npm - @nomos-arc/arc - Versions diffs - 0.1.0 - Mend

@nomos-arc/arc 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (160) hide show

package/.claude/settings.local.json +10 -0
package/.nomos-config.json +5 -0
package/CLAUDE.md +108 -0
package/LICENSE +190 -0
package/README.md +569 -0
package/dist/cli.js +21120 -0
package/docs/auth/googel_plan.yaml +1093 -0
package/docs/auth/google_task.md +235 -0
package/docs/auth/hardened_blueprint.yaml +1658 -0
package/docs/auth/red_team_report.yaml +336 -0
package/docs/auth/session_state.yaml +162 -0
package/docs/certificate/cer_enhance_plan.md +605 -0
package/docs/certificate/certificate_report.md +338 -0
package/docs/dev_overview.md +419 -0
package/docs/feature_assessment.md +156 -0
package/docs/how_it_works.md +78 -0
package/docs/infrastructure/map.md +867 -0
package/docs/init/master_plan.md +3581 -0
package/docs/init/red_team_report.md +215 -0
package/docs/init/report_phase_1a.md +304 -0
package/docs/integrity-gate/enhance_drift.md +703 -0
package/docs/integrity-gate/overview.md +108 -0
package/docs/management/manger-task.md +99 -0
package/docs/management/scafffold.md +76 -0
package/docs/map/ATOMIC_BLUEPRINT.md +1349 -0
package/docs/map/RED_TEAM_REPORT.md +159 -0
package/docs/map/map_task.md +147 -0
package/docs/map/semantic_graph_task.md +792 -0
package/docs/map/semantic_master_plan.md +705 -0
package/docs/phase7/TEAM_RED.md +249 -0
package/docs/phase7/plan.md +1682 -0
package/docs/phase7/task.md +275 -0
package/docs/prompts/USAGE.md +312 -0
package/docs/prompts/architect.md +165 -0
package/docs/prompts/executer.md +190 -0
package/docs/prompts/hardener.md +190 -0
package/docs/prompts/red_team.md +146 -0
package/docs/verification/goveranance-overview.md +396 -0
package/docs/verification/governance-overview.md +245 -0
package/docs/verification/verification-arc-ar.md +560 -0
package/docs/verification/verification-architecture.md +560 -0
package/docs/very_next.md +52 -0
package/docs/whitepaper.md +89 -0
package/overview.md +1469 -0
package/package.json +63 -0
package/src/adapters/__tests__/git.test.ts +296 -0
package/src/adapters/__tests__/stdio.test.ts +70 -0
package/src/adapters/git.ts +226 -0
package/src/adapters/pty.ts +159 -0
package/src/adapters/stdio.ts +113 -0
package/src/cli.ts +83 -0
package/src/commands/apply.ts +47 -0
package/src/commands/auth.ts +301 -0
package/src/commands/certificate.ts +89 -0
package/src/commands/discard.ts +24 -0
package/src/commands/drift.ts +116 -0
package/src/commands/index.ts +78 -0
package/src/commands/init.ts +121 -0
package/src/commands/list.ts +75 -0
package/src/commands/map.ts +55 -0
package/src/commands/plan.ts +30 -0
package/src/commands/review.ts +58 -0
package/src/commands/run.ts +63 -0
package/src/commands/search.ts +147 -0
package/src/commands/show.ts +63 -0
package/src/commands/status.ts +59 -0
package/src/core/__tests__/budget.test.ts +213 -0
package/src/core/__tests__/certificate.test.ts +385 -0
package/src/core/__tests__/config.test.ts +191 -0
package/src/core/__tests__/preflight.test.ts +24 -0
package/src/core/__tests__/prompt.test.ts +358 -0
package/src/core/__tests__/review.test.ts +161 -0
package/src/core/__tests__/state.test.ts +362 -0
package/src/core/auth/__tests__/manager.test.ts +166 -0
package/src/core/auth/__tests__/server.test.ts +220 -0
package/src/core/auth/gcp-projects.ts +160 -0
package/src/core/auth/manager.ts +114 -0
package/src/core/auth/server.ts +141 -0
package/src/core/budget.ts +119 -0
package/src/core/certificate.ts +502 -0
package/src/core/config.ts +212 -0
package/src/core/errors.ts +54 -0
package/src/core/factory.ts +49 -0
package/src/core/graph/__tests__/builder.test.ts +272 -0
package/src/core/graph/__tests__/contract-writer.test.ts +175 -0
package/src/core/graph/__tests__/enricher.test.ts +299 -0
package/src/core/graph/__tests__/parser.test.ts +200 -0
package/src/core/graph/__tests__/pipeline.test.ts +202 -0
