@nimiplatform/nimi-coding 0.1.0

package/cli/lib/high-risk-review.mjs

@@ -0,0 +1,263 @@
+import path from "node:path";
+
+import {
+  HIGH_RISK_EXECUTION_RESULT_CONTRACT_REF,
+  HIGH_RISK_REVIEW_PAYLOAD_CONTRACT_VERSION,
+} from "../constants.mjs";
+import { inspectDoctorState } from "./doctor.mjs";
+import { readTextIfFile } from "./fs-helpers.mjs";
+import {
+  localize,
+  styleCommand,
+  styleHeading,
+  styleLabel,
+  styleStatus,
+} from "./ui.mjs";
+import { isPlainObject } from "./value-helpers.mjs";
+
+function translateReviewReason(reason) {
+  const translations = new Map([
+    ["imported ingest payload must declare contractVersion nimicoding.high-risk-ingest.v1", "导入的 ingest payload 必须声明 contractVersion nimicoding.high-risk-ingest.v1"],
+    ["imported ingest payload must declare skill.id high_risk_execution", "导入的 ingest payload 必须声明 skill.id 为 high_risk_execution"],
+    ["imported ingest payload must remain localOnly true", "导入的 ingest payload 必须保持 localOnly 为 true"],
+    ["review-high-risk-execution requires an ingest payload with ok true", "review-high-risk-execution 需要一个 ok 为 true 的 ingest payload"],
+    ["imported ingest payload must include validations", "导入的 ingest payload 必须包含 validations"],
+    ["review-high-risk-execution requires all ingest validations to be mechanically ok", "review-high-risk-execution 需要所有 ingest 校验均机械通过"],
+    ["Bootstrap or handoff validation is failing; repair doctor errors before projecting review-ready artifacts", "bootstrap 或 handoff 校验失败；请先修复 doctor 报错，再投影 review-ready 产物"],
+    ["High-risk review projection requires the canonical tree under `.nimi/spec`", "high-risk review 投影需要 `.nimi/spec` 下的 canonical tree"],
+    ["Candidate artifacts are ready for manager-owned semantic review", "候选产物已准备好供 manager 执行语义审查"],
+  ]);
+  return translations.get(reason) ?? reason;
+}
+
+async function loadImportedIngestPayload(projectRoot, fromPath) {
+  const absolutePath = path.resolve(projectRoot, fromPath);
+  const rawText = await readTextIfFile(absolutePath);
+
+  if (rawText === null) {
+    return {
+      ok: false,
+      error: `${localize(
+        `nimicoding review-high-risk-execution refused: cannot read imported ingest JSON at ${absolutePath}.`,
+        `nimicoding review-high-risk-execution 已拒绝：无法读取 ${absolutePath} 处的导入 ingest JSON。`,
+      )}\n`,
+    };
+  }
+
+  let parsed;
+  try {
+    parsed = JSON.parse(rawText);
+  } catch {
+    return {
+      ok: false,
+      error: `${localize(
+        `nimicoding review-high-risk-execution refused: imported ingest JSON at ${absolutePath} is invalid JSON.`,
+        `nimicoding review-high-risk-execution 已拒绝：${absolutePath} 处的导入 ingest JSON 不是合法 JSON。`,
+      )}\n`,
+    };
+  }
+
+  if (!isPlainObject(parsed)) {
+    return {
+      ok: false,
+      error: `${localize(
+        "nimicoding review-high-risk-execution refused: imported ingest JSON must be an object.",
+        "nimicoding review-high-risk-execution 已拒绝：导入的 ingest JSON 必须是对象。",
+      )}\n`,
+    };
+  }
+
+  return {
+    ok: true,
+    path: absolutePath,
