": [
-          {
-            "type": "command",
-            "command": "node .naome/bin/codex-hook.js --event UserPromptSubmit"
-          }
-        ]
-      }
-    ],
-    "PreToolUse": [
-      {
-        "matcher": "*",
-        "hooks": [
-          {
-            "type": "command",
-            "command": "node .naome/bin/codex-hook.js --event PreToolUse"
-          }
-        ]
-      }
-    ],
-    "PermissionRequest": [
-      {
-        "matcher": "*",
-        "hooks": [
-          {
-            "type": "command",
-            "command": "node .naome/bin/codex-hook.js --event PermissionRequest"
-          }
-        ]
-      }
-    ],
-    "PostToolUse": [
-      {
-        "matcher": "*",
-        "hooks": [
-          {
-            "type": "command",
-            "command": "node .naome/bin/codex-hook.js --event PostToolUse"
-          }
-        ]
-      }
-    ],
-    "Stop": [
-      {
-        "hooks": [
-          {
-            "type": "command",
-            "command": "node .naome/bin/codex-hook.js --event Stop"
-          }
-        ]
-      }
-    ]
-  }
-}

package/templates/naome-root/.naome/bin/codex-hook-io.js

@@ -1,122 +0,0 @@
-"use strict";
-
-const { createHash } = require("node:crypto");
-const { existsSync, mkdirSync, readFileSync, writeFileSync } = require("node:fs");
-const { dirname } = require("node:path");
-const { spawnSync } = require("node:child_process");
-
-const CACHE = ".naome/cache/codex-hook-state.json";
-
-function readPayload() {
-  try {
-    return JSON.parse(readFileSync(0, "utf8") || "{}");
-  } catch {
-    return {};
-  }
-}
-
-function eventName(payload) {
-  const index = process.argv.indexOf("--event");
-  return index !== -1 && process.argv[index + 1] ? process.argv[index + 1] : payload?.hook_event_name || payload?.event || "";
-}
-
-function commandOf(payload) {
-  return [payload?.tool_input?.command, payload?.toolInput?.command, payload?.command].find((value) => typeof value === "string" && value);
-}
-
-function promptOf(payload) {
-  return [payload?.prompt, payload?.user_prompt, payload?.tool_input?.prompt, payload?.toolInput?.prompt, payload?.reason, payload?.message].find((value) => typeof value === "string" && value) || "";
-}
-
-function readJson(path) {
-  try {
-    return existsSync(path) ? JSON.parse(readFileSync(path, "utf8")) : null;
-  } catch {
-    return null;
-  }
-}
-
-function parseJson(value) {
-  try {
-    return JSON.parse(value);
-  } catch {
-    return null;
-  }
-}
-
-function readCache() {
-  return readJson(CACHE) || {};
-}
-
-function writeCache(value) {
-  try {
-    mkdirSync(dirname(CACHE), { recursive: true });
-    writeFileSync(CACHE, `${JSON.stringify(value)}\n`);
-  } catch {
-    // Best-effort cache only.
-  }
-}
-
-function run(command, args, env = process.env) {
-  return spawnSync(command, args, { cwd: process.cwd(), encoding: "utf8", env });
-}
-
-function runGit(args) {
-  return run("git", args);
-}
-
-function runNaome(args) {
-  return run(process.execPath, [".naome/bin/naome.js", ...args], { ...process.env, NO_COLOR: "1" });
-}
-
-function taskCheck(args) {
-  return run(process.execPath, [".naome/bin/check-task-state.js", ...args]);
-}
-
-function diffSignature() {
-  return createHash("sha256")
-    .update(runGit(["status", "--porcelain=v1"]).stdout || "")
-    .update(runGit(["diff", "--no-ext-diff", "HEAD", "--"]).stdout || "")
-    .digest("hex");
-}
-
-function decide(decision, reason, messages) {
