@lamentis/naome 1.4.1 → 1.4.3

package/crates/naome-cli/src/task_commands/path_policy.rs

@@ -0,0 +1,57 @@
+use std::path::Path;
+
+use naome_core::{naomeignore_patterns, path_matches_any};
+use serde_json::json;
+
+pub(super) fn normalize_requested_path(raw_path: &str) -> (String, Option<String>) {
+    if raw_path.contains('\\') {
+        return (
+            raw_path.to_string(),
+            Some("Backslash path separators are not allowed.".to_string()),
+        );
+    }
+    let path = Path::new(raw_path);
+    if path.is_absolute() {
+        return (
+            raw_path.to_string(),
+            Some("Absolute paths are not allowed.".to_string()),
+        );
+    }
+    if raw_path.split('/').any(|part| part == "..") {
+        return (
+            raw_path.to_string(),
+            Some("Parent traversal is not allowed.".to_string()),
+        );
+    }
+    let normalized = raw_path
+        .split('/')
+        .filter(|part| !part.is_empty() && *part != ".")
+        .collect::<Vec<_>>()
+        .join("/");
+    if normalized.is_empty() {
+        return (
+            raw_path.to_string(),
+            Some("Path must not be empty.".to_string()),
+        );
+    }
+    (normalized, None)
+}
+
+pub(super) fn is_control_path(path: &str) -> bool {
+    path == ".naome" || path.starts_with(".naome/") || path == ".naomeignore"
+}
+
+pub(super) fn is_ignored(root: &Path, path: &str) -> bool {
+    path_matches_any(path, &naomeignore_patterns(root))
+}
+
+pub(super) fn edit_finding(id: &str, message: &str, path: &str) -> serde_json::Value {
+    json!({
+        "id": id,
+        "severity": "error",
+        "message": message,
+        "path": path,
+        "suggestedFix": "Use task request-scope for legitimate scope changes or choose an allowed path.",
+        "agentInstruction": "Do not edit this path in the current task."
+    })
+}

