@aihq/harness 1.0.1 → 1.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -20,9 +20,8 @@ command surface. On top of that setup it runs a governance loop for external
20
20
  agent skills — vet → approve → pack → marketplace → evidence — anchored in a
21
21
  committed approval lock (`aih-skills.lock.json`).
22
22
 
23
- > Implements the architectural blueprint *"Enterprise DevSecOps AI Bootstrapping:
24
- > Cryptographic Trust, Local Performance Optimization, and Unified Observability"*
25
- > as a tested CLI.
23
+ See [docs/ARCHITECTURE.md](docs/ARCHITECTURE.md) for the shipped architecture and
24
+ current trust boundaries.
26
25
 
27
26
  > **Provided as open-source software under Apache-2.0 on an "AS IS" basis.** No warranty,
28
27
  > support obligation, SLA, indemnity, consulting, or professional advice is provided. `aih`
@@ -40,19 +39,23 @@ and security fixes land on the latest and the previous minor. The full policy:
40
39
 
41
40
  ## Design posture
42
41
 
43
- - **Dry-run by default.** `aih <cmd>` computes and prints a plan; nothing is
44
- written until you add `--apply`. Add `--verify` to run read-only checks.
42
+ - **Dry-run by default for managed project changes.** `aih <cmd>` computes and
43
+ prints a plan; repo/workstation mutations wait for `--apply`. Named output
44
+ files (`--sarif`, `--support-out`, report outputs), browser launch flags
45
+ (`--open`, `--refresh`, `--demo`), the local run ledger, and `AIH_APPLY=1`
46
+ are explicit opt-ins rather than silent writes. Add `--verify` to run
47
+ read-only checks.
45
48
  - **Gated writes.** `--apply` refuses a dirty git worktree unless you add
46
49
  `--force`. Commands resolve a governance posture (`--posture vibe|team|enterprise`,
47
50
  default `vibe`): the skill-install gate refuses unapproved skills at
48
51
  `team`/`enterprise` and stays advisory at `vibe`; pack installs are fail-closed
49
52
  at every posture. Once a repo is initialised, every run is recorded in the
50
53
  local [run ledger](#run-ledger).
51
- - **Never mutates a remote system.** Every unit of work is a local `write`, a
52
- local `exec` (icacls/chmod/junction…), a read-only `probe`, or a `doc` (the
53
- exact commands for cloud setup SSO, gateways, Langfuse, MDM emitted for a
54
- human, never executed). There is no code path that provisions cloud infra, so
55
- an automated run cannot "fake" it.
54
+ - **No remote mutation except explicit signing flows.** Normal work is local:
55
+ `write`, `remove`, `exec`, `envblock`, `digest`, read-only `probe`, or `doc`
56
+ instructions for humans to run. The exceptions are opt-in provenance paths:
57
+ GitHub attestations can write to GitHub's attestation store, and keyless
58
+ cosign signing can append to Rekor.
56
59
  - **Idempotent & non-destructive.** Shell-profile edits live in marked managed
57
60
  blocks; JSON configs are deep-merged (your keys survive); every overwrite is
58
61
  backed up to `*.aih.bak` and rolls back as a transaction on failure.
@@ -71,6 +74,7 @@ Verify the install's origin — every release is published with build provenance
71
74
 
72
75
  ```bash
73
76
  npm audit signatures
77
+ aih verify-release # also checks GitHub release sums + cosign bundle
74
78
  ```
75
79
 
76
80
  <details><summary>From source (contributors)</summary>
@@ -134,9 +138,16 @@ One honest line per command — the long-form behavior detail for every command
134
138
  | [`aih policy`](docs/commands.md#aih-policy) | Validate the committed org policy — or a policy-bundle envelope — as a read-only CI gate. |
135
139
  | [`aih evidence`](docs/commands.md#aih-evidence) | Package the audit trail aih already emits (locks, cards, vet evidence, run logs) into one deterministic evidence bundle. |
136
140
  | [`aih bundle`](docs/commands.md#aih-bundle) | Build a deterministic fleet bundle (contract + policy + config) with checksums; `aih verify-bundle` re-checks any copy. |
141
+ | [`aih verify-release`](docs/commands.md#aih-verify-release) | Verify a published aih release: npm signatures, GitHub release cosign bundle, and tarball hash. |
137
142
  | [`aih secrets`](docs/commands.md#aih-secrets) | Scan for plaintext `.env*`/`secrets/` and write agent deny rules; `--verify` is the secret-scan CI gate. |
138
143
  | [`aih guardrails`](docs/commands.md#aih-guardrails) | Generate `.gitleaks.toml`, `.pre-commit-config.yaml`, and a CI license gate that blocks AGPL/strong-copyleft. |
139
144
 
145
+ ### Trust configuration notes
146
+
147
+ `trust.internalScopes` is intentionally inert until an org configures internal package scopes in
148
+ policy. Without that scope list, dependency-confusion checks still report general package risk but do
149
+ not guess which names are private to your organization.
150
+
140
151
  ### Analytics & operations
141
152
 