package/src/core/graph/__tests__/renderer.test.ts +128 -0
package/src/core/graph/__tests__/resolver.test.ts +185 -0
package/src/core/graph/__tests__/scanner.test.ts +231 -0
package/src/core/graph/__tests__/show.test.ts +134 -0
package/src/core/graph/builder.ts +303 -0
package/src/core/graph/constraints.ts +94 -0
package/src/core/graph/contract-writer.ts +93 -0
package/src/core/graph/drift/__tests__/classifier.test.ts +215 -0
package/src/core/graph/drift/__tests__/comparator.test.ts +335 -0
package/src/core/graph/drift/__tests__/drift.test.ts +453 -0
package/src/core/graph/drift/__tests__/reporter.test.ts +203 -0
package/src/core/graph/drift/classifier.ts +165 -0
package/src/core/graph/drift/comparator.ts +205 -0
package/src/core/graph/drift/reporter.ts +77 -0
package/src/core/graph/enricher.ts +251 -0
package/src/core/graph/grammar-paths.ts +30 -0
package/src/core/graph/html-template.ts +493 -0
package/src/core/graph/map-schema.ts +137 -0
package/src/core/graph/parser.ts +336 -0
package/src/core/graph/pipeline.ts +209 -0
package/src/core/graph/renderer.ts +92 -0
package/src/core/graph/resolver.ts +195 -0
package/src/core/graph/scanner.ts +145 -0
package/src/core/logger.ts +46 -0
package/src/core/orchestrator.ts +792 -0
package/src/core/plan-file-manager.ts +66 -0
package/src/core/preflight.ts +64 -0
package/src/core/prompt.ts +173 -0
package/src/core/review.ts +95 -0
package/src/core/state.ts +294 -0
package/src/core/worktree-coordinator.ts +77 -0
package/src/search/__tests__/chunk-extractor.test.ts +339 -0
package/src/search/__tests__/embedder-auth.test.ts +124 -0
package/src/search/__tests__/embedder.test.ts +267 -0
package/src/search/__tests__/graph-enricher.test.ts +178 -0
package/src/search/__tests__/indexer.test.ts +518 -0
package/src/search/__tests__/integration.test.ts +649 -0
package/src/search/__tests__/query-engine.test.ts +334 -0
package/src/search/__tests__/similarity.test.ts +78 -0
package/src/search/__tests__/vector-store.test.ts +281 -0
package/src/search/chunk-extractor.ts +167 -0
package/src/search/embedder.ts +209 -0
package/src/search/graph-enricher.ts +95 -0
package/src/search/indexer.ts +483 -0
package/src/search/lexical-searcher.ts +190 -0
package/src/search/query-engine.ts +225 -0
package/src/search/vector-store.ts +311 -0
package/src/types/index.ts +572 -0
package/src/utils/__tests__/ansi.test.ts +54 -0
package/src/utils/__tests__/frontmatter.test.ts +79 -0
package/src/utils/__tests__/sanitize.test.ts +229 -0
package/src/utils/ansi.ts +19 -0
package/src/utils/context.ts +44 -0
package/src/utils/frontmatter.ts +27 -0
package/src/utils/sanitize.ts +78 -0
package/test/e2e/lifecycle.test.ts +330 -0
package/test/fixtures/mock-planner-hang.ts +5 -0
package/test/fixtures/mock-planner.ts +26 -0
package/test/fixtures/mock-reviewer-bad.ts +8 -0
package/test/fixtures/mock-reviewer-retry.ts +34 -0
package/test/fixtures/mock-reviewer.ts +18 -0
package/test/fixtures/sample-project/src/circular-a.ts +6 -0
package/test/fixtures/sample-project/src/circular-b.ts +6 -0
package/test/fixtures/sample-project/src/config.ts +15 -0
package/test/fixtures/sample-project/src/main.ts +19 -0
package/test/fixtures/sample-project/src/services/product-service.ts +20 -0
package/test/fixtures/sample-project/src/services/user-service.ts +18 -0
package/test/fixtures/sample-project/src/types.ts +14 -0
package/test/fixtures/sample-project/src/utils/index.ts +14 -0
package/test/fixtures/sample-project/src/utils/validate.ts +12 -0
package/tsconfig.json +20 -0
package/vitest.config.ts +12 -0

package/src/core/__tests__/review.test.ts ADDED Viewed

@@ -0,0 +1,161 @@
+import { describe, it, expect } from 'vitest';
+import { extractJson, validateReviewSchema, semanticValidation, parseReviewOutput } from '../review.js';
+import type { ReviewResult } from '../../types/index.js';
+// ── Helpers ───────────────────────────────────────────────────────────────────
+const VALID_REVIEW_OBJ = {
