@lamentis/naome 1.3.8 → 1.3.10

package/crates/naome-core/tests/architecture.rs

@@ -0,0 +1,209 @@
+use std::fs;
+use std::path::{Path, PathBuf};
+use std::process::Command;
+use std::sync::atomic::{AtomicU64, Ordering};
+use std::time::{SystemTime, UNIX_EPOCH};
+
+use naome_core::{
+    default_architecture_config_text, scan_architecture, validate_architecture, ArchitectureConfig,
+    ArchitectureScanOptions,
+};
+
+static FIXTURE_COUNTER: AtomicU64 = AtomicU64::new(0);
+
+#[test]
+fn parses_starter_architecture_config() {
+    let config = ArchitectureConfig::parse(default_architecture_config_text(), "test").unwrap();
+
+    assert!(config.layers.contains_key("application"));
+    assert_eq!(
+        config.rule("max_file_lines").value,
+        Some(400),
+        "starter config should seed a production file-size budget"
+    );
+    assert_eq!(
+        config.ignore[0].reason,
+        "Generated code is not architecture-owned."
+    );
+}
+
+#[test]
+fn path_extractor_builds_language_agnostic_graph_for_mixed_repo() {
+    let repo = FixtureRepo::new();
+    repo.write("src/domain/event.ts", "export const event = 1;\n");
+    repo.write("src/infrastructure/db.py", "client = object()\n");
+    repo.write("cmd/server/main.go", "package main\n");
+    repo.write(
+        "naome.arch.yaml",
+        r#"
+layers:
+  domain:
+    paths:
+      - "src/domain/**"
+  infrastructure:
+    paths:
+      - "src/infrastructure/**"
+contexts:
+  app:
+    paths:
+      - "src/**"
+    public_api:
+      - "src/index.ts"
+rules:
+  max_file_lines:
+    enabled: true
+    value: 400
+    severity: warning
+"#,
+    );
+
+    let scan = scan_architecture(repo.path(), ArchitectureScanOptions::default()).unwrap();
+
+    assert!(scan
+        .graph
+        .nodes
+        .iter()
+        .any(|node| node.id == "file:src/domain/event.ts"));
+    assert!(scan
+        .graph
+        .nodes
+        .iter()
+        .any(|node| node.id == "layer:domain"));
+    assert!(scan
+        .graph
+        .edges
+        .iter()
+        .any(|edge| { edge.from == "layer:domain" && edge.to == "file:src/domain/event.ts" }));
+    assert_eq!(
+        scan.file_facts
+            .get("cmd/server/main.go")
+            .unwrap()
+            .language
+            .as_deref(),
+        Some("go")
+    );
+}
+
+#[test]
+fn validates_file_size_budget_with_stable_json_shape() {
+    let repo = FixtureRepo::new();
+    repo.write(
+        "naome.arch.yaml",
+        r#"
+rules:
+  max_file_lines:
+    enabled: true
+    value: 2
+    severity: error
+"#,
+    );
+    repo.write("src/too_big.rs", "one\ntwo\nthree\n");
+
+    let report = validate_architecture(repo.path(), ArchitectureScanOptions::default()).unwrap();
+    let json = serde_json::to_string(&report).unwrap();
+
+    assert_eq!(report.status, "fail");
+    assert!(json.contains("\"schema\":\"naome.arch.validation.v1\""));
+    assert!(json.contains("\"id\":\"arch.max_file_lines\""));
+    let violation = report
+        .violations
+        .iter()
+        .find(|violation| violation.path.as_deref() == Some("src/too_big.rs"))
+        .expect("expected src/too_big.rs file-size violation");
+    assert_eq!(violation.agent_instruction, "Reduce src/too_big.rs below 2 lines or add a justified generated-code ignore rule if it is not manually owned.");
+}
+
+#[test]
+fn changed_only_generated_boundary_reports_changed_generated_file() {
+    let repo = FixtureRepo::new();
+    repo.init_git();
+    repo.write(
+        "naome.arch.yaml",
+        r#"
+rules:
+  generated_manual_boundary:
+    enabled: true
+    severity: error
+ignore:
+  - path: "generated/**"
+    reason: "Generated code is not manually edited."
+"#,
+    );
+    repo.write("generated/client.ts", "export const generated = true;\n");
+
+    let report = validate_architecture(
+        repo.path(),
+        ArchitectureScanOptions {
+            changed_only: true,
+            config_path: None,
+        },
+    )
+    .unwrap();
+
+    assert_eq!(report.status, "fail");
+    assert!(report.changed_only_degraded_to_full_scan);
+    assert_eq!(report.violations[0].id, "arch.generated_manual_boundary");
+    assert_eq!(
+        report.violations[0].path.as_deref(),
+        Some("generated/client.ts")
+    );
+}
+
+struct FixtureRepo {
+    root: PathBuf,
+}
+
+impl FixtureRepo {
+    fn new() -> Self {
+        let nonce = SystemTime::now()
+            .duration_since(UNIX_EPOCH)
+            .unwrap()
+            .as_nanos();
+        let counter = FIXTURE_COUNTER.fetch_add(1, Ordering::Relaxed);
+        let root = std::env::temp_dir().join(format!(
+            "naome-arch-fixture-{}-{nonce}-{counter}",
+            std::process::id()
+        ));
+        fs::create_dir_all(&root).unwrap();
+        fs::write(
+            root.join(".naomeignore"),
+            ".naome/archive/\n.naome/tasks/\n",
+        )
+        .unwrap();
+        Self { root }
+    }
+
+    fn path(&self) -> &Path {
+        &self.root
+    }
+
+    fn write(&self, relative_path: &str, content: &str) {
+        let path = self.root.join(relative_path);
+        fs::create_dir_all(path.parent().unwrap()).unwrap();
+        fs::write(path, content).unwrap();
+    }
+
+    fn init_git(&self) {
+        run_git(&self.root, &["init"]);
+        run_git(&self.root, &["config", "user.email", "naome@example.com"]);
+        run_git(&self.root, &["config", "user.name", "NAOME Test"]);
+        self.write("README.md", "# Fixture\n");
+        run_git(&self.root, &["add", "."]);
+        run_git(&self.root, &["commit", "-m", "baseline"]);
+    }
+}
+
+fn run_git(root: &Path, args: &[&str]) {
+    let result = Command::new("git")
+        .args(args)
+        .current_dir(root)
+        .output()
+        .unwrap();
+    assert!(
+        result.status.success(),
+        "git {:?} failed: {}{}",
+        args,
+        String::from_utf8_lossy(&result.stdout),
+        String::from_utf8_lossy(&result.stderr)
+    );
+}

