@lamentis/naome 1.4.0 → 1.4.2

package/crates/naome-cli/src/task_commands/check_run.rs

@@ -0,0 +1,192 @@
+use std::path::Path;
+use std::process::Command;
+use std::time::Instant;
+
+use naome_core::task_status_report;
+use serde_json::{json, Value};
+
+mod output;
+mod receipts;
+mod verification;
+
+pub(super) use receipts::{evidence_fingerprint, successful_receipts, CheckRunReceipt};
+pub(super) use verification::read_verification_check;
+
+use super::common::{agent_session, print_json_with_session, value_after};
+use output::{finding, run_check_response};
+use receipts::{append_receipt, changed_paths};
+use verification::safe_command;
+
+pub(super) fn run_check_command(
+    root: &Path,
+    args: &[String],
+) -> Result<(), Box<dyn std::error::Error>> {
+    let session = agent_session(args)?;
+    let Some(check_id) = value_after(args, "--check") else {
+        return Err("naome task run-check requires --check <check-id>".into());
+    };
+    let record = args.iter().any(|arg| arg == "--record-proof");
+    let result = run_check_by_id(root, check_id, record, session.as_deref())?;
+    print_json_with_session(result, session.as_deref())
+}
+
+pub(super) fn run_check_by_id(
+    root: &Path,
+    check_id: &str,
+    record: bool,
+    session: Option<&str>,
+) -> Result<Value, Box<dyn std::error::Error>> {
+    let Some(check) = read_verification_check(root, check_id)? else {
+        return Ok(rejected_check(
+            check_id,
+            "task.check.unknown",
+            format!("Unknown verification check id: {check_id}."),
+            "Check id is not declared in .naome/verification.json.",
+            session,
+        ));
+    };
+    let Some(command) = safe_command(root, &check)? else {
+        return Ok(rejected_check(
+            check_id,
+            "task.check.unsafe_command",
+            format!("Check {check_id} is not in the autonomous safe command allowlist."),
+            "NAOME refused to execute this check automatically.",
+            session,
+        ));
+    };
+
+    let before = changed_paths(root)?;
+    let start = Instant::now();
+    let output = Command::new(&command.program)
+        .args(&command.args)
+        .current_dir(root.join(&check.cwd))
+        .output()?;
+    let mut stdout = output.stdout;
+    let mut stderr = output.stderr;
+    let mut exit_code = output.status.code().unwrap_or(1);
+    if check.command == "git diff --check" {
+        let cached = Command::new("git")
+            .args(["diff", "--cached", "--check"])
+            .current_dir(root.join(&check.cwd))
+            .output()?;
+        if !stdout.is_empty() && !cached.stdout.is_empty() {
+            stdout.push(b'\n');
+        }
+        stdout.extend(cached.stdout);
+        if !stderr.is_empty() && !cached.stderr.is_empty() {
+            stderr.push(b'\n');
+        }
+        stderr.extend(cached.stderr);
+        if !cached.status.success() {
+            exit_code = cached.status.code().unwrap_or(1);
+        }
+    }
+    let duration_ms = start.elapsed().as_millis();
+    let after = changed_paths(root)?;
+    let evidence_paths = task_status_report(root)?.scope.in_scope_changed_paths;
+    let receipt = CheckRunReceipt {
+        check_id: check.id.clone(),
+        command: check.command.clone(),
+        cwd: check.cwd.clone(),
+        exit_code,
+        checked_at: checked_at(),
+        evidence_fingerprint: evidence_fingerprint(root, &evidence_paths)?,
+        evidence_paths,
+        stdout_summary: bounded_summary(&stdout),
+        stderr_summary: bounded_summary(&stderr),
+        duration_ms,
+        agent_session: session.map(ToString::to_string),
+    };
+    append_receipt(root, &receipt)?;
+
+    let (recorded_proof, findings) =
+        maybe_record_proof(root, record, exit_code, &check.id, session)?;
+    let mut response = run_check_response(
+        check_id,
+        true,
+        Some(exit_code),
+        recorded_proof,
+        findings,
+        if exit_code == 0 {
+            "Check executed successfully."
+        } else {
+            "Check executed and failed; inspect summaries before continuing."
+        },
+        session,
+    );
+    response["command"] = json!(check.command);
+    response["cwd"] = json!(check.cwd);
+    response["durationMs"] = json!(duration_ms);
+    response["changedPathsBefore"] = json!(before);
+    response["changedPathsAfter"] = json!(after);
+    response["stdoutSummary"] = json!(bounded_summary(&stdout));
+    response["stderrSummary"] = json!(bounded_summary(&stderr));
+    Ok(response)
+}
+
+fn maybe_record_proof(
+    root: &Path,
+    record: bool,
+    exit_code: i32,
+    check_id: &str,
+    session: Option<&str>,
+) -> Result<(bool, Vec<Value>), Box<dyn std::error::Error>> {
+    let mut findings = Vec::new();
+    if !record {
+        return Ok((false, findings));
+    }
+    if exit_code != 0 {
+        findings.push(finding(
+            "task.check.failed",
+            "Check did not exit 0; proof was not recorded.",
+        ));
+        return Ok((false, findings));
+    }
+
+    let status = task_status_report(root)?;
+    if !status.scope.out_of_scope_changed_paths.is_empty() {
+        findings.push(finding(
+            "task.scope.out_of_scope_change",
+            "Changed paths are outside task scope; proof was not recorded.",
+        ));
+        return Ok((false, findings));
+    }
+
+    let recorded = super::record::record_receipts_for_checks(
+        root,
+        &[check_id.to_string()],
+        &status.scope.in_scope_changed_paths,
+        session,
+    )?;
+    Ok((recorded, findings))
+}
+
+fn rejected_check(
+    check_id: &str,
+    finding_id: &str,
+    message: String,
+    instruction: &str,
+    session: Option<&str>,
+) -> Value {
+    run_check_response(
+        check_id,
+        false,
+        None,
+        false,
+        vec![finding(finding_id, message)],
+        instruction,
+        session,
+    )
+}
+
+fn bounded_summary(bytes: &[u8]) -> String {
+    String::from_utf8_lossy(bytes)
+        .lines()
+        .take(8)
+        .collect::<Vec<_>>()
+        .join("\n")
+}
+
+fn checked_at() -> String {
+    "1970-01-01T00:00:00.000Z".to_string()
+}

