@lamentis/naome 1.3.8 → 1.3.10

package/installer/native.js

@@ -6,6 +6,7 @@ import {
   lstatSync,
   mkdirSync,
   readFileSync,
+  unlinkSync,
   writeFileSync,
 } from "node:fs";
 import { dirname, join, resolve } from "node:path";
@@ -32,8 +33,8 @@ export function installNativeDecisionBinary(ctx) {
   }
 
   if (usesSourceNativeFallback(ctx)) {
-    patchNaomeCommandNativeIntegrity(ctx, "sha256:generated");
-    ctx.skipped.push(ctx.nativeBinaryRelativePath);
+    removeInstalledNativeDecisionBinary(ctx);
+    patchInstalledNativeIntegrity(ctx, "sha256:generated");
     return;
   }
 
@@ -52,7 +53,7 @@ export function installNativeDecisionBinary(ctx) {
   }
 
   chmodSync(targetPath, 0o755);
-  patchNaomeCommandNativeIntegrity(ctx, `sha256:${sourceHash}`);
+  patchInstalledNativeIntegrity(ctx, `sha256:${sourceHash}`);
 }
 
 export function findNativeDecisionBinary(ctx) {
@@ -75,7 +76,7 @@ export function findNativeDecisionBinary(ctx) {
 }
 
 export function patchInstalledMachineOwnedIntegrity(ctx) {
-  const integrityBlock = formatExpectedIntegrityBlock(templateIntegrity(ctx));
+  const integrityBlock = formatExpectedIntegrityBlock(installedMachineOwnedIntegrity(ctx));
 
   for (const relativePath of [ctx.healthCheckerRelativePath, ctx.taskStateCheckerRelativePath]) {
     const targetPath = join(ctx.targetRoot, relativePath);
@@ -110,6 +111,23 @@ export function installedNativeBinaryHash(ctx) {
   return sha256(readFileSync(targetPath));
 }
 
+function removeInstalledNativeDecisionBinary(ctx) {
+  const targetPath = join(ctx.targetRoot, ctx.nativeBinaryRelativePath);
+  if (!existsSync(targetPath)) {
+    ctx.skipped.push(ctx.nativeBinaryRelativePath);
+    return;
+  }
+
+  if (hasSymlinkInTargetPath(ctx, ctx.nativeBinaryRelativePath) || !lstatSync(targetPath).isFile()) {
+    ctx.skipped.push(ctx.nativeBinaryRelativePath);
+    ctx.unsafeSkipped.push(ctx.nativeBinaryRelativePath);
+    return;
+  }
+
+  unlinkSync(targetPath);
+  ctx.updated.push(ctx.nativeBinaryRelativePath);
+}
+
 export function templateIntegrity(ctx) {
   const integrity = {};
 
@@ -121,6 +139,17 @@ export function templateIntegrity(ctx) {
   return integrity;
 }
 
+export function installedMachineOwnedIntegrity(ctx) {
+  const integrity = templateIntegrity(ctx);
+  const nativeHash = installedNativeBinaryHash(ctx);
+
+  if (!usesSourceNativeFallback(ctx) && nativeHash) {
+    integrity[ctx.nativeBinaryRelativePath] = `sha256:${nativeHash}`;
+  }
+
+  return integrity;
+}
+
 export function sha256(content) {
   return createHash("sha256").update(content).digest("hex");
 }
@@ -132,7 +161,7 @@ export function machineFileHash(ctx, relativePath, content) {
     normalized = normalized.toString("utf8").replace(ctx.integrityBlockPattern, ctx.normalizedIntegrityBlock);
   }
 
-  if (relativePath === ctx.naomeCommandRelativePath) {
+  if (hasGeneratedNativeIntegrity(ctx, relativePath)) {
     normalized = normalized.toString("utf8").replace(ctx.nativeIntegrityPattern, ctx.normalizedNativeIntegrity);
   }
 
@@ -143,20 +172,36 @@ export function hasGeneratedIntegrity(ctx, relativePath) {
   return relativePath === ctx.healthCheckerRelativePath || relativePath === ctx.taskStateCheckerRelativePath;
 }
 
