@lamentis/naome 1.3.7 → 1.3.9

package/crates/naome-core/tests/quality_performance.rs

@@ -4,8 +4,8 @@ use std::fs;
 
 use naome_core::{
     check_repository_quality, check_repository_quality_paths, check_semantic_legacy,
-    init_repository_quality, init_repository_quality_with_mode, quality_cache_status,
-    QualityInitMode, QualityMode,
+    clear_quality_cache, init_repository_quality, init_repository_quality_with_mode,
+    quality_cache_status, QualityInitMode, QualityMode,
 };
 
 use repo_support::TestRepo;
@@ -140,6 +140,67 @@ fn second_report_uses_file_analysis_cache() {
     assert_eq!(second.summary.cache_misses, 0);
 }
 
+#[cfg(unix)]
+#[test]
+fn report_skips_repository_symlinks_without_caching_target_contents() {
+    let repo = quality_repo("quality-cache-skips-file-symlink");
+    let victim = repo.path().join("../naome-victim-secret.txt");
+    fs::write(&victim, "VALIDATION_SECRET_raw_lines_12345\n").unwrap();
+    std::os::unix::fs::symlink(&victim, repo.path().join("leak.txt")).unwrap();
+    repo.git(&["add", "leak.txt"]);
+    repo.git(&["commit", "-m", "tracked symlink"]);
+
+    let report = check_repository_quality(repo.path(), QualityMode::Report).unwrap();
+    let cache = quality_cache_status(repo.path()).unwrap();
+
+    assert!(!report.scanned_paths.contains(&"leak.txt".to_string()));
+    assert_eq!(cache.entry_count, 0);
+}
+
+#[cfg(unix)]
+#[test]
+fn path_budget_skips_symlinks_before_reading_target_metadata() {
+    let repo = quality_repo("quality-budget-skips-symlink");
+    let victim = repo.path().join("../naome-large-victim.txt");
+    fs::write(&victim, "x".repeat(1024 * 1024 + 1)).unwrap();
+    std::os::unix::fs::symlink(&victim, repo.path().join("large-link.txt")).unwrap();
+    repo.git(&["add", "large-link.txt"]);
+    repo.git(&["commit", "-m", "tracked large symlink"]);
+
+    let report = check_repository_quality_paths(repo.path(), &["large-link.txt"]).unwrap();
+
+    assert!(!report.scanned_paths.contains(&"large-link.txt".to_string()));
+    assert!(!report
+        .summary
+        .reason_codes
+        .contains(&"max_file_bytes".to_string()));
+    fs::remove_file(victim).unwrap();
+}
+
+#[cfg(unix)]
+#[test]
+fn cache_operations_reject_symlinked_cache_path_components() {
+    let repo = quality_repo("quality-cache-rejects-cache-symlink");
+    repo.write_file("src/a.js", "export const value = 1;\n");
+    repo.commit_all("baseline");
+    let outside = repo.path().join("../naome-outside-cache");
+    fs::create_dir_all(outside.join("quality")).unwrap();
+    fs::remove_dir_all(repo.path().join(".naome/cache")).ok();
+    std::os::unix::fs::symlink(&outside, repo.path().join(".naome/cache")).unwrap();
+
+    let report = check_repository_quality(repo.path(), QualityMode::Report).unwrap();
+    let clear_error = clear_quality_cache(repo.path()).unwrap_err();
+
+    assert_eq!(report.summary.cache_hits, 0);
+    assert!(outside.join("quality").is_dir());
+    assert!(!fs::read_dir(outside.join("quality"))
+        .unwrap()
+        .any(|entry| entry.is_ok()));
+    assert!(clear_error
+        .to_string()
+        .contains("must not contain symlinks"));
+}
+
 #[test]
 fn report_budget_marks_truncated_reports() {
     let repo = quality_repo("quality-report-budget");

package/crates/naome-core/tests/repo_support/routes.rs

@@ -6,10 +6,16 @@ use super::TestRepo;
 
 const NEW_README_TASK_PROMPT: &str = "Add another line to README as a new task.";
 