package/crates/naome-cli/src/task_commands/common.rs

@@ -0,0 +1,70 @@
+use std::fs;
+use std::path::Path;
+
+use serde_json::{json, Value};
+
+pub(super) fn read_task_state(root: &Path) -> Result<Value, Box<dyn std::error::Error>> {
+    Ok(serde_json::from_str(&fs::read_to_string(
+        root.join(".naome/task-state.json"),
+    )?)?)
+}
+
+pub(super) fn write_task_state(
+    root: &Path,
+    state: &Value,
+) -> Result<(), Box<dyn std::error::Error>> {
+    fs::write(
+        root.join(".naome/task-state.json"),
+        format!("{}\n", serde_json::to_string_pretty(state)?),
+    )?;
+    Ok(())
+}
+
+pub(super) fn print_json(value: Value) -> Result<(), Box<dyn std::error::Error>> {
+    println!("{}", serde_json::to_string_pretty(&value)?);
+    Ok(())
+}
+
+pub(super) fn print_json_with_session(
+    mut value: Value,
+    session: Option<&str>,
+) -> Result<(), Box<dyn std::error::Error>> {
+    value["agentSession"] = session.map_or(Value::Null, |session| json!(session));
+    print_json(value)
+}
+
+pub(super) fn value_after<'a>(args: &'a [String], flag: &str) -> Option<&'a str> {
+    args.windows(2)
+        .find(|window| window[0] == flag)
+        .map(|window| window[1].as_str())
+}
+
+pub(super) fn repeated_values(args: &[String], flag: &str) -> Vec<String> {
+    let mut values = args
+        .windows(2)
+        .filter(|window| window[0] == flag)
+        .map(|window| window[1].clone())
+        .collect::<Vec<_>>();
+    values.sort();
+    values.dedup();
+    values
+}
+
+pub(super) fn agent_session(args: &[String]) -> Result<Option<String>, Box<dyn std::error::Error>> {
+    let Some(value) = value_after(args, "--agent-session") else {
+        return Ok(None);
+    };
+    if value.is_empty()
+        || value.len() > 80
+        || value.contains('/')
+        || value.contains('\\')
+        || !value.is_ascii()
+        || value.chars().any(|character| character.is_control())
+    {
+        return Err(
+            "invalid --agent-session; expected ASCII id up to 80 chars without path separators"
+                .into(),
+        );
+    }
+    Ok(Some(value.to_string()))
+}