-  write(decisionObject(decision, reason, messages));
-}
-
-function decisionObject(decision, reason, messages) {
-  if (decision !== "block") {
-    return {};
-  }
-  const detail = messages.filter(Boolean).join("; ");
-  return { decision, reason: compact(detail ? `${reason}: ${detail}` : reason) };
-}
-
-function write(value) {
-  process.stdout.write(`${JSON.stringify(value)}\n`);
-}
-
-function compact(value) {
-  const text = String(value);
-  return text.length > 500 ? `${text.slice(0, 497)}...` : text;
-}
-
-module.exports = {
-  commandOf,
-  compact,
-  decide,
-  decisionObject,
-  diffSignature,
-  eventName,
-  parseJson,
-  promptOf,
-  readCache,
-  readJson,
-  readPayload,
-  run,
-  runGit,
-  runNaome,
-  taskCheck,
-  write,
-  writeCache
-};

package/templates/naome-root/.naome/bin/codex-hook-policy.js

@@ -1,180 +0,0 @@
-"use strict";
-
-const { readFileSync } = require("node:fs");
-
-const CHEAP = new Set(["diff-check", "repository-quality-check", "repository-semantic-check", "task-state-progress-check"]);
-const EXPENSIVE = new Set(["installer-tests", "rust-build", "package-dry-run", "harness-health-tests", "task-state-tests", "verification-contract-tests"]);
-
-function classifyPrompt(prompt) {
-  const value = prompt.toLowerCase();
-  if (/status|where are we|progress/.test(value)) return "status_request";
-  if (/review|comment|pr feedback/.test(value)) return "review";
-  if (/commit/.test(value)) return "commit";
-  if (/push/.test(value) && !/ci|check|fail/.test(value)) return "push";
-  if (/ci|check|failing|failed|workflow|actions/.test(value)) return "ci_fix";
-  if (/continue|keep going|resume|do so/.test(value)) return "continuation";
-  return "new_task";
-}
-
-function riskyPromptCodes(prompt) {
-  const value = prompt.toLowerCase();
-  return [
-    ["reset|clean|rm\\s+-rf", "risky-destructive"],
-    ["force push|--force|--force-with-lease|\\spush\\s+-f", "risky-force-push"],
-    ["--no-verify|bypass.*hook|skip.*hook", "risky-hook-bypass"],
-    ["publish|release|npm publish", "risky-release"]
-  ].filter(([pattern]) => new RegExp(pattern).test(value)).map(([, code]) => code);
-}
-
-function permissionRiskCodes(value) {
-  const lower = value.toLowerCase();
-  return [...new Set([
-    ["https?:|network|fetch|curl|wget|push|pull|gh\\s+|npm\\s+(install|publish)", "network"],
-    ["\\bgit\\b|push|commit|merge|rebase", "git"],
-    ["write|stage|commit|push|apply|patch|install|sync", "write"],
-    ["publish|npm publish", "publish"],
-    ["release|tag", "release"],
-    ["reset|clean|--force|-f\\b|rm\\s+-rf", "destructive"]
-  ].filter(([pattern]) => new RegExp(pattern).test(lower)).map(([, code]) => code))];
-}
-
-function hardBlockedCommand(command) {
-  const value = command.replace(/\s+/g, " ").trim();
-  return [
-    [/(\bgit\s+reset\b.*\B--hard\b|\bgit\s+reset\s+--hard\b)/, "destructive-git-reset-hard: hard reset requires explicit human review."],
-    [/\bgit\s+clean\b.*(^|\s)-[^\s]*f|\bgit\s+clean\b.*--force\b/, "destructive-git-clean: forced clean requires explicit human review."],
-    [/\brm\b(?=.*(?:^|\s)-[^\s]*r)(?=.*(?:^|\s)-[^\s]*f)(?=.*(?:^|\s)(?:--\s+)?(?:\.\/)?(?:[^/\s]+\/)*\.git(?:\/|\s|$))/, "destructive-git-dir-removal: removing .git is blocked."],
-    [/--no-verify\b/, "hook-bypass-command: --no-verify is blocked."],
-    [/\bgit\s+push\b.*(?:--force(?:-with-lease)?\b|(^|\s)-f(\s|$))/, "force-push-command: force pushes require fresh human review."]
