@lamentis/naome 1.4.1 → 1.4.3

package/crates/naome-cli/src/task_commands/check_run/verification.rs

@@ -0,0 +1,165 @@
+use std::fs;
+use std::path::Path;
+use std::process::Command;
+
+use serde_json::Value;
+
+#[derive(Debug, Clone)]
+pub(in crate::task_commands) struct VerificationCheck {
+    pub(in crate::task_commands) id: String,
+    pub(in crate::task_commands) command: String,
+    pub(in crate::task_commands) cwd: String,
+}
+
+#[derive(Debug, Clone)]
+pub(super) struct SafeCommand {
+    pub(super) program: String,
+    pub(super) args: Vec<String>,
+}
+
+pub(in crate::task_commands) fn read_verification_check(
+    root: &Path,
+    check_id: &str,
+) -> Result<Option<VerificationCheck>, Box<dyn std::error::Error>> {
+    let content = fs::read_to_string(root.join(".naome/verification.json"))?;
+    let verification: Value = serde_json::from_str(&content)?;
+    Ok(verification
+        .get("checks")
+        .and_then(Value::as_array)
+        .into_iter()
+        .flatten()
+        .find(|check| check.get("id").and_then(Value::as_str) == Some(check_id))
+        .and_then(|check| {
+            Some(VerificationCheck {
+                id: check.get("id")?.as_str()?.to_string(),
+                command: check.get("command")?.as_str()?.to_string(),
+                cwd: check.get("cwd")?.as_str()?.to_string(),
+            })
+        }))
+}
+
+pub(super) fn safe_command(
+    root: &Path,
+    check: &VerificationCheck,
+) -> Result<Option<SafeCommand>, Box<dyn std::error::Error>> {
+    if check.cwd != "." {
+        return Ok(None);
+    }
+    let changed_paths = changed_paths(root)?;
+    match check.command.as_str() {
+        "git diff --check" => Ok(Some(command("git", &["diff", "--check"]))),
+        "node .naome/bin/check-harness-health.js" => Ok(Some(naome_command(
+            root,
+            &["check-harness-health", "--root"],
+        )?)),
+        "node .naome/bin/check-task-state.js" => {
+            Ok(Some(naome_command(root, &["check-task-state", "--root"])?))
+        }
+        "node .naome/bin/naome.js quality check --changed" => Ok(Some(naome_command(
+            root,
+            &["quality", "check", "--changed"],
+        )?)),
+        "node .naome/bin/naome.js semantic check --changed" => Ok(Some(naome_command(
+            root,
+            &["semantic", "check", "--changed"],
+        )?)),
+        "node .naome/bin/naome.js arch validate --changed-only" => Ok(Some(naome_command(
+            root,
+            &["arch", "validate", "--changed-only"],
+        )?)),
+        "npm run check:task-state" => trusted_npm_script(
+            root,
+            &changed_paths,
+            "check:task-state",
+            "node scripts/check-task-state.js",
+        ),
+        "npm run test:task-state" => trusted_npm_script(
+            root,
+            &changed_paths,
+            "test:task-state",
+            "node --test scripts/check-task-state.test.js",
+        ),
+        "npm run test:decision-engine" => trusted_npm_script(
+            root,
+            &changed_paths,
+            "test:decision-engine",
+            "cargo test --manifest-path packages/naome/Cargo.toml -p naome-core",
+        ),
+        _ => Ok(None),
+    }
+}
+
+fn command(program: &str, args: &[&str]) -> SafeCommand {
+    SafeCommand {
+        program: program.to_string(),
+        args: args.iter().map(|arg| (*arg).to_string()).collect(),
+    }
+}
+
+fn naome_command(root: &Path, args: &[&str]) -> Result<SafeCommand, Box<dyn std::error::Error>> {
+    let mut owned_args = args
+        .iter()
+        .map(|arg| (*arg).to_string())
+        .collect::<Vec<_>>();
+    if args.last() == Some(&"--root") {
+        owned_args.push(root.to_string_lossy().to_string());
+    }
+    Ok(SafeCommand {
+        program: std::env::current_exe()?.to_string_lossy().to_string(),
+        args: owned_args,
+    })
+}
+
+fn trusted_npm_script(
+    root: &Path,
+    changed_paths: &[String],
+    script: &str,
+    expected: &str,
+) -> Result<Option<SafeCommand>, Box<dyn std::error::Error>> {
+    if changed_paths
+        .iter()
+        .any(|path| path == "package.json" || path == "packages/naome/package.json")
+    {
+        return Ok(None);
+    }
+
+    let package_json = root.join("package.json");
+    let Ok(content) = fs::read_to_string(package_json) else {
+        return Ok(None);
+    };
+    let package: Value = serde_json::from_str(&content)?;
+    let actual = package
+        .get("scripts")
+        .and_then(Value::as_object)
+        .and_then(|scripts| scripts.get(script))
+        .and_then(Value::as_str);
+    if actual != Some(expected) {
+        return Ok(None);
+    }
+
+    Ok(Some(command("npm", &["run", script])))
+}
+
+fn changed_paths(root: &Path) -> Result<Vec<String>, Box<dyn std::error::Error>> {
+    let output = Command::new("git")
+        .args(["status", "--porcelain=v1", "-z", "--untracked-files=all"])
+        .current_dir(root)
+        .output()?;
+    if !output.status.success() {
+        return Ok(Vec::new());
+    }
+
+    let mut paths = Vec::new();
+    for entry in output.stdout.split(|byte| *byte == 0) {
+        if entry.len() < 4 {
+            continue;
+        }
+        let path = String::from_utf8_lossy(&entry[3..]).replace('\\', "/");
+        if !path.is_empty() {
+            paths.push(path);
+        }
+    }
+    paths.sort();
+    paths.dedup();
+    Ok(paths)
+}