package/crates/naome-cli/src/task_commands/planner/checks.rs

@@ -0,0 +1,166 @@
+use std::collections::{BTreeMap, BTreeSet};
+use std::fs;
+use std::path::Path;
+
+use naome_core::TaskProofStatus;
+use serde_json::{json, Value};
+
+use crate::task_commands::check_run;
+
+use super::impact::impact_kind;
+
+#[derive(Debug, Clone, PartialEq, Eq)]
+pub(super) struct VerificationCheck {
+    id: String,
+    command: String,
+    cwd: String,
+}
+
+pub(in crate::task_commands) fn changed_paths(root: &Path) -> Vec<String> {
+    check_run::changed_paths(root).unwrap_or_default()
+}
+
+fn read_verification_checks(root: &Path) -> Vec<VerificationCheck> {
+    let Ok(content) = fs::read_to_string(root.join(".naome/verification.json")) else {
+        return Vec::new();
+    };
+    let Ok(value) = serde_json::from_str::<Value>(&content) else {
+        return Vec::new();
+    };
+    let mut checks = value
+        .get("checks")
+        .and_then(Value::as_array)
+        .into_iter()
+        .flatten()
+        .filter_map(|check| {
+            Some(VerificationCheck {
+                id: check.get("id")?.as_str()?.to_string(),
+                command: check.get("command")?.as_str()?.to_string(),
+                cwd: check.get("cwd")?.as_str()?.to_string(),
+            })
+        })
+        .collect::<Vec<_>>();
+    checks.sort_by(|left, right| left.id.cmp(&right.id));
+    checks
+}
+
+pub(in crate::task_commands) fn planned_commands(
+    root: &Path,
+    paths: &[String],
+    proof: Option<&TaskProofStatus>,
+) -> Vec<Value> {
+    let mut selected = BTreeMap::<String, (VerificationCheck, BTreeSet<String>, String)>::new();
+    for check in read_verification_checks(root) {
+        let reasons = check_reasons(&check, paths, proof);
+        if reasons.is_empty() {
+            continue;
+        }
+        let proof_reason = proof_reason(&reasons).to_string();
+        selected.insert(check.id.clone(), (check, reasons, proof_reason));
+    }
+    selected
+        .into_values()
+        .map(|(check, reasons, proof_reason)| command_value(check, reasons, proof_reason, paths))
+        .collect()
+}
+
+fn check_reasons(
+    check: &VerificationCheck,
+    paths: &[String],
+    proof: Option<&TaskProofStatus>,
+) -> BTreeSet<String> {
+    let mut reasons = BTreeSet::new();
+    if let Some(proof) = proof {
+        if proof.missing_checks.contains(&check.id) {
+            reasons.insert("missing-proof".to_string());
+        }
+        if proof.stale_checks.contains(&check.id) {
+            reasons.insert("stale-proof".to_string());
+        }
+    }
+    for path in paths {
+        if check_is_impacted(check, path) {
+            reasons.insert(impact_kind(path).to_string());
+        }
+    }
+    reasons
+}
+
+fn command_value(
+    check: VerificationCheck,
+    reasons: BTreeSet<String>,
+    proof_reason: String,
+    paths: &[String],
+) -> Value {
+    let selection_reason = reasons.into_iter().collect::<Vec<_>>().join(",");
+    json!({
+        "checkId": check.id,
+        "command": check.command,
+        "cwd": check.cwd,
+        "reason": selection_reason,
+        "selectionReason": selection_reason,
+        "impactedPaths": paths,
+        "proofReason": proof_reason,
+        "safeToExecute": safe_to_execute(&check, paths)
+    })
+}
+
+fn proof_reason(reasons: &BTreeSet<String>) -> &'static str {
+    if reasons.contains("missing-proof") {
+        "missing"
+    } else if reasons.contains("stale-proof") {
+        "stale"
+    } else if reasons.contains("final_only") || reasons.contains("release_only") {
+        "final"
+    } else {
+        "impacted"
+    }
+}
+
+fn check_is_impacted(check: &VerificationCheck, path: &str) -> bool {
+    let command = check.command.as_str();
+    match impact_kind(path) {
+        "changed_task_state" => {
+            command.contains("check-task-state") || command.contains("test:task-state")
+        }
+        "changed_architecture_config" => command.contains("arch validate"),
+        "changed_package_metadata" => {
+            command.contains("pack:dry-run") || command.contains("test:decision-engine")
+        }
+        "changed_native_binary" | "changed_templates" => {
+            command.contains("check-harness-health") || command.contains("pack:dry-run")
+        }
+        "changed_docs" => command.contains("quality check") || command.contains("semantic check"),
+        "changed_tests" => {
+            command.contains("quality check")
+                || command.contains("semantic check")
+                || command.contains("test:")
+        }
+        _ => {
+            command == "git diff --check"
+                || command.contains("quality check")
+                || command.contains("semantic check")
+                || command.contains("arch validate")
+        }
+    }
+}
+
+fn safe_to_execute(check: &VerificationCheck, paths: &[String]) -> bool {
+    if check.cwd != "." {
+        return false;
+    }
+    match check.command.as_str() {
+        "git diff --check"
+        | "node .naome/bin/check-harness-health.js"
+        | "node .naome/bin/check-task-state.js"
+        | "node .naome/bin/naome.js quality check --changed"
+        | "node .naome/bin/naome.js semantic check --changed"
+        | "node .naome/bin/naome.js arch validate --changed-only" => true,
+        "npm run check:task-state" | "npm run test:task-state" | "npm run test:decision-engine" => {
+            !paths
+                .iter()
+                .any(|path| path == "package.json" || path == "packages/naome/package.json")
+        }
+        _ => false,
+    }
+}

package/crates/naome-cli/src/task_commands/planner/impact.rs

@@ -0,0 +1,35 @@
+pub(in crate::task_commands) fn impact_kind(path: &str) -> &'static str {
+    if path == ".naome/task-state.json" {
+        "changed_task_state"
+    } else if path == "naome.arch.yaml" || path.ends_with("/naome.arch.yaml") {
+        "changed_architecture_config"
+    } else if path == "package.json"
+        || path.ends_with("/package.json")
+        || path.ends_with("Cargo.toml")
+        || path.ends_with("Cargo.lock")
+    {
+        "changed_package_metadata"
+    } else if path.contains("/native/") || path.ends_with(".node") || path.ends_with(".so") {
+        "changed_native_binary"
+    } else if path.contains("/templates/") || path.starts_with("templates/") {
+        "changed_templates"
+    } else if path.ends_with(".md") || path.starts_with("docs/") {
+        "changed_docs"
+    } else if path.contains("test") || path.contains("spec") {
+        "changed_tests"
+    } else {
+        "changed_source"
+    }
+}
+
+pub(in crate::task_commands) fn path_risk(path: &str) -> &'static str {
+    match impact_kind(path) {
+        "changed_package_metadata"
+        | "changed_native_binary"
+        | "changed_templates"
+        | "changed_task_state"
+        | "changed_architecture_config" => "high",
+        "changed_source" | "changed_tests" => "medium",
+        _ => "low",
+    }
+}

