@lamentis/naome 1.3.8 → 1.3.10

package/crates/naome-core/src/harness_health.rs

@@ -1,6 +1,7 @@
 mod integrity;
+mod manifest;
 
-use std::collections::{HashMap, HashSet};
+use std::collections::HashMap;
 use std::fs;
 use std::path::{Component, Path};
 
@@ -11,6 +12,7 @@ use self::integrity::{
     is_integrity_hash, native_integrity_from_naome_command, sha256_bytes,
     NAOME_COMMAND_RELATIVE_PATH, NATIVE_BINARY_RELATIVE_PATH,
 };
+use self::manifest::{string_array, validate_manifest_ownership, validate_manifest_shape};
 use crate::install_plan::{MACHINE_OWNED_PATHS, PROJECT_OWNED_PATHS};
 use crate::models::NaomeError;
 
@@ -56,62 +58,6 @@ pub fn validate_harness_health(
     Ok(errors)
 }
 
-fn validate_manifest_shape(manifest: &Value, errors: &mut Vec<String>) {
-    let Some(object) = manifest.as_object() else {
-        errors.push(".naome/manifest.json must be a JSON object.".to_string());
-        return;
-    };
-
-    if object.get("name").and_then(Value::as_str) != Some("naome") {
-        errors.push(".naome/manifest.json name must be naome.".to_string());
-    }
-
-    if !object
-        .get("harnessVersion")
-        .and_then(Value::as_str)
-        .is_some_and(is_version)
-    {
-        errors.push(".naome/manifest.json harnessVersion must be semver.".to_string());
-    }
-
-    if !string_array(object.get("machineOwned")).is_some() {
-        errors.push(".naome/manifest.json machineOwned must be a string array.".to_string());
-    }
-
-    if !string_array(object.get("projectOwned")).is_some() {
-        errors.push(".naome/manifest.json projectOwned must be a string array.".to_string());
-    }
-
-    if !object.get("integrity").is_some_and(Value::is_object) {
-        errors.push(".naome/manifest.json integrity must be an object.".to_string());
-    }
-}
-
-fn validate_manifest_ownership(manifest: &Value, errors: &mut Vec<String>) {
-    let Some(object) = manifest.as_object() else {
-        return;
-    };
-    let Some(machine_owned) = string_array(object.get("machineOwned")) else {
-        return;
-    };
-    let Some(project_owned) = string_array(object.get("projectOwned")) else {
-        return;
-    };
-
-    validate_contains_all(
-        &machine_owned,
-        MACHINE_OWNED_PATHS,
-        ".naome/manifest.json machineOwned",
-        errors,
-    );
-    validate_contains_all(
-        &project_owned,
-        PROJECT_OWNED_PATHS,
-        ".naome/manifest.json projectOwned",
-        errors,
-    );
-}
-
 fn validate_manifest_integrity(
     root: &Path,
     manifest: &Value,
@@ -186,13 +132,41 @@ fn validate_native_decision_binary(
         return Ok(());
     };
 
-    if !machine_owned
+    let wrapper_paths = [
+        NAOME_COMMAND_RELATIVE_PATH,
+        ".naome/bin/check-harness-health.js",
+        ".naome/bin/check-task-state.js",
+    ];
+    let wrapper_integrity = wrapper_paths
+        .iter()
+        .map(|relative_path| {
+            native_integrity_from_regular_file(root, relative_path)
+                .map(|expected| (*relative_path, expected))
+        })
+        .collect::<Result<Vec<_>, _>>()?;
+    let native_is_declared = machine_owned
+        .iter()
+        .any(|entry| entry == NATIVE_BINARY_RELATIVE_PATH);
+    let native_has_integrity = integrity.contains_key(NATIVE_BINARY_RELATIVE_PATH);
+    let native_path_present = fs::symlink_metadata(root.join(NATIVE_BINARY_RELATIVE_PATH)).is_ok();
+    let wrapper_requires_native = wrapper_integrity
         .iter()
-        .any(|entry| entry == NATIVE_BINARY_RELATIVE_PATH)
+        .any(|(_, expected)| expected.is_some());
+
+    if !native_is_declared
+        && !native_has_integrity
+        && !wrapper_requires_native
+        && !native_path_present
     {
         return Ok(());
     }
 