package/crates/naome-cli/src/task_commands/check_run.rs

@@ -0,0 +1,196 @@
+use std::path::Path;
+use std::process::Command;
+use std::time::Instant;
+
+use naome_core::task_status_report;
+use serde_json::{json, Value};
+
+mod output;
+mod receipts;
+mod verification;
+
+pub(super) use receipts::{
+    changed_paths, evidence_fingerprint, successful_receipts, CheckRunReceipt,
+};
+pub(super) use verification::read_verification_check;
+
+use super::common::{agent_session, print_json_with_session, value_after};
+use output::{finding, run_check_response};
+use receipts::append_receipt;
+use verification::safe_command;
+
+pub(super) fn run_check_command(
+    root: &Path,
+    args: &[String],
+) -> Result<(), Box<dyn std::error::Error>> {
+    let session = agent_session(args)?;
+    let Some(check_id) = value_after(args, "--check") else {
+        return Err("naome task run-check requires --check <check-id>".into());
+    };
+    let record = args.iter().any(|arg| arg == "--record-proof");
+    let result = run_check_by_id(root, check_id, record, session.as_deref())?;
+    print_json_with_session(result, session.as_deref())
+}
+
+pub(super) fn run_check_by_id(
+    root: &Path,
+    check_id: &str,
+    record: bool,
+    session: Option<&str>,
+) -> Result<Value, Box<dyn std::error::Error>> {
+    let Some(check) = read_verification_check(root, check_id)? else {
+        return Ok(rejected_check(
+            check_id,
+            "task.check.unknown",
+            format!("Unknown verification check id: {check_id}."),
+            "Check id is not declared in .naome/verification.json.",
+            session,
+        ));
+    };
+    let Some(command) = safe_command(root, &check)? else {
+        return Ok(rejected_check(
+            check_id,
+            "task.check.unsafe_command",
+            format!("Check {check_id} is not in the autonomous safe command allowlist."),
+            "NAOME refused to execute this check automatically.",
+            session,
+        ));
+    };
+
+    let before = changed_paths(root)?;
+    let start = Instant::now();
+    let output = Command::new(&command.program)
+        .args(&command.args)
+        .current_dir(root.join(&check.cwd))
+        .output()?;
+    let mut stdout = output.stdout;
+    let mut stderr = output.stderr;
+    let mut exit_code = output.status.code().unwrap_or(1);
+    if check.command == "git diff --check" {
+        let cached = Command::new("git")
+            .args(["diff", "--cached", "--check"])
+            .current_dir(root.join(&check.cwd))
+            .output()?;
+        if !stdout.is_empty() && !cached.stdout.is_empty() {
+            stdout.push(b'\n');
+        }
+        stdout.extend(cached.stdout);
+        if !stderr.is_empty() && !cached.stderr.is_empty() {
+            stderr.push(b'\n');
+        }
+        stderr.extend(cached.stderr);
+        if !cached.status.success() {
+            exit_code = cached.status.code().unwrap_or(1);
+        }
+    }
+    let duration_ms = start.elapsed().as_millis();
+    let after = changed_paths(root)?;
+    let status = task_status_report(root)?;