-function patchNaomeCommandNativeIntegrity(ctx, expectedIntegrity) {
-  const commandPath = join(ctx.targetRoot, ctx.naomeCommandRelativePath);
-  if (!existsSync(commandPath) || hasSymlinkInTargetPath(ctx, ctx.naomeCommandRelativePath)) {
-    return;
-  }
+export function hasGeneratedNativeIntegrity(ctx, relativePath) {
+  return [
+    ctx.healthCheckerRelativePath,
+    ctx.taskStateCheckerRelativePath,
+    ctx.naomeCommandRelativePath,
+  ].includes(relativePath);
+}
+
+function patchInstalledNativeIntegrity(ctx, expectedIntegrity) {
+  const nativeIntegrityPaths = [
+    ctx.healthCheckerRelativePath,
+    ctx.taskStateCheckerRelativePath,
+    ctx.naomeCommandRelativePath,
+  ];
+
+  for (const relativePath of nativeIntegrityPaths) {
+    const targetPath = join(ctx.targetRoot, relativePath);
+    if (!existsSync(targetPath) || hasSymlinkInTargetPath(ctx, relativePath)) {
+      continue;
+    }
 
-  const content = readFileSync(commandPath, "utf8");
-  const nextContent = content.replace(
-    ctx.nativeIntegrityPattern,
-    `const expectedNativeBinaryIntegrity = "${expectedIntegrity}";\n`,
-  );
+    const content = readFileSync(targetPath, "utf8");
+    const nextContent = content.replace(
+      ctx.nativeIntegrityPattern,
+      `const expectedNativeBinaryIntegrity = "${expectedIntegrity}";\n`,
+    );
 
-  if (nextContent !== content) {
-    writeFileSync(commandPath, nextContent);
-    ctx.updated.push(ctx.naomeCommandRelativePath);
+    if (nextContent !== content) {
+      writeFileSync(targetPath, nextContent);
+      ctx.updated.push(relativePath);
+    }
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lamentis/naome",
-  "version": "1.3.8",
+  "version": "1.3.10",
   "description": "Native-first CLI for the NAOME agent harness.",
   "license": "Apache-2.0",
   "type": "module",

package/templates/naome-root/.naome/bin/check-harness-health.js

@@ -7,20 +7,21 @@ const path = require("node:path");
 
 const nativeBinaryPath = process.platform === "win32" ? ".naome/bin/naome-rust.exe" : ".naome/bin/naome-rust";
 const nativeBinaryName = process.platform === "win32" ? "naome.exe" : "naome";
+const expectedNativeBinaryIntegrity = "sha256:generated";
 
 const expectedMachineOwnedIntegrity = Object.freeze({
-  ".naome/bin/check-harness-health.js": "sha256:dc4de52b79c69600b9ba47b924e2c2b8de61a2cbfab6d1ccc0f1924d963db657",
-  ".naome/bin/check-task-state.js": "sha256:df54489a22b426180266e5e0fb5f9ec381477419f688435248afbf2b9b38ea81",
-  ".naome/bin/naome.js": "sha256:a34c2e50a68d15ff2722a57590ccddc504e025d3c98ea62fd700d7ec1a789b9a",
+  ".naome/bin/check-harness-health.js": "sha256:802d7419774981a6af1826b3882270ff8f41259d516f98c52a02b4ddc184c467",
+  ".naome/bin/check-task-state.js": "sha256:2612577b7e4ab45d9d39dd5ac54c8e7ed749d237d78f1a8d252f4dfa0b4eaaab",
+  ".naome/bin/naome.js": "sha256:f129c580fb70b3a1d92d0ab0de9fa6c131b2fc51a8dcdebe9d6f5a812a3be61b",
   ".naome/package.json": "sha256:8005a3491db7d92f36ac66369861589f9c47123d3a7c71e643fc2c06168cd45a",
   ".naome/task-contract.schema.json": "sha256:1b3b62350328d0d6d660e36d1d1baaa2b88718530db774f9ab2a9e2fcba369c8",
   "AGENTS.md": "sha256:e8b2fc786c1c72b69ba8f2b2ffce4f459e799c7453ce9ff4a9f6448a8f9e6b4f",
-  "docs/naome/agent-workflow.md": "sha256:2fd1fd02eb6849133b9e8227421914580b1c469a60388a063c1b6ed48016b48d",
+  "docs/naome/agent-workflow.md": "sha256:0be1c29adfbcd3fd73c4f904080ffc67237692fe413871a30243538c4db38ac7",
   "docs/naome/context-economy.md": "sha256:3ed5075815ecf4ada46a5e65438769310307c35759fcd46b13dc0b96e02bebd9",
   "docs/naome/execution.md": "sha256:bfc5d55838942ec8e3d790b59e3c634ff5bf6a2298265cef3dca9788a097eafb",
   "docs/naome/first-run.md": "sha256:1466ce8c65e19a1514885f917db14e8a772350e3f6d1c03a66326963365919e1",
-  "docs/naome/index.md": "sha256:07ef776f49130319a5280bdb3ae38af22141708253f38eb983a4336fbae1b25a",
-  "docs/naome/task-ledger.md": "sha256:ac637a31abdd13eee15a49086594e63f5c88fe12a5cf621b227310788ae7e583",
+  "docs/naome/index.md": "sha256:cac748ed375d86d288460456fc5d606b29bd99d91148522c303d5400a083dbc5",
+  "docs/naome/task-ledger.md": "sha256:6ca7222c80079b4662fb718d3c71d686770646f1fa52b83b0e90aed1c5a1101b",
   "docs/naome/upgrade.md": "sha256:2c60f0441bbd98bd528d109b30a7ded4b0ad55d61ffb9f52edac9e93b7999cb1"
 });
 