+  score: 0.85,
+  summary: 'Good implementation with minor issues',
+  issues: [
+    {
+      severity: 'medium' as const,
+      category: 'performance' as const,
+      description: 'N+1 query pattern',
+      suggestion: 'Use batch loading',
+    },
+  ],
+};
+const VALID_REVIEW_JSON = JSON.stringify(VALID_REVIEW_OBJ);
+// ── extractJson ───────────────────────────────────────────────────────────────
+describe('extractJson', () => {
+  it('parses clean JSON directly', () => {
+    const result = extractJson(VALID_REVIEW_JSON);
+    expect(result).toMatchObject(VALID_REVIEW_OBJ);
+  });
+  it('extracts JSON wrapped in markdown fences', () => {
+    const raw = `Here is my review:\n\`\`\`json\n${VALID_REVIEW_JSON}\n\`\`\``;
+    const result = extractJson(raw);
+    expect(result).toMatchObject(VALID_REVIEW_OBJ);
+  });
+  it('extracts JSON with preamble text using brace-depth extraction', () => {
+    const raw = `Here is my review:\n${VALID_REVIEW_JSON}`;
+    const result = extractJson(raw);
+    expect(result).toMatchObject(VALID_REVIEW_OBJ);
+  });
+  it('returns null for completely invalid output', () => {
+    const result = extractJson('This is not JSON at all.');
+    expect(result).toBeNull();
+  });
+});
+// ── validateReviewSchema ──────────────────────────────────────────────────────
+describe('validateReviewSchema', () => {
+  it('returns a valid ReviewResult when object matches schema', () => {
+    const result = validateReviewSchema(VALID_REVIEW_OBJ, 'supervised');
+    expect(result).not.toBeNull();
+    expect(result!.score).toBe(0.85);
+  });
+  // RT2-4.2 fix: mode must be threaded through, never hardcoded
+  it('sets mode to the provided value (dry-run), not a hardcoded value', () => {
+    const result = validateReviewSchema(VALID_REVIEW_OBJ, 'dry-run');
+    expect(result!.mode).toBe('dry-run');
+  });
+  it('returns null when summary is too short', () => {
+    const result = validateReviewSchema({ ...VALID_REVIEW_OBJ, summary: 'Short' }, 'supervised');
+    expect(result).toBeNull();
+  });
+  it('returns null when score exceeds 2.0 (schema max)', () => {
+    const result = validateReviewSchema({ ...VALID_REVIEW_OBJ, score: 3.0 }, 'supervised');
+    expect(result).toBeNull();
+  });
+});
+// ── semanticValidation ────────────────────────────────────────────────────────
+describe('semanticValidation', () => {
+  it('clamps score > 1.0 to 1.0', () => {
+    const review: ReviewResult = { ...VALID_REVIEW_OBJ, score: 1.5, mode: 'supervised' };
+    const { valid } = semanticValidation(review);
+    expect(valid).toBe(true);
+    expect(review.score).toBe(1.0);
+  });
+  it('rejects low score (< 0.5) with no supporting issues', () => {
+    const review: ReviewResult = {
+      score: 0.3,
+      summary: 'Terrible implementation overall',
+      issues: [],
+      mode: 'supervised',
+    };
+    const { valid, reason } = semanticValidation(review);
+    expect(valid).toBe(false);
+    expect(reason).toContain('Low score');
+  });
+  it('rejects score >= 0.9 when a high-severity issue exists', () => {
+    const review: ReviewResult = {
+      score: 0.95,
+      summary: 'Mostly excellent but has a critical flaw',
+      issues: [
+        {
+          severity: 'high' as const,
+          category: 'security' as const,
+          description: 'SQL injection risk',
+          suggestion: 'Use parameterized queries',
+        },
+      ],
+      mode: 'supervised',
+    };
+    const { valid, reason } = semanticValidation(review);
+    expect(valid).toBe(false);
+    expect(reason).toContain('High severity');
+  });
+  it('accepts a valid review without clamping', () => {
+    const review: ReviewResult = { ...VALID_REVIEW_OBJ, mode: 'supervised' };
+    const { valid } = semanticValidation(review);
+    expect(valid).toBe(true);
+    expect(review.score).toBe(0.85);
+  });
+});
+// ── parseReviewOutput ─────────────────────────────────────────────────────────