+    payload: parsed,
+  };
+}
+
+function validateImportedIngestPayload(payload) {
+  if (payload.contractVersion !== "nimicoding.high-risk-ingest.v1") {
+    return {
+      ok: false,
+      reason: "imported ingest payload must declare contractVersion nimicoding.high-risk-ingest.v1",
+    };
+  }
+
+  if (payload.skill?.id !== "high_risk_execution") {
+    return {
+      ok: false,
+      reason: "imported ingest payload must declare skill.id high_risk_execution",
+    };
+  }
+
+  if (payload.localOnly !== true) {
+    return {
+      ok: false,
+      reason: "imported ingest payload must remain localOnly true",
+    };
+  }
+
+  if (payload.ok !== true) {
+    return {
+      ok: false,
+      reason: "review-high-risk-execution requires an ingest payload with ok true",
+    };
+  }
+
+  const validations = payload.validations;
+  if (!isPlainObject(validations)) {
+    return {
+      ok: false,
+      reason: "imported ingest payload must include validations",
+    };
+  }
+
+  const requiredValidationKeys = [
+    "executionPacket",
+    "orchestrationState",
+    "prompt",
+    "workerOutput",
+    "evidence",
+  ];
+  for (const key of requiredValidationKeys) {
+    if (!(key in validations)) {
+      return {
+        ok: false,
+        reason: `imported ingest payload validations are missing ${key}`,
+      };
+    }
+  }
+
+  if (
+    validations.executionPacket?.ok !== true
+    || validations.orchestrationState?.ok !== true
+    || validations.prompt?.ok !== true
+    || validations.workerOutput?.ok !== true
+    || !Array.isArray(validations.evidence)
+    || validations.evidence.some((entry) => !entry || entry.ok !== true)
+  ) {
+    return {
+      ok: false,
+      reason: "review-high-risk-execution requires all ingest validations to be mechanically ok",
+    };
+  }
+
+  return { ok: true };
+}
+
+function evaluateHighRiskReviewReadiness(doctorResult) {
+  if (!doctorResult.ok || !doctorResult.handoffReadiness.ok) {
+    return {
+      ok: false,
+      reason: "Bootstrap or handoff validation is failing; repair doctor errors before projecting review-ready artifacts",
+    };
+  }
+
+  if (doctorResult.lifecycleState?.treeState !== "canonical_tree_ready" || doctorResult.canonicalTree?.requiredFilesValid !== true) {
+    return {
+      ok: false,
+      reason: "High-risk review projection requires canonical_tree_ready with declared canonical files present",
+    };
+  }
+
+  return {
+    ok: true,
+    reason: "Candidate artifacts are ready for manager-owned semantic review",
+  };
+}
+
+export async function buildHighRiskReviewPayload(projectRoot, fromPath, options = {}) {
+  const imported = await loadImportedIngestPayload(projectRoot, fromPath);
+  if (!imported.ok) {
+    return {
+      ok: false,
+      exitCode: 2,
+      inputError: true,
+      error: imported.error,
+    };
+  }
+
+  const inputValidation = validateImportedIngestPayload(imported.payload);
+  if (!inputValidation.ok) {
+    return {
+      ok: false,
+      exitCode: 2,
+      inputError: true,
+      error: `${localize(