package/crates/naome-cli/src/task_commands/complete.rs

@@ -0,0 +1,43 @@
+use std::path::Path;
+
+use naome_core::task_transition_readiness;
+use serde_json::json;
+
+use super::common::{agent_session, print_json_with_session, read_task_state, write_task_state};
+
+pub(super) fn complete_task(
+    root: &Path,
+    args: &[String],
+) -> Result<(), Box<dyn std::error::Error>> {
+    if !args.iter().any(|arg| arg == "--from-can-transition") {
+        return Err("naome task complete requires --from-can-transition".into());
+    }
+    let session = agent_session(args)?;
+    let readiness = task_transition_readiness(root, "complete")?;
+    if !readiness.allowed {
+        return print_json_with_session(
+            json!({
+                "schema": "naome.task.complete.v1",
+                "completed": false,
+                "blockingFindings": readiness.blocking_findings,
+                "agentLoop": readiness.agent_loop,
+                "agentInstruction": "Do not complete the task until can-transition allows completion."
+            }),
+            session.as_deref(),
+        );
+    }
+    let mut state = read_task_state(root)?;
+    state["status"] = json!("complete");
+    state["updatedAt"] = json!("1970-01-01T00:00:00.000Z");
+    write_task_state(root, &state)?;
+    print_json_with_session(
+        json!({
+            "schema": "naome.task.complete.v1",
+            "completed": true,
+            "blockingFindings": [],
+            "agentLoop": readiness.agent_loop,
+            "agentInstruction": "Task completed through guarded can-transition readiness."
+        }),
+        session.as_deref(),
+    )
+}

package/crates/naome-cli/src/task_commands/loop_control.rs

@@ -0,0 +1,55 @@
+use std::path::Path;
+
+use naome_core::{task_proof_plan, task_status_report, task_transition_readiness};
+use serde_json::json;
+
+use super::common::{agent_session, print_json_with_session};
+
+pub(super) fn task_loop(root: &Path, args: &[String]) -> Result<(), Box<dyn std::error::Error>> {
+    let session = agent_session(args)?;
+    let execute_safe = args.iter().any(|arg| arg == "--execute-safe");
+    let mut executed_steps = Vec::new();
+
+    if execute_safe {
+        let plan = task_proof_plan(root)?;
+        for item in plan
+            .repair_plan
+            .iter()
+            .filter(|item| item.kind == "rerun_check" && item.safe_to_execute)
+        {
+            if let Some(check_id) = item.check_ids.first() {
+                executed_steps.push(super::check_run::run_check_by_id(
+                    root,
+                    check_id,
+                    true,
+                    session.as_deref(),
+                )?);
+            }
+        }
+    }
+
+    let status = task_status_report(root)?;
+    let proof_plan = task_proof_plan(root)?;
+    let transition = task_transition_readiness(root, "complete")?;
+    let can_commit = json!({
+        "schema": "naome.task.commit-readiness.v1",
+        "allowed": transition.allowed && status.agent_loop.can_commit,
+        "commitPaths": status.scope.in_scope_changed_paths,
+        "blockingFindings": transition.blocking_findings,
+        "agentLoop": status.agent_loop
+    });
+    print_json_with_session(
+        json!({
+            "schema": "naome.task.loop.v1",
+            "mode": if execute_safe { "execute_safe" } else { "read_only" },
+            "status": status,
+            "proofPlan": proof_plan,
+            "canTransition": transition,
+            "canCommit": can_commit,
+            "executedSteps": executed_steps,
+            "nextAction": status.next_action_v2,
+            "agentInstruction": if execute_safe { "Executed only safe check/proof steps; no edits, git recovery, commit, push, or PR actions were performed." } else { "Read-only loop report; execute only safe plans explicitly marked safe." }
+        }),
+        session.as_deref(),
+    )
+}