+    if !native_is_declared {
+        errors.push(format!(
+            ".naome/manifest.json machineOwned must include {NATIVE_BINARY_RELATIVE_PATH}."
+        ));
+    }
+
     validate_regular_file(root, NATIVE_BINARY_RELATIVE_PATH, errors)?;
 
     if !root.join(NATIVE_BINARY_RELATIVE_PATH).exists()
@@ -222,22 +196,36 @@ fn validate_native_decision_binary(
         ));
     }
 
-    let command_path = root.join(NAOME_COMMAND_RELATIVE_PATH);
-    if !command_path.exists() || has_symlink_in_path(root, NAOME_COMMAND_RELATIVE_PATH)? {
-        return Ok(());
-    }
-
-    let command_content = fs::read_to_string(command_path)?;
-    let command_expected = native_integrity_from_naome_command(&command_content);
-    if command_expected.as_deref() != Some(manifest_expected) {
-        errors.push(format!(
-            "{NAOME_COMMAND_RELATIVE_PATH} native binary integrity does not match .naome/manifest.json."
-        ));
+    for (relative_path, expected) in wrapper_integrity {
+        if expected.as_deref() != Some(manifest_expected) {
+            errors.push(format!(
+                "{relative_path} native binary integrity does not match .naome/manifest.json."
+            ));
+        }
     }
 
     Ok(())
 }
 
+fn native_integrity_from_regular_file(
+    root: &Path,
+    relative_path: &str,
+) -> Result<Option<String>, NaomeError> {
+    let file_path = root.join(relative_path);
+    if has_symlink_in_path(root, relative_path)? {
+        return Ok(None);
+    }
+    let Ok(metadata) = fs::symlink_metadata(&file_path) else {
+        return Ok(None);
+    };
+    if !metadata.is_file() {
+        return Ok(None);
+    }
+    Ok(native_integrity_from_naome_command(&fs::read_to_string(
+        file_path,
+    )?))
+}
+
 fn validate_naome_ignore(root: &Path, errors: &mut Vec<String>) -> Result<(), NaomeError> {
     let relative_path = ".naomeignore";
     if !root.join(relative_path).exists() || has_symlink_in_path(root, relative_path)? {
@@ -342,20 +330,6 @@ fn read_json(
     }
 }
 
-fn validate_contains_all(
-    actual_values: &[String],
-    expected_values: &[&str],
-    field_name: &str,
-    errors: &mut Vec<String>,
-) {
-    let actual: HashSet<&str> = actual_values.iter().map(String::as_str).collect();
-    for expected in expected_values {
-        if !actual.contains(expected) {
-            errors.push(format!("{field_name} must include {expected}."));
-        }
-    }
-}
-
 fn validate_regular_file(
     root: &Path,
     relative_path: &str,
@@ -423,25 +397,3 @@ fn has_symlink_in_path(root: &Path, relative_path: &str) -> Result<bool, NaomeEr
 
     Ok(false)
 }
-
-fn string_array(value: Option<&Value>) -> Option<Vec<String>> {
-    value.and_then(Value::as_array).and_then(|entries| {
-        entries
-            .iter()
-            .map(|entry| {
-                entry
-                    .as_str()
-                    .filter(|text| !text.trim().is_empty())
-                    .map(ToString::to_string)
-            })
-            .collect()
-    })
-}
-
-fn is_version(value: &str) -> bool {
-    let parts: Vec<&str> = value.split('.').collect();
-    parts.len() == 3
-        && parts
-            .iter()
-            .all(|part| !part.is_empty() && part.chars().all(|ch| ch.is_ascii_digit()))
-}