+describe('parseReviewOutput', () => {
+  it('returns a parsed ReviewResult for valid JSON', () => {
+    const { result, error } = parseReviewOutput(VALID_REVIEW_JSON, 'supervised');
+    expect(result).not.toBeNull();
+    expect(error).toBeUndefined();
+  });
+  // RT2-4.2 fix: mode is threaded through — not hardcoded to 'auto'
+  it('sets result.mode to the provided mode (supervised)', () => {
+    const { result } = parseReviewOutput(VALID_REVIEW_JSON, 'supervised');
+    expect(result!.mode).toBe('supervised');
+  });
+  it('returns null with stage-1 error for completely unparseable output', () => {
+    const { result, error } = parseReviewOutput('not json at all', 'supervised');
+    expect(result).toBeNull();
+    expect(error).toContain('Stage 1');
+  });
+  it('returns null with stage-2 error when JSON fails schema validation', () => {
+    const bad = JSON.stringify({ score: 0.8, summary: 'Too short', issues: [] });
+    const { result, error } = parseReviewOutput(bad, 'supervised');
+    expect(result).toBeNull();
+    expect(error).toContain('Stage 2');
+  });
+  it('returns null with stage-3 error when semantic validation fails', () => {
+    const semanticFail = JSON.stringify({
+      score: 0.3,
+      summary: 'Very poor implementation here',
+      issues: [],
+    });
+    const { result, error } = parseReviewOutput(semanticFail, 'supervised');
+    expect(result).toBeNull();
+    expect(error).toContain('Stage 3');
+  });
+});

package/src/core/__tests__/state.test.ts ADDED Viewed

@@ -0,0 +1,362 @@
+import { describe, it, expect, beforeEach, afterEach } from 'vitest';
+import * as fs from 'fs';
+import * as path from 'path';
+import * as os from 'os';
+import { createLogger } from '../logger.js';
+import { StateManager } from '../state.js';
+import { NomosError } from '../errors.js';
+import type { TaskState, HistoryEntry, ReviewResult } from '../../types/index.js';
+// ── Helpers ──────────────────────────────────────────────────────────────────
+const logger = createLogger('silent');   // suppressed console output in tests
+function makeTmpDir(): string {
+  return fs.mkdtempSync(path.join(os.tmpdir(), 'nomos-state-test-'));
+}
+function makeInitialState(taskId: string): TaskState {
+  const now = new Date().toISOString();
+  return {
+    schema_version: 1,
+    task_id: taskId,
+    current_version: 1,
+    meta: {
+      status: 'init',
+      created_at: now,
+      updated_at: now,
+    },
+    orchestration: {
+      planner_bin: 'claude',
+      reviewer_bin: 'codex',
+    },
+    shadow_branch: {
+      branch: `nomos/${taskId}`,
+      worktree: `/tmp/nomos-worktrees/${taskId}`,
+      base_commit: 'abc123',
+      status: 'active',
+    },
+    context: {
+      files: [],
+      rules: [],
+      rules_hash: 'sha256:0000',
+    },
+    budget: {
+      tokens_used: 0,
+      estimated_cost_usd: 0,
+    },
+    history: [],
+  };
+}
+function makeHistoryEntry(version: number = 1): HistoryEntry {
+  const now = new Date().toISOString();
+  return {
+    version,
+    step: 'planning',
+    mode: 'supervised',
+    binary: 'claude',
+    started_at: now,
+    completed_at: now,
+    raw_output: 'some output',
+    output_hash: 'sha256:abcdef',
+    input_tokens: 100,
+    output_tokens: 200,
+    tokens_used: 300,
+    tokens_source: 'metered',
+    rules_snapshot: [],
+    review: null,
+  };
+}
+// ── Tests ────────────────────────────────────────────────────────────────────
+describe('StateManager — create & read', () => {
+  let stateDir: string;
+  let sm: StateManager;
+  beforeEach(() => {
+    stateDir = makeTmpDir();
+    sm = new StateManager(stateDir, logger);
+  });
+  afterEach(() => {
+    fs.rmSync(stateDir, { recursive: true, force: true });
+  });
+  it('creates and reads a task state round-trip', async () => {
+    const state = makeInitialState('task-001');