+    let evidence_paths = status.scope.in_scope_changed_paths;
+    let receipt = CheckRunReceipt {
+        task_id: status.task_id,
+        check_id: check.id.clone(),
+        command: check.command.clone(),
+        cwd: check.cwd.clone(),
+        exit_code,
+        checked_at: checked_at(),
+        evidence_fingerprint: evidence_fingerprint(root, &evidence_paths)?,
+        evidence_paths,
+        stdout_summary: bounded_summary(&stdout),
+        stderr_summary: bounded_summary(&stderr),
+        duration_ms,
+        agent_session: session.map(ToString::to_string),
+    };
+    append_receipt(root, &receipt)?;
+
+    let (recorded_proof, findings) =
+        maybe_record_proof(root, record, exit_code, &check.id, session)?;
+    let mut response = run_check_response(
+        check_id,
+        true,
+        Some(exit_code),
+        recorded_proof,
+        findings,
+        if exit_code == 0 {
+            "Check executed successfully."
+        } else {
+            "Check executed and failed; inspect summaries before continuing."
+        },
+        session,
+    );
+    response["command"] = json!(check.command);
+    response["cwd"] = json!(check.cwd);
+    response["durationMs"] = json!(duration_ms);
+    response["changedPathsBefore"] = json!(before);
+    response["changedPathsAfter"] = json!(after);
+    response["stdoutSummary"] = json!(bounded_summary(&stdout));
+    response["stderrSummary"] = json!(bounded_summary(&stderr));
+    Ok(response)
+}
+
+fn maybe_record_proof(
+    root: &Path,
+    record: bool,
+    exit_code: i32,
+    check_id: &str,
+    session: Option<&str>,
+) -> Result<(bool, Vec<Value>), Box<dyn std::error::Error>> {
+    let mut findings = Vec::new();
+    if !record {
+        return Ok((false, findings));
+    }
+    if exit_code != 0 {
+        findings.push(finding(
+            "task.check.failed",
+            "Check did not exit 0; proof was not recorded.",
+        ));
+        return Ok((false, findings));
+    }
+
+    let status = task_status_report(root)?;
+    if !status.scope.out_of_scope_changed_paths.is_empty() {
+        findings.push(finding(
+            "task.scope.out_of_scope_change",
+            "Changed paths are outside task scope; proof was not recorded.",
+        ));
+        return Ok((false, findings));
+    }
+
+    let recorded = super::record::record_receipts_for_checks(
+        root,
+        &[check_id.to_string()],
+        &status.scope.in_scope_changed_paths,
+        session,
+    )?;
+    Ok((recorded, findings))
+}
+
+fn rejected_check(
+    check_id: &str,
+    finding_id: &str,
+    message: String,
+    instruction: &str,
+    session: Option<&str>,
+) -> Value {
+    run_check_response(
+        check_id,
+        false,
+        None,
+        false,
+        vec![finding(finding_id, message)],
+        instruction,
+        session,
+    )
+}
+
+fn bounded_summary(bytes: &[u8]) -> String {
+    String::from_utf8_lossy(bytes)
+        .lines()
+        .take(8)
+        .collect::<Vec<_>>()
+        .join("\n")
+}
+
+fn checked_at() -> String {
+    "1970-01-01T00:00:00.000Z".to_string()
+}

