@lamentis/naome 1.4.1 → 1.4.3

package/crates/naome-cli/tests/task_cli_loop_edit.rs

@@ -0,0 +1,144 @@
+use std::process::Command;
+
+mod task_cli_support;
+
+use serde_json::json;
+
+use task_cli_support::{
+    active_task, fixture_root, init_git, run_json, task_state, task_state_with_active_task,
+    write_fixture_file,
+};
+
+#[test]
+fn can_edit_allows_in_scope_and_blocks_unsafe_paths() {
+    let root = fixture_root(task_state());
+    init_git(&root);
+
+    let allowed = run_json(&root, ["task", "can-edit", "--path", "README.md", "--json"]);
+    assert_eq!(allowed["schema"], "naome.task.can-edit.v1");
+    assert_eq!(allowed["path"], "README.md");
+    assert_eq!(allowed["allowed"], true);
+
+    let outside = run_json(
+        &root,
+        ["task", "can-edit", "--path", "src/lib.rs", "--json"],
+    );
+    assert_eq!(outside["allowed"], false);
+    assert_eq!(outside["findings"][0]["id"], "task.edit.out_of_scope");
+
+    let traversal = run_json(
+        &root,
+        ["task", "can-edit", "--path", "../README.md", "--json"],
+    );
+    assert_eq!(traversal["allowed"], false);
+    assert_eq!(traversal["findings"][0]["id"], "task.edit.unsafe_path");
+
+    let backslash_traversal = run_json(
+        &root,
+        ["task", "can-edit", "--path", "..\\README.md", "--json"],
+    );
+    assert_eq!(backslash_traversal["allowed"], false);
+    assert_eq!(
+        backslash_traversal["findings"][0]["id"],
+        "task.edit.unsafe_path"
+    );
+
+    let absolute = run_json(
+        &root,
+        ["task", "can-edit", "--path", "/tmp/file.rs", "--json"],
+    );
+    assert_eq!(absolute["allowed"], false);
+    assert_eq!(absolute["findings"][0]["id"], "task.edit.unsafe_path");
+
+    let control = run_json(
+        &root,
+        [
+            "task",
+            "can-edit",
+            "--path",
+            ".naome/task-state.json",
+            "--json",
+        ],
+    );
+    assert_eq!(control["allowed"], false);
+    assert_eq!(control["findings"][0]["id"], "task.edit.control_path");
+
+    let ignore_control = run_json(
+        &root,
+        ["task", "can-edit", "--path", ".naomeignore", "--json"],
+    );
+    assert_eq!(ignore_control["allowed"], false);
+    assert_eq!(
+        ignore_control["findings"][0]["id"],
+        "task.edit.control_path"
+    );
+}
+
+#[test]
+fn can_edit_honors_ignore_directories_wildcards_and_blocked_states() {
+    let root = fixture_root(task_state_with_active_task(active_task(json!({
+        "allowedPaths": ["**"]
+    }))));
+    std::fs::write(
+        root.join(".naomeignore"),
+        ".naome/archive/\n.naome/tasks/\ndist/\n",
+    )
+    .unwrap();
+    init_git(&root);
+    write_fixture_file(&root, "dist/bundle.js", "generated\n");
+
+    let ignored = run_json(
+        &root,
+        ["task", "can-edit", "--path", "dist/bundle.js", "--json"],
+    );
+    assert_eq!(ignored["allowed"], false);
+    assert_eq!(ignored["findings"][0]["id"], "task.edit.ignored_path");
+
+    let wildcard_root = fixture_root(task_state_with_active_task(active_task(json!({
+        "allowedPaths": ["scripts/*.js"]
+    }))));
+    init_git(&wildcard_root);
+    let wildcard = run_json(
+        &wildcard_root,
+        ["task", "can-edit", "--path", "scripts/check.js", "--json"],
+    );
+    assert_eq!(wildcard["allowed"], true);
+
+    let blocked_root = fixture_root(task_state_with_active_task(active_task(json!({
+        "allowedPaths": ["README.md"]
+    }))));
+    let mut state: serde_json::Value = serde_json::from_str(
+        &std::fs::read_to_string(blocked_root.join(".naome/task-state.json")).unwrap(),
+    )
+    .unwrap();
+    state["status"] = json!("blocked");
+    state["activeTask"]["status"] = json!("blocked");
+    task_cli_support::write_json(&blocked_root, ".naome/task-state.json", &state);
+    init_git(&blocked_root);
+    let blocked = run_json(
+        &blocked_root,
+        ["task", "can-edit", "--path", "README.md", "--json"],
+    );
+    assert_eq!(blocked["allowed"], false);
+    assert_eq!(blocked["findings"][0]["id"], "task.edit.no_active_task");
+}
+
+#[test]
+fn agent_session_is_validated_and_reflected_in_json() {
+    let root = fixture_root(task_state());
+    init_git(&root);
+
+    let status = run_json(
+        &root,
+        ["task", "status", "--json", "--agent-session", "agent-42"],
+    );
+    assert_eq!(status["agentSession"], "agent-42");
+
+    let rejected = Command::new(env!("CARGO_BIN_EXE_naome"))
+        .args(["task", "status", "--json", "--agent-session", "../bad"])
+        .current_dir(root)
+        .output()
+        .unwrap();
+    assert!(!rejected.status.success());
+    assert!(String::from_utf8_lossy(&rejected.stderr).contains("agent-session"));
+}