+pub fn prompt_env(prompt: &str, workflow: &str, task: &str, mutation_intent: &str) -> String {
+    format!(
+        "```naome-prompt-envelope-v1\n{{\"schema\":\"naome.prompt-envelope.v1\",\"requestKind\":\"implementation\",\"mutationIntent\":\"{mutation_intent}\",\"workflowAction\":\"{workflow}\",\"taskIntent\":\"{task}\",\"risk\":\"none\",\"requestedActions\":[],\"referencedPaths\":[],\"constraints\":[],\"uncertainties\":[]}}\n```\n\n{prompt}"
+    )
+}
+
 pub fn route_commit_request(repo: &TestRepo) -> RouteDecision {
     evaluate_route(
         repo.path(),
-        "commit my changes",
+        &prompt_env("commit my changes", "commit_request", "none", "commit"),
         RouteOptions {
             execute: true,
             evaluation: EvaluationOptions::offline(),
@@ -29,7 +35,7 @@ pub fn try_route_new_task(
 ) -> Result<RouteDecision, NaomeError> {
     evaluate_route(
         repo.path(),
-        prompt,
+        &prompt_env(prompt, "none", "new_task", "modify_files"),
         RouteOptions {
             execute,
             evaluation: EvaluationOptions::offline(),

package/crates/naome-core/tests/route_baseline.rs

@@ -3,11 +3,40 @@ use std::fs;
 
 mod repo_support;
 
+use naome_core::{evaluate_route, EvaluationOptions, RouteOptions};
 use repo_support::{
     assert_commit_paths, assert_isolated_worktree_ready, route_new_task, route_readme_task,
     TestRepo,
 };
 
+#[test]
+fn execute_route_with_raw_prompt_requests_normalization_without_mutating() {
+    let repo = TestRepo::new("route-raw-prompt-normalize-first");
+    repo.init_git();
+    repo.write_file("README.md", "# Baseline\n");
+    repo.write_base_naome_state(json!({ "status": "idle", "activeTask": null }));
+    repo.git(&["add", "."]);
+    repo.git(&["commit", "-m", "baseline"]);
+    let before = repo.git_stdout(&["rev-parse", "HEAD"]);
+
+    let route = evaluate_route(
+        repo.path(),
+        "Please implement, commit, push, and create the MR.",
+        RouteOptions {
+            execute: true,
+            evaluation: EvaluationOptions::offline(),
+        },
+    )
+    .unwrap();
+
+    assert_eq!(route.prompt_intent, "prompt_normalization_required");
+    assert_eq!(route.policy_action, "normalize_prompt_first");
+    assert!(!route.mutation_performed);
+    assert!(!route.can_create_task);
+    assert_eq!(repo.git_stdout(&["rev-parse", "HEAD"]), before);
+    assert!(repo.git_status_short().is_empty());
+}
+
 #[test]
 fn dry_route_reports_auto_baseline_without_mutating() {
     let repo = TestRepo::completed_task_with_diff("route-dry-auto");

package/crates/naome-core/tests/route_completion.rs

@@ -7,6 +7,12 @@ mod repo_support;
 
 use repo_support::TestRepo;
 
+fn route_prompt(prompt: &str, workflow: &str, task: &str, mutation_intent: &str) -> String {
+    format!(
+        "```naome-prompt-envelope-v1\n{{\"schema\":\"naome.prompt-envelope.v1\",\"requestKind\":\"implementation\",\"mutationIntent\":\"{mutation_intent}\",\"workflowAction\":\"{workflow}\",\"taskIntent\":\"{task}\",\"risk\":\"none\",\"requestedActions\":[],\"referencedPaths\":[],\"constraints\":[],\"uncertainties\":[]}}\n```\n\n{prompt}"
+    )
+}
+
 #[test]
 fn execute_route_does_not_mutate_when_prompt_blocks_commit() {
     let repo = TestRepo::completed_task_with_diff("route-no-commit");
@@ -14,7 +20,12 @@ fn execute_route_does_not_mutate_when_prompt_blocks_commit() {
 
     let route = evaluate_route(
         repo.path(),
-        "Do not commit. Start a new task after this.",
+        &route_prompt(
+            "Do not commit. Start a new task after this.",
+            "no_commit_request",
+            "new_task",
+            "none",
+        ),
         RouteOptions {
             execute: true,
             evaluation: EvaluationOptions::offline(),
@@ -41,7 +52,7 @@ fn explicit_route_commit_baseline_leaves_unrelated_user_edit_unstaged() {
 
     let route = evaluate_route(
         repo.path(),
-        "commit_task_baseline",
+        &route_prompt("commit_task_baseline", "commit_request", "none", "commit"),
         RouteOptions {
             execute: true,
             evaluation: EvaluationOptions::offline(),
@@ -67,7 +78,12 @@ fn execute_route_journals_external_commit_after_completed_task() {
 