-  ].find(([pattern]) => pattern.test(value))?.[1] || null;
-}
-
-function searchSegments(command) {
-  return command
-    .split(/&&|\|\||[;|]/)
-    .map((part) => part.trim().replace(/^(?:cd\s+\S+\s+)?/, ""))
-    .filter((part) => /^(rg|grep|find)\b/.test(part));
-}
-
-function forbiddenPath(payload, command) {
-  const input = payload?.tool_input || payload?.toolInput || {};
-  const values = [command, ...["path", "file_path", "filepath", "target_file", "pattern"].map((key) => input[key])].filter(Boolean);
-  return values.some((value) => tokens(value).some(blockedPath)) ? "read-boundary-violation: command or tool input touches a path blocked by .naomeignore." : null;
-}
-
-function blockedPath(path) {
-  if (/(^|\/)\.naome\/archive(\/|$)/.test(path)) return true;
-  return ignoredPatterns().some((pattern) => pathMatches(path, pattern));
-}
-
-function tokens(value) {
-  return String(value).replace(/\\/g, "/").split(/[\s"'`,]+/).map((token) => token.replace(/^\.\//, "").replace(/[):;]+$/, "")).filter(Boolean);
-}
-
-function ignoredPatterns() {
-  try {
-    return readFileSync(".naomeignore", "utf8").split(/\r?\n/).map((line) => line.trim()).filter((line) => line && !line.startsWith("#"));
-  } catch {
-    return [".naome/archive/"];
-  }
-}
-
-function pathMatches(path, pattern) {
-  const actual = String(path).replace(/\\/g, "/");
-  const glob = String(pattern).replace(/\\/g, "/");
-  if (glob.endsWith("/")) return actual.startsWith(glob);
-  if (glob.endsWith("/**")) return actual.startsWith(glob.slice(0, -3));
-  if (!glob.includes("*")) return actual === glob;
-  return new RegExp(`^${glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*\*/g, ".*").replace(/\*/g, "[^/]*")}$`).test(actual);
-}
-
-function looksLikeWriteTool(payload, command) {
-  const name = String(payload?.tool_name || payload?.toolName || payload?.name || "").toLowerCase();
-  if (/edit|write|patch|notebookedit|multiedit/.test(name)) return true;
-  if (!command) return false;
-  if (/^(git status|git diff|rg\b|grep\b|find\b|sed\b|cat\b|nl\b|wc\b|ls\b|pwd\b)/.test(command.trim())) return false;
-  return />|>>|\b(apply_patch|cp|mv|touch|mkdir|rm|npm install|cargo build|node --test|writeFileSync)\b/.test(command);
-}
-
-function touchedPaths(payload, command) {
-  const paths = [];
-  collectInputPaths(payload?.tool_input || payload?.toolInput || {}, paths);
-  collectCommandPaths(command, paths);
-  return [...new Set(paths.map(cleanPath).filter(Boolean))];
-}
-
-function collectInputPaths(value, paths) {
-  if (Array.isArray(value)) return value.forEach((entry) => collectInputPaths(entry, paths));
-  if (!value || typeof value !== "object") return;
-  for (const [key, child] of Object.entries(value)) {
-    if (/^(path|paths|file|files|file_path|filepath|target_file)$/.test(key)) collectPathValue(child, paths);
-    if (child && typeof child === "object") collectInputPaths(child, paths);
-  }
-}
-
-function collectPathValue(value, paths) {
-  if (Array.isArray(value)) return value.forEach((entry) => collectPathValue(entry, paths));
-  if (typeof value === "string") paths.push(value);
-}
-
-function collectCommandPaths(command, paths) {
-  if (!command) return;
-  for (const segment of command.split(/&&|\|\||[;]/).map((part) => part.trim())) {
-    const parts = tokens(segment);
-    if (/^(touch|mkdir|rm)$/.test(parts[0])) paths.push(...parts.slice(1).filter((part) => !part.startsWith("-")));
-    if (/^(cp|mv)$/.test(parts[0])) paths.push(...parts.slice(1).filter((part) => !part.startsWith("-")).slice(-1));
-  }
-}
-
-function cleanPath(path) {
-  return String(path).replace(/\\/g, "/").replace(/^\.\//, "").replace(/[):;]+$/, "");
-}
-
-function scopeDrift(paths, allowed) {
-  if (!Array.isArray(allowed)) return [];
-  return paths.filter((path) => !isControlStatePath(path) && !allowed.some((pattern) => pathMatches(path, pattern)));
-}
-
-function isControlStatePath(path) {
-  return path === ".naome/task-state.json" || path.startsWith(".naome/tasks/") || path.startsWith(".naome/cache/");
-}
-
-function owedProof(paths, verification) {
-  const checks = new Set();