package/crates/naome-cli/src/task_commands/commit_preflight.rs

@@ -0,0 +1,89 @@
+use std::path::Path;
+
+use naome_core::{task_status_exit_code, task_status_report, task_transition_readiness};
+use naome_core::{TaskStatusFinding, TaskStatusReportV1};
+use serde_json::{json, Value};
+
+use super::common::{agent_session, print_json_with_session};
+
+pub(super) fn commit_preflight(
+    root: &Path,
+    args: &[String],
+) -> Result<(), Box<dyn std::error::Error>> {
+    let session = agent_session(args)?;
+    let status = task_status_report(root)?;
+    let transition = task_transition_readiness(root, "complete")?;
+    let would_pass = transition.allowed && status.agent_loop.can_commit;
+    let blocking = if would_pass {
+        Vec::new()
+    } else if !transition.blocking_findings.is_empty() {
+        transition.blocking_findings.clone()
+    } else {
+        status.findings.clone()
+    };
+    let exit_code = commit_preflight_exit_code(would_pass, &status);
+    print_json_with_session(
+        json!({
+            "schema": "naome.task.commit-preflight.v1",
+            "wouldPass": would_pass,
+            "commitPaths": status.scope.in_scope_changed_paths,
+            "blockingFindings": blocking,
+            "nextAction": commit_preflight_next_action(would_pass, &blocking, &status)?,
+            "agentInstruction": if would_pass { "Commit gate preflight is clean; use the normal NAOME commit path." } else { "Resolve blocking findings before committing." }
+        }),
+        session.as_deref(),
+    )?;
+    if args.iter().any(|arg| arg == "--exit-code") {
+        std::process::exit(exit_code);
+    }
+    Ok(())
+}
+
+fn commit_preflight_exit_code(would_pass: bool, status: &TaskStatusReportV1) -> i32 {
+    if would_pass {
+        return 0;
+    }
+    let code = task_status_exit_code(&status.findings, &status.proof);
+    if code == 0 {
+        1
+    } else {
+        code
+    }
+}
+
+fn commit_preflight_next_action(
+    would_pass: bool,
+    blocking: &[TaskStatusFinding],
+    status: &TaskStatusReportV1,
+) -> Result<Value, Box<dyn std::error::Error>> {
+    if would_pass {
+        return Ok(json!({
+            "type": "commit_ready",
+            "reason": "Task state, scope, proof, and transition checks are commit-ready.",
+            "commands": [],
+            "paths": status.scope.in_scope_changed_paths,
+            "checkIds": [],
+            "safeToExecute": false,
+            "requiresUserApproval": true
+        }));
+    }
+    if has_status_blocker(status) {
+        return Ok(serde_json::to_value(&status.next_action_v2)?);
+    }
+    if let Some(primary) = blocking.first() {
+        return Ok(json!({
+            "type": "blocked",
+            "reason": primary.message,
+            "commands": [],
+            "paths": primary.path.as_ref().map(|path| vec![path.clone()]).unwrap_or_default(),
+            "checkIds": [],
+            "safeToExecute": false,
+            "requiresUserApproval": true
+        }));
+    }
+    Ok(serde_json::to_value(&status.next_action_v2)?)
+}
+
+fn has_status_blocker(status: &TaskStatusReportV1) -> bool {
+    task_status_exit_code(&status.findings, &status.proof) != 0
+}

package/crates/naome-cli/src/task_commands/common.rs

@@ -1,7 +1,7 @@
 use std::fs;
 use std::path::Path;
 
-use serde_json::Value;
+use serde_json::{json, Value};
 
 pub(super) fn read_task_state(root: &Path) -> Result<Value, Box<dyn std::error::Error>> {
     Ok(serde_json::from_str(&fs::read_to_string(
@@ -9,11 +9,30 @@ pub(super) fn read_task_state(root: &Path) -> Result<Value, Box<dyn std::error::
     )?)?)
 }
 
+pub(super) fn write_task_state(
+    root: &Path,
+    state: &Value,
+) -> Result<(), Box<dyn std::error::Error>> {
+    fs::write(
+        root.join(".naome/task-state.json"),
+        format!("{}\n", serde_json::to_string_pretty(state)?),
+    )?;
+    Ok(())
+}
+
 pub(super) fn print_json(value: Value) -> Result<(), Box<dyn std::error::Error>> {
     println!("{}", serde_json::to_string_pretty(&value)?);
     Ok(())
 }
 