@@ -39,7 +40,7 @@ const result = childProcess.spawnSync(binary, ["check-harness-health", "--root",
 process.exit(result.status === null ? 1 : result.status);
 
 function selectBinary(rootDir) {
-  const wantedHash = manifestNativeHash(rootDir);
+  const wantedHash = expectedNativeHash();
   const candidates = [
     process.env.NAOME_NATIVE_BIN,
     path.join(rootDir, nativeBinaryPath),
@@ -47,13 +48,13 @@ function selectBinary(rootDir) {
     path.join(rootDir, "packages", "naome", "target", "debug", nativeBinaryName)
   ].filter(Boolean);
 
-  for (const candidate of candidates) {
-    if (canRun(candidate, rootDir, wantedHash)) {
-      return candidate;
+  if (wantedHash) {
+    for (const candidate of candidates) {
+      if (canRun(candidate, rootDir, wantedHash)) {
+        return candidate;
+      }
     }
-  }
 
-  if (wantedHash) {
     stop(`No runnable NAOME native harness health binary matched ${wantedHash}. Run naome sync again.`);
   }
 
@@ -62,20 +63,19 @@ function selectBinary(rootDir) {
     return built;
   }
 
-  stop("NAOME native harness health binary is missing or incompatible. Run naome sync again.");
+  stop("NAOME native harness health binary has no trusted packaged integrity. Run naome sync again.");
 }
 
-function manifestNativeHash(rootDir) {
+function expectedNativeHash() {
   if (isSha(process.env.NAOME_EXPECTED_NATIVE_INTEGRITY)) {
     return process.env.NAOME_EXPECTED_NATIVE_INTEGRITY;
   }
 
-  try {
-    const manifest = JSON.parse(fs.readFileSync(path.join(rootDir, ".naome", "manifest.json"), "utf8"));
-    return isSha(manifest.integrity?.[nativeBinaryPath]) ? manifest.integrity[nativeBinaryPath] : null;
-  } catch {
-    return null;
+  if (isSha(expectedNativeBinaryIntegrity)) {
+    return expectedNativeBinaryIntegrity;
   }
+
+  return null;
 }
 
 function canRun(candidate, rootDir, wantedHash) {
@@ -96,6 +96,10 @@ function canRun(candidate, rootDir, wantedHash) {
 }
 
 function buildFromSource(rootDir) {
+  if (expectedNativeBinaryIntegrity !== "sha256:generated") {
+    return null;
+  }
+
   const manifest = path.join(rootDir, "packages", "naome", "Cargo.toml");
   if (!fs.existsSync(manifest)) {
     return null;

package/templates/naome-root/.naome/bin/check-task-state.js

@@ -7,20 +7,21 @@ const { spawnSync } = require("node:child_process");
 
 const nativeBinaryRelativePath = process.platform === "win32" ? ".naome/bin/naome-rust.exe" : ".naome/bin/naome-rust";
 const nativeBinaryName = process.platform === "win32" ? "naome.exe" : "naome";
+const expectedNativeBinaryIntegrity = "sha256:generated";
 
