@lamentis/naome 1.4.0 → 1.4.2

package/Cargo.lock

@@ -76,7 +76,7 @@ checksum = "f8ca58f447f06ed17d5fc4043ce1b10dd205e060fb3ce5b979b8ed8e59ff3f79"
 
 [[package]]
 name = "naome-cli"
-version = "1.4.0"
+version = "1.4.2"
 dependencies = [
  "naome-core",
  "serde_json",
@@ -84,7 +84,7 @@ dependencies = [
 
 [[package]]
 name = "naome-core"
-version = "1.4.0"
+version = "1.4.2"
 dependencies = [
  "serde",
  "serde_json",

package/README.md

@@ -6,146 +6,41 @@
 <h1 align="center">NAOME</h1>
 
 <p align="center">
-  A deterministic repository harness for AI coding agents.
+  The repository harness for long-running Codex work.
 </p>
 
-```shell
-npm install -g @lamentis/naome
-```
+NAOME wraps your repository with deterministic controls and workflows so
+agentic AI systems can take on real software work: longer tasks, safer
+iterations, and eventually more autonomous execution.
 
-NAOME gives coding agents a repository-local operating protocol: what to read,
-what to ignore, how to admit a task, which files are in scope, which checks are
-required, and when work is safe to commit.
+You install the harness. Codex and NAOME handle the workflow.
 
-## Quickstart
+## Start
 
-Install the CLI, then sync NAOME into a repository:
+Install the Lamentis NAOME package:
 
 ```shell
 npm install -g @lamentis/naome
-cd /path/to/repo
-naome sync
-```
-
-For an initialized repository, start with:
-
-```shell
-naome status
-naome next
-naome doctor
 ```
 
-For agent-driven work, route the user's request through the harness:
-
-```shell
-naome route --prompt-file /path/to/prompt.txt --execute --json
-```
-
-Prompt files should start with a fenced `naome-prompt-envelope-v1` JSON
-envelope that normalizes the raw user text into canonical routing fields. A raw
-natural-language prompt routes to a non-mutating normalization decision instead
-of becoming a task by keyword inference.
-
-## Why NAOME?
-
-- Keeps agents inside explicit task scope.
-- Blocks unowned diffs before new work starts.
-- Separates current task work from repository cleanup debt.
-- Runs changed-code quality gates without forcing legacy repositories to be
-  perfect on day one.
-- Records verification proof before a task can be treated as complete.
-- Keeps sync fast by making baseline and deep quality scans explicit.
-
-## Safety Model
-
-NAOME is repository-local. The files under `.naome/`, `.naomeignore`, and
-`docs/naome/` define the local harness contract for a repository.
-
-The harness enforces read boundaries, task admission, scope drift checks,
-repository-quality policy, verification phases, and commit gates. Existing debt
-is reportable through cleanup flows, while changed files are held to the active
-policy.
-
-## CLI Reference
-
-Common commands:
+Sync NAOME into your repository:
 
 ```shell
+cd /path/to/your/repo
 naome sync
-naome update
-naome status
-naome next
-naome doctor
-naome route --prompt-file /path/to/prompt.txt --execute --json
-naome quality init
-naome quality init --baseline
-naome quality report
-naome quality report --deep
-naome quality check --changed
-naome semantic check --changed
-naome arch validate --changed-only
-naome task render-state --write --json
-naome commit -m "type(scope): summary"
 ```
 
-Architecture fitness builds a language-agnostic graph, extracts direct imports
-for TypeScript, JavaScript, Rust, Python, and Go, and can enforce configured
-layer dependency rules such as keeping domain code independent from
-infrastructure adapters.
-
-`naome sync` installs or repairs the local harness files. It does not run a
-hidden full-repository quality scan. It also migrates any active legacy
-task-state into the local task ledger automatically and untracks local
-`.naome/tasks/` runtime folders from Git. If quality policy is newly seeded,
-run `naome quality init --baseline` deliberately; use `--deep` or
-`--deep-baseline` only when you want expensive repository-wide checks.
-
-## Repository Docs
-
-After sync, NAOME writes the agent-facing workflow into `docs/naome/`:
-
-- `docs/naome/index.md` is the entry point.
-- `docs/naome/agent-workflow.md` explains the active task workflow.
-- `docs/naome/testing.md` maps change types to required checks.
-- `docs/naome/repository-quality.md` explains quality, structure, and cleanup
-  policy.
-- `docs/naome/architecture-fitness.md` explains architecture graph validation
-  and agent feedback.
-
-Agents should follow the repository's NAOME docs instead of guessing workflow
-rules from generic project files.
+Open the repository in Codex and give the agent a normal task:
 