     let route = evaluate_route(
         repo.path(),
-        "Create a new task for README polish.",
+        &route_prompt(
+            "Create a new task for README polish.",
+            "none",
+            "new_task",
+            "modify_files",
+        ),
         RouteOptions {
             execute: true,
             evaluation: EvaluationOptions::offline(),
@@ -94,7 +110,12 @@ fn explain_reports_winning_rule_and_mutation_plan_without_executing() {
 
     let explain = explain_route(
         repo.path(),
-        "Start a new task for README polish.",
+        &route_prompt(
+            "Start a new task for README polish.",
+            "none",
+            "new_task",
+            "modify_files",
+        ),
         EvaluationOptions::offline(),
     )
     .unwrap();
@@ -126,7 +147,7 @@ fn unhealthy_harness_route_blocks_normal_work() {
 
     let route = evaluate_route(
         repo.path(),
-        "Create a new task.",
+        &route_prompt("Create a new task.", "none", "new_task", "modify_files"),
         RouteOptions {
             execute: true,
             evaluation: EvaluationOptions::online(),

package/crates/naome-core/tests/route_harness_refresh.rs

@@ -9,6 +9,12 @@ use repo_support::{
     TestRepo,
 };
 
+fn repair_prompt(prompt: &str) -> String {
+    format!(
+        "```naome-prompt-envelope-v1\n{{\"schema\":\"naome.prompt-envelope.v1\",\"requestKind\":\"fix\",\"mutationIntent\":\"modify_files\",\"workflowAction\":\"repair_request\",\"taskIntent\":\"none\",\"risk\":\"none\",\"requestedActions\":[\"repair\"],\"referencedPaths\":[],\"constraints\":[],\"uncertainties\":[]}}\n```\n\n{prompt}"
+    )
+}
+
 #[test]
 fn execute_route_baselines_harness_refresh_before_dirty_repo_worktree() {
     let repo = TestRepo::dirty_harness_refresh_repo("route-dirty-harness-refresh-worktree", true);
@@ -66,7 +72,7 @@ fn execute_route_repair_request_baselines_harness_refresh_only() {
 
     let route = evaluate_route(
         repo.path(),
-        "please repair all",
+        &repair_prompt("please repair all"),
         RouteOptions {
             execute: true,
             evaluation: EvaluationOptions::offline(),

package/crates/naome-core/tests/route_user_diff.rs

@@ -27,7 +27,7 @@ fn execute_route_does_not_mutate_or_offer_clear_commit_for_dirty_unowned_diff()
     )
     .unwrap();
 
-    assert_eq!(route.policy_action, "block_unowned_diff");
+    assert_eq!(route.policy_action, "normalize_prompt_first");
     assert!(!route.mutation_performed);
     assert!(!route.can_create_task);
     assert_eq!(route.executed_actions, Vec::<String>::new());

package/crates/naome-core/tests/task_state_compact.rs

@@ -6,6 +6,12 @@ use task_state_compact_support::{
     compact_state, large_compact_state, large_expanded_state, legacy_state, MiniRepo,
 };
 
+fn new_task_prompt(prompt: &str) -> String {
+    format!(
+        "```naome-prompt-envelope-v1\n{{\"schema\":\"naome.prompt-envelope.v1\",\"requestKind\":\"implementation\",\"mutationIntent\":\"modify_files\",\"workflowAction\":\"none\",\"taskIntent\":\"new_task\",\"risk\":\"none\",\"requestedActions\":[],\"referencedPaths\":[],\"constraints\":[],\"uncertainties\":[]}}\n```\n\n{prompt}"
+    )
+}
+
 #[test]
 fn legacy_v1_proof_results_remain_valid() {
     let repo = MiniRepo::new();
@@ -30,7 +36,7 @@ fn compact_path_sets_and_batches_cover_completion_commit_and_route() {
 
     let route = evaluate_route(
         repo.path(),
-        "new task",
+        &new_task_prompt("new task"),
         RouteOptions {
             execute: false,
             evaluation: EvaluationOptions::offline(),

package/installer/filesystem.js

@@ -64,6 +64,44 @@ export function archiveUpgradePath(ctx, archiveDirName, relativePath) {
   return join(ctx.targetRoot, ".naome", "archive", archiveDirName, relativePath);
 }
 