package/crates/naome-core/tests/harness_health.rs

@@ -19,11 +19,17 @@ const MACHINE_OWNED_PATHS: &[&str] = &[
     "docs/naome/first-run.md",
     "docs/naome/agent-workflow.md",
     "docs/naome/context-economy.md",
+    "docs/naome/architecture-fitness.md",
     "docs/naome/execution.md",
     "docs/naome/task-ledger.md",
     "docs/naome/upgrade.md",
 ];
 
+#[cfg(windows)]
+const NATIVE_BINARY_PATH: &str = ".naome/bin/naome-rust.exe";
+#[cfg(not(windows))]
+const NATIVE_BINARY_PATH: &str = ".naome/bin/naome-rust";
+
 const PROJECT_OWNED_PATHS: &[&str] = &[
     ".naomeignore",
     ".naome/init-state.json",
@@ -78,6 +84,99 @@ fn rejects_drifted_machine_owned_files() {
     assert!(joined.contains("docs/naome/execution.md"));
 }
 
+#[test]
+fn accepts_native_decision_binary_with_manifest_ownership_and_integrity() {
+    let mut repo = HarnessFixture::new();
+    repo.install_native_decision_binary("native decision fixture\n");
+
+    let errors = validate_harness_health(repo.path(), options(repo.integrity.clone())).unwrap();
+
+    assert!(errors.is_empty(), "{errors:#?}");
+}
+
+#[test]
+fn rejects_native_decision_binary_when_manifest_ownership_is_removed() {
+    let mut repo = HarnessFixture::new();
+    repo.install_native_decision_binary("native decision fixture\n");
+    repo.remove_native_manifest_entry();
+
+    let errors = validate_harness_health(repo.path(), options(repo.integrity.clone())).unwrap();
+    let joined = errors.join("\n");
+
+    assert!(
+        joined.contains(&format!(
+            ".naome/manifest.json machineOwned must include {NATIVE_BINARY_PATH}."
+        )),
+        "{joined}"
+    );
+    assert!(
+        joined.contains(&format!(
+            ".naome/manifest.json integrity missing {NATIVE_BINARY_PATH}."
+        )),
+        "{joined}"
+    );
+}
+
+#[test]
+fn rejects_checker_declared_native_integrity_without_native_manifest_entry() {
+    let mut repo = HarnessFixture::new();
+    let checker_path = ".naome/bin/check-task-state.js";
+    let native_hash = format!("sha256:{}", "a".repeat(64));
+    repo.write(
+        checker_path,
+        &format!("const expectedNativeBinaryIntegrity = \"{native_hash}\";\n"),
+    );
+    repo.integrity.insert(
+        checker_path.to_string(),
+        format!(
+            "sha256:{}",
+            sha256("const expectedNativeBinaryIntegrity = \"sha256:generated\";\n")
+        ),
+    );
+    write_file(
+        repo.path(),
+        ".naome/manifest.json",
+        &pretty_json(manifest_fixture(&repo.integrity)),
+    );
+
+    let errors = validate_harness_health(repo.path(), options(repo.integrity.clone())).unwrap();
+    let joined = errors.join("\n");
+
+    assert!(
+        joined.contains(&format!(
+            ".naome/manifest.json machineOwned must include {NATIVE_BINARY_PATH}."
+        )),
+        "{joined}"
+    );
+    assert!(
+        joined.contains(&format!("{NATIVE_BINARY_PATH} is missing.")),
+        "{joined}"
+    );
+}
+
+#[test]
+fn rejects_native_integrity_assignment_with_appended_code() {
+    let mut repo = HarnessFixture::new();