+        `nimicoding review-high-risk-execution refused: ${inputValidation.reason}.`,
+        `nimicoding review-high-risk-execution 已拒绝：${translateReviewReason(inputValidation.reason)}。`,
+      )}\n`,
+    };
+  }
+
+  const doctorResult = await inspectDoctorState(projectRoot);
+  const readiness = evaluateHighRiskReviewReadiness(doctorResult);
+  const artifactPath = path.join(
+    projectRoot,
+    ".nimi",
+    "local",
+    "handoff-results",
+    "high_risk_execution.review.json",
+  );
+
+  return {
+    contractVersion: HIGH_RISK_REVIEW_PAYLOAD_CONTRACT_VERSION,
+    ok: readiness.ok,
+    exitCode: readiness.ok ? 0 : 1,
+    projectRoot,
+    sourceIngestRef: imported.path,
+    localOnly: true,
+    artifactPath,
+    skill: {
+      id: "high_risk_execution",
+      resultContractRef: HIGH_RISK_EXECUTION_RESULT_CONTRACT_REF,
+    },
+    verifiedAt: imported.payload.verifiedAt,
+    reviewStatus: readiness.ok ? "ready_for_manager_review" : "blocked",
+    managerReviewOwner: doctorResult.delegatedContracts.semanticReviewOwner,
+    summary: imported.payload.summary,
+    attachmentRefs: {
+      packet_ref: imported.payload.summary.packet_ref,
+      orchestration_state_ref: imported.payload.summary.orchestration_state_ref,
+      prompt_ref: imported.payload.summary.prompt_ref,
+      worker_output_ref: imported.payload.summary.worker_output_ref,
+      evidence_refs: imported.payload.summary.evidence_refs,
+    },
+    ingestValidations: imported.payload.validations,
+    readiness,
+    doctor: {
+      ok: doctorResult.ok,
+      handoffReadiness: doctorResult.handoffReadiness,
+      delegatedContracts: doctorResult.delegatedContracts,
+    },
+    nextAction: readiness.ok
+      ? options.writeLocal
+        ? `Write the high-risk review artifact to ${artifactPath}.`
+        : "Review the review-ready payload or write it locally with `--write-local`."
+      : readiness.reason,
+  };
+}
+
+export function formatHighRiskReviewPayload(payload) {
+  const nextAction = payload.readiness.ok
+    ? payload.nextAction.startsWith("Write the high-risk review artifact to ")
+      ? localize(payload.nextAction, `将 high-risk review 产物写入 ${payload.artifactPath}。`)
+      : localize(
+        payload.nextAction,
+        `检查 review-ready payload，或使用 ${styleCommand("--write-local")} 将其写入本地。`,
+      )
+    : translateReviewReason(payload.nextAction);
+  const lines = [
+    styleHeading(`nimicoding review-high-risk-execution: ${payload.projectRoot}`),
+    "",
+    styleLabel(localize("Result:", "结果：")),
+    `  - review_status: ${payload.reviewStatus}`,
+    `  - manager_review_owner: ${payload.managerReviewOwner ?? localize("unknown", "未知")}`,
+    `  - ready: ${styleStatus(payload.readiness.ok ? "ready" : "needs_attention")}`,
+    `  - local_only: ${payload.localOnly ? "true" : "false"}`,
+    "",
+    styleLabel(localize("Next:", "下一步：")),
+    `  - ${nextAction}`,
+  ];
+
+  return `${lines.join("\n")}\n`;
+}

package/cli/lib/internal/contracts-loaders.mjs

@@ -0,0 +1,132 @@
+import path from "node:path";
+
+import {
+  AUDIT_SWEEP_RESULT_CONTRACT_REF,