-  for (const type of verification?.changeTypes || []) {
-    if (paths.some((path) => (type.paths || []).some((pattern) => pathMatches(path, pattern)))) {
-      for (const check of type.requiredChecks || []) if (!CHEAP.has(check)) checks.add(check);
-    }
-  }
-  return [...checks].sort();
-}
-
-function expensiveProof(checks) {
-  return checks.filter((check) => EXPENSIVE.has(check));
-}
-
-function pushUnique(codes, code, messages, message) {
-  if (!codes.includes(code)) codes.push(code);
-  if (!messages.includes(message)) messages.push(message);
-}
-
-function primaryReason(codes) {
-  if (codes.includes("scope-drift")) return "scope-drift";
-  if (codes.some((code) => code.endsWith("-failed"))) return "cheap-gate-failed";
-  return codes[0] || "naome-hook-warning";
-}
-
-module.exports = {
-  classifyPrompt,
-  expensiveProof,
-  forbiddenPath,
-  hardBlockedCommand,
-  looksLikeWriteTool,
-  owedProof,
-  permissionRiskCodes,
-  primaryReason,
-  pushUnique,
-  riskyPromptCodes,
-  scopeDrift,
-  searchSegments, touchedPaths
-};

package/templates/naome-root/.naome/bin/codex-hook-runtime.js

@@ -1,174 +0,0 @@
-"use strict";
-
-const io = require("./codex-hook-io.js");
-const policy = require("./codex-hook-policy.js");
-
-function handleCodexHook() {
-  const payload = io.readPayload();
-  const event = io.eventName(payload);
-  try {
-    if (event === "UserPromptSubmit") return userPrompt(payload); if (event === "PreToolUse") return preTool(payload);
-    if (event === "PermissionRequest") return permission(payload); if (event === "PostToolUse") return postTool(payload);
-    if (event === "Stop") return stop(payload);
-  } catch {
-    return io.write({});
-  }
-  io.write({});
-}
-
-function userPrompt(payload) {
-  const prompt = io.promptOf(payload);
-  const classification = policy.classifyPrompt(prompt);
-  const risky = policy.riskyPromptCodes(prompt);
-  const status = io.parseJson(io.runNaome(["status", "--json"]).stdout);
-  const codes = [`prompt-${classification}`, ...risky];
-  if (status?.state === "dirty_unowned_diff") codes.push("repo-dirty-unowned");
-  if (["new_task", "ci_fix"].includes(classification)) codes.push("route-required", "context-selection-required");
-  io.decide("warn", "prompt-guidance", [`prompt:${classification}`, status?.state ? `repo:${status.state}` : null, risky.length ? `risk:${risky.join(",")}` : null, ["new_task", "ci_fix"].includes(classification) ? "run route and context select before feature work" : null], { classification, reasonCodes: codes });
-}
-
-function preTool(payload) {
-  const command = io.commandOf(payload);
-  const boundary = policy.forbiddenPath(payload, command);
-  if (boundary) return io.decide("block", boundary, [boundary], { reasonCodes: [boundary.split(":")[0]] });
-  if (!command) return io.write({});
-  const hard = policy.hardBlockedCommand(command);
-  if (hard) return io.decide("block", hard, [hard], { reasonCodes: [hard.split(":")[0]] });
-  const preflight = commitPushPreflight(command);
-  if (preflight) return io.decide("block", preflight, [preflight], { reasonCodes: [preflight.split(":")[0]] });
-  const search = validateSearch(command);
-  if (search) return io.decide("block", search, [search], { reasonCodes: [search.split(":")[0]] });
-  io.write({});
-}
-
-function permission(payload) {
-  const risks = policy.permissionRiskCodes(`${io.commandOf(payload) || ""} ${io.promptOf(payload)}`);
-  if (!risks.length) return io.write({});
-  io.decide("warn", "permission-risk-summary", [`permission risks: ${risks.join(",")}; approve only if this matches the current NAOME task.`], { riskCodes: risks, reasonCodes: ["permission-risk-summary"] });
-}
-
-function postTool(payload) {
-  const command = io.commandOf(payload);
-  const changedPaths = changedFiles();
-  if (!changedPaths.length) return io.write({});
-  if (!policy.looksLikeWriteTool(payload, command)) {
-    const cache = io.readCache();
-    io.writeCache({ ...cache, postToolUse: { signature: io.diffSignature(), decision: {} } });
-    return io.write({});
-  }