 const expectedMachineOwnedIntegrity = Object.freeze({
-  ".naome/bin/check-harness-health.js": "sha256:dc4de52b79c69600b9ba47b924e2c2b8de61a2cbfab6d1ccc0f1924d963db657",
-  ".naome/bin/check-task-state.js": "sha256:df54489a22b426180266e5e0fb5f9ec381477419f688435248afbf2b9b38ea81",
-  ".naome/bin/naome.js": "sha256:a34c2e50a68d15ff2722a57590ccddc504e025d3c98ea62fd700d7ec1a789b9a",
+  ".naome/bin/check-harness-health.js": "sha256:802d7419774981a6af1826b3882270ff8f41259d516f98c52a02b4ddc184c467",
+  ".naome/bin/check-task-state.js": "sha256:2612577b7e4ab45d9d39dd5ac54c8e7ed749d237d78f1a8d252f4dfa0b4eaaab",
+  ".naome/bin/naome.js": "sha256:f129c580fb70b3a1d92d0ab0de9fa6c131b2fc51a8dcdebe9d6f5a812a3be61b",
   ".naome/package.json": "sha256:8005a3491db7d92f36ac66369861589f9c47123d3a7c71e643fc2c06168cd45a",
   ".naome/task-contract.schema.json": "sha256:1b3b62350328d0d6d660e36d1d1baaa2b88718530db774f9ab2a9e2fcba369c8",
   "AGENTS.md": "sha256:e8b2fc786c1c72b69ba8f2b2ffce4f459e799c7453ce9ff4a9f6448a8f9e6b4f",
-  "docs/naome/agent-workflow.md": "sha256:2fd1fd02eb6849133b9e8227421914580b1c469a60388a063c1b6ed48016b48d",
+  "docs/naome/agent-workflow.md": "sha256:0be1c29adfbcd3fd73c4f904080ffc67237692fe413871a30243538c4db38ac7",
   "docs/naome/context-economy.md": "sha256:3ed5075815ecf4ada46a5e65438769310307c35759fcd46b13dc0b96e02bebd9",
   "docs/naome/execution.md": "sha256:bfc5d55838942ec8e3d790b59e3c634ff5bf6a2298265cef3dca9788a097eafb",
   "docs/naome/first-run.md": "sha256:1466ce8c65e19a1514885f917db14e8a772350e3f6d1c03a66326963365919e1",
-  "docs/naome/index.md": "sha256:07ef776f49130319a5280bdb3ae38af22141708253f38eb983a4336fbae1b25a",
-  "docs/naome/task-ledger.md": "sha256:ac637a31abdd13eee15a49086594e63f5c88fe12a5cf621b227310788ae7e583",
+  "docs/naome/index.md": "sha256:cac748ed375d86d288460456fc5d606b29bd99d91148522c303d5400a083dbc5",
+  "docs/naome/task-ledger.md": "sha256:6ca7222c80079b4662fb718d3c71d686770646f1fa52b83b0e90aed1c5a1101b",
   "docs/naome/upgrade.md": "sha256:2c60f0441bbd98bd528d109b30a7ded4b0ad55d61ffb9f52edac9e93b7999cb1"
 });
 
@@ -62,7 +63,7 @@ function modeArgs(argv) {
 }
 
 function resolveNativeDecisionBinary(root) {
-  const expectedIntegrity = expectedNativeIntegrity(root);
+  const expectedIntegrity = expectedNativeIntegrity();
   const candidates = [
     process.env.NAOME_NATIVE_BIN,
     join(root, nativeBinaryRelativePath),
@@ -70,13 +71,13 @@ function resolveNativeDecisionBinary(root) {
     join(root, "packages", "naome", "target", "debug", nativeBinaryName)
   ].filter(Boolean);
 
-  for (const candidate of candidates) {
-    if (isUsableNativeBinary(candidate, root, expectedIntegrity)) {
-      return candidate;
+  if (expectedIntegrity) {
+    for (const candidate of candidates) {
+      if (isUsableNativeBinary(candidate, root, expectedIntegrity)) {
+        return candidate;
+      }
     }
-  }
 
-  if (expectedIntegrity) {
     fail(`No runnable NAOME native task-state binary matched ${expectedIntegrity}. Run naome sync again.`);
   }
 