+  ACCEPTANCE_SCHEMA_REF,
+  BLUEPRINT_REFERENCE_REF,
+  COMMAND_GATING_MATRIX_REF,
+  DOC_SPEC_AUDIT_RESULT_CONTRACT_REF,
+  EXTERNAL_HOST_COMPATIBILITY_CONTRACT_REF,
+  EXECUTION_PACKET_SCHEMA_REF,
+  HIGH_RISK_ADMISSION_CONTRACT_REF,
+  HIGH_RISK_EXECUTION_RESULT_CONTRACT_REF,
+  ORCHESTRATION_STATE_SCHEMA_REF,
+  PROMPT_SCHEMA_REF,
+  SPEC_GENERATION_AUDIT_CONTRACT_REF,
+  SPEC_GENERATION_INPUTS_CONTRACT_REF,
+  SPEC_GENERATION_INPUTS_REF,
+  SPEC_RECONSTRUCTION_RESULT_CONTRACT_REF,
+  SPEC_TREE_MODEL_REF,
+  WORKER_OUTPUT_SCHEMA_REF,
+} from "../../constants.mjs";
+import { readTextIfFile } from "../fs-helpers.mjs";
+import {
+  parseBlueprintReference,
+  parseCommandGatingMatrix,
+  parseAuditSweepContract,
+  parseDocSpecAuditContract,
+  parseExternalHostCompatibilityContract,
+  parseHighRiskAdmissionContract,
+  parseHighRiskExecutionContract,
+  parseHighRiskSchemaContract,
+  parseSpecGenerationAuditContract,
+  parseSpecGenerationInputsConfig,
+  parseSpecGenerationInputsContract,
+  parseSpecReconstructionContract,
+  parseSpecTreeModel,
+} from "./contracts-parse.mjs";
+
+async function loadParsedYaml(projectRoot, relativePath, parse) {
+  const text = await readTextIfFile(path.join(projectRoot, relativePath));
+  return {
+    path: relativePath,
+    text,
+    ...parse(text),
+  };
+}
+
+export function loadSpecReconstructionContract(projectRoot) {
+  return loadParsedYaml(
+    projectRoot,
+    SPEC_RECONSTRUCTION_RESULT_CONTRACT_REF,
+    parseSpecReconstructionContract,
+  );
+}
+
+export function loadSpecTreeModelContract(projectRoot) {
+  return loadParsedYaml(projectRoot, SPEC_TREE_MODEL_REF, parseSpecTreeModel);
+}
+
+export function loadSpecGenerationInputsContract(projectRoot) {
+  return loadParsedYaml(
+    projectRoot,
+    SPEC_GENERATION_INPUTS_CONTRACT_REF,
+    parseSpecGenerationInputsContract,
+  );
+}
+
+export function loadSpecGenerationAuditContract(projectRoot) {
+  return loadParsedYaml(
+    projectRoot,
+    SPEC_GENERATION_AUDIT_CONTRACT_REF,
+    parseSpecGenerationAuditContract,
+  );
+}
+
+export function loadSpecGenerationInputsConfig(projectRoot) {
+  return loadParsedYaml(projectRoot, SPEC_GENERATION_INPUTS_REF, parseSpecGenerationInputsConfig);
+}
+
+export function loadCommandGatingMatrix(projectRoot) {
+  return loadParsedYaml(projectRoot, COMMAND_GATING_MATRIX_REF, parseCommandGatingMatrix);
+}
+
+export function loadBlueprintReference(projectRoot) {
+  return loadParsedYaml(projectRoot, BLUEPRINT_REFERENCE_REF, parseBlueprintReference);
+}
+
+export function loadDocSpecAuditContract(projectRoot) {
+  return loadParsedYaml(projectRoot, DOC_SPEC_AUDIT_RESULT_CONTRACT_REF, parseDocSpecAuditContract);
+}
+
+export function loadAuditSweepContract(projectRoot) {
+  return loadParsedYaml(projectRoot, AUDIT_SWEEP_RESULT_CONTRACT_REF, parseAuditSweepContract);
+}
+
+export function loadHighRiskExecutionContract(projectRoot) {
+  return loadParsedYaml(projectRoot, HIGH_RISK_EXECUTION_RESULT_CONTRACT_REF, parseHighRiskExecutionContract);
+}
+
+export function loadHighRiskAdmissionContract(projectRoot) {