-## Configuration
-
-The main local policy files are:
-
-- `.naomeignore` for read boundaries.
-- `.naome/verification.json` for check phases and proof requirements.
-- `.naome/repository-quality.json` for file, symbol, duplicate, and semantic
-  quality policy.
-- `.naome/repository-structure.json` for path role, module, and directory
-  structure policy.
-- `naome.arch.yaml` for language-agnostic architecture fitness rules.
-- `.naome/task-state.json` for the compact committed active task projection.
-
-Product defaults stay generic. Repository-specific policy belongs in the local
-`.naome/` config files.
-
-## Development
-
-Useful checks for this repository:
-
-```shell
-npm run build:rust
-npm run test:decision-engine
-npm run test:naome-installer
-npm run pack:dry-run
-node .naome/bin/naome.js quality check --changed --json
-node .naome/bin/naome.js semantic check --changed --json
-node .naome/bin/naome.js arch validate --changed-only --json
-git diff --check
+```text
+Use NAOME in this repository and implement the next change.
 ```
 
+That is the product flow. You do not need to learn NAOME commands, route
+prompts, select context, or manage task state. Codex follows the repository
+harness, and NAOME supplies the deterministic checks, boundaries, task memory,
+and verification flow behind the scenes.
+
 ## License
 
 NAOME is licensed under the [Apache License 2.0](../../LICENSE).

package/crates/naome-cli/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "naome-cli"
-version = "1.4.0"
+version = "1.4.2"
 edition.workspace = true
 license.workspace = true
 repository.workspace = true

package/crates/naome-cli/src/main.rs

@@ -37,6 +37,19 @@ const HELP: &str = r#"Usage:
   naome sync [--package-root <path>] [--installer-js <path>]
   naome install-plan [--harness-version <version>]
   naome seed-verification
+  naome task status [--json] [--exit-code] [--agent-session <id>]
+  naome task proof-plan [--json] [--exit-code] [--agent-session <id>]
+  naome task can-edit --path <path> --json [--agent-session <id>]
+  naome task run-check --check <check-id> [--record-proof] --json [--agent-session <id>]
+  naome task loop [--execute-safe] --json [--agent-session <id>]
+  naome task can-transition --to complete [--json] [--agent-session <id>]
+  naome task can-commit --json
+  naome task complete --from-can-transition --json [--agent-session <id>]
+  naome task repair --plan <id> (--dry-run|--execute-safe) --json [--agent-session <id>]
+  naome task record-proof --from-proof-plan [--dry-run] --json [--agent-session <id>]
+  naome task request-scope --path <path> --reason <reason> --json
+  naome task timeline --json
+  naome task loop-snapshot --json
   naome task render-state [--write] [--json]
   naome task migrate-ledger [--write] [--json]
   naome refresh-integrity [--root <path>] [--json]

package/crates/naome-cli/src/task_commands/can_edit.rs

@@ -0,0 +1,116 @@
+use std::path::Path;
+
+use naome_core::{naomeignore_patterns, path_matches_any, task_status_report};
+use serde_json::json;
+
+use super::common::{agent_session, print_json_with_session, value_after};
+
+pub(super) fn can_edit(root: &Path, args: &[String]) -> Result<(), Box<dyn std::error::Error>> {
+    let session = agent_session(args)?;
+    let Some(raw_path) = value_after(args, "--path") else {
+        return Err("naome task can-edit requires --path <path>".into());
+    };
+    let (path, path_error) = normalize_requested_path(raw_path);
+    let mut findings = Vec::new();
+    if let Some(message) = path_error {
+        findings.push(finding("task.edit.unsafe_path", &message, raw_path));
+    } else if is_ignored(root, &path) {
+        findings.push(finding(
+            "task.edit.ignored_path",
+            "Path is ignored by .naomeignore and is outside the active harness context.",