package/crates/naome-core/src/install_plan.rs

@@ -12,6 +12,7 @@ pub const MACHINE_OWNED_PATHS: &[&str] = &[
     "docs/naome/agent-workflow.md",
     "docs/naome/context-economy.md",
     "docs/naome/task-ledger.md",
+    "docs/naome/architecture-fitness.md",
     "docs/naome/execution.md",
     "docs/naome/upgrade.md",
 ];
@@ -48,6 +49,7 @@ pub const LOCAL_ONLY_MACHINE_OWNED_PATHS: &[&str] = &[
     "docs/naome/agent-workflow.md",
     "docs/naome/context-economy.md",
     "docs/naome/task-ledger.md",
+    "docs/naome/architecture-fitness.md",
     "docs/naome/execution.md",
     "docs/naome/upgrade.md",
 ];

package/crates/naome-core/src/lib.rs

@@ -1,3 +1,4 @@
+mod architecture;
 mod context;
 mod decision;
 mod git;
@@ -19,6 +20,14 @@ mod verification_contract;
 mod verification_contract_policy;
 mod workflow;
 
+pub use architecture::{
+    default_architecture_config_text, format_architecture_explain, format_architecture_scan,
+    format_architecture_validation, scan_architecture, validate_architecture,
+    ArchitectureAgentFeedback, ArchitectureConfig, ArchitectureEdge, ArchitectureEdgeKind,
+    ArchitectureGraph, ArchitectureMetadata, ArchitectureNode, ArchitectureNodeKind,
+    ArchitectureScanOptions, ArchitectureScanReport, ArchitectureValidation, ArchitectureViolation,
+    ContextConfig, LayerConfig, RuleConfig, Severity, SourceRange, ViolationSummary,
+};
 pub use context::{
     select_context_for_changed_paths, select_context_for_prompt, ContextBudgetLedger,
     ContextCapsule, ContextItem, ContextSelection,
@@ -36,14 +45,13 @@ pub use journal::{append_task_journal, TaskJournalEntry};
 pub use models::{Decision, NaomeError};
 pub use quality::{
     check_repository_quality, check_repository_quality_paths, check_semantic_legacy,
-    check_semantic_legacy_paths,
-    clear_quality_cache, explain_repository_structure, init_repository_quality,
-    init_repository_quality_with_mode, plan_quality_cleanup, quality_cache_status,
-    reconcile_repository_quality, route_quality_cleanup, semantic_route_for_finding,
-    QualityCacheStatus, QualityCleanupPlan, QualityCleanupRoute, QualityCleanupTask,
-    QualityInitMode, QualityInitResult, QualityMode, QualityReconcileReport, QualityReport,
-    QualitySummary, QualityViolation, RepositoryQualityConfig, RepositoryStructureConfig,
-    SemanticFinding, SemanticReport, StructurePathExplanation,
+    check_semantic_legacy_paths, clear_quality_cache, explain_repository_structure,
+    init_repository_quality, init_repository_quality_with_mode, plan_quality_cleanup,
+    quality_cache_status, reconcile_repository_quality, route_quality_cleanup,
+    semantic_route_for_finding, QualityCacheStatus, QualityCleanupPlan, QualityCleanupRoute,
+    QualityCleanupTask, QualityInitMode, QualityInitResult, QualityMode, QualityReconcileReport,
+    QualityReport, QualitySummary, QualityViolation, RepositoryQualityConfig,
+    RepositoryStructureConfig, SemanticFinding, SemanticReport, StructurePathExplanation,
 };
 pub use repository_model::{
     explain_repository_model_path, refresh_repository_model, repository_model_drift,

package/crates/naome-core/src/quality/cache.rs

@@ -1,5 +1,6 @@
-use std::fs;
-use std::path::{Path, PathBuf};
+use std::fs::{self, OpenOptions};
+use std::io::Write;
+use std::path::{Component, Path, PathBuf};
 
 use serde::{Deserialize, Serialize};
 use sha2::{Digest, Sha256};
@@ -49,7 +50,11 @@ impl QualityCache {
     }
 