@@ -88,29 +89,16 @@ function resolveNativeDecisionBinary(root) {
   fail("NAOME native task-state binary is missing or incompatible. Run naome sync again.");
 }
 
-function expectedNativeIntegrity(root) {
+function expectedNativeIntegrity() {
   if (isIntegrityHash(process.env.NAOME_EXPECTED_NATIVE_INTEGRITY)) {
     return process.env.NAOME_EXPECTED_NATIVE_INTEGRITY;
   }
 
-  const manifestPath = join(root, ".naome", "manifest.json");
-  if (!existsSync(manifestPath)) {
-    return null;
-  }
-
-  let manifest;
-  try {
-    manifest = JSON.parse(readFileSync(manifestPath, "utf8"));
-  } catch {
-    return null;
-  }
-
-  const expected = manifest.integrity?.[nativeBinaryRelativePath];
-  if (!isIntegrityHash(expected)) {
+  if (expectedNativeBinaryIntegrity === "sha256:generated") {
     return null;
   }
 
-  return expected;
+  return expectedNativeBinaryIntegrity;
 }
 
 function isUsableNativeBinary(candidate, root, expectedIntegrity) {
@@ -125,30 +113,35 @@ function isUsableNativeBinary(candidate, root, expectedIntegrity) {
     }
   }
 
-  const probe = spawnSync(candidate, [], {
-    cwd: root,
-    encoding: "utf8",
-    stdio: "ignore"
-  });
+  const probe = spawnSync(candidate, [], { cwd: root, stdio: ["ignore", "ignore", "ignore"] });
   return !probe.error && probe.status !== null;
 }
 
 function buildSourceNativeBinary(root) {
-  const manifestPath = join(root, "packages", "naome", "Cargo.toml");
+  if (expectedNativeBinaryIntegrity !== "sha256:generated") {
+    return null;
+  }
+
+  const packageRoot = join(root, "packages", "naome");
+  const manifestPath = join(packageRoot, "Cargo.toml");
   if (!existsSync(manifestPath)) {
     return null;
   }
 
-  const result = spawnSync("cargo", ["build", "--release", "--manifest-path", manifestPath, "-p", "naome-cli"], {
-    cwd: root,
-    encoding: "utf8",
-    stdio: "ignore"
-  });
+  const result = spawnSync(
+    "cargo",
+    ["build", "--release", "--manifest-path", manifestPath, "-p", "naome-cli"],
+    {
+      cwd: root,
+      encoding: "utf8",
+      stdio: "ignore"
+    }
+  );
   if (result.status !== 0) {
     return null;
   }
 
-  const builtPath = join(root, "packages", "naome", "target", "release", nativeBinaryName);
+  const builtPath = join(packageRoot, "target", "release", nativeBinaryName);
   return existsSync(builtPath) ? builtPath : null;
 }
 

package/templates/naome-root/.naome/bin/naome.js

@@ -27,7 +27,7 @@ function main(argv) {
     return;
   }
 
-  if (["status", "next", "intent", "route", "explain", "context", "doctor", "task", "quality", "semantic", "repo", "structure", "cleanup", "refresh-integrity", "workflow"].includes(command)) {
+  if (["status", "next", "intent", "route", "explain", "context", "doctor", "task", "quality", "semantic", "arch", "repo", "structure", "cleanup", "refresh-integrity", "workflow"].includes(command)) {
     runNativeDecisionCommand(command, args);
     return;
   }
@@ -367,7 +367,7 @@ function findAncestorWithAnyMarker(startPath, markers) {
 }
 