+            &path,
+        ));
+    } else if is_control_path(&path) {
+        findings.push(finding(
+            "task.edit.control_path",
+            "NAOME control files cannot be edited through the autonomous can-edit path.",
+            &path,
+        ));
+    } else {
+        let status = task_status_report(root)?;
+        if status.task_id.is_none()
+            || matches!(
+                status.state.as_str(),
+                "idle" | "missing" | "complete" | "blocked" | "needs_human_review"
+            )
+        {
+            findings.push(finding(
+                "task.edit.no_active_task",
+                "No editable active task is available for this path.",
+                &path,
+            ));
+        } else if !path_matches_any(&path, &status.scope.allowed_paths) {
+            findings.push(finding(
+                "task.edit.out_of_scope",
+                "Path is outside activeTask.allowedPaths.",
+                &path,
+            ));
+        }
+    }
+
+    let allowed = findings.is_empty();
+    print_json_with_session(
+        json!({
+            "schema": "naome.task.can-edit.v1",
+            "path": path,
+            "allowed": allowed,
+            "reason": if allowed { "Path is inside active task scope." } else { "Path is not safe to edit for the active task." },
+            "findings": findings,
+            "agentInstruction": if allowed { "Agent may edit this path and must rerun task loop before completion." } else { "Do not edit this path unless task scope is explicitly revised." }
+        }),
+        session.as_deref(),
+    )
+}
+
+fn normalize_requested_path(raw_path: &str) -> (String, Option<String>) {
+    if raw_path.contains('\\') {
+        return (
+            raw_path.to_string(),
+            Some("Backslash path separators are not allowed.".to_string()),
+        );
+    }
+    let path = Path::new(raw_path);
+    if path.is_absolute() {
+        return (
+            raw_path.to_string(),
+            Some("Absolute paths are not allowed.".to_string()),
+        );
+    }
+    if raw_path.split('/').any(|part| part == "..") {
+        return (
+            raw_path.to_string(),
+            Some("Parent traversal is not allowed.".to_string()),
+        );
+    }
+    let normalized = raw_path
+        .split('/')
+        .filter(|part| !part.is_empty() && *part != ".")
+        .collect::<Vec<_>>()
+        .join("/");
+    if normalized.is_empty() {
+        return (
+            raw_path.to_string(),
+            Some("Path must not be empty.".to_string()),
+        );
+    }
+    (normalized, None)
+}
+
+fn is_control_path(path: &str) -> bool {
+    path == ".naome" || path.starts_with(".naome/") || path == ".naomeignore"
+}
+
+fn is_ignored(root: &Path, path: &str) -> bool {
+    path_matches_any(path, &naomeignore_patterns(root))
+}
+
+fn finding(id: &str, message: &str, path: &str) -> serde_json::Value {
+    json!({
+        "id": id,
+        "severity": "error",
+        "message": message,
+        "path": path,
+        "suggestedFix": "Use task request-scope for legitimate scope changes or choose an allowed path.",
+        "agentInstruction": "Do not edit this path in the current task."
+    })
+}

package/crates/naome-cli/src/task_commands/check_run/output.rs

@@ -0,0 +1,34 @@
+use serde_json::{json, Value};
+
+pub(super) fn run_check_response(
+    check_id: &str,
+    executed: bool,
+    exit_code: Option<i32>,
+    recorded_proof: bool,
+    findings: Vec<Value>,
+    instruction: &str,
+    session: Option<&str>,
+) -> Value {
+    json!({
+        "schema": "naome.task.run-check.v1",
+        "checkId": check_id,
+        "executed": executed,
+        "exitCode": exit_code,