     pub(crate) fn read(&self, path: &str, content_hash: &str) -> Option<FileAnalysis> {
-        let entry = fs::read_to_string(self.entry_path(path, content_hash)).ok()?;
+        let cache_path = self.safe_entry_path(path, content_hash).ok()?;
+        if !regular_file_without_symlink(&cache_path) {
+            return None;
+        }
+        let entry = fs::read_to_string(cache_path).ok()?;
         let entry: CacheEntry = serde_json::from_str(&entry).ok()?;
         if entry.schema == CACHE_SCHEMA
             && entry.naome_version == env!("CARGO_PKG_VERSION")
@@ -70,10 +75,7 @@ impl QualityCache {
         content_hash: &str,
         analysis: &FileAnalysis,
     ) -> Result<(), NaomeError> {
-        let cache_path = self.entry_path(path, content_hash);
-        if let Some(parent) = cache_path.parent() {
-            fs::create_dir_all(parent)?;
-        }
+        let cache_path = self.safe_entry_path(path, content_hash)?;
         let entry = CacheEntry {
             schema: CACHE_SCHEMA.to_string(),
             naome_version: env!("CARGO_PKG_VERSION").to_string(),
@@ -84,31 +86,29 @@ impl QualityCache {
             analysis: analysis.clone(),
         };
         let content = format!("{}\n", serde_json::to_string(&entry)?);
-        if fs::read_to_string(&cache_path).map_or(true, |current| current != content) {
-            fs::write(cache_path, content)?;
-        }
-        Ok(())
+        write_cache_entry(&cache_path, &content)
     }
 
-    fn entry_path(&self, path: &str, content_hash: &str) -> PathBuf {
-        self.root.join(CACHE_RELATIVE_PATH).join(stable_key(&[
+    fn safe_entry_path(&self, path: &str, content_hash: &str) -> Result<PathBuf, NaomeError> {
+        let cache_root = safe_cache_root(&self.root, true)?;
+        Ok(cache_root.join(stable_key(&[
             env!("CARGO_PKG_VERSION"),
             &self.config_hash,
             ADAPTER_VERSION,
             path,
             content_hash,
-        ]))
+        ])))
     }
 }
 
 pub fn quality_cache_status(root: &Path) -> Result<QualityCacheStatus, NaomeError> {
-    let path = root.join(CACHE_RELATIVE_PATH);
+    let path = safe_cache_root(root, false)?;
     let mut entry_count = 0;
     let mut bytes = 0;
-    if path.is_dir() {
+    if regular_directory_without_symlink(&path) {
         for entry in fs::read_dir(&path)? {
             let entry = entry?;
-            let metadata = entry.metadata()?;
+            let metadata = fs::symlink_metadata(entry.path())?;
             if metadata.is_file() {
                 entry_count += 1;
                 bytes += metadata.len();
@@ -124,13 +124,116 @@ pub fn quality_cache_status(root: &Path) -> Result<QualityCacheStatus, NaomeErro
 }
 
 pub fn clear_quality_cache(root: &Path) -> Result<QualityCacheStatus, NaomeError> {
-    let path = root.join(CACHE_RELATIVE_PATH);
-    if path.exists() {
+    let path = safe_cache_root(root, false)?;
+    if regular_directory_without_symlink(&path) {
         fs::remove_dir_all(&path)?;
     }
     quality_cache_status(root)
 }
 