package/crates/naome-cli/src/task_commands/readiness.rs

@@ -0,0 +1,44 @@
+use std::collections::BTreeSet;
+use std::path::Path;
+
+use naome_core::{task_status_report, task_transition_readiness};
+use serde_json::json;
+
+use super::common::{agent_session, print_json_with_session};
+
+pub(super) fn can_commit(root: &Path, args: &[String]) -> Result<(), Box<dyn std::error::Error>> {
+    let session = agent_session(args)?;
+    let status = task_status_report(root)?;
+    let transition = task_transition_readiness(root, "complete")?;
+    let required = commit_requirements(&status, &transition.blocking_findings);
+    print_json_with_session(
+        json!({
+            "schema": "naome.task.commit-readiness.v1",
+            "allowed": transition.allowed && status.agent_loop.can_commit && required.is_empty(),
+            "commitPaths": status.scope.in_scope_changed_paths,
+            "blockingFindings": transition.blocking_findings,
+            "requiredBeforeCommit": required,
+            "agentLoop": status.agent_loop
+        }),
+        session.as_deref(),
+    )
+}
+
+fn commit_requirements(
+    status: &naome_core::TaskStatusReportV1,
+    blockers: &[naome_core::TaskStatusFinding],
+) -> Vec<String> {
+    let mut requirements = BTreeSet::new();
+    for check in status
+        .proof
+        .missing_checks
+        .iter()
+        .chain(status.proof.stale_checks.iter())
+    {
+        requirements.insert(format!("Run and record required check: {check}."));
+    }
+    for finding in blockers {
+        requirements.insert(finding.suggested_fix.clone());
+    }
+    requirements.into_iter().collect()
+}