 function printHelp() {
-  const commands = "naome status [--json]|naome next [--json]|naome intent --prompt-file <path> [--json]|naome intent --prompt <text> [--json]|naome route --prompt-file <path> [--execute] [--json]|naome route --prompt <text> [--execute] [--json]|naome explain --prompt-file <path> [--json]|naome explain --prompt <text> [--json]|naome context select --changed [--json]|naome context select --prompt-file <path> [--json]|naome context select --prompt <text> [--json]|naome doctor [--json]|naome task render-state [--write] [--json]|naome task migrate-ledger [--write] [--json]|naome quality init [--baseline|--deep-baseline] [--json]|naome quality check --changed [--include-scanned-paths] [--json]|naome quality check --path <path> [--path <path>...] [--include-scanned-paths] [--json]|naome quality report [--deep] [--include-scanned-paths] [--json]|naome quality cache status [--json]|naome quality cache clear|naome semantic report [--deep] [--json]|naome semantic check --changed [--json]|naome semantic check --path <path> [--path <path>...] [--json]|naome semantic route --finding <id> [--json]|naome semantic loop [--json]|naome repo model [--write] [--json]|naome repo check [--json]|naome repo explain --path <path> [--json]|naome structure report [--json]|naome structure explain --path <path> [--json]|naome cleanup plan [--json]|naome cleanup route --path <path> [--json]|naome refresh-integrity [--json]|naome workflow agent-plan|context-delta|proof-plan|capabilities|edit-watchdog|decision-gate|digest [--json]|naome workflow search-profile|check-search|phases|processes|mutations [--json]|naome install|naome sync|naome commit -m \"type(scope): message\"|node .naome/bin/naome.js commit -m \"type(scope): message\"".split("|");
+  const commands = "naome status [--json]|naome next [--json]|naome intent --prompt-file <path> [--json]|naome intent --prompt <text> [--json]|naome route --prompt-file <path> [--execute] [--json]|naome route --prompt <text> [--execute] [--json]|naome explain --prompt-file <path> [--json]|naome explain --prompt <text> [--json]|naome context select --changed [--json]|naome context select --prompt-file <path> [--json]|naome context select --prompt <text> [--json]|naome doctor [--json]|naome task render-state [--write] [--json]|naome task migrate-ledger [--write] [--json]|naome quality init [--baseline|--deep-baseline] [--json]|naome quality check --changed [--include-scanned-paths] [--json]|naome quality check --path <path> [--path <path>...] [--include-scanned-paths] [--json]|naome quality report [--deep] [--include-scanned-paths] [--json]|naome quality cache status [--json]|naome quality cache clear|naome semantic report [--deep] [--json]|naome semantic check --changed [--json]|naome semantic check --path <path> [--path <path>...] [--json]|naome semantic route --finding <id> [--json]|naome semantic loop [--json]|naome arch init [--config <path>] [--json]|naome arch explain [--config <path>] [--json]|naome arch scan [--config <path>] [--changed-only] [--write] [--output <path>] [--json]|naome arch validate [--config <path>] [--changed-only] [--json|--agent-feedback]|naome repo model [--write] [--json]|naome repo check [--json]|naome repo explain --path <path> [--json]|naome structure report [--json]|naome structure explain --path <path> [--json]|naome cleanup plan [--json]|naome cleanup route --path <path> [--json]|naome refresh-integrity [--json]|naome workflow agent-plan|context-delta|proof-plan|capabilities|edit-watchdog|decision-gate|digest [--json]|naome workflow search-profile|check-search|phases|processes|mutations [--json]|naome install|naome sync|naome commit -m \"type(scope): message\"|node .naome/bin/naome.js commit -m \"type(scope): message\"".split("|");
   console.log(["Usage:", ...commands.map((command) => `  ${command}`)].join("\n"));
 }
 