package/crates/naome-cli/tests/task_cli_support/mod.rs

@@ -131,6 +131,34 @@ pub fn write_json(root: &std::path::Path, path: &str, value: &Value) {
     );
 }
 
+pub fn write_verification_checks(root: &std::path::Path, checks: Value) {
+    write_json(
+        root,
+        ".naome/verification.json",
+        &json!({
+            "schema": "naome.verification.v1",
+            "version": 1,
+            "status": "ready",
+            "checks": checks
+        }),
+    );
+}
+
+pub fn run_json<const N: usize>(root: &std::path::Path, args: [&str; N]) -> Value {
+    let output = Command::new(env!("CARGO_BIN_EXE_naome"))
+        .args(args)
+        .current_dir(root)
+        .output()
+        .unwrap();
+    assert!(
+        output.status.success(),
+        "{}{}",
+        String::from_utf8_lossy(&output.stdout),
+        String::from_utf8_lossy(&output.stderr)
+    );
+    serde_json::from_slice(&output.stdout).unwrap()
+}
+
 fn verification() -> Value {
     json!({
         "schema": "naome.verification.v1",

package/crates/naome-core/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "naome-core"
-version = "1.4.1"
+version = "1.4.3"
 edition.workspace = true
 license.workspace = true
 repository.workspace = true

package/crates/naome-core/src/lib.rs

@@ -68,13 +68,13 @@ pub use task_ledger::{
     TaskLedgerProjection, TaskLedgerStatus,
 };
 pub use task_state::{
-    completed_task_commit_paths, format_task_proof_plan, format_task_status, task_proof_plan,
-    task_status_exit_code, task_status_report, task_transition_readiness, validate_task_state,
-    AgentLoop, NextActionV2, PolicyHints, ProofRecording, ProofRecordingAfterSuccess,
-    RecoveryGuidance, RepairPlanItem, TaskFeedback, TaskGitStatus, TaskModeStatus,
-    TaskProofPlanReport, TaskProofStatus, TaskRecommendedCommand, TaskScopeStatus, TaskStateMode,
-    TaskStateOptions, TaskStateReport, TaskStatusFinding, TaskStatusReportV1,
-    TransitionReadinessReport,
+    completed_task_commit_paths, format_task_proof_plan, format_task_status,
+    task_evidence_fingerprint, task_proof_plan, task_status_exit_code, task_status_report,
+    task_transition_readiness, validate_task_state, AgentLoop, NextActionV2, PolicyHints,
+    ProofRecording, ProofRecordingAfterSuccess, RecoveryGuidance, RepairPlanItem, TaskFeedback,
+    TaskGitStatus, TaskModeStatus, TaskProofPlanReport, TaskProofStatus, TaskRecommendedCommand,
+    TaskScopeStatus, TaskStateMode, TaskStateOptions, TaskStateReport, TaskStatusFinding,
+    TaskStatusReportV1, TransitionReadinessReport,
 };
 pub use verification::seed_builtin_verification_checks;
 pub use verification_contract::validate_verification_contract;