package/crates/naome-cli/src/task_commands/record.rs

@@ -0,0 +1,236 @@
+use std::path::Path;
+
+use naome_core::task_proof_plan;
+use serde_json::{json, Value};
+
+use super::check_run::{evidence_fingerprint, successful_receipts, CheckRunReceipt};
+use super::common::{agent_session, print_json_with_session, read_task_state, write_task_state};
+
+pub(super) fn record_proof(root: &Path, args: &[String]) -> Result<(), Box<dyn std::error::Error>> {
+    if !args.iter().any(|arg| arg == "--from-proof-plan") {
+        return Err("naome task record-proof requires --from-proof-plan".into());
+    }
+    let session = agent_session(args)?;
+    let dry_run = args.iter().any(|arg| arg == "--dry-run");
+    print_json_with_session(
+        record_proof_payload(root, dry_run, session.as_deref())?,
+        session.as_deref(),
+    )
+}
+
+pub(super) fn record_proof_value(
+    root: &Path,
+    session: Option<&str>,
+) -> Result<Value, Box<dyn std::error::Error>> {
+    record_proof_payload(root, false, session)
+}
+
+fn record_proof_payload(
+    root: &Path,
+    dry_run: bool,
+    session: Option<&str>,
+) -> Result<Value, Box<dyn std::error::Error>> {
+    let plan = task_proof_plan(root)?;
+    let paths = plan.proof_recording.paths.clone();
+    let check_ids = plan.proof_recording.checks_to_record.clone();
+    let (can_record, findings, receipts) = recordable_receipts(root, &check_ids, &paths)?;
+    let recorded = !dry_run && can_record && !check_ids.is_empty();
+    let recorded_ids = if recorded {
+        write_proof_batch(
+            root,
+            &plan.proof_recording.path_set_id,
+            &plan.proof_recording.proof_batch_id,
+            &paths,
+            &receipts,
+        )?
+    } else {
+        RecordedProof {
+            path_set_id: plan.proof_recording.path_set_id.clone(),
+            proof_batch_id: plan.proof_recording.proof_batch_id.clone(),
+        }
+    };
+    Ok(json!({
+            "schema": "naome.task.record-proof.v1",
+            "dryRun": dry_run,
+            "recorded": recorded,
+            "pathSetId": recorded_ids.path_set_id,
+            "paths": paths,
+            "proofBatchId": recorded_ids.proof_batch_id,
+            "checksRecorded": if recorded || dry_run && can_record { check_ids } else { Vec::<String>::new() },
+            "findings": findings,
+            "agentInstruction": if recorded { "Proof recorded from recent successful safe check evidence." } else { "Run task run-check --record-proof or task loop --execute-safe before recording proof." },
+            "agentSession": session
+    }))
+}
+
+struct RecordedProof {
+    path_set_id: String,
+    proof_batch_id: String,
+}
+
+pub(super) fn record_receipts_for_checks(
+    root: &Path,
+    check_ids: &[String],
+    paths: &[String],
+    session: Option<&str>,
+) -> Result<bool, Box<dyn std::error::Error>> {
+    let (can_record, _findings, receipts) = recordable_receipts(root, check_ids, paths)?;
+    if !can_record || receipts.is_empty() {
+        return Ok(false);
+    }
+    let task_id = read_task_state(root)?
+        .get("activeTask")
+        .and_then(|task| task.get("id"))
+        .and_then(Value::as_str)
+        .unwrap_or("task")
+        .to_string();
+    let batch_id = format!("{task_id}-proof");
+    let receipts = receipts
+        .into_iter()
+        .map(|mut receipt| {
+            if receipt.agent_session.is_none() {
+                receipt.agent_session = session.map(ToString::to_string);
+            }
+            receipt
+        })
+        .collect::<Vec<_>>();
+    write_proof_batch(root, "current-task-diff", &batch_id, paths, &receipts)?;
+    Ok(true)
+}
+
+fn write_proof_batch(
+    root: &Path,
+    path_set_base: &str,
+    proof_batch_base: &str,
+    paths: &[String],
+    receipts: &[CheckRunReceipt],
+) -> Result<RecordedProof, Box<dyn std::error::Error>> {
+    let mut state = read_task_state(root)?;
+    let checked_at = receipts
+        .first()
+        .map(|receipt| receipt.checked_at.clone())
+        .unwrap_or_else(|| "1970-01-01T00:00:00.000Z".to_string());
+    let active = state
+        .get_mut("activeTask")
+        .and_then(Value::as_object_mut)
+        .ok_or("task-state has no activeTask object")?;
+    let path_sets = active
+        .entry("proofPathSets")