package/templates/naome-root/.naome/manifest.json

@@ -1,18 +1,19 @@
 {
-  "harnessVersion": "1.3.8",
+  "harnessVersion": "1.3.10",
   "installedAt": null,
   "integrity": {
-    ".naome/bin/check-harness-health.js": "sha256:dc4de52b79c69600b9ba47b924e2c2b8de61a2cbfab6d1ccc0f1924d963db657",
-    ".naome/bin/check-task-state.js": "sha256:df54489a22b426180266e5e0fb5f9ec381477419f688435248afbf2b9b38ea81",
-    ".naome/bin/naome.js": "sha256:a34c2e50a68d15ff2722a57590ccddc504e025d3c98ea62fd700d7ec1a789b9a",
+    ".naome/bin/check-harness-health.js": "sha256:802d7419774981a6af1826b3882270ff8f41259d516f98c52a02b4ddc184c467",
+    ".naome/bin/check-task-state.js": "sha256:2612577b7e4ab45d9d39dd5ac54c8e7ed749d237d78f1a8d252f4dfa0b4eaaab",
+    ".naome/bin/naome.js": "sha256:f129c580fb70b3a1d92d0ab0de9fa6c131b2fc51a8dcdebe9d6f5a812a3be61b",
     ".naome/package.json": "sha256:8005a3491db7d92f36ac66369861589f9c47123d3a7c71e643fc2c06168cd45a",
     ".naome/task-contract.schema.json": "sha256:1b3b62350328d0d6d660e36d1d1baaa2b88718530db774f9ab2a9e2fcba369c8",
     "AGENTS.md": "sha256:e8b2fc786c1c72b69ba8f2b2ffce4f459e799c7453ce9ff4a9f6448a8f9e6b4f",
     "docs/naome/agent-workflow.md": "sha256:0be1c29adfbcd3fd73c4f904080ffc67237692fe413871a30243538c4db38ac7",
+    "docs/naome/architecture-fitness.md": "sha256:ec2cff9f2090d9b6bfeb2464a650cff97790c4d3e626fd40a42374d5f79c7c38",
     "docs/naome/context-economy.md": "sha256:3ed5075815ecf4ada46a5e65438769310307c35759fcd46b13dc0b96e02bebd9",
     "docs/naome/execution.md": "sha256:bfc5d55838942ec8e3d790b59e3c634ff5bf6a2298265cef3dca9788a097eafb",
     "docs/naome/first-run.md": "sha256:1466ce8c65e19a1514885f917db14e8a772350e3f6d1c03a66326963365919e1",
-    "docs/naome/index.md": "sha256:07ef776f49130319a5280bdb3ae38af22141708253f38eb983a4336fbae1b25a",
+    "docs/naome/index.md": "sha256:cac748ed375d86d288460456fc5d606b29bd99d91148522c303d5400a083dbc5",
     "docs/naome/task-ledger.md": "sha256:6ca7222c80079b4662fb718d3c71d686770646f1fa52b83b0e90aed1c5a1101b",
     "docs/naome/upgrade.md": "sha256:2c60f0441bbd98bd528d109b30a7ded4b0ad55d61ffb9f52edac9e93b7999cb1"
   },
@@ -27,8 +28,9 @@
     "docs/naome/first-run.md",
     "docs/naome/agent-workflow.md",
     "docs/naome/context-economy.md",
-    "docs/naome/execution.md",
     "docs/naome/task-ledger.md",
+    "docs/naome/architecture-fitness.md",
+    "docs/naome/execution.md",
     "docs/naome/upgrade.md"
   ],
   "name": "naome",

package/templates/naome-root/.naome/verification.json

@@ -65,6 +65,19 @@
         ".naome/repository-quality-baseline.json"
       ],
       "lastVerified": null
+    },
+    {
+      "id": "architecture-fitness-check",
+      "command": "node .naome/bin/naome.js arch validate --changed-only",
+      "cwd": ".",
+      "purpose": "Validate changed files against deterministic NAOME architecture fitness rules.",
+      "cost": "fast",
+      "source": "NAOME built-in",
+      "evidence": [
+        "naome.arch.yaml",
+        "docs/naome/architecture-fitness.md"
+      ],
+      "lastVerified": null
     }
   ],
   "phases": [
@@ -81,7 +94,8 @@
       "order": 20,
       "checkIds": [
         "repository-quality-check",
-        "repository-semantic-check"
+        "repository-semantic-check",
+        "architecture-fitness-check"
       ]
     },
     {