package/crates/naome-core/src/task_state/evidence_fingerprint.rs

@@ -0,0 +1,47 @@
+use std::fs;
+use std::path::Path;
+
+use crate::models::NaomeError;
+
+pub fn task_evidence_fingerprint(root: &Path, paths: &[String]) -> Result<String, NaomeError> {
+    let mut paths = paths.to_vec();
+    paths.sort();
+    let mut hash = Fnv64::new();
+    for path in paths {
+        hash.update(path.as_bytes());
+        hash.update(b"\0");
+        match fs::read(root.join(&path)) {
+            Ok(content) => {
+                hash.update(b"file:");
+                hash.update(content.len().to_string().as_bytes());
+                hash.update(b":");
+                hash.update(&content);
+            }
+            Err(error) if error.kind() == std::io::ErrorKind::NotFound => {
+                hash.update(b"missing");
+            }
+            Err(error) => return Err(NaomeError::from(error)),
+        }
+        hash.update(b"\0");
+    }
+    Ok(format!("fnv64:{:016x}", hash.finish()))
+}
+
+struct Fnv64(u64);
+
+impl Fnv64 {
+    fn new() -> Self {
+        Self(0xcbf29ce484222325)
+    }
+
+    fn update(&mut self, bytes: &[u8]) {
+        for byte in bytes {
+            self.0 ^= u64::from(*byte);
+            self.0 = self.0.wrapping_mul(0x100000001b3);
+        }
+    }
+
+    fn finish(self) -> u64 {
+        self.0
+    }
+}

package/crates/naome-core/src/task_state/mod.rs

@@ -8,6 +8,7 @@ mod completion;
 mod deleted_paths;
 mod diff;
 mod evidence;
+mod evidence_fingerprint;
 mod git_io;
 mod git_parse;
 mod git_refs;
@@ -32,6 +33,7 @@ mod util;
 
 pub use api::validate_task_state;
 pub use completed_refresh::completed_task_harness_refresh_diff;
+pub use evidence_fingerprint::task_evidence_fingerprint;
 pub(crate) use proof_model::{canonical_proof_check_ids, canonical_proofs};
 pub use status::{
     task_proof_plan, task_status_exit_code, task_status_report, task_transition_readiness,

package/crates/naome-core/src/task_state/status/control/repair.rs

@@ -42,8 +42,8 @@ fn check_repairs(commands: &[TaskRecommendedCommand]) -> Vec<RepairPlanItem> {
             check_ids: vec![command.check_id.clone()],
             commands: vec![command.command.clone()],
             cwd: Some(command.cwd.clone()),
-            safe_to_execute: true,
-            requires_user_approval: false,
+            safe_to_execute: command.safe_to_execute,
+            requires_user_approval: !command.safe_to_execute,
         })
         .collect()
 }

package/crates/naome-core/src/task_state/status/model.rs

@@ -127,8 +127,10 @@ pub struct TaskRecommendedCommand {
     pub command: String,
     pub cwd: String,
     pub reason: String,
+    pub proof_reason: String,
     pub selection_reason: String,
     pub impacted_paths: Vec<String>,
+    pub safe_to_execute: bool,
 }
 
 pub(super) fn finding(

package/crates/naome-core/src/task_state/status/proof.rs

@@ -1,20 +1,37 @@
 use std::collections::{BTreeMap, BTreeSet};
+use std::path::Path;
 
 use serde_json::Value;
 
+use crate::models::NaomeError;
+use crate::task_state::evidence_fingerprint::task_evidence_fingerprint;
 use crate::task_state::util::string_array;
 
 use super::model::{finding, TaskProofStatus, TaskRecommendedCommand, TaskStatusFinding};
 use super::proof_read::{ProofRecord, VerificationCheck};
 
+const AUTONOMOUS_SAFE_CHECKS: &[&str] = &[
+    "git diff --check",
+    "node .naome/bin/check-harness-health.js",
+    "node .naome/bin/check-task-state.js",
+    "node .naome/bin/naome.js quality check --changed",
+    "node .naome/bin/naome.js semantic check --changed",
+    "node .naome/bin/naome.js arch validate --changed-only",
+    "npm run check:task-state",
+    "npm run test:task-state",
+    "npm run test:decision-engine",
+];
+
 pub(super) fn proof_status(
+    root: &Path,
     active_task: Option<&Value>,
     proofs: &[ProofRecord],
     current_task_paths: &[String],
-) -> TaskProofStatus {
+) -> Result<TaskProofStatus, NaomeError> {
     let required_checks = active_task
         .and_then(|task| string_array(task.get("requiredCheckIds")))
         .unwrap_or_default();
+    let current_fingerprint = task_evidence_fingerprint(root, current_task_paths)?;
     let mut passed_checks = Vec::new();
     let mut missing_checks = Vec::new();
     let mut stale_checks = Vec::new();
@@ -28,7 +45,7 @@ pub(super) fn proof_status(
             missing_checks.push(check_id.clone());
         } else if successful
             .iter()
-            .any(|proof| evidence_covers(&proof.evidence_paths, current_task_paths))
+            .any(|proof| proof_is_fresh(proof, current_task_paths, &current_fingerprint))
         {
             passed_checks.push(check_id.clone());
         } else {
@@ -36,12 +53,12 @@ pub(super) fn proof_status(
         }
     }
 