+        .or_insert_with(|| json!({}))
+        .as_object_mut()
+        .ok_or("activeTask.proofPathSets must be an object")?;
+    let path_set_id = unique_path_set_id(path_sets, path_set_base);
+    path_sets.insert(path_set_id.clone(), json!(paths));
+    let batches = active
+        .entry("proofBatches")
+        .or_insert_with(|| json!([]))
+        .as_array_mut()
+        .ok_or("activeTask.proofBatches must be an array")?;
+    let proof_batch_id = unique_proof_batch_id(batches, proof_batch_base);
+    batches.push(proof_batch(
+        receipts,
+        &checked_at,
+        &path_set_id,
+        &proof_batch_id,
+    ));
+    write_task_state(root, &state)?;
+    Ok(RecordedProof {
+        path_set_id,
+        proof_batch_id,
+    })
+}
+
+fn proof_batch(
+    receipts: &[CheckRunReceipt],
+    checked_at: &str,
+    path_set_id: &str,
+    proof_batch_id: &str,
+) -> Value {
+    json!({
+        "id": proof_batch_id,
+        "checkedAt": checked_at,
+        "evidencePathSet": path_set_id,
+        "proofs": receipts.iter().map(|receipt| {
+            json!({
+                "checkId": receipt.check_id,
+                "command": receipt.command,
+                "cwd": receipt.cwd,
+                "exitCode": receipt.exit_code,
+                "checkedAt": receipt.checked_at,
+                "evidenceFingerprint": receipt.evidence_fingerprint,
+                "stdoutSummary": receipt.stdout_summary,
+                "stderrSummary": receipt.stderr_summary,
+                "durationMs": receipt.duration_ms,
+                "agentSession": receipt.agent_session
+            })
+        }).collect::<Vec<_>>()
+    })
+}
+
+fn recordable_receipts(
+    root: &Path,
+    check_ids: &[String],
+    paths: &[String],
+) -> Result<(bool, Vec<Value>, Vec<CheckRunReceipt>), Box<dyn std::error::Error>> {
+    let receipts = successful_receipts(root)?;
+    let current_fingerprint = evidence_fingerprint(root, paths)?;
+    let mut selected = Vec::new();
+    let mut findings = Vec::new();
+    for check_id in check_ids {
+        let expected = super::check_run::read_verification_check(root, check_id)?;
+        let receipt = receipts
+            .iter()
+            .rev()
+            .find(|receipt| {
+                receipt.check_id == *check_id
+                    && expected.as_ref().is_some_and(|check| {
+                        receipt.command == check.command && receipt.cwd == check.cwd
+                    })
+                    && paths.iter().all(|path| {
+                        receipt
+                            .evidence_paths
+                            .iter()
+                            .any(|evidence| evidence == path)
+                    })
+                    && receipt.evidence_fingerprint == current_fingerprint
+            })
+            .cloned();
+        match receipt {
+            Some(receipt) => selected.push(receipt),
+            None => findings.push(json!({
+                "id": "task.proof.no_recent_success",
+                "severity": "error",
+                "message": format!("No recent successful safe check evidence covers current task paths for {check_id}."),
+                "path": null,
+                "suggestedFix": "Run naome task run-check --check <id> --record-proof --json or naome task loop --execute-safe --json.",
+                "agentInstruction": "Do not record proof until NAOME has just executed the check successfully."
+            })),
+        }
+    }
+    Ok((findings.is_empty(), findings, selected))
+}
+
+fn unique_path_set_id(path_sets: &serde_json::Map<String, Value>, base: &str) -> String {
+    unique_id(base, |candidate| path_sets.contains_key(candidate))
+}
+
+fn unique_proof_batch_id(batches: &[Value], base: &str) -> String {
+    unique_id(base, |candidate| {
+        batches
+            .iter()
+            .any(|batch| batch.get("id").and_then(Value::as_str) == Some(candidate))
+    })
+}
+
+fn unique_id(base: &str, exists: impl Fn(&str) -> bool) -> String {
+    if !exists(base) {
+        return base.to_string();
+    }
+    for index in 2.. {
+        let candidate = format!("{base}-{index}");
+        if !exists(&candidate) {
+            return candidate;
+        }
+    }
+    unreachable!("unbounded proof id suffix search must find an available id")
+}