package/templates/naome-root/docs/naome/architecture-fitness.md

@@ -0,0 +1,97 @@
+# Architecture Fitness
+
+NAOME architecture fitness validates repository structure with deterministic
+rules before agent changes are accepted. The rule layer is language-agnostic:
+language-specific extractors feed a normalized graph, and rules evaluate graph
+facts instead of prompt text.
+
+## Commands
+
+- `naome arch init` writes a starter `naome.arch.yaml`.
+- `naome arch explain` prints inferred layers, contexts, rules, and extractors.
+- `naome arch scan --json` emits the normalized graph.
+- `naome arch scan --write` writes `.naome/architecture-graph.json`.
+- `naome arch validate` runs architecture rules with human output.
+- `naome arch validate --json` emits stable machine-readable output.
+- `naome arch validate --agent-feedback` emits compact repair instructions.
+- `naome arch validate --changed-only` uses changed paths when available and
+  safely degrades to a full scan for graph-level soundness.
+
+## Graph Model
+
+The foundation graph uses stable IDs and normalized node and edge kinds. Nodes
+cover repositories, directories, files, layers, bounded contexts, modules,
+symbols, packages, and external dependencies. Edges cover containment and the
+dependency edge kinds required by later extractor slices.
+
+Each node and edge carries path, language, source range when known, confidence,
+extractor name, raw origin data, stable ID, and a human-readable label.
+
+## Configuration
+
+`naome.arch.yaml` defines layers, bounded contexts, rules, and ignored paths.
+Ignored paths require a reason so agents cannot silently suppress architecture
+ownership.
+
+```yaml
+layers:
+  domain:
+    paths:
+      - "src/domain/**"
+  infrastructure:
+    paths:
+      - "src/infrastructure/**"
+
+contexts:
+  billing:
+    paths:
+      - "src/billing/**"
+    public_api:
+      - "src/billing/index.ts"
+
+rules:
+  max_file_lines:
+    enabled: true
+    value: 400
+    severity: warning
+  generated_manual_boundary:
+    enabled: true
+    severity: error
+
+ignore:
+  - path: "generated/**"
+    reason: "Generated code is not architecture-owned."
+```
+
+## Current Rules
+
+- `arch.max_file_lines` enforces the configured file line budget.
+- `arch.generated_manual_boundary` prevents changed files under explicitly
+  ignored generated paths from being accepted without regeneration or a config
+  change.
+
+## Agent Integration
+
+Agents should run `naome arch validate --changed-only --json` after changing
+source or template files. JSON output includes status, severity counts,
+violations, concrete suggestions, and `agentFeedback` entries optimized for
+repair loops.
+
+## CI Integration
+
+Use `node .naome/bin/naome.js arch validate --changed-only` as a fast gate.
+The first foundation release reports warnings for existing file-size debt and
+fails only on configured error rules.
+
+## Language Support
+
+The v1.3.10 foundation classifies TypeScript, JavaScript, Rust, Python, Go,
+Java, Kotlin, and Swift files by path extension. Import extractors, resolver
+rules, cycle detection, layer dependency rules, and manifest extraction are
+planned follow-up slices before v1.4.0.
+
+## Limitations
+
+This release intentionally starts with path extraction, graph construction,
+file budgets, generated/manual boundaries, JSON output, human output, and CLI
+integration. It does not yet resolve imports or validate cross-layer imports.

package/templates/naome-root/docs/naome/index.md

@@ -22,9 +22,10 @@ for the current step.
 15. `testing.md`
 16. `repository-quality.md`, when repository-quality checks or cleanup are relevant
 17. `repository-structure.md`, when path roles or structure cleanup are relevant
-18. `security.md`
-19. `agent-workflow.md`
-20. `decisions.md`, when changing durable project policy
+18. `architecture-fitness.md`, when architecture graph or rule feedback matters
+19. `security.md`
+20. `agent-workflow.md`
+21. `decisions.md`, when changing durable project policy
 
 ## Source Types
 

package/templates/naome-root/docs/naome/testing.md

@@ -26,6 +26,7 @@ and stale-policy issues before the task grows. It does not replace the final
 | naome-task-state | `node .naome/bin/check-task-state.js` | `.` | fast | null |
 | repository-quality-check | `node .naome/bin/naome.js quality check --changed` | `.` | fast | null |
 | repository-semantic-check | `node .naome/bin/naome.js semantic check --changed` | `.` | fast | null |
+| architecture-fitness-check | `node .naome/bin/naome.js arch validate --changed-only` | `.` | fast | null |
 
 ## Verification Phases
 
@@ -52,6 +53,7 @@ phase is failing or missing.
 - `.naome/bin/check-harness-health.js`
 - `.naome/bin/check-task-state.js`
 - `.naome/task-contract.schema.json`
+- `docs/naome/architecture-fitness.md`
 
 ## Rules
 
@@ -66,8 +68,9 @@ phase is failing or missing.
   and 12 release gates.
 - Store long command output as a compact summary that preserves command, cwd,
   exit code, relevant lines, affected paths, and artifacts.
-- When intake defines change types, include `repository-quality-check` and
-  `repository-semantic-check` as required checks for source, structure,
-  documentation, harness, template, and CI changes.
+- When intake defines change types, include `repository-quality-check`,
+  `repository-semantic-check`, and `architecture-fitness-check` as required
+  checks for source, structure, documentation, harness, template, and CI
+  changes.
 - Before completion, select proof from the Verification Map when possible.
 - Report exact commands and results. Do not claim proof that did not run.