+    await sm.create('task-001', state);
+    const loaded = await sm.read('task-001');
+    expect(loaded.task_id).toBe('task-001');
+    expect(loaded.meta.status).toBe('init');
+    expect(loaded.schema_version).toBe(1);
+  });
+  it('throws task_exists when creating a duplicate task', async () => {
+    const state = makeInitialState('dup-task');
+    await sm.create('dup-task', state);
+    await expect(sm.create('dup-task', state)).rejects.toMatchObject({
+      code: 'task_exists',
+    });
+  });
+  it('throws task_not_found when reading a non-existent task', async () => {
+    await expect(sm.read('ghost-task')).rejects.toMatchObject({
+      code: 'task_not_found',
+    });
+  });
+});
+describe('StateManager — atomic write', () => {
+  let stateDir: string;
+  let sm: StateManager;
+  beforeEach(() => {
+    stateDir = makeTmpDir();
+    sm = new StateManager(stateDir, logger);
+  });
+  afterEach(() => {
+    fs.rmSync(stateDir, { recursive: true, force: true });
+  });
+  it('atomic write: original file is intact if tmp exists but rename never happened', async () => {
+    const state = makeInitialState('atomic-task');
+    await sm.create('atomic-task', state);
+    // Simulate a crash: leave a .tmp file behind without renaming
+    const filePath = path.join(stateDir, 'atomic-task.json');
+    const tmpPath = `${filePath}.tmp`;
+    fs.writeFileSync(tmpPath, '{"broken":true}', 'utf-8');
+    // Original must still be intact
+    const loaded = await sm.read('atomic-task');
+    expect(loaded.task_id).toBe('atomic-task');
+    expect(fs.existsSync(tmpPath)).toBe(true);  // tmp still there (we didn't clean it)
+  });
+});
+describe('StateManager — stale lock', () => {
+  let stateDir: string;
+  let sm: StateManager;
+  beforeEach(() => {
+    stateDir = makeTmpDir();
+    sm = new StateManager(stateDir, logger);
+  });
+  afterEach(() => {
+    fs.rmSync(stateDir, { recursive: true, force: true });
+  });
+  it('write succeeds when a stale lock file exists (mtime backdated 60s)', async () => {
+    const state = makeInitialState('stale-task');
+    await sm.create('stale-task', state);
+    const filePath = path.join(stateDir, 'stale-task.json');
+    const lockPath = `${filePath}.lock`;
+    // Manually create a lock directory and backdate its mtime by 60s
+    fs.mkdirSync(lockPath, { recursive: true });
+    const sixtySecondsAgo = new Date(Date.now() - 60_000);
+    fs.utimesSync(lockPath, sixtySecondsAgo, sixtySecondsAgo);
+    // Write should succeed — proper-lockfile sees the lock as stale and breaks it
+    state.meta.status = 'planning';
+    await expect(sm.write('stale-task', state)).resolves.toBeUndefined();
+    const loaded = await sm.read('stale-task');
+    expect(loaded.meta.status).toBe('planning');
+  });
+});
+describe('StateManager — transitions', () => {
+  let stateDir: string;
+  let sm: StateManager;
+  beforeEach(() => {
+    stateDir = makeTmpDir();
+    sm = new StateManager(stateDir, logger);
+  });
+  afterEach(() => {
+    fs.rmSync(stateDir, { recursive: true, force: true });
+  });
+  it('valid transition: init → planning → pending_review', async () => {
+    await sm.create('fsm-task', makeInitialState('fsm-task'));
+    let state = await sm.transition('fsm-task', 'planning');
+    expect(state.meta.status).toBe('planning');
+    state = await sm.transition('fsm-task', 'pending_review');
+    expect(state.meta.status).toBe('pending_review');
+  });
+  it('invalid transition: merged → planning throws invalid_transition', async () => {
+    const initial = makeInitialState('merged-task');
+    initial.meta.status = 'merged';
+    await sm.create('merged-task', initial);
+    await expect(sm.transition('merged-task', 'planning')).rejects.toMatchObject({
+      code: 'invalid_transition',
+    });
+  });
+  it('transition with version_increment bumps current_version', async () => {