-  const checkedPaths = postToolCheckedPaths(payload, command, changedPaths);
-  if (!checkedPaths.length) return io.write({});
-  const signature = `${io.diffSignature()}:${checkedPaths.join("\0")}`;
-  const cache = io.readCache();
-  if (cache.postToolUse?.signature === signature) return io.write({});
-  const result = changedState(checkedPaths, { pathScoped: true });
-  const decision = result.codes.length ? io.decisionObject("warn", policy.primaryReason(result.codes), result.messages, { reasonCodes: result.codes, changedPaths: checkedPaths, owedProof: result.expensiveOwed, cheapGates: result.gates }) : {};
-  io.writeCache({ ...cache, postToolUse: { signature, decision, changedPaths, checkedPaths, cheapGateCommands: result.gateCommands } });
-  io.write(decision);
-}
-
-function stop(payload) {
-  const changedPaths = changedFiles();
-  const result = changedState(changedPaths);
-  for (const check of [io.taskCheck([]), io.taskCheck(["--progress"])]) {
-    const output = `${check.stdout || ""}\n${check.stderr || ""}`;
-    if (check.status && /outside allowedPaths|scope drift/i.test(output)) policy.pushUnique(result.codes, "scope-drift", result.messages, "scope drift blocks completion");
-    if (check.status && /missing proof|proofResults missing|failed proof/i.test(output)) policy.pushUnique(result.codes, "missing-proof", result.messages, "missing required proof blocks completion");
-  }
-  const prompt = io.promptOf(payload);
-  if (/push/i.test(prompt) && /\[ahead [1-9]/.test(io.runGit(["status", "--short", "--branch"]).stdout || "")) {
-    policy.pushUnique(result.codes, "unpushed-branch", result.messages, "branch has unpushed commits");
-  }
-  if (/resolve|review comment|github comment/i.test(prompt) && /CHANGES_REQUESTED/.test(io.run("gh", ["pr", "view", "--json", "reviewDecision"]).stdout || "")) {
-    policy.pushUnique(result.codes, "unresolved-review-comments", result.messages, "GitHub review still appears unresolved");
-  }
-  if (result.codes.length) return io.decide("block", policy.primaryReason(result.codes), result.messages, { reasonCodes: result.codes, changedPaths, cheapGates: result.gates });
-  io.write({});
-}
-
-function changedState(changedPaths, options = {}) {
-  const codes = [];
-  const messages = [];
-  const state = io.readJson(".naome/task-state.json");
-  const drift = policy.scopeDrift(changedPaths, state?.activeTask?.allowedPaths);
-  if (drift.length) policy.pushUnique(codes, "scope-drift", messages, `scope drift: ${drift.join(", ")}`);
-  const expensiveOwed = missingExpensiveProof(changedPaths, policy.expensiveProof(policy.owedProof(changedPaths, io.readJson(".naome/verification.json"))), state?.activeTask);
-  if (expensiveOwed.length) policy.pushUnique(codes, "owed-proof", messages, `owed proof: ${expensiveOwed.join(", ")}`);
-  if (repoStale()) policy.pushUnique(codes, "repository-model-stale", messages, "repository model is stale");
-  const gatePaths = options.pathScoped ? changedPaths : [];
-  const gates = cheapGates(gatePaths);
-  for (const gate of gates) policy.pushUnique(codes, gate.code, messages, gate.message);
-  return { codes, messages, expensiveOwed, gates, gateCommands: cheapGateCommands(gatePaths) };
-}
-
-function commitPushPreflight(command) {
-  if (!/\bgit\s+(commit|push)\b/.test(command.replace(/\s+/g, " "))) return null;
-  if (/\bgit\s+commit\b/.test(command)) return "commit-preflight: use `node .naome/bin/naome.js commit -m ...` so NAOME owns staging, proof, and commit gates.";
-  for (const gate of cheapGates()) return `push-preflight: ${gate.checkId} failed before git push.`;
-  return repoStale() ? "push-preflight: repository-model-stale failed before git push." : null;
-}
-
-function cheapGates(paths = []) {
-  return cheapGateChecks(paths).flatMap(([checkId, command, fn]) => fn().status ? [{ code: `${checkId}-failed`, checkId, command, message: `cheap gate failed: ${checkId}` }] : []);
-}
-function cheapGateCommands(paths = []) {
-  return cheapGateChecks(paths).map(([, command]) => command);
-}
-function cheapGateChecks(paths = []) {
-  const pathArgs = paths.flatMap((path) => ["--path", path]);