142
153
  | Command | What it does |
@@ -155,13 +166,14 @@ One honest line per command — the long-form behavior detail for every command
155
166
  | [`aih doctor`](docs/commands.md#aih-doctor) | Verify the workstation/repo configuration fail-closed; workspace mode validates each child repo. |
156
167
  | [`aih status`](docs/commands.md#aih-status) | Show a read-only inventory of what the harness has configured. |
157
168
 
158
- Shared flags: `--apply`, `--force`, `--verify`, `--json`, `--posture <vibe|team|enterprise>`, `--support-out <dir>`, `--no-log`, `--context-dir <dir>`, `--root <dir>`, `--cli <list>`, `--all-tools`, `--detect`, `--yes` (the read-only `doctor`/`status`/`verify-bundle` take the relevant subset).
169
+ Shared flags: `--apply`, `--force`, `--verify`, `--json`, `--posture <vibe|team|enterprise>`, `--support-out <dir>`, `--no-log`, `--context-dir <dir>`, `--root <dir>`, `--cli <list>`, `--all-tools`, `--detect`, `--yes` (the read-only `doctor`/`status`/`verify-bundle`/`verify-release` take the relevant subset).
159
170
  Settings also read from `AIH_*` env vars (`AIH_APPLY`, `AIH_CONTEXT_DIR`, `AIH_LOG`, …).
160
171
 
161
172
  ### Plugins
162
173
 
163
174
  At startup `aih` probes for exactly one optional peer package: **`@aihq/enterprise`** — the literal
164
- name, never env- or config-selectable, so nothing can point the probe at other code. When installed,
175
+ name, never env- or config-selectable, so nothing can point the probe at other code. The package name
176
+ is a reserved extension point; the open-source harness does not require it to be published. When installed,
165
177
  its `aihCommands` export (a `CommandSpec[]`) registers as native subcommands through the identical
166
178
  path as the built-ins: shared flags, posture resolution, the dirty-worktree gate, and the run ledger
167
179
  all apply unchanged. Not installed → zero output, fully local. `AIH_NO_PLUGINS=1` disables the
@@ -317,12 +329,13 @@ the `SETUP.md` context markers: [docs/commands.md](docs/commands.md#support-tick
317
329
  ### Run ledger
318
330
 
319
331
  Every `aih` invocation appends one structured row to **`.aih/runs/YYYY-MM.jsonl`** (UTC, month-sharded,
320
- append-only) — a "what happened" diagnostics trail: run id, capability, redacted argv, status (`success` /
321
- `failed` / `partial` / `error`), exit code, mode (apply/verify/json/sarif), platform, write tally, and
322
- verification + support counts. It's distinct from `.aih/history.jsonl` (the per-commit metrics behind
323
- `aih report` trends). Logging is **on only after the repo is initialised** (a committed `.aih-config.json`
324
- marker exists) and never fails a command; opt out with **`--no-log`** or **`AIH_LOG=0`**. Like all of
325
- `.aih/`, the ledger is gitignored local diagnostics — never committed.
332
+ append-only) — a "what happened" diagnostics trail: schema version, run id, capability, redacted argv,
333
+ status (`success` / `failed` / `partial` / `error`), exit code, mode (apply/verify/json/sarif), platform,
334
+ host hash, repo remote hash, write tally, and verification + support counts. It's distinct from
335
+ `.aih/history.jsonl` (the per-commit metrics behind `aih report` trends). Logging is **on only after the
336
+ repo is initialised** (a committed `.aih-config.json` marker exists) and never fails a command; opt out
337
+ with **`--no-log`** or **`AIH_LOG=0`**. Like all of `.aih/`, the ledger is gitignored local diagnostics
338
+ — never committed. For tamper-evident sharing, package it with `aih evidence build`.
326
339
 
327
340
  ### Examples
328
341
 
@@ -349,7 +362,9 @@ aih usage --rollup ../repo-a,../repo-b
349
362
  - **Supply chain** — every release publishes via npm **Trusted Publishing** with build
350
363
  **provenance** and ships an **SPDX SBOM**, a **SHA256 checksum**, its keyless **cosign
351
364
  signature bundle** (`SHA256SUMS.txt.sigstore.json`), and the Sigstore **build-provenance
352
- bundle** on the GitHub Release. Verify an install with `npm audit signatures`.
365
+ bundle** on the GitHub Release. This is SLSA v1 provenance material, but the project does
366
+ not claim a SLSA level. Verify an install with `npm audit signatures` and
367
+ `aih verify-release [version]`.
353
368
  - **Support** — [SUPPORT.md](SUPPORT.md) · **Security** — [SECURITY.md](SECURITY.md)
354
369
  (private reporting) · **Contributing** — [CONTRIBUTING.md](CONTRIBUTING.md).
355
370