package/crates/naome-cli/src/task_commands/planner/mod.rs

@@ -0,0 +1,24 @@
+use serde_json::Value;
+
+mod checks;
+mod impact;
+
+pub(super) use checks::{changed_paths, planned_commands};
+pub(super) use impact::path_risk;
+
+pub(super) fn split_safe_commands(commands: &[Value]) -> (Vec<Value>, Vec<Value>) {
+    let mut safe = Vec::new();
+    let mut deferred = Vec::new();
+    for command in commands {
+        if command
+            .get("safeToExecute")
+            .and_then(Value::as_bool)
+            .unwrap_or(false)
+        {
+            safe.push(command.clone());
+        } else {
+            deferred.push(command.clone());
+        }
+    }
+    (safe, deferred)
+}

package/crates/naome-cli/src/task_commands/preflight.rs

@@ -0,0 +1,208 @@
+use std::path::Path;
+
+use naome_core::{path_matches_any, task_status_report, TaskStatusReportV1};
+use serde_json::{json, Value};
+
+use super::common::{agent_session, print_json_with_session, repeated_values};
+use super::path_policy::{is_control_path, is_ignored, normalize_requested_path};
+use super::planner;
+
+pub(super) fn preflight(root: &Path, args: &[String]) -> Result<(), Box<dyn std::error::Error>> {
+    let session = agent_session(args)?;
+    let paths = requested_paths(root, args);
+    let status = task_status_report(root)?;
+    let mut findings = target_findings(selector_supplied(args));
+    let mut must_not_edit = Vec::new();
+    let mut normalized_paths = Vec::new();
+    let path_reports = path_reports(
+        root,
+        &paths,
+        &status,
+        &mut findings,
+        &mut must_not_edit,
+        &mut normalized_paths,
+    );
+    normalized_paths.sort();
+    normalized_paths.dedup();
+    must_not_edit.sort();
+    must_not_edit.dedup();
+    let recommended = planner::planned_commands(root, &normalized_paths, Some(&status.proof));
+    let (safe, _deferred) = planner::split_safe_commands(&recommended);
+    let blocked = !findings.is_empty() || !must_not_edit.is_empty();
+    print_json_with_session(
+        json!({
+            "schema": "naome.task.preflight.v1",
+            "paths": path_reports,
+            "recommendedCommands": recommended,
+            "safeCommands": safe,
+            "mustNotEdit": must_not_edit,
+            "expectedProofPathSet": normalized_paths,
+            "findings": findings,
+            "nextAction": {
+                "type": if blocked { "blocked" } else { "edit" },
+                "reason": if blocked { "Preflight is blocked until every requested path is explicit and editable." } else { "All requested paths are editable." },
+                "paths": must_not_edit,
+                "commands": [],
+                "checkIds": [],
+                "safeToExecute": !blocked,
+                "requiresUserApproval": blocked
+            }
+        }),
+        session.as_deref(),
+    )
+}
+
+fn requested_paths(root: &Path, args: &[String]) -> Vec<String> {
+    let mut paths = if args.iter().any(|arg| arg == "--from-changed") {
+        planner::changed_paths(root)
+    } else {
+        repeated_values(args, "--path")
+    };
+    paths.sort();
+    paths.dedup();
+    paths
+}
+
+fn selector_supplied(args: &[String]) -> bool {
+    args.iter()
+        .any(|arg| arg == "--from-changed" || arg == "--path")
+}
+
+fn target_findings(selector_supplied: bool) -> Vec<Value> {
+    if !selector_supplied {
+        vec![finding(
+            "task.preflight.missing_target_paths",
+            "Preflight requires --from-changed or at least one --path.",
+            "",
+        )]
+    } else {
+        Vec::new()
+    }
+}
+
+fn path_reports(
+    root: &Path,
+    paths: &[String],
+    status: &TaskStatusReportV1,
+    findings: &mut Vec<Value>,
+    must_not_edit: &mut Vec<String>,
+    normalized_paths: &mut Vec<String>,
+) -> Vec<Value> {
+    paths
+        .iter()
+        .map(|raw_path| {
+            path_report(
+                root,
+                raw_path,
+                status,
+                findings,
+                must_not_edit,
+                normalized_paths,
+            )
+        })
+        .collect()
+}
+
+fn path_report(
+    root: &Path,
+    raw_path: &str,
+    status: &TaskStatusReportV1,
+    findings: &mut Vec<Value>,
+    must_not_edit: &mut Vec<String>,
+    normalized_paths: &mut Vec<String>,
+) -> Value {
+    let (path, path_error) = normalize_requested_path(raw_path);
+    let ignored = path_error.is_none() && is_ignored(root, &path);
+    let control = path_error.is_none() && is_control_path(&path);
+    let in_scope = path_error.is_none() && path_matches_any(&path, &status.scope.allowed_paths);
+    let editable = path_editable(status, path_error.is_none(), ignored, control, in_scope);
+    track_path_report(&path, editable, must_not_edit, normalized_paths);
+    add_path_finding(&path, path_error, ignored, control, in_scope, findings);
+    let commands =
+        planner::planned_commands(root, std::slice::from_ref(&path), Some(&status.proof));
+    json!({
+        "path": path,
+        "editable": editable,
+        "reason": if editable { "Path is editable for the active task." } else { "Path is not editable without scope or state repair." },
+        "ignored": ignored,
+        "controlPath": control,
+        "inScope": in_scope,
+        "impactedChecks": commands.iter().filter_map(|command| command.get("checkId").and_then(Value::as_str).map(ToString::to_string)).collect::<Vec<_>>(),
+        "requiredBeforeCommit": commands,
+        "risk": planner::path_risk(raw_path),
+        "agentInstruction": if editable { "Agent may edit this path, then rerun task agent-snapshot or task loop." } else { "Do not edit this path in the current task." }
+    })
+}
+
+fn path_editable(
+    status: &TaskStatusReportV1,
+    valid_path: bool,
+    ignored: bool,
+    control: bool,
+    in_scope: bool,
+) -> bool {
+    valid_path
+        && !ignored
+        && !control
+        && in_scope
+        && status.task_id.is_some()
+        && !matches!(
+            status.state.as_str(),
+            "idle" | "missing" | "complete" | "blocked" | "needs_human_review"
+        )
+}
+
+fn track_path_report(
+    path: &str,
+    editable: bool,
+    must_not_edit: &mut Vec<String>,
+    normalized_paths: &mut Vec<String>,
+) {
+    if editable {
+        normalized_paths.push(path.to_string());
+    } else {
+        must_not_edit.push(path.to_string());
+    }
+}
+
+fn add_path_finding(
+    path: &str,
+    path_error: Option<String>,
+    ignored: bool,
+    control: bool,
+    in_scope: bool,
+    findings: &mut Vec<Value>,
+) {
+    if let Some(message) = path_error {
+        findings.push(finding("task.preflight.unsafe_path", &message, path));
+    } else if ignored {
+        findings.push(finding(
+            "task.preflight.ignored_path",
+            "Path is ignored by .naomeignore.",
+            path,
+        ));
+    } else if control {
+        findings.push(finding(
+            "task.preflight.control_path",
+            "Path is a NAOME control path.",
+            path,
+        ));
+    } else if !in_scope {
+        findings.push(finding(
+            "task.preflight.out_of_scope",
+            "Path is outside active task scope.",
+            path,
+        ));
+    }
+}
+
+fn finding(id: &str, message: &str, path: &str) -> Value {
+    json!({
+        "id": id,
+        "severity": "error",
+        "message": message,
+        "path": path,
+        "suggestedFix": "Use an in-scope non-control path or request explicit scope revision.",
+        "agentInstruction": "Do not edit this path unless a human-approved task scope revision allows it."
+    })
+}