-  const displayPaths = paths.map(shellPath).join(" ");
-  const checks = [
-    ["diff-check", paths.length ? `git diff --check -- ${displayPaths}` : "git diff --check", () => io.runGit(paths.length ? ["diff", "--check", "--", ...paths] : ["diff", "--check"])],
-    ["repository-quality-check", paths.length ? `node .naome/bin/naome.js quality check ${pathArgs.join(" ")}` : "node .naome/bin/naome.js quality check --changed", () => io.runNaome(paths.length ? ["quality", "check", ...pathArgs] : ["quality", "check", "--changed"])],
-    ["repository-semantic-check", paths.length ? `node .naome/bin/naome.js semantic check ${pathArgs.join(" ")}` : "node .naome/bin/naome.js semantic check --changed", () => io.runNaome(paths.length ? ["semantic", "check", ...pathArgs] : ["semantic", "check", "--changed"])]
-  ];
-  if (!paths.length && hasActiveTask()) checks.push(["task-state-progress-check", "node .naome/bin/check-task-state.js --progress", () => io.taskCheck(["--progress"])]);
-  return checks;
-}
-function validateSearch(command) {
-  for (const segment of policy.searchSegments(command)) {
-    const result = io.runNaome(["workflow", "check-search", "--command", segment, "--json"]);
-    if (result.status === 0) continue;
-    const ids = io.parseJson(result.stdout)?.findings?.map((finding) => finding.id).filter(Boolean);
-    return ids?.length ? `${ids.join(",")}: NAOME rejected this broad search command.` : io.compact(`unsafe-search-command: ${result.stdout || result.stderr}`);
-  }
-  return null;
-}
-function changedFiles() {
-  const result = io.runGit(["status", "--porcelain=v1"]);
-  return result.status ? [] : result.stdout.split(/\r?\n/).filter(Boolean).map((line) => line.replace(/^..\s+/, "").split(" -> ").pop()).filter((path, index, paths) => path && paths.indexOf(path) === index);
-}
-function postToolCheckedPaths(payload, command, changedPaths) {
-  const touched = policy.touchedPaths(payload, command);
-  if (!touched.length) return changedPaths;
-  return changedPaths.filter((path) => touched.some((touch) => path === touch || path.startsWith(`${touch}/`)));
-}
-function shellPath(path) {
-  return /[^A-Za-z0-9_./:-]/.test(path) ? JSON.stringify(path) : path;
-}
-function repoStale() {
-  const result = io.runNaome(["repo", "check", "--json"]);
-  return result.status !== 0 && /repository model is stale|repository-model-stale/i.test(`${result.stdout}\n${result.stderr}`);
-}
-
-function hasActiveTask() {
-  const state = io.readJson(".naome/task-state.json"); return Boolean(state?.activeTask && state.status === "implementing");
-}
-function missingExpensiveProof(changedPaths, checkIds, activeTask) {
-  const proofPaths = changedPaths.filter((path) => !isControlStatePath(path));
-  return proofPaths.length ? checkIds.filter((checkId) => !proofCoversChangedPaths(activeTask, checkId, proofPaths)) : [];
-}
-function proofCoversChangedPaths(activeTask, checkId, changedPaths) {
-  const proof = (activeTask?.proofResults || []).find((entry) => entry.checkId === checkId && entry.exitCode === 0);
-  const evidence = Array.isArray(proof?.evidence) ? proof.evidence : [];
-  return changedPaths.every((changedPath) => evidence.some((path) => evidenceCoversPath(path, changedPath)));
-}
-function evidenceCoversPath(evidencePath, changedPath) {
-  const evidence = String(evidencePath);
-  return evidence === changedPath || (evidence.endsWith("/") && String(changedPath).startsWith(evidence)) || (evidence.endsWith("/**") && String(changedPath).startsWith(evidence.slice(0, -3)));
-}
-function isControlStatePath(path) {
-  return path === ".naome/task-state.json" || path.startsWith(".naome/tasks/") || path.startsWith(".naome/cache/");
-}
-
-module.exports = { handleCodexHook };

package/templates/naome-root/.naome/bin/codex-hook.js

@@ -1,6 +0,0 @@
-#!/usr/bin/env node
-"use strict";
-
-const { handleCodexHook } = require("./codex-hook-runtime.js");
-
-handleCodexHook();

package/templates/naome-root/docs/naome/codex-hooks.md

@@ -1,82 +0,0 @@
-# Optional Codex Hooks
-
-NAOME can install repo-local Codex hooks as an optional acceleration layer for coding agents.