+    repo.install_native_decision_binary("native decision fixture\n");
+    let native_hash = repo.integrity.get(NATIVE_BINARY_PATH).unwrap().clone();
+    repo.write(
+        ".naome/bin/check-harness-health.js",
+        &format!("const expectedNativeBinaryIntegrity = \"{native_hash}\"; process.exit(0);\n"),
+    );
+
+    let errors = validate_harness_health(repo.path(), options(repo.integrity.clone())).unwrap();
+    let joined = errors.join("\n");
+
+    assert!(
+        joined.contains(".naome/bin/check-harness-health.js integrity mismatch"),
+        "{joined}"
+    );
+    assert!(
+        joined.contains(".naome/bin/check-harness-health.js native binary integrity does not match .naome/manifest.json."),
+        "{joined}"
+    );
+}
+
 #[test]
 fn rejects_missing_archive_ignore_boundary() {
     let repo = HarnessFixture::new();
@@ -175,6 +274,53 @@ impl HarnessFixture {
     fn write(&self, relative_path: &str, content: &str) {
         write_file(&self.root, relative_path, content);
     }
+
+    fn install_native_decision_binary(&mut self, content: &str) {
+        let native_hash = format!("sha256:{}", sha256(content));
+        write_file(&self.root, NATIVE_BINARY_PATH, content);
+        self.integrity
+            .insert(NATIVE_BINARY_PATH.to_string(), native_hash.clone());
+
+        for relative_path in [
+            ".naome/bin/naome.js",
+            ".naome/bin/check-harness-health.js",
+            ".naome/bin/check-task-state.js",
+        ] {
+            let command_content =
+                format!("const expectedNativeBinaryIntegrity = \"{native_hash}\";\n");
+            let normalized_command_content =
+                "const expectedNativeBinaryIntegrity = \"sha256:generated\";\n";
+            write_file(&self.root, relative_path, &command_content);
+            self.integrity.insert(
+                relative_path.to_string(),
+                format!("sha256:{}", sha256(normalized_command_content)),
+            );
+        }
+
+        self.write_manifest_with_native_entry();
+    }
+
+    fn remove_native_manifest_entry(&self) {
+        let mut manifest = read_json_value(&self.root, ".naome/manifest.json");
+        manifest["machineOwned"]
+            .as_array_mut()
+            .unwrap()
+            .retain(|entry| entry.as_str() != Some(NATIVE_BINARY_PATH));
+        manifest["integrity"]
+            .as_object_mut()
+            .unwrap()
+            .remove(NATIVE_BINARY_PATH);
+        write_file(&self.root, ".naome/manifest.json", &pretty_json(manifest));
+    }
+
+    fn write_manifest_with_native_entry(&self) {
+        let mut manifest = manifest_fixture(&self.integrity);
+        manifest["machineOwned"]
+            .as_array_mut()
+            .unwrap()
+            .push(json!(NATIVE_BINARY_PATH));
+        write_file(&self.root, ".naome/manifest.json", &pretty_json(manifest));
+    }
 }
 
 fn manifest_fixture(integrity: &HashMap<String, String>) -> serde_json::Value {
@@ -217,6 +363,10 @@ fn machine_content(relative_path: &str) -> String {
     }
 }
 