+        "recordedProof": recorded_proof,
+        "summary": instruction,
+        "findings": findings,
+        "agentInstruction": instruction,
+        "agentSession": session
+    })
+}
+
+pub(super) fn finding(id: &str, message: impl Into<String>) -> Value {
+    json!({
+        "id": id,
+        "severity": "error",
+        "message": message.into(),
+        "path": null,
+        "suggestedFix": "Use task proof-plan and declared safe checks before recording proof.",
+        "agentInstruction": "Do not record proof for failed, unknown, or unsafe checks."
+    })
+}

package/crates/naome-cli/src/task_commands/check_run/receipts.rs

@@ -0,0 +1,155 @@
+use std::fs;
+use std::path::{Path, PathBuf};
+use std::process::Command;
+
+use naome_core::task_evidence_fingerprint;
+use serde_json::{json, Value};
+
+const RECEIPTS_PATH: &str = "naome-task-check-runs.json";
+
+#[derive(Debug, Clone)]
+pub(in crate::task_commands) struct CheckRunReceipt {
+    pub(in crate::task_commands) check_id: String,
+    pub(in crate::task_commands) command: String,
+    pub(in crate::task_commands) cwd: String,
+    pub(in crate::task_commands) exit_code: i32,
+    pub(in crate::task_commands) checked_at: String,
+    pub(in crate::task_commands) evidence_paths: Vec<String>,
+    pub(in crate::task_commands) evidence_fingerprint: String,
+    pub(in crate::task_commands) stdout_summary: String,
+    pub(in crate::task_commands) stderr_summary: String,
+    pub(in crate::task_commands) duration_ms: u128,
+    pub(in crate::task_commands) agent_session: Option<String>,
+}
+
+pub(in crate::task_commands) fn successful_receipts(
+    root: &Path,
+) -> Result<Vec<CheckRunReceipt>, Box<dyn std::error::Error>> {
+    let path = receipt_path(root)?;
+    let Ok(content) = fs::read_to_string(path) else {
+        return Ok(Vec::new());
+    };
+    let value: Value = serde_json::from_str(&content)?;
+    Ok(value
+        .as_array()
+        .into_iter()
+        .flatten()
+        .filter_map(receipt_from_value)
+        .filter(|receipt| receipt.exit_code == 0)
+        .collect())
+}
+
+pub(super) fn append_receipt(
+    root: &Path,
+    receipt: &CheckRunReceipt,
+) -> Result<(), Box<dyn std::error::Error>> {
+    let path = receipt_path(root)?;
+    if let Some(parent) = path.parent() {
+        fs::create_dir_all(parent)?;
+    }
+    let mut receipts = if path.exists() {
+        serde_json::from_str::<Value>(&fs::read_to_string(&path)?)?
+            .as_array()
+            .cloned()
+            .unwrap_or_default()
+    } else {
+        Vec::new()
+    };
+    receipts.push(receipt_to_value(receipt));
+    fs::write(
+        path,
+        format!("{}\n", serde_json::to_string_pretty(&receipts)?),
+    )?;
+    Ok(())
+}
+
+pub(super) fn changed_paths(root: &Path) -> Result<Vec<String>, Box<dyn std::error::Error>> {
+    let output = Command::new("git")
+        .args(["status", "--porcelain=v1"])
+        .current_dir(root)
+        .output()?;
+    if !output.status.success() {
+        return Ok(Vec::new());
+    }
+    let mut paths = String::from_utf8_lossy(&output.stdout)
+        .lines()
+        .filter_map(|line| line.get(3..))
+        .map(|line| line.split(" -> ").last().unwrap_or(line).to_string())
+        .collect::<Vec<_>>();
+    paths.sort();
+    Ok(paths)
+}
+
+fn receipt_path(root: &Path) -> Result<PathBuf, Box<dyn std::error::Error>> {
+    let output = Command::new("git")
+        .args(["rev-parse", "--git-path", RECEIPTS_PATH])
+        .current_dir(root)
+        .output()?;
+    if output.status.success() {
+        let path = String::from_utf8_lossy(&output.stdout).trim().to_string();
+        if !path.is_empty() {
+            return Ok(root.join(path));
+        }
+    }
+    Ok(root.join(".git").join(RECEIPTS_PATH))