package/crates/naome-cli/src/task_commands/readiness.rs

@@ -4,20 +4,24 @@ use std::path::Path;
 use naome_core::{task_status_report, task_transition_readiness};
 use serde_json::json;
 
-use super::common::print_json;
+use super::common::{agent_session, print_json_with_session};
 
-pub(super) fn can_commit(root: &Path, _args: &[String]) -> Result<(), Box<dyn std::error::Error>> {
+pub(super) fn can_commit(root: &Path, args: &[String]) -> Result<(), Box<dyn std::error::Error>> {
+    let session = agent_session(args)?;
     let status = task_status_report(root)?;
     let transition = task_transition_readiness(root, "complete")?;
     let required = commit_requirements(&status, &transition.blocking_findings);
-    print_json(json!({
-        "schema": "naome.task.commit-readiness.v1",
-        "allowed": transition.allowed && status.agent_loop.can_commit && required.is_empty(),
-        "commitPaths": status.scope.in_scope_changed_paths,
-        "blockingFindings": transition.blocking_findings,
-        "requiredBeforeCommit": required,
-        "agentLoop": status.agent_loop
-    }))
+    print_json_with_session(
+        json!({
+            "schema": "naome.task.commit-readiness.v1",
+            "allowed": transition.allowed && status.agent_loop.can_commit && required.is_empty(),
+            "commitPaths": status.scope.in_scope_changed_paths,
+            "blockingFindings": transition.blocking_findings,
+            "requiredBeforeCommit": required,
+            "agentLoop": status.agent_loop
+        }),
+        session.as_deref(),
+    )
 }
 
 fn commit_requirements(