+fn read_json_value(root: &Path, relative_path: &str) -> serde_json::Value {
+    serde_json::from_str(&fs::read_to_string(root.join(relative_path)).unwrap()).unwrap()
+}
+
 fn write_file(root: &Path, relative_path: &str, content: &str) {
     let path = root.join(relative_path);
     fs::create_dir_all(path.parent().unwrap()).unwrap();

package/crates/naome-core/tests/quality_performance.rs

@@ -4,8 +4,8 @@ use std::fs;
 
 use naome_core::{
     check_repository_quality, check_repository_quality_paths, check_semantic_legacy,
-    init_repository_quality, init_repository_quality_with_mode, quality_cache_status,
-    QualityInitMode, QualityMode,
+    clear_quality_cache, init_repository_quality, init_repository_quality_with_mode,
+    quality_cache_status, QualityInitMode, QualityMode,
 };
 
 use repo_support::TestRepo;
@@ -140,6 +140,67 @@ fn second_report_uses_file_analysis_cache() {
     assert_eq!(second.summary.cache_misses, 0);
 }
 
+#[cfg(unix)]
+#[test]
+fn report_skips_repository_symlinks_without_caching_target_contents() {
+    let repo = quality_repo("quality-cache-skips-file-symlink");
+    let victim = repo.path().join("../naome-victim-secret.txt");
+    fs::write(&victim, "VALIDATION_SECRET_raw_lines_12345\n").unwrap();
+    std::os::unix::fs::symlink(&victim, repo.path().join("leak.txt")).unwrap();
+    repo.git(&["add", "leak.txt"]);
+    repo.git(&["commit", "-m", "tracked symlink"]);
+
+    let report = check_repository_quality(repo.path(), QualityMode::Report).unwrap();
+    let cache = quality_cache_status(repo.path()).unwrap();
+
+    assert!(!report.scanned_paths.contains(&"leak.txt".to_string()));
+    assert_eq!(cache.entry_count, 0);
+}
+
+#[cfg(unix)]
+#[test]
+fn path_budget_skips_symlinks_before_reading_target_metadata() {
+    let repo = quality_repo("quality-budget-skips-symlink");
+    let victim = repo.path().join("../naome-large-victim.txt");
+    fs::write(&victim, "x".repeat(1024 * 1024 + 1)).unwrap();
+    std::os::unix::fs::symlink(&victim, repo.path().join("large-link.txt")).unwrap();
+    repo.git(&["add", "large-link.txt"]);
+    repo.git(&["commit", "-m", "tracked large symlink"]);
+
+    let report = check_repository_quality_paths(repo.path(), &["large-link.txt"]).unwrap();
+
+    assert!(!report.scanned_paths.contains(&"large-link.txt".to_string()));
+    assert!(!report
+        .summary
+        .reason_codes
+        .contains(&"max_file_bytes".to_string()));
+    fs::remove_file(victim).unwrap();
+}
+
+#[cfg(unix)]
+#[test]
+fn cache_operations_reject_symlinked_cache_path_components() {
+    let repo = quality_repo("quality-cache-rejects-cache-symlink");
+    repo.write_file("src/a.js", "export const value = 1;\n");
+    repo.commit_all("baseline");
+    let outside = repo.path().join("../naome-outside-cache");
+    fs::create_dir_all(outside.join("quality")).unwrap();
+    fs::remove_dir_all(repo.path().join(".naome/cache")).ok();
+    std::os::unix::fs::symlink(&outside, repo.path().join(".naome/cache")).unwrap();
+
+    let report = check_repository_quality(repo.path(), QualityMode::Report).unwrap();
+    let clear_error = clear_quality_cache(repo.path()).unwrap_err();
+
+    assert_eq!(report.summary.cache_hits, 0);
+    assert!(outside.join("quality").is_dir());
+    assert!(!fs::read_dir(outside.join("quality"))
+        .unwrap()
+        .any(|entry| entry.is_ok()));
+    assert!(clear_error
+        .to_string()
+        .contains("must not contain symlinks"));
+}
+
 #[test]
 fn report_budget_marks_truncated_reports() {
     let repo = quality_repo("quality-report-budget");

package/installer/filesystem.js

@@ -64,6 +64,44 @@ export function archiveUpgradePath(ctx, archiveDirName, relativePath) {
   return join(ctx.targetRoot, ".naome", "archive", archiveDirName, relativePath);
 }
 