+}
+
+fn receipt_to_value(receipt: &CheckRunReceipt) -> Value {
+    json!({
+        "checkId": receipt.check_id,
+        "command": receipt.command,
+        "cwd": receipt.cwd,
+        "exitCode": receipt.exit_code,
+        "checkedAt": receipt.checked_at,
+        "evidencePaths": receipt.evidence_paths,
+        "evidenceFingerprint": receipt.evidence_fingerprint,
+        "stdoutSummary": receipt.stdout_summary,
+        "stderrSummary": receipt.stderr_summary,
+        "durationMs": receipt.duration_ms,
+        "agentSession": receipt.agent_session
+    })
+}
+
+fn receipt_from_value(value: &Value) -> Option<CheckRunReceipt> {
+    Some(CheckRunReceipt {
+        check_id: value.get("checkId")?.as_str()?.to_string(),
+        command: value.get("command")?.as_str()?.to_string(),
+        cwd: value.get("cwd")?.as_str()?.to_string(),
+        exit_code: value.get("exitCode")?.as_i64()? as i32,
+        checked_at: value.get("checkedAt")?.as_str()?.to_string(),
+        evidence_paths: value
+            .get("evidencePaths")?
+            .as_array()?
+            .iter()
+            .filter_map(Value::as_str)
+            .map(ToString::to_string)
+            .collect(),
+        evidence_fingerprint: value
+            .get("evidenceFingerprint")
+            .and_then(Value::as_str)
+            .unwrap_or("")
+            .to_string(),
+        stdout_summary: value
+            .get("stdoutSummary")
+            .and_then(Value::as_str)
+            .unwrap_or("")
+            .to_string(),
+        stderr_summary: value
+            .get("stderrSummary")
+            .and_then(Value::as_str)
+            .unwrap_or("")
+            .to_string(),
+        duration_ms: value.get("durationMs").and_then(Value::as_u64).unwrap_or(0) as u128,
+        agent_session: value
+            .get("agentSession")
+            .and_then(Value::as_str)
+            .map(ToString::to_string),
+    })
+}
+
+pub(in crate::task_commands) fn evidence_fingerprint(
+    root: &Path,
+    paths: &[String],
+) -> Result<String, Box<dyn std::error::Error>> {
+    Ok(task_evidence_fingerprint(root, paths)?)
+}

package/crates/naome-cli/src/task_commands/check_run/verification.rs

@@ -0,0 +1,165 @@
+use std::fs;
+use std::path::Path;
+use std::process::Command;
+
+use serde_json::Value;
+
+#[derive(Debug, Clone)]
+pub(in crate::task_commands) struct VerificationCheck {
+    pub(in crate::task_commands) id: String,
+    pub(in crate::task_commands) command: String,
+    pub(in crate::task_commands) cwd: String,
+}
+
+#[derive(Debug, Clone)]
+pub(super) struct SafeCommand {
+    pub(super) program: String,
+    pub(super) args: Vec<String>,
+}
+
+pub(in crate::task_commands) fn read_verification_check(
+    root: &Path,
+    check_id: &str,
+) -> Result<Option<VerificationCheck>, Box<dyn std::error::Error>> {
+    let content = fs::read_to_string(root.join(".naome/verification.json"))?;
+    let verification: Value = serde_json::from_str(&content)?;
+    Ok(verification
+        .get("checks")
+        .and_then(Value::as_array)
+        .into_iter()
+        .flatten()
+        .find(|check| check.get("id").and_then(Value::as_str) == Some(check_id))
+        .and_then(|check| {
+            Some(VerificationCheck {
+                id: check.get("id")?.as_str()?.to_string(),
+                command: check.get("command")?.as_str()?.to_string(),
+                cwd: check.get("cwd")?.as_str()?.to_string(),
+            })
+        }))
+}
+
+pub(super) fn safe_command(
+    root: &Path,
+    check: &VerificationCheck,
+) -> Result<Option<SafeCommand>, Box<dyn std::error::Error>> {
+    if check.cwd != "." {
+        return Ok(None);
+    }
+    let changed_paths = changed_paths(root)?;
+    match check.command.as_str() {