+pub(super) fn print_json_with_session(
+    mut value: Value,
+    session: Option<&str>,
+) -> Result<(), Box<dyn std::error::Error>> {
+    value["agentSession"] = session.map_or(Value::Null, |session| json!(session));
+    print_json(value)
+}
+
 pub(super) fn value_after<'a>(args: &'a [String], flag: &str) -> Option<&'a str> {
     args.windows(2)
         .find(|window| window[0] == flag)
@@ -30,3 +49,22 @@ pub(super) fn repeated_values(args: &[String], flag: &str) -> Vec<String> {
     values.dedup();
     values
 }
+
+pub(super) fn agent_session(args: &[String]) -> Result<Option<String>, Box<dyn std::error::Error>> {
+    let Some(value) = value_after(args, "--agent-session") else {
+        return Ok(None);
+    };
+    if value.is_empty()
+        || value.len() > 80
+        || value.contains('/')
+        || value.contains('\\')
+        || !value.is_ascii()
+        || value.chars().any(|character| character.is_control())
+    {
+        return Err(
+            "invalid --agent-session; expected ASCII id up to 80 chars without path separators"
+                .into(),
+        );
+    }
+    Ok(Some(value.to_string()))
+}

package/crates/naome-cli/src/task_commands/compact_proof.rs

@@ -0,0 +1,69 @@
+use std::path::Path;
+
+use serde_json::{json, Value};
+
+use super::common::{agent_session, print_json_with_session, read_task_state, write_task_state};
+
+pub(super) fn compact_proof(
+    root: &Path,
+    args: &[String],
+) -> Result<(), Box<dyn std::error::Error>> {
+    let session = agent_session(args)?;
+    let dry_run = args.iter().any(|arg| arg == "--dry-run");
+    let mut state = read_task_state(root)?;
+    let before = serde_json::to_vec_pretty(&state)?.len();
+    let removed = compact_state(&mut state);
+    let after = serde_json::to_vec_pretty(&state)?.len();
+    if !dry_run && removed > 0 {
+        write_task_state(root, &state)?;
+    }
+    print_json_with_session(
+        json!({
+            "schema": "naome.task.compact-proof.v1",
+            "dryRun": dry_run,
+            "compacted": !dry_run && removed > 0,
+            "removedVerboseFields": removed,
+            "beforeBytes": before,
+            "afterBytes": after,
+            "savedBytes": before.saturating_sub(after),
+            "agentInstruction": if dry_run { "Review compaction summary; rerun without --dry-run to compact tracked proof." } else { "Tracked proof is compact while preserving check ids, evidence path sets, and fingerprints." }
+        }),
+        session.as_deref(),
+    )
+}
+
+pub(super) fn compact_state(state: &mut Value) -> usize {
+    let mut removed = 0;
+    let Some(active) = state.get_mut("activeTask") else {
+        return 0;
+    };
+    if let Some(batches) = active.get_mut("proofBatches").and_then(Value::as_array_mut) {
+        for batch in batches {
+            if let Some(proofs) = batch.get_mut("proofs").and_then(Value::as_array_mut) {
+                for proof in proofs {
+                    removed += remove_key(proof, "stdoutSummary");
+                    removed += remove_key(proof, "stderrSummary");
+                    removed += remove_key(proof, "durationMs");
+                }
+            }
+        }
+    }
+    if let Some(results) = active.get_mut("proofResults").and_then(Value::as_array_mut) {
+        for proof in results {
+            removed += remove_key(proof, "stdoutSummary");
+            removed += remove_key(proof, "stderrSummary");
+            removed += remove_key(proof, "durationMs");
+            removed += remove_key(proof, "stdout");
+            removed += remove_key(proof, "stderr");
+        }
+    }
+    removed
+}
+
+fn remove_key(value: &mut Value, key: &str) -> usize {
+    value
+        .as_object_mut()
+        .and_then(|object| object.remove(key))
+        .map(|_| 1)
+        .unwrap_or(0)
+}