+export function assertWritableArchivePath(ctx, archiveDirName, relativePath) {
+  const archiveRelativePath = join(".naome", "archive", archiveDirName, relativePath);
+  const parts = archiveRelativePath.split(/[\\/]+/);
+  let current = ctx.targetRoot;
+
+  for (let index = 0; index < parts.length; index += 1) {
+    const part = parts[index];
+    const isLeaf = index === parts.length - 1;
+    current = join(current, part);
+
+    try {
+      const stats = lstatSync(current);
+      if (stats.isSymbolicLink()) {
+        printError(ctx, `NAOME cannot archive ${relativePath} safely.`);
+        console.error(`${archiveRelativePath} must not contain symbolic links.`);
+        process.exit(1);
+      }
+
+      if (!isLeaf && !stats.isDirectory()) {
+        printError(ctx, `NAOME cannot archive ${relativePath} because the archive path is not a directory.`);
+        console.error(`${join(...parts.slice(0, index + 1))} must be a regular directory or must not exist.`);
+        process.exit(1);
+      }
+
+      if (isLeaf && existsSync(current) && !stats.isFile()) {
+        printError(ctx, `NAOME cannot archive ${relativePath} because the archive path is not a file.`);
+        console.error(`${archiveRelativePath} must be a regular file or must not exist.`);
+        process.exit(1);
+      }
+    } catch (error) {
+      if (error.code === "ENOENT") {
+        continue;
+      }
+      throw error;
+    }
+  }
+}
+
 export function ensureArchiveDirectory(ctx) {
   const archivePath = ".naome/archive";
   const targetPath = join(ctx.targetRoot, archivePath);

package/installer/flows.js

@@ -31,6 +31,8 @@ const legacyOptionalHookPaths = [
   "docs/naome/codex-hooks.md",
 ];
 
+const trustedRetiredMachineOwnedPaths = new Set(legacyOptionalHookPaths);
+
 export async function runFreshInstall(ctx) {
   await confirmAgentsTakeover(ctx);
 
@@ -110,8 +112,11 @@ function removeRetiredMachineOwnedFiles(ctx, manifest, archiveDirName, options =
     ...ctx.localOnlyMachineOwnedPaths,
     ctx.nativeBinaryRelativePath,
   ].filter(Boolean));
+  const manifestRetiredPaths = Array.isArray(manifest?.machineOwned)
+    ? manifest.machineOwned.filter((path) => trustedRetiredMachineOwnedPaths.has(path))
+    : [];
   const retiredPaths = [
-    ...(Array.isArray(manifest?.machineOwned) ? manifest.machineOwned : []),
+    ...manifestRetiredPaths,
     ...(Array.isArray(options.extraPaths) ? options.extraPaths : []),
   ];
 

package/installer/harness-file-ops.js

@@ -9,8 +9,8 @@ import {
 } from "node:fs";
 import { dirname, join, relative } from "node:path";
 
-import { archiveUpgradePath, hasSymlinkInTargetPath } from "./filesystem.js";
-import { hasGeneratedIntegrity, machineFileHash } from "./native.js";
+import { archiveUpgradePath, assertWritableArchivePath, hasSymlinkInTargetPath } from "./filesystem.js";
+import { machineFileHash } from "./native.js";
 import { printError } from "./output.js";
 
 export function ensureTemplateFile(ctx, relativePath) {
@@ -55,8 +55,13 @@ export function removeLegacyHarnessFile(ctx, relativePath, archiveDirName) {
     return;
   }
 
-  const archivePath = archiveUpgradePath(ctx, archiveDirName, relativePath);
+  const archivePath = safeArchivePath(ctx, archiveDirName, relativePath);
+  if (archivePath === null) {
+    failUnsafeArchivePath(ctx, archiveDirName, relativePath);
+  }
+
   mkdirSync(dirname(archivePath), { recursive: true });
+  assertWritableArchivePath(ctx, archiveDirName, relativePath);
   copyFileSync(targetPath, archivePath);
   unlinkSync(targetPath);
   ctx.updated.push(relativePath);
@@ -128,17 +133,40 @@ function replaceChangedHarnessFile(ctx, relativePath, archiveDirName, sourcePath
     return;
   }
 
-  const archivePath = archiveUpgradePath(ctx, archiveDirName, relativePath);
+  const archivePath = safeArchivePath(ctx, archiveDirName, relativePath);
+  if (archivePath === null) {
+    failUnsafeArchivePath(ctx, archiveDirName, relativePath);
+  }
+
   mkdirSync(dirname(archivePath), { recursive: true });
+  assertWritableArchivePath(ctx, archiveDirName, relativePath);
   copyFileSync(targetPath, archivePath);
   writeFileSync(targetPath, nextContent);
   ctx.updated.push(relativePath);
   ctx.archived.push({ from: relativePath, to: relative(ctx.targetRoot, archivePath) });
 }
 