+  return loadParsedYaml(projectRoot, HIGH_RISK_ADMISSION_CONTRACT_REF, parseHighRiskAdmissionContract);
+}
+
+export function loadExternalHostCompatibilityContract(projectRoot) {
+  return loadParsedYaml(
+    projectRoot,
+    EXTERNAL_HOST_COMPATIBILITY_CONTRACT_REF,
+    parseExternalHostCompatibilityContract,
+  );
+}
+
+export async function loadHighRiskSchemaContracts(projectRoot) {
+  const contractRefs = [
+    EXECUTION_PACKET_SCHEMA_REF,
+    ORCHESTRATION_STATE_SCHEMA_REF,
+    PROMPT_SCHEMA_REF,
+    WORKER_OUTPUT_SCHEMA_REF,
+    ACCEPTANCE_SCHEMA_REF,
+  ];
+
+  const results = [];
+  for (const schemaRef of contractRefs) {
+    const text = await readTextIfFile(path.join(projectRoot, schemaRef));
+    results.push({
+      path: schemaRef,
+      text,
+      ...parseHighRiskSchemaContract(text, schemaRef),
+    });
+  }
+
+  return results;
+}

package/cli/lib/internal/contracts-parse-high-risk.mjs

@@ -0,0 +1,131 @@
+import {
+  AUDIT_SWEEP_SUMMARY_REQUIRED_FIELDS,
+  AUDIT_SWEEP_SUMMARY_STATUS,
+  DOC_SPEC_AUDIT_DEFAULT_COMPARED_PATHS,
+  DOC_SPEC_AUDIT_SUMMARY_REQUIRED_FIELDS,
+  DOC_SPEC_AUDIT_SUMMARY_STATUS,
+  EXTERNAL_HOST_COMPATIBILITY_FORBIDDEN_BEHAVIOR,
+  EXTERNAL_HOST_COMPATIBILITY_REQUIRED_BEHAVIOR,
+  EXTERNAL_HOST_COMPATIBILITY_SUPPORTED_HOST_EXAMPLES,
+  EXTERNAL_HOST_COMPATIBILITY_SUPPORTED_POSTURE,
+  HIGH_RISK_ADMISSION_DISPOSITION_ENUM,
+  HIGH_RISK_ADMISSION_RECORD_REQUIRED_FIELDS,
+  HIGH_RISK_ADMISSION_REQUIRED_TOP_LEVEL_KEYS,
+  HIGH_RISK_EXECUTION_SUMMARY_REQUIRED_FIELDS,
+  HIGH_RISK_EXECUTION_SUMMARY_STATUS,
+  HIGH_RISK_SCHEMA_SPECS,
+} from "../../constants.mjs";
+import { arraysEqual, toStringArray } from "../value-helpers.mjs";
+import { parseYamlText } from "../yaml-helpers.mjs";
+
+export function parseDocSpecAuditContract(text) {
+  const parsed = parseYamlText(text);
+  const summaryRequiredFields = toStringArray(parsed?.summary_required_fields);
+  const summaryStatusEnum = toStringArray(parsed?.summary_status_enum);
+  const defaultComparedPaths = toStringArray(parsed?.default_compared_paths);
+
+  return {
+    ok: arraysEqual(summaryRequiredFields, DOC_SPEC_AUDIT_SUMMARY_REQUIRED_FIELDS)
+      && arraysEqual(summaryStatusEnum, DOC_SPEC_AUDIT_SUMMARY_STATUS)
+      && arraysEqual(defaultComparedPaths, DOC_SPEC_AUDIT_DEFAULT_COMPARED_PATHS),
+    summaryRequiredFields,
+    summaryStatusEnum,
+    defaultComparedPaths,
+  };
+}
+
+export function parseAuditSweepContract(text) {
+  const parsed = parseYamlText(text);
+  const summaryRequiredFields = toStringArray(parsed?.summary_required_fields);
+  const summaryStatusEnum = toStringArray(parsed?.summary_status_enum);
+
+  return {
+    ok: arraysEqual(summaryRequiredFields, AUDIT_SWEEP_SUMMARY_REQUIRED_FIELDS)
+      && arraysEqual(summaryStatusEnum, AUDIT_SWEEP_SUMMARY_STATUS),
+    summaryRequiredFields,
+    summaryStatusEnum,
+  };
+}
+
+export function parseHighRiskExecutionContract(text) {
+  const parsed = parseYamlText(text);
+  const summaryRequiredFields = toStringArray(parsed?.summary_required_fields);