+fn write_cache_entry(cache_path: &Path, content: &str) -> Result<(), NaomeError> {
+    validate_cache_entry_parent(cache_path)?;
+    match fs::symlink_metadata(cache_path) {
+        Ok(metadata) if metadata.file_type().is_symlink() || !metadata.is_file() => {
+            return Err(NaomeError::new(format!(
+                "quality cache entry must be a regular file: {}",
+                cache_path.display()
+            )));
+        }
+        Ok(_) => {
+            if fs::read_to_string(cache_path).map_or(false, |current| current == content) {
+                return Ok(());
+            }
+        }
+        Err(error) if error.kind() == std::io::ErrorKind::NotFound => {}
+        Err(error) => return Err(error.into()),
+    }
+
+    let temp_path = cache_path.with_extension(format!(
+        "tmp.{}.{}",
+        std::process::id(),
+        stable_key(&[content]).trim_end_matches(".json")
+    ));
+    validate_cache_entry_parent(&temp_path)?;
+    let mut temp = OpenOptions::new()
+        .write(true)
+        .create_new(true)
+        .open(&temp_path)?;
+    if let Err(error) = temp.write_all(content.as_bytes()) {
+        let _ = fs::remove_file(&temp_path);
+        return Err(error.into());
+    }
+    if let Err(error) = temp.sync_all() {
+        let _ = fs::remove_file(&temp_path);
+        return Err(error.into());
+    }
+    drop(temp);
+    validate_cache_entry_parent(cache_path)?;
+    if let Err(error) = fs::rename(&temp_path, cache_path) {
+        let _ = fs::remove_file(&temp_path);
+        return Err(error.into());
+    }
+    Ok(())
+}
+
+fn validate_cache_entry_parent(cache_path: &Path) -> Result<(), NaomeError> {
+    let Some(parent) = cache_path.parent() else {
+        return Err(NaomeError::new("quality cache entry path has no parent"));
+    };
+    if !regular_directory_without_symlink(parent) {
+        return Err(NaomeError::new(format!(
+            "quality cache path must be a regular directory without symlinks: {}",
+            parent.display()
+        )));
+    }
+    Ok(())
+}
+
+fn safe_cache_root(root: &Path, create: bool) -> Result<PathBuf, NaomeError> {
+    let mut current = root.to_path_buf();
+    for component in Path::new(CACHE_RELATIVE_PATH).components() {
+        let Component::Normal(component) = component else {
+            return Err(NaomeError::new(
+                "quality cache path must be repository-relative",
+            ));
+        };
+        current.push(component);
+        match fs::symlink_metadata(&current) {
+            Ok(metadata) if metadata.file_type().is_symlink() => {
+                return Err(NaomeError::new(format!(
+                    "quality cache path must not contain symlinks: {}",
+                    current.display()
+                )));
+            }
+            Ok(metadata) if metadata.is_dir() => {}
+            Ok(_) => {
+                return Err(NaomeError::new(format!(
+                    "quality cache path component is not a directory: {}",
+                    current.display()
+                )));
+            }
+            Err(error) if error.kind() == std::io::ErrorKind::NotFound && create => {
+                fs::create_dir(&current)?;
+            }
+            Err(error) if error.kind() == std::io::ErrorKind::NotFound => return Ok(current),
+            Err(error) => return Err(error.into()),
+        }
+    }
+    Ok(current)
+}
+
+fn regular_directory_without_symlink(path: &Path) -> bool {
+    fs::symlink_metadata(path)
+        .map(|metadata| metadata.is_dir() && !metadata.file_type().is_symlink())
+        .unwrap_or(false)
+}
+
+fn regular_file_without_symlink(path: &Path) -> bool {
+    fs::symlink_metadata(path)
+        .map(|metadata| metadata.is_file() && !metadata.file_type().is_symlink())
+        .unwrap_or(false)
+}
+
 pub(crate) fn content_hash(content: &str) -> String {
     stable_key(&[content])
 }

package/crates/naome-core/src/quality/scanner/analysis.rs

@@ -8,6 +8,8 @@ use super::{FileAnalysis, NormalizedLine, SymbolAnalysis};
 use crate::quality::cache::{content_hash, QualityCache};
 use normalize::{normalize_line, token_set};
 