+export function assertWritableArchivePath(ctx, archiveDirName, relativePath) {
+  const archiveRelativePath = join(".naome", "archive", archiveDirName, relativePath);
+  const parts = archiveRelativePath.split(/[\\/]+/);
+  let current = ctx.targetRoot;
+
+  for (let index = 0; index < parts.length; index += 1) {
+    const part = parts[index];
+    const isLeaf = index === parts.length - 1;
+    current = join(current, part);
+
+    try {
+      const stats = lstatSync(current);
+      if (stats.isSymbolicLink()) {
+        printError(ctx, `NAOME cannot archive ${relativePath} safely.`);
+        console.error(`${archiveRelativePath} must not contain symbolic links.`);
+        process.exit(1);
+      }
+
+      if (!isLeaf && !stats.isDirectory()) {
+        printError(ctx, `NAOME cannot archive ${relativePath} because the archive path is not a directory.`);
+        console.error(`${join(...parts.slice(0, index + 1))} must be a regular directory or must not exist.`);
+        process.exit(1);
+      }
+
+      if (isLeaf && existsSync(current) && !stats.isFile()) {
+        printError(ctx, `NAOME cannot archive ${relativePath} because the archive path is not a file.`);
+        console.error(`${archiveRelativePath} must be a regular file or must not exist.`);
+        process.exit(1);
+      }
+    } catch (error) {
+      if (error.code === "ENOENT") {
+        continue;
+      }
+      throw error;
+    }
+  }
+}
+
 export function ensureArchiveDirectory(ctx) {
   const archivePath = ".naome/archive";
   const targetPath = join(ctx.targetRoot, archivePath);

package/installer/flows.js

@@ -31,6 +31,8 @@ const legacyOptionalHookPaths = [
   "docs/naome/codex-hooks.md",
 ];
 
+const trustedRetiredMachineOwnedPaths = new Set(legacyOptionalHookPaths);
+
 export async function runFreshInstall(ctx) {
   await confirmAgentsTakeover(ctx);
 
@@ -110,8 +112,11 @@ function removeRetiredMachineOwnedFiles(ctx, manifest, archiveDirName, options =
     ...ctx.localOnlyMachineOwnedPaths,
     ctx.nativeBinaryRelativePath,
   ].filter(Boolean));
+  const manifestRetiredPaths = Array.isArray(manifest?.machineOwned)
+    ? manifest.machineOwned.filter((path) => trustedRetiredMachineOwnedPaths.has(path))
+    : [];
   const retiredPaths = [
-    ...(Array.isArray(manifest?.machineOwned) ? manifest.machineOwned : []),
+    ...manifestRetiredPaths,
     ...(Array.isArray(options.extraPaths) ? options.extraPaths : []),
   ];
 

package/installer/harness-file-ops.js

@@ -9,8 +9,8 @@ import {
 } from "node:fs";
 import { dirname, join, relative } from "node:path";
 
-import { archiveUpgradePath, hasSymlinkInTargetPath } from "./filesystem.js";
-import { hasGeneratedIntegrity, machineFileHash } from "./native.js";
+import { archiveUpgradePath, assertWritableArchivePath, hasSymlinkInTargetPath } from "./filesystem.js";
+import { machineFileHash } from "./native.js";
 import { printError } from "./output.js";
 
 export function ensureTemplateFile(ctx, relativePath) {
@@ -55,8 +55,13 @@ export function removeLegacyHarnessFile(ctx, relativePath, archiveDirName) {
     return;
   }
 
-  const archivePath = archiveUpgradePath(ctx, archiveDirName, relativePath);
+  const archivePath = safeArchivePath(ctx, archiveDirName, relativePath);
+  if (archivePath === null) {
+    failUnsafeArchivePath(ctx, archiveDirName, relativePath);
+  }
+
   mkdirSync(dirname(archivePath), { recursive: true });
+  assertWritableArchivePath(ctx, archiveDirName, relativePath);
   copyFileSync(targetPath, archivePath);
   unlinkSync(targetPath);
   ctx.updated.push(relativePath);
@@ -128,17 +133,40 @@ function replaceChangedHarnessFile(ctx, relativePath, archiveDirName, sourcePath
     return;
   }
 
-  const archivePath = archiveUpgradePath(ctx, archiveDirName, relativePath);
+  const archivePath = safeArchivePath(ctx, archiveDirName, relativePath);
+  if (archivePath === null) {
+    failUnsafeArchivePath(ctx, archiveDirName, relativePath);
+  }
+
   mkdirSync(dirname(archivePath), { recursive: true });
+  assertWritableArchivePath(ctx, archiveDirName, relativePath);
   copyFileSync(targetPath, archivePath);
   writeFileSync(targetPath, nextContent);
   ctx.updated.push(relativePath);
   ctx.archived.push({ from: relativePath, to: relative(ctx.targetRoot, archivePath) });
 }
 