+        "git diff --check" => Ok(Some(command("git", &["diff", "--check"]))),
+        "node .naome/bin/check-harness-health.js" => Ok(Some(naome_command(
+            root,
+            &["check-harness-health", "--root"],
+        )?)),
+        "node .naome/bin/check-task-state.js" => {
+            Ok(Some(naome_command(root, &["check-task-state", "--root"])?))
+        }
+        "node .naome/bin/naome.js quality check --changed" => Ok(Some(naome_command(
+            root,
+            &["quality", "check", "--changed"],
+        )?)),
+        "node .naome/bin/naome.js semantic check --changed" => Ok(Some(naome_command(
+            root,
+            &["semantic", "check", "--changed"],
+        )?)),
+        "node .naome/bin/naome.js arch validate --changed-only" => Ok(Some(naome_command(
+            root,
+            &["arch", "validate", "--changed-only"],
+        )?)),
+        "npm run check:task-state" => trusted_npm_script(
+            root,
+            &changed_paths,
+            "check:task-state",
+            "node scripts/check-task-state.js",
+        ),
+        "npm run test:task-state" => trusted_npm_script(
+            root,
+            &changed_paths,
+            "test:task-state",
+            "node --test scripts/check-task-state.test.js",
+        ),
+        "npm run test:decision-engine" => trusted_npm_script(
+            root,
+            &changed_paths,
+            "test:decision-engine",
+            "cargo test --manifest-path packages/naome/Cargo.toml -p naome-core",
+        ),
+        _ => Ok(None),
+    }
+}
+
+fn command(program: &str, args: &[&str]) -> SafeCommand {
+    SafeCommand {
+        program: program.to_string(),
+        args: args.iter().map(|arg| (*arg).to_string()).collect(),
+    }
+}
+
+fn naome_command(root: &Path, args: &[&str]) -> Result<SafeCommand, Box<dyn std::error::Error>> {
+    let mut owned_args = args
+        .iter()
+        .map(|arg| (*arg).to_string())
+        .collect::<Vec<_>>();
+    if args.last() == Some(&"--root") {
+        owned_args.push(root.to_string_lossy().to_string());
+    }
+    Ok(SafeCommand {
+        program: std::env::current_exe()?.to_string_lossy().to_string(),
+        args: owned_args,
+    })
+}
+
+fn trusted_npm_script(
+    root: &Path,
+    changed_paths: &[String],
+    script: &str,
+    expected: &str,
+) -> Result<Option<SafeCommand>, Box<dyn std::error::Error>> {
+    if changed_paths
+        .iter()
+        .any(|path| path == "package.json" || path == "packages/naome/package.json")
+    {
+        return Ok(None);
+    }
+
+    let package_json = root.join("package.json");
+    let Ok(content) = fs::read_to_string(package_json) else {
+        return Ok(None);
+    };
+    let package: Value = serde_json::from_str(&content)?;
+    let actual = package
+        .get("scripts")
+        .and_then(Value::as_object)
+        .and_then(|scripts| scripts.get(script))
+        .and_then(Value::as_str);
+    if actual != Some(expected) {
+        return Ok(None);
+    }
+
+    Ok(Some(command("npm", &["run", script])))
+}
+
+fn changed_paths(root: &Path) -> Result<Vec<String>, Box<dyn std::error::Error>> {
+    let output = Command::new("git")
+        .args(["status", "--porcelain=v1", "-z", "--untracked-files=all"])
+        .current_dir(root)
+        .output()?;
+    if !output.status.success() {
+        return Ok(Vec::new());
+    }
+
+    let mut paths = Vec::new();
+    for entry in output.stdout.split(|byte| *byte == 0) {
+        if entry.len() < 4 {
+            continue;
+        }
+        let path = String::from_utf8_lossy(&entry[3..]).replace('\\', "/");
+        if !path.is_empty() {
+            paths.push(path);
+        }
+    }
+    paths.sort();
+    paths.dedup();
+    Ok(paths)
+}