+    await sm.create('ver-task', makeInitialState('ver-task'));
+    const state = await sm.transition('ver-task', 'planning', { version_increment: true });
+    expect(state.current_version).toBe(2);
+  });
+  it('transition with history_entry appends to history array', async () => {
+    await sm.create('hist-task', makeInitialState('hist-task'));
+    const entry = makeHistoryEntry();
+    const state = await sm.transition('hist-task', 'planning', { history_entry: entry });
+    expect(state.history).toHaveLength(1);
+    expect(state.history[0]!.step).toBe('planning');
+    expect(state.history[0]!.tokens_source).toBe('metered');
+  });
+  it('transition with review_result attaches to last history entry', async () => {
+    await sm.create('rev-task', makeInitialState('rev-task'));
+    // First add a history entry
+    await sm.transition('rev-task', 'planning', { history_entry: makeHistoryEntry() });
+    // Now add review result (simulate reviewing → refinement)
+    await sm.transition('rev-task', 'pending_review');
+    await sm.transition('rev-task', 'reviewing');
+    const review: ReviewResult = {
+      score: 0.85,
+      mode: 'supervised',
+      issues: [],
+      summary: 'Looks good overall, minor issues found.',
+    };
+    const state = await sm.transition('rev-task', 'refinement', { review_result: review });
+    expect(state.history[0]!.review).toMatchObject({ score: 0.85 });
+  });
+  it('transition with approval_reason sets meta.approval_reason', async () => {
+    await sm.create('appr-task', makeInitialState('appr-task'));
+    await sm.transition('appr-task', 'planning');
+    await sm.transition('appr-task', 'pending_review');
+    await sm.transition('appr-task', 'reviewing');
+    const state = await sm.transition('appr-task', 'approved', {
+      approval_reason: 'score_threshold',
+    });
+    expect(state.meta.approval_reason).toBe('score_threshold');
+  });
+  it('valid recovery transitions: stalled → planning, failed → planning, merge_conflict → approved', async () => {
+    // stalled → planning
+    const s1 = makeInitialState('stalled-task');
+    s1.meta.status = 'stalled';
+    await sm.create('stalled-task', s1);
+    const r1 = await sm.transition('stalled-task', 'planning');
+    expect(r1.meta.status).toBe('planning');
+    // failed → planning
+    const s2 = makeInitialState('failed-task');
+    s2.meta.status = 'failed';
+    await sm.create('failed-task', s2);
+    const r2 = await sm.transition('failed-task', 'planning');
+    expect(r2.meta.status).toBe('planning');
+    // merge_conflict → approved
+    const s3 = makeInitialState('conflict-task');
+    s3.meta.status = 'merge_conflict';
+    await sm.create('conflict-task', s3);
+    const r3 = await sm.transition('conflict-task', 'approved');
+    expect(r3.meta.status).toBe('approved');
+  });
+});
+describe('StateManager — cleanupTempFiles', () => {
+  let stateDir: string;
+  let sm: StateManager;
+  beforeEach(() => {
+    stateDir = makeTmpDir();
+    sm = new StateManager(stateDir, logger);
+  });
+  afterEach(() => {
+    fs.rmSync(stateDir, { recursive: true, force: true });
+  });
+  it('removes .json.tmp files', () => {
+    const tmpFile = path.join(stateDir, 'orphan.json.tmp');
+    fs.writeFileSync(tmpFile, '{}', 'utf-8');
+    expect(fs.existsSync(tmpFile)).toBe(true);
+    sm.cleanupTempFiles(stateDir);
+    expect(fs.existsSync(tmpFile)).toBe(false);
+  });
+  it('does NOT remove .lock files (proper-lockfile owns those)', () => {
+    const lockDir = path.join(stateDir, 'some-task.json.lock');
+    fs.mkdirSync(lockDir);
+    sm.cleanupTempFiles(stateDir);
+    expect(fs.existsSync(lockDir)).toBe(true);
+  });
+});
+describe('StateManager — schema migration', () => {
+  let stateDir: string;
+  let sm: StateManager;
+  beforeEach(() => {
+    stateDir = makeTmpDir();
+    sm = new StateManager(stateDir, logger);
+  });
+  afterEach(() => {