+  const summaryStatusEnum = toStringArray(parsed?.summary_status_enum);
+
+  return {
+    ok: arraysEqual(summaryRequiredFields, HIGH_RISK_EXECUTION_SUMMARY_REQUIRED_FIELDS)
+      && arraysEqual(summaryStatusEnum, HIGH_RISK_EXECUTION_SUMMARY_STATUS),
+    summaryRequiredFields,
+    summaryStatusEnum,
+  };
+}
+
+export function parseHighRiskAdmissionContract(text) {
+  const parsed = parseYamlText(text);
+  const topLevelRequiredKeys = toStringArray(parsed?.top_level_required_keys);
+  const admissionRequiredFields = toStringArray(parsed?.admission_required_fields);
+  const dispositionEnum = toStringArray(parsed?.disposition_enum);
+
+  return {
+    ok: String(parsed?.truth_contract?.id ?? "") === "canonical_high_risk_admissions_truth"
+      && arraysEqual(topLevelRequiredKeys, HIGH_RISK_ADMISSION_REQUIRED_TOP_LEVEL_KEYS)
+      && arraysEqual(admissionRequiredFields, HIGH_RISK_ADMISSION_RECORD_REQUIRED_FIELDS)
+      && arraysEqual(dispositionEnum, HIGH_RISK_ADMISSION_DISPOSITION_ENUM),
+    topLevelRequiredKeys,
+    admissionRequiredFields,
+    dispositionEnum,
+  };
+}
+
+export function parseExternalHostCompatibilityContract(text) {
+  const parsed = parseYamlText(text);
+  const supportedHostPosture = toStringArray(parsed?.supported_host_posture);
+  const supportedHostExamples = toStringArray(parsed?.supported_host_examples);
+  const requiredBehavior = toStringArray(parsed?.required_behavior);
+  const forbiddenBehavior = toStringArray(parsed?.forbidden_behavior);
+
+  return {
+    ok: String(parsed?.compatibility_contract?.id ?? "") === "external_host_boundary_compatibility"
+      && String(parsed?.compatibility_contract?.completion_profile ?? "") === "boundary_complete"
+      && arraysEqual(supportedHostPosture, EXTERNAL_HOST_COMPATIBILITY_SUPPORTED_POSTURE)
+      && arraysEqual(supportedHostExamples, EXTERNAL_HOST_COMPATIBILITY_SUPPORTED_HOST_EXAMPLES)
+      && arraysEqual(requiredBehavior, EXTERNAL_HOST_COMPATIBILITY_REQUIRED_BEHAVIOR)
+      && arraysEqual(forbiddenBehavior, EXTERNAL_HOST_COMPATIBILITY_FORBIDDEN_BEHAVIOR),
+    supportedHostPosture,
+    supportedHostExamples,
+    requiredBehavior,
+    forbiddenBehavior,
+  };
+}
+
+export function parseHighRiskSchemaContract(text, schemaRef) {
+  const parsed = parseYamlText(text);
+  const spec = HIGH_RISK_SCHEMA_SPECS[schemaRef];
+
+  if (!spec || !parsed) {
+    return {
+      ok: false,
+      id: null,
+      kind: null,
+      listFieldMatches: [],
+      rulesMatch: false,
+    };
+  }
+
+  const listFieldMatches = Object.entries(spec.listFields).map(([field, expectedValues]) => ({
+    field,
+    ok: arraysEqual(toStringArray(parsed[field]), expectedValues),
+  }));
+  const rulesMatch = arraysEqual(toStringArray(parsed.rules), spec.requiredRules);
+
+  return {
+    ok: String(parsed.id ?? "") === spec.id
+      && String(parsed.kind ?? "") === spec.kind
+      && listFieldMatches.every((entry) => entry.ok)
+      && rulesMatch,
+    id: String(parsed.id ?? ""),
+    kind: String(parsed.kind ?? ""),
+    listFieldMatches,
+    rulesMatch,
+  };
+}