package/crates/naome-cli/src/task_commands/complete.rs

@@ -0,0 +1,43 @@
+use std::path::Path;
+
+use naome_core::task_transition_readiness;
+use serde_json::json;
+
+use super::common::{agent_session, print_json_with_session, read_task_state, write_task_state};
+
+pub(super) fn complete_task(
+    root: &Path,
+    args: &[String],
+) -> Result<(), Box<dyn std::error::Error>> {
+    if !args.iter().any(|arg| arg == "--from-can-transition") {
+        return Err("naome task complete requires --from-can-transition".into());
+    }
+    let session = agent_session(args)?;
+    let readiness = task_transition_readiness(root, "complete")?;
+    if !readiness.allowed {
+        return print_json_with_session(
+            json!({
+                "schema": "naome.task.complete.v1",
+                "completed": false,
+                "blockingFindings": readiness.blocking_findings,
+                "agentLoop": readiness.agent_loop,
+                "agentInstruction": "Do not complete the task until can-transition allows completion."
+            }),
+            session.as_deref(),
+        );
+    }
+    let mut state = read_task_state(root)?;
+    state["status"] = json!("complete");
+    state["updatedAt"] = json!("1970-01-01T00:00:00.000Z");
+    write_task_state(root, &state)?;
+    print_json_with_session(
+        json!({
+            "schema": "naome.task.complete.v1",
+            "completed": true,
+            "blockingFindings": [],
+            "agentLoop": readiness.agent_loop,
+            "agentInstruction": "Task completed through guarded can-transition readiness."
+        }),
+        session.as_deref(),
+    )
+}

package/crates/naome-cli/src/task_commands/loop_control.rs

@@ -0,0 +1,73 @@
+use std::path::Path;
+
+use naome_core::{task_proof_plan, task_status_report, task_transition_readiness};
+use serde_json::json;
+
+use super::common::{agent_session, print_json_with_session, read_task_state, write_task_state};
+
+pub(super) fn task_loop(root: &Path, args: &[String]) -> Result<(), Box<dyn std::error::Error>> {
+    let session = agent_session(args)?;
+    let execute_safe = args.iter().any(|arg| arg == "--execute-safe");
+    let mut executed_steps = Vec::new();
+
+    if execute_safe {
+        let plan = task_proof_plan(root)?;
+        for item in plan
+            .repair_plan
+            .iter()
+            .filter(|item| item.kind == "rerun_check" && item.safe_to_execute)
+        {
+            if let Some(check_id) = item.check_ids.first() {
+                let step =
+                    super::check_run::run_check_by_id(root, check_id, true, session.as_deref())?;
+                let failed = step
+                    .get("exitCode")
+                    .and_then(serde_json::Value::as_i64)
+                    .is_some_and(|code| code != 0);
+                executed_steps.push(step);
+                if failed {
+                    break;
+                }
+            }
+        }
+        if executed_steps
+            .iter()
+            .all(|step| step.get("exitCode").and_then(serde_json::Value::as_i64) == Some(0))
+        {
+            let mut state = read_task_state(root)?;
+            if super::compact_proof::compact_state(&mut state) > 0 {
+                write_task_state(root, &state)?;
+                executed_steps.push(json!({
+                    "schema": "naome.task.compact-proof.v1",
+                    "compacted": true,
+                    "agentInstruction": "Compacted tracked proof after safe check execution."
+                }));
+            }
+        }
+    }
+
+    let status = task_status_report(root)?;
+    let proof_plan = task_proof_plan(root)?;
+    let transition = task_transition_readiness(root, "complete")?;
+    let can_commit = json!({
+        "schema": "naome.task.commit-readiness.v1",
+        "allowed": transition.allowed && status.agent_loop.can_commit,
+        "commitPaths": status.scope.in_scope_changed_paths,
+        "blockingFindings": transition.blocking_findings,
+        "agentLoop": status.agent_loop
+    });
+    print_json_with_session(
+        json!({
+            "schema": "naome.task.loop.v1",
+            "mode": if execute_safe { "execute_safe" } else { "read_only" },
+            "status": status,
+            "proofPlan": proof_plan,
+            "canTransition": transition,
+            "canCommit": can_commit,
+            "executedSteps": executed_steps,
+            "nextAction": status.next_action_v2,
+            "agentInstruction": if execute_safe { "Executed only safe check/proof steps; no edits, git recovery, commit, push, or PR actions were performed." } else { "Read-only loop report; execute only safe plans explicitly marked safe." }
+        }),
+        session.as_deref(),
+    )
+}