+use super::repo_paths::regular_repo_file_path;
+
 pub(super) fn analyze_repo_file(
     root: &Path,
     path: &str,
@@ -16,8 +18,8 @@ pub(super) fn analyze_repo_file(
     cache: &QualityCache,
     allow_cache: bool,
 ) -> Option<(FileAnalysis, bool)> {
-    let full_path = root.join(path);
-    if !full_path.is_file() || is_binary_extension(path) {
+    let full_path = regular_repo_file_path(root, path)?;
+    if is_binary_extension(path) {
         return None;
     }
     if allow_cache {

package/crates/naome-core/src/quality/scanner/repo_paths.rs

@@ -1,6 +1,6 @@
 use std::collections::{HashMap, HashSet};
 use std::fs;
-use std::path::Path;
+use std::path::{Component, Path};
 use std::process::Command;
 
 use crate::models::NaomeError;
@@ -44,8 +44,10 @@ pub(super) fn added_lines_by_path(
         if !target_paths.contains(&path) {
             continue;
         }
-        if let Ok(content) = fs::read_to_string(root.join(&path)) {
-            added.insert(path, content.lines().count());
+        if let Some(file_path) = regular_repo_file_path(root, &path) {
+            if let Ok(content) = fs::read_to_string(file_path) {
+                added.insert(path, content.lines().count());
+            }
         }
     }
     Ok(added)
@@ -92,3 +94,25 @@ fn untracked_paths(root: &Path) -> Result<Vec<String>, NaomeError> {
         .map(|entry| String::from_utf8_lossy(entry).replace('\\', "/"))
         .collect())
 }
+
+pub(super) fn regular_repo_file_path(root: &Path, path: &str) -> Option<std::path::PathBuf> {
+    let relative = Path::new(path);
+    if relative.is_absolute() {
+        return None;
+    }
+    let mut current = root.to_path_buf();
+    for component in relative.components() {
+        let Component::Normal(component) = component else {
+            return None;
+        };
+        current.push(component);
+        let metadata = fs::symlink_metadata(&current).ok()?;
+        if metadata.file_type().is_symlink() {
+            return None;
+        }
+    }
+    fs::symlink_metadata(&current)
+        .ok()
+        .filter(|metadata| metadata.is_file())
+        .map(|_| current)
+}

package/crates/naome-core/src/quality/scanner.rs

@@ -9,7 +9,7 @@ use sha2::{Digest, Sha256};
 
 use crate::{git, models::NaomeError, paths};
 pub(crate) use repo_paths::collect_repo_paths;
-use repo_paths::{added_lines_by_path, tracked_blob_hashes};
+use repo_paths::{added_lines_by_path, regular_repo_file_path, tracked_blob_hashes};
 
 use super::cache::QualityCache;
 use super::types::{
@@ -317,7 +317,10 @@ fn max_file_bytes(mode: QualityMode) -> u64 {
 }
 
 fn file_exceeds_budget(root: &Path, path: &str, mode: QualityMode) -> bool {
-    fs::metadata(root.join(path)).map_or(false, |metadata| {
+    let Some(full_path) = regular_repo_file_path(root, path) else {
+        return false;
+    };
+    fs::symlink_metadata(full_path).map_or(false, |metadata| {
         metadata.is_file() && metadata.len() > max_file_bytes(mode)
     })
 }

package/crates/naome-core/src/workflow/integrity_support.rs

@@ -23,8 +23,14 @@ pub(super) fn refresh_support_files(
             changed.push(path.to_string());
         }
     }
-    if replace_native_integrity(root, integrity)? {
-        changed.push(NAOME_COMMAND_PATH.to_string());
+    for path in [
+        NAOME_COMMAND_PATH,
+        HEALTH_CHECKER_PATH,
+        TASK_STATE_CHECKER_PATH,
+    ] {
+        if replace_native_integrity(root, path, integrity)? {
+            changed.push(path.to_string());
+        }
     }
     Ok(changed)
 }
@@ -76,12 +82,13 @@ fn render_expected_integrity_block(integrity: &BTreeMap<String, String>) -> Stri
 
 fn replace_native_integrity(
     root: &Path,
+    relative_path: &str,
     integrity: &BTreeMap<String, String>,
 ) -> Result<bool, NaomeError> {
     let Some(native_hash) = integrity.get(NATIVE_BINARY_PATH) else {
         return Ok(false);
     };
-    let path = root.join(NAOME_COMMAND_PATH);
+    let path = root.join(relative_path);
     if !path.is_file() {
         return Ok(false);
     }