+    fs.rmSync(stateDir, { recursive: true, force: true });
+  });
+  it('reads state file missing schema_version and sets it to 1', async () => {
+    // Write raw JSON without schema_version (simulates pre-v1 state)
+    const now = new Date().toISOString();
+    const rawState = {
+      // schema_version deliberately omitted
+      task_id: 'legacy-task',
+      current_version: 1,
+      meta: { status: 'init', created_at: now, updated_at: now },
+      orchestration: { planner_bin: 'claude', reviewer_bin: 'codex' },
+      shadow_branch: { branch: 'nomos/legacy-task', worktree: '/tmp/x', base_commit: 'abc', status: 'active' },
+      context: { files: [], rules: [], rules_hash: 'sha256:0' },
+      budget: { tokens_used: 0, estimated_cost_usd: 0 },
+      history: [],
+    };
+    fs.mkdirSync(stateDir, { recursive: true });
+    fs.writeFileSync(path.join(stateDir, 'legacy-task.json'), JSON.stringify(rawState), 'utf-8');
+    const state = await sm.read('legacy-task');
+    expect(state.schema_version).toBe(1);
+    expect(state.task_id).toBe('legacy-task');
+  });
+});
+describe('StateManager — listTasks', () => {
+  let stateDir: string;
+  let sm: StateManager;
+  beforeEach(() => {
+    stateDir = makeTmpDir();
+    sm = new StateManager(stateDir, logger);
+  });
+  afterEach(() => {
+    fs.rmSync(stateDir, { recursive: true, force: true });
+  });
+  it('lists all valid task states and skips .tmp files', async () => {
+    await sm.create('list-task-a', makeInitialState('list-task-a'));
+    await sm.create('list-task-b', makeInitialState('list-task-b'));
+    // Orphan tmp should be ignored
+    fs.writeFileSync(path.join(stateDir, 'orphan.json.tmp'), '{}', 'utf-8');
+    const tasks = await sm.listTasks();
+    expect(tasks).toHaveLength(2);
+    const ids = tasks.map((t) => t.task_id).sort();
+    expect(ids).toEqual(['list-task-a', 'list-task-b']);
+  });
+});

package/src/core/auth/__tests__/manager.test.ts ADDED Viewed

@@ -0,0 +1,166 @@
+import * as os from 'node:os';
+import * as fs from 'node:fs/promises';
+import * as path from 'node:path';
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
+import type { Logger } from 'winston';
+import { AuthManager } from '../manager.js';
+import { NomosError } from '../../errors.js';
+import type { AuthCredentials, NomosConfig } from '../../../types/index.js';
+// ─── Helpers ──────────────────────────────────────────────────────────────────
+function makeLogger(): Logger {
+  return {
+    info: vi.fn(),
+    warn: vi.fn(),
+    error: vi.fn(),
+    debug: vi.fn(),
+  } as unknown as Logger;
+}
+function makeConfig(credentialsPath: string): NomosConfig['auth'] {
+  return {
+    client_id: 'test-client-id',
+    credentials_path: credentialsPath,
+    redirect_port: 3000,
+  };
+}
+function makeCredentials(overrides: Partial<AuthCredentials> = {}): AuthCredentials {
+  return {
+    access_token: 'test-access-token',
+    refresh_token: 'test-refresh-token',
+    expiry_date: Date.now() + 3600_000,
+    token_type: 'Bearer',
+    scope: 'https://www.googleapis.com/auth/generative-language.retriever',
+    ...overrides,
+  };
+}
+// ─── Tests ────────────────────────────────────────────────────────────────────
+describe('AuthManager', () => {
+  let tmpDir: string;
+  let credentialsPath: string;
+  let manager: AuthManager;
+  beforeEach(async () => {
+    tmpDir = await fs.mkdtemp(path.join(os.tmpdir(), 'nomos-auth-test-'));
+    credentialsPath = path.join(tmpDir, '.nomos', 'credentials.json');
+    manager = new AuthManager(makeConfig(credentialsPath), makeLogger());
+  });
+  afterEach(async () => {
+    await fs.rm(tmpDir, { recursive: true, force: true });
+  });
+  // ─── saveCredentials ───────────────────────────────────────────────────────
+  describe('saveCredentials', () => {
+    it('writes JSON to the credentials path', async () => {
+      const creds = makeCredentials();