-function unchangedMachineHash(ctx, relativePath, currentContent, nextContent) {
-  return (
-    !hasGeneratedIntegrity(ctx, relativePath) &&
-    machineFileHash(ctx, relativePath, currentContent) === machineFileHash(ctx, relativePath, nextContent)
+function safeArchivePath(ctx, archiveDirName, relativePath) {
+  const archivePath = archiveUpgradePath(ctx, archiveDirName, relativePath);
+  const archiveParent = relative(ctx.targetRoot, dirname(archivePath));
+  if (hasSymlinkInTargetPath(ctx, archiveParent)) {
+    return null;
+  }
+  if (existsSync(archivePath)) {
+    return null;
+  }
+
+  return archivePath;
+}
+
+function failUnsafeArchivePath(ctx, archiveDirName, relativePath) {
+  printError(ctx, `NAOME cannot archive ${relativePath} safely.`);
+  console.error(
+    `${relative(ctx.targetRoot, archiveUpgradePath(ctx, archiveDirName, relativePath))} must not contain symlinks or pre-existing files.`
   );
+  process.exit(1);
+}
+
+function unchangedMachineHash(ctx, relativePath, currentContent, nextContent) {
+  return machineFileHash(ctx, relativePath, currentContent) === machineFileHash(ctx, relativePath, nextContent);
 }

package/installer/harness-files.js

@@ -22,6 +22,7 @@ export function ensureCoreHarnessFiles(ctx, archiveDirName) {
   replaceHarnessFile(ctx, "docs/naome/task-ledger.md", archiveDirName);
   ensureTemplateFile(ctx, "docs/naome/repository-model.md");
   ensureTemplateFile(ctx, "docs/naome/security.md");
+  ensureTemplateFile(ctx, "docs/naome/architecture-fitness.md");
   replaceHarnessFile(ctx, "docs/naome/upgrade.md", archiveDirName);
 }
 
@@ -39,6 +40,7 @@ export function ensureTaskControlHarnessFiles(ctx, archiveDirName) {
   replaceHarnessFile(ctx, "docs/naome/agent-workflow.md", archiveDirName);
   replaceHarnessFile(ctx, "docs/naome/context-economy.md", archiveDirName);
   replaceHarnessFile(ctx, "docs/naome/execution.md", archiveDirName);
+  ensureTemplateFile(ctx, "docs/naome/architecture-fitness.md");
   replaceHarnessFile(ctx, "docs/naome/upgrade.md", archiveDirName);
 }
 
@@ -57,6 +59,7 @@ export function ensureHarnessHealthFiles(ctx, archiveDirName) {
   replaceHarnessFile(ctx, "docs/naome/context-economy.md", archiveDirName);
   replaceHarnessFile(ctx, "docs/naome/execution.md", archiveDirName);
   ensureTemplateFile(ctx, "docs/naome/security.md");
+  ensureTemplateFile(ctx, "docs/naome/architecture-fitness.md");
   replaceHarnessFile(ctx, "docs/naome/upgrade.md", archiveDirName);
   ensureNaomeIgnore(ctx);
 }

package/installer/manifest-state.js

@@ -2,7 +2,7 @@ import { existsSync, lstatSync, mkdirSync, readFileSync, writeFileSync } from "n
 import { dirname, join } from "node:path";
 
 import { hasSymlinkInTargetPath } from "./filesystem.js";
-import { installedNativeBinaryHash, templateIntegrity, usesSourceNativeFallback } from "./native.js";
+import { installedMachineOwnedIntegrity, installedNativeBinaryHash, usesSourceNativeFallback } from "./native.js";
 import { printError } from "./output.js";
 import { isVersion } from "./version.js";
 
@@ -118,7 +118,7 @@ function applyManifestHealthMetadata(ctx, manifest) {
   manifest.harnessVersion = ctx.packageVersion;
   manifest.machineOwned = [...ctx.machineOwnedPaths];
   manifest.projectOwned = ctx.projectOwnedPaths;
-  manifest.integrity = templateIntegrity(ctx);
+  manifest.integrity = installedMachineOwnedIntegrity(ctx);
 
   const nativeHash = installedNativeBinaryHash(ctx);
   if (!usesSourceNativeFallback(ctx) && nativeHash) {