-function unchangedMachineHash(ctx, relativePath, currentContent, nextContent) {
-  return (
-    !hasGeneratedIntegrity(ctx, relativePath) &&
-    machineFileHash(ctx, relativePath, currentContent) === machineFileHash(ctx, relativePath, nextContent)
+function safeArchivePath(ctx, archiveDirName, relativePath) {
+  const archivePath = archiveUpgradePath(ctx, archiveDirName, relativePath);
+  const archiveParent = relative(ctx.targetRoot, dirname(archivePath));
+  if (hasSymlinkInTargetPath(ctx, archiveParent)) {
+    return null;
+  }
+  if (existsSync(archivePath)) {
+    return null;
+  }
+
+  return archivePath;
+}
+
+function failUnsafeArchivePath(ctx, archiveDirName, relativePath) {
+  printError(ctx, `NAOME cannot archive ${relativePath} safely.`);
+  console.error(
+    `${relative(ctx.targetRoot, archiveUpgradePath(ctx, archiveDirName, relativePath))} must not contain symlinks or pre-existing files.`
   );
+  process.exit(1);
+}
+
+function unchangedMachineHash(ctx, relativePath, currentContent, nextContent) {
+  return machineFileHash(ctx, relativePath, currentContent) === machineFileHash(ctx, relativePath, nextContent);
 }

package/installer/manifest-state.js

@@ -2,7 +2,7 @@ import { existsSync, lstatSync, mkdirSync, readFileSync, writeFileSync } from "n
 import { dirname, join } from "node:path";
 
 import { hasSymlinkInTargetPath } from "./filesystem.js";
-import { installedNativeBinaryHash, templateIntegrity, usesSourceNativeFallback } from "./native.js";
+import { installedMachineOwnedIntegrity, installedNativeBinaryHash, usesSourceNativeFallback } from "./native.js";
 import { printError } from "./output.js";
 import { isVersion } from "./version.js";
 
@@ -118,7 +118,7 @@ function applyManifestHealthMetadata(ctx, manifest) {
   manifest.harnessVersion = ctx.packageVersion;
   manifest.machineOwned = [...ctx.machineOwnedPaths];
   manifest.projectOwned = ctx.projectOwnedPaths;
-  manifest.integrity = templateIntegrity(ctx);
+  manifest.integrity = installedMachineOwnedIntegrity(ctx);
 
   const nativeHash = installedNativeBinaryHash(ctx);
   if (!usesSourceNativeFallback(ctx) && nativeHash) {

package/installer/native.js

@@ -6,6 +6,7 @@ import {
   lstatSync,
   mkdirSync,
   readFileSync,
+  unlinkSync,
   writeFileSync,
 } from "node:fs";
 import { dirname, join, resolve } from "node:path";
@@ -32,8 +33,8 @@ export function installNativeDecisionBinary(ctx) {
   }
 
   if (usesSourceNativeFallback(ctx)) {
-    patchNaomeCommandNativeIntegrity(ctx, "sha256:generated");
-    ctx.skipped.push(ctx.nativeBinaryRelativePath);
+    removeInstalledNativeDecisionBinary(ctx);
+    patchInstalledNativeIntegrity(ctx, "sha256:generated");
     return;
   }
 
@@ -52,7 +53,7 @@ export function installNativeDecisionBinary(ctx) {
   }
 
   chmodSync(targetPath, 0o755);
-  patchNaomeCommandNativeIntegrity(ctx, `sha256:${sourceHash}`);
+  patchInstalledNativeIntegrity(ctx, `sha256:${sourceHash}`);
 }
 
 export function findNativeDecisionBinary(ctx) {
@@ -75,7 +76,7 @@ export function findNativeDecisionBinary(ctx) {
 }
 
 export function patchInstalledMachineOwnedIntegrity(ctx) {
-  const integrityBlock = formatExpectedIntegrityBlock(templateIntegrity(ctx));
+  const integrityBlock = formatExpectedIntegrityBlock(installedMachineOwnedIntegrity(ctx));
 
   for (const relativePath of [ctx.healthCheckerRelativePath, ctx.taskStateCheckerRelativePath]) {
     const targetPath = join(ctx.targetRoot, relativePath);
@@ -110,6 +111,23 @@ export function installedNativeBinaryHash(ctx) {
   return sha256(readFileSync(targetPath));
 }
 