-
-Hooks are not the source of truth. They provide earlier feedback before an agent spends tokens on work that normal NAOME gates would reject later.
-
-Authoritative enforcement remains in:
-
-- `.naome/task-state.json` validation
-- `naome route`
-- `naome quality` and `naome semantic` gates
-- `naome commit`
-- repository Git hooks
-- verification proof checks
-
-## Install Or Skip
-
-`naome install` and `naome sync` may ask whether to install optional Codex hooks.
-
-Answering no is valid. The repository remains fully usable for humans, CI, and agents without Codex hook support.
-
-For non-interactive environments, NAOME skips optional hooks unless explicitly requested:
-
-```sh
-NAOME_CODEX_HOOKS=1 naome sync
-NAOME_CODEX_HOOKS=0 naome sync
-```
-
-## Events
-
-The installed dispatcher listens to these Codex events:
-
-- `UserPromptSubmit`: performs read-only prompt classification and repo/task inspection. Codex Desktop currently accepts no non-blocking warning decision here, so advisory output is intentionally silent.
-- `PreToolUse`: blocks clear unsafe commands before execution, including destructive Git operations, hook bypasses, force pushes, `.naome/archive` reads, `.naomeignore` reads, and broad searches that do not honor NAOME search boundaries. It also runs commit/push preflight checks.
-- `PostToolUse`: after edits, records changed-file state, narrows checks to files touched by the current tool call when Codex provides a path, compares those files with active task ownership, checks repository-model freshness, and runs cheap path-scoped gates. Non-blocking edit guidance is cached for later Stop/preflight decisions rather than emitted as an unsupported warning.
-- `PermissionRequest`: performs read-only escalation risk classification. Codex Desktop currently accepts no non-blocking warning decision here, so advisory output is intentionally silent.
-- `Stop`: prevents misleading completion claims when scope drift, stale repository-model data, missing proof, an unpushed requested branch, or unresolved requested review comments are still visible.
-
-## Blocking And Advisory Checks
-
-Hard blocks are reserved for clear safety violations:
-
-- destructive commands such as hard resets, forced cleans, and deleting `.git`
-- hook bypasses such as `--no-verify`
-- force pushes, including `--force`, `--force-with-lease`, and `-f`
-- reads or searches inside `.naome/archive` or paths matched by `.naomeignore`
-- broad search commands that fail NAOME search-profile validation
-- commit/push attempts that would skip required ownership, scope, proof, or repository-model checks
-- final responses that would claim completion while required proof or scope checks are still failing
-
-Hook output is conservative for Codex Desktop compatibility: hooks emit `{}` for allowed/advisory outcomes and emit only `{"decision":"block","reason":"..."}` for true blocks. Stable reason codes are embedded in the block reason text.
-
-## Edit-Time Gates
-
-After file edits, hooks run only fast deterministic gates. When the tool input identifies touched files, PostToolUse scopes these checks to those files instead of the whole diff:
-
-- `git diff --check -- <touched-paths>`
-- `node .naome/bin/naome.js quality check --path <touched-path>`
-- `node .naome/bin/naome.js semantic check --path <touched-path>`
-- active-task scope checking for the touched paths
-
-If the touched paths cannot be inferred, PostToolUse falls back to the current changed-file set. These checks are debounced by the current diff signature plus the checked path set. Repeated hook calls over the same content reuse the previous result so normal editing stays responsive.
-
-Stop, commit, and push preflight stay full-diff checks. They verify the complete changed-file set so earlier unrelated drift or proof failures cannot be hidden by a later narrow edit.
-
-Full suites such as installer tests, Rust builds, package dry-runs, and CI-like workflows are treated as owed proof based on changed paths. They are not run automatically after every edit because they are too slow and noisy for real-time feedback.
-
-Every hook advisory calculation maps to a normal NAOME command or gate. If hooks are unavailable, disabled, or not installed, humans can keep working by following the normal route, context-selection, task-state, quality, semantic, verification, and commit gates directly.
-
-## Local Files
-
-Opting in installs:
-
-- `.codex/config.toml`
-- `.codex/hooks.json`
-- `.naome/bin/codex-hook.js`
-- `.naome/bin/codex-hook-io.js`
-- `.naome/bin/codex-hook-policy.js`
-- `.naome/bin/codex-hook-runtime.js`
-- `docs/naome/codex-hooks.md`
-
-These files are repo-local. They are managed only after opt-in and are not required by repositories that decline hooks.