+      await manager.saveCredentials(creds);
+      const raw = await fs.readFile(credentialsPath, 'utf8');
+      const parsed = JSON.parse(raw) as AuthCredentials;
+      expect(parsed.access_token).toBe(creds.access_token);
+      expect(parsed.refresh_token).toBe(creds.refresh_token);
+      expect(parsed.expiry_date).toBe(creds.expiry_date);
+    });
+    it('creates parent directories if they do not exist', async () => {
+      const nestedPath = path.join(tmpDir, 'a', 'b', 'c', 'credentials.json');
+      const nestedManager = new AuthManager(makeConfig(nestedPath), makeLogger());
+      await nestedManager.saveCredentials(makeCredentials());
+      const stat = await fs.stat(nestedPath);
+      expect(stat.isFile()).toBe(true);
+    });
+    it('sets file permissions to 0600', async () => {
+      await manager.saveCredentials(makeCredentials());
+      const stat = await fs.stat(credentialsPath);
+      // eslint-disable-next-line no-bitwise
+      expect(stat.mode & 0o777).toBe(0o600);
+    });
+  });
+  // ─── loadCredentials ───────────────────────────────────────────────────────
+  describe('loadCredentials', () => {
+    it('returns parsed credentials when file exists', async () => {
+      const creds = makeCredentials();
+      await manager.saveCredentials(creds);
+      const loaded = manager.loadCredentials();
+      expect(loaded).not.toBeNull();
+      expect(loaded!.access_token).toBe(creds.access_token);
+      expect(loaded!.refresh_token).toBe(creds.refresh_token);
+    });
+    it('returns null when the file does not exist', () => {
+      const result = manager.loadCredentials();
+      expect(result).toBeNull();
+    });
+    it('returns null on invalid JSON', async () => {
+      await fs.mkdir(path.dirname(credentialsPath), { recursive: true });
+      await fs.writeFile(credentialsPath, 'not valid json', 'utf8');
+      const result = manager.loadCredentials();
+      expect(result).toBeNull();
+    });
+    it('returns null when JSON is missing required fields', async () => {
+      await fs.mkdir(path.dirname(credentialsPath), { recursive: true });
+      await fs.writeFile(credentialsPath, JSON.stringify({ access_token: 'only-one-field' }), 'utf8');
+      const result = manager.loadCredentials();
+      expect(result).toBeNull();
+    });
+  });
+  // ─── isLoggedIn ────────────────────────────────────────────────────────────
+  describe('isLoggedIn', () => {
+    it('returns true when credentials file has refresh_token', async () => {
+      await manager.saveCredentials(makeCredentials({ refresh_token: 'valid-refresh-token' }));
+      expect(manager.isLoggedIn()).toBe(true);
+    });
+    it('returns false when credentials file is missing', () => {
+      expect(manager.isLoggedIn()).toBe(false);
+    });
+    it('returns false when refresh_token is empty', async () => {
+      await manager.saveCredentials(makeCredentials({ refresh_token: '' }));
+      expect(manager.isLoggedIn()).toBe(false);
+    });
+  });
+  // ─── clearCredentials ──────────────────────────────────────────────────────
+  describe('clearCredentials', () => {
+    it('deletes the credentials file', async () => {
+      await manager.saveCredentials(makeCredentials());
+      await manager.clearCredentials();
+      await expect(fs.stat(credentialsPath)).rejects.toMatchObject({ code: 'ENOENT' });
+    });
+    it('does not throw if the credentials file is missing', async () => {
+      await expect(manager.clearCredentials()).resolves.toBeUndefined();
+    });
+  });
+  // ─── getAccessToken ────────────────────────────────────────────────────────
+  describe('getAccessToken', () => {
+    it('throws auth_not_logged_in when no credentials exist', async () => {
+      await expect(manager.getAccessToken()).rejects.toSatisfy(
+        (err: unknown) =>
+          err instanceof NomosError && err.code === 'auth_not_logged_in',
+      );
+    });
+  });
+});