+function removeInstalledNativeDecisionBinary(ctx) {
+  const targetPath = join(ctx.targetRoot, ctx.nativeBinaryRelativePath);
+  if (!existsSync(targetPath)) {
+    ctx.skipped.push(ctx.nativeBinaryRelativePath);
+    return;
+  }
+
+  if (hasSymlinkInTargetPath(ctx, ctx.nativeBinaryRelativePath) || !lstatSync(targetPath).isFile()) {
+    ctx.skipped.push(ctx.nativeBinaryRelativePath);
+    ctx.unsafeSkipped.push(ctx.nativeBinaryRelativePath);
+    return;
+  }
+
+  unlinkSync(targetPath);
+  ctx.updated.push(ctx.nativeBinaryRelativePath);
+}
+
 export function templateIntegrity(ctx) {
   const integrity = {};
 
@@ -121,6 +139,17 @@ export function templateIntegrity(ctx) {
   return integrity;
 }
 
+export function installedMachineOwnedIntegrity(ctx) {
+  const integrity = templateIntegrity(ctx);
+  const nativeHash = installedNativeBinaryHash(ctx);
+
+  if (!usesSourceNativeFallback(ctx) && nativeHash) {
+    integrity[ctx.nativeBinaryRelativePath] = `sha256:${nativeHash}`;
+  }
+
+  return integrity;
+}
+
 export function sha256(content) {
   return createHash("sha256").update(content).digest("hex");
 }
@@ -132,7 +161,7 @@ export function machineFileHash(ctx, relativePath, content) {
     normalized = normalized.toString("utf8").replace(ctx.integrityBlockPattern, ctx.normalizedIntegrityBlock);
   }
 
-  if (relativePath === ctx.naomeCommandRelativePath) {
+  if (hasGeneratedNativeIntegrity(ctx, relativePath)) {
     normalized = normalized.toString("utf8").replace(ctx.nativeIntegrityPattern, ctx.normalizedNativeIntegrity);
   }
 
@@ -143,20 +172,36 @@ export function hasGeneratedIntegrity(ctx, relativePath) {
   return relativePath === ctx.healthCheckerRelativePath || relativePath === ctx.taskStateCheckerRelativePath;
 }
 
-function patchNaomeCommandNativeIntegrity(ctx, expectedIntegrity) {
-  const commandPath = join(ctx.targetRoot, ctx.naomeCommandRelativePath);
-  if (!existsSync(commandPath) || hasSymlinkInTargetPath(ctx, ctx.naomeCommandRelativePath)) {
-    return;
-  }
+export function hasGeneratedNativeIntegrity(ctx, relativePath) {
+  return [
+    ctx.healthCheckerRelativePath,
+    ctx.taskStateCheckerRelativePath,
+    ctx.naomeCommandRelativePath,
+  ].includes(relativePath);
+}
+
+function patchInstalledNativeIntegrity(ctx, expectedIntegrity) {
+  const nativeIntegrityPaths = [
+    ctx.healthCheckerRelativePath,
+    ctx.taskStateCheckerRelativePath,
+    ctx.naomeCommandRelativePath,
+  ];
+
+  for (const relativePath of nativeIntegrityPaths) {
+    const targetPath = join(ctx.targetRoot, relativePath);
+    if (!existsSync(targetPath) || hasSymlinkInTargetPath(ctx, relativePath)) {
+      continue;
+    }
 
-  const content = readFileSync(commandPath, "utf8");
-  const nextContent = content.replace(
-    ctx.nativeIntegrityPattern,
-    `const expectedNativeBinaryIntegrity = "${expectedIntegrity}";\n`,
-  );
+    const content = readFileSync(targetPath, "utf8");
+    const nextContent = content.replace(
+      ctx.nativeIntegrityPattern,
+      `const expectedNativeBinaryIntegrity = "${expectedIntegrity}";\n`,
+    );
 
-  if (nextContent !== content) {
-    writeFileSync(commandPath, nextContent);
-    ctx.updated.push(ctx.naomeCommandRelativePath);
+    if (nextContent !== content) {
+      writeFileSync(targetPath, nextContent);
+      ctx.updated.push(relativePath);
+    }
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lamentis/naome",
-  "version": "1.3.7",
+  "version": "1.3.9",
   "description": "Native-first CLI for the NAOME agent harness.",
   "license": "Apache-2.0",
   "type": "module",