-    TaskProofStatus {
+    Ok(TaskProofStatus {
         required_checks,
         passed_checks,
         missing_checks,
         stale_checks,
-    }
+    })
 }
 
 pub(super) fn add_proof_findings(
@@ -125,28 +142,61 @@ pub(super) fn recommended_commands(
         .iter()
         .filter_map(|check_id| {
             let check = verification.get(check_id)?;
+            let reason = if proof.stale_checks.contains(check_id) {
+                "stale-proof".to_string()
+            } else {
+                "missing-proof".to_string()
+            };
             Some(TaskRecommendedCommand {
                 check_id: check_id.clone(),
                 command: check.command.clone(),
                 cwd: check.cwd.clone(),
-                reason: if proof.stale_checks.contains(check_id) {
-                    "stale-proof".to_string()
-                } else {
-                    "missing-proof".to_string()
-                },
+                reason: reason.clone(),
+                proof_reason: reason,
                 selection_reason: "Required by active task proof state.".to_string(),
                 impacted_paths: current_task_paths.to_vec(),
+                safe_to_execute: is_safe_autonomous_command(
+                    &check.command,
+                    &check.cwd,
+                    current_task_paths,
+                ),
             })
         })
         .collect()
 }
 
+fn is_safe_autonomous_command(command: &str, cwd: &str, current_task_paths: &[String]) -> bool {
+    if cwd != "." || !AUTONOMOUS_SAFE_CHECKS.contains(&command) {
+        return false;
+    }
+    if command.starts_with("npm run ")
+        && current_task_paths
+            .iter()
+            .any(|path| path == "package.json" || path == "packages/naome/package.json")
+    {
+        return false;
+    }
+    true
+}
+
 fn evidence_covers(evidence_paths: &[String], current_paths: &[String]) -> bool {
     current_paths
         .iter()
         .all(|path| evidence_paths.iter().any(|evidence| evidence == path))
 }
 
+fn proof_is_fresh(
+    proof: &ProofRecord,
+    current_paths: &[String],
+    current_fingerprint: &str,
+) -> bool {
+    evidence_covers(&proof.evidence_paths, current_paths)
+        && proof
+            .evidence_fingerprint
+            .as_deref()
+            .is_none_or(|fingerprint| fingerprint == current_fingerprint)
+}
+
 fn stale_files_for_check(
     check_id: &str,
     current_task_paths: &[String],

package/crates/naome-core/src/task_state/status/proof_read.rs

@@ -15,6 +15,7 @@ pub(super) struct ProofRecord {
     pub(super) check_id: String,
     pub(super) exit_code: i64,
     pub(super) evidence_paths: Vec<String>,
+    pub(super) evidence_fingerprint: Option<String>,
 }
 
 #[derive(Debug, Clone)]
@@ -32,6 +33,10 @@ pub(super) fn read_proofs(active_task: &Value) -> Vec<ProofRecord> {
     if let Some(batches) = active_task.get("proofBatches").and_then(Value::as_array) {
         for batch in batches {
             let batch_evidence = batch_evidence(batch, &path_sets);
+            let batch_fingerprint = batch
+                .get("evidenceFingerprint")
+                .and_then(Value::as_str)
+                .map(ToString::to_string);
             let Some(batch_proofs) = batch.get("proofs").and_then(Value::as_array) else {
                 continue;
             };
@@ -47,6 +52,11 @@ pub(super) fn read_proofs(active_task: &Value) -> Vec<ProofRecord> {
                     exit_code,
                     evidence_paths: compact_evidence_paths(proof, &path_sets)
                         .unwrap_or_else(|| batch_evidence.clone()),
+                    evidence_fingerprint: proof
+                        .get("evidenceFingerprint")
+                        .and_then(Value::as_str)
+                        .map(ToString::to_string)
+                        .or_else(|| batch_fingerprint.clone()),
                 });
             }
         }
@@ -123,6 +133,10 @@ fn read_legacy_proof(proof: &Value) -> Option<ProofRecord> {
     Some(ProofRecord {
         check_id: proof.get("checkId")?.as_str()?.to_string(),
         exit_code: proof.get("exitCode")?.as_i64()?,
+        evidence_fingerprint: proof
+            .get("evidenceFingerprint")
+            .and_then(Value::as_str)
+            .map(ToString::to_string),
         evidence_paths: proof
             .get("evidence")
             .and_then(Value::as_array)

package/crates/naome-core/src/task_state/status/report_context.rs

@@ -27,6 +27,8 @@ pub(super) struct TaskStatusContext {
     pub(super) proof: TaskProofStatus,
     pub(super) recommended_commands: Vec<TaskRecommendedCommand>,
     pub(super) findings: Vec<TaskStatusFinding>,
+    pub(super) human_review_pending: bool,
+    pub(super) blocker_present: bool,
 }
 
 impl TaskStatusContext {
@@ -57,7 +59,7 @@ impl TaskStatusContext {
         let verification = read_verification_checks(root, &mut findings)?;
         let proofs = active_task.map(read_proofs).unwrap_or_default();
         add_unknown_proof_findings(&proofs, &verification, &mut findings);
-        let proof = proof_status(active_task, &proofs, &scope.in_scope_changed_paths);
+        let proof = proof_status(root, active_task, &proofs, &scope.in_scope_changed_paths)?;
         add_proof_findings(
             &proof,
             &scope.in_scope_changed_paths,
@@ -77,6 +79,10 @@ impl TaskStatusContext {
             proof,
             recommended_commands,
             findings,
+            human_review_pending: human_review_pending(active_task),
+            blocker_present: task_state
+                .and_then(|state| state.get("blocker"))
+                .is_some_and(|blocker| !blocker.is_null()),
         })
     }
 }
@@ -105,6 +111,22 @@ fn add_active_task_shape_finding(
     }
 }
 
+fn human_review_pending(active_task: Option<&Value>) -> bool {
+    active_task
+        .and_then(|task| task.get("humanReview"))
+        .and_then(Value::as_object)
+        .is_some_and(|review| {
+            review
+                .get("required")
+                .and_then(Value::as_bool)
+                .unwrap_or(false)
+                && !review
+                    .get("approved")
+                    .and_then(Value::as_bool)
+                    .unwrap_or(false)
+        })
+}
+
 fn task_mode(active_task: Option<&Value>) -> TaskModeStatus {
     let kind = task_text(active_task, "kind").unwrap_or_else(|| "standard".to_string());
     let declared_review_fix = active_task

package/crates/naome-core/src/task_state/status/transition.rs

@@ -12,7 +12,13 @@ pub(super) fn transition_report(
         &context.findings,
         &context.scope,
     );
-    let blocking_findings = transition_blockers(&context.state, &context.findings, &context.proof);
+    let blocking_findings = transition_blockers(
+        &context.state,
+        &context.findings,
+        &context.proof,
+        context.human_review_pending,
+        context.blocker_present,
+    );
     let required_before_transition = blocking_findings
         .iter()
         .map(|finding| finding.suggested_fix.clone())
@@ -31,6 +37,8 @@ fn transition_blockers(
     state: &str,
     findings: &[TaskStatusFinding],
     proof: &TaskProofStatus,
+    human_review_pending: bool,
+    blocker_present: bool,
 ) -> Vec<TaskStatusFinding> {
     let mut blockers = findings
         .iter()
@@ -59,6 +67,26 @@ fn transition_blockers(
             "Do not complete a blocked task state.",
         ));
     }
+    if human_review_pending {
+        blockers.push(finding(
+            "task.transition.human_review_required",
+            "error",
+            "Task requires human review approval before completion.",
+            Some(".naome/task-state.json".to_string()),
+            "Wait for explicit human review approval before completing the task.",
+            "Do not complete a task while humanReview.required is true and approved is false.",
+        ));
+    }
+    if blocker_present && !matches!(state, "blocked" | "needs_human_review") {
+        blockers.push(finding(
+            "task.transition.blocker_present",
+            "error",
+            "Task-state has a blocker object that must be resolved before completion.",
+            Some(".naome/task-state.json".to_string()),
+            "Resolve or clear the blocker through an existing safe task-state path before completing.",
+            "Do not complete a task while .naome/task-state.json blocker is still present.",
+        ));
+    }
     if !proof.stale_checks.is_empty() {
         blockers.push(finding(
             "task.transition.stale_proof",