@aihq/harness 1.0.1 → 1.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -20,9 +20,9 @@ command surface. On top of that setup it runs a governance loop for external
20
20
  agent skills — vet → approve → pack → marketplace → evidence — anchored in a
21
21
  committed approval lock (`aih-skills.lock.json`).
22
22
 
23
- > Implements the architectural blueprint *"Enterprise DevSecOps AI Bootstrapping:
24
- > Cryptographic Trust, Local Performance Optimization, and Unified Observability"*
25
- > as a tested CLI.
23
+ See [docs/ARCHITECTURE.md](docs/ARCHITECTURE.md) for the shipped architecture and
24
+ current trust boundaries, and [docs/CONTROL_MATRIX.md](docs/CONTROL_MATRIX.md) for
25
+ the claim -> implementation -> test proof map.
26
26
 
27
27
  > **Provided as open-source software under Apache-2.0 on an "AS IS" basis.** No warranty,
28
28
  > support obligation, SLA, indemnity, consulting, or professional advice is provided. `aih`
@@ -40,19 +40,23 @@ and security fixes land on the latest and the previous minor. The full policy:
40
40
 
41
41
  ## Design posture
42
42
 
43
- - **Dry-run by default.** `aih <cmd>` computes and prints a plan; nothing is
44
- written until you add `--apply`. Add `--verify` to run read-only checks.
43
+ - **Dry-run by default for managed project changes.** `aih <cmd>` computes and
44
+ prints a plan; repo/workstation mutations wait for `--apply`. Named output
45
+ files (`--sarif`, `--support-out`, report outputs), browser launch flags
46
+ (`--open`, `--refresh`, `--demo`), the local run ledger, and `AIH_APPLY=1`
47
+ are explicit opt-ins rather than silent writes. Add `--verify` to run
48
+ read-only checks.
45
49
  - **Gated writes.** `--apply` refuses a dirty git worktree unless you add
46
50
  `--force`. Commands resolve a governance posture (`--posture vibe|team|enterprise`,
47
51
  default `vibe`): the skill-install gate refuses unapproved skills at
48
52
  `team`/`enterprise` and stays advisory at `vibe`; pack installs are fail-closed
49
53
  at every posture. Once a repo is initialised, every run is recorded in the
50
54
  local [run ledger](#run-ledger).
51
- - **Never mutates a remote system.** Every unit of work is a local `write`, a
52
- local `exec` (icacls/chmod/junction…), a read-only `probe`, or a `doc` (the
53
- exact commands for cloud setup SSO, gateways, Langfuse, MDM emitted for a
54
- human, never executed). There is no code path that provisions cloud infra, so
55
- an automated run cannot "fake" it.
55
+ - **No remote mutation except explicit signing flows.** Normal work is local:
56
+ `write`, `remove`, `exec`, `envblock`, `digest`, read-only `probe`, or `doc`
57
+ instructions for humans to run. The exceptions are opt-in provenance paths:
58
+ GitHub attestations can write to GitHub's attestation store, and keyless
59
+ cosign signing can append to Rekor.
56
60
  - **Idempotent & non-destructive.** Shell-profile edits live in marked managed
57
61
  blocks; JSON configs are deep-merged (your keys survive); every overwrite is
58
62
  backed up to `*.aih.bak` and rolls back as a transaction on failure.
@@ -71,6 +75,7 @@ Verify the install's origin — every release is published with build provenance
71
75
 
72
76
  ```bash
73
77
  npm audit signatures
78
+ aih verify-release # also checks GitHub release sums + cosign bundle
74
79
  ```
75
80
 
76
81
  <details><summary>From source (contributors)</summary>
@@ -131,12 +136,19 @@ One honest line per command — the long-form behavior detail for every command
131
136
  | [`aih skill`](docs/commands.md#aih-skill) | Govern the skill lifecycle — vet → approve → inventory → quarantine → remove — anchored in `aih-skills.lock.json`. |
132
137
  | [`aih pack`](docs/commands.md#aih-pack) | Curate committed sets of approved skills (`aih-packs.json`); every ref is cross-checked against the lock, fail-closed. |
133
138
  | [`aih marketplace`](docs/commands.md#aih-marketplace) | Build, validate, and publish a reproducible, verifiable distribution artifact from the approval lock — never a registry. |
134
- | [`aih policy`](docs/commands.md#aih-policy) | Validate the committed org policy or a policy-bundle envelope as a read-only CI gate. |
135
- | [`aih evidence`](docs/commands.md#aih-evidence) | Package the audit trail aih already emits (locks, cards, vet evidence, run logs) into one deterministic evidence bundle. |
136
- | [`aih bundle`](docs/commands.md#aih-bundle) | Build a deterministic fleet bundle (contract + policy + config) with checksums; `aih verify-bundle` re-checks any copy. |
139
+ | [`aih policy`](docs/commands.md#aih-policy) | Validate the committed org policy or verify the active policy against a pinned hash/bundle. |
140
+ | [`aih evidence`](docs/commands.md#aih-evidence) | Package the audit trail aih already emits into one deterministic evidence bundle with a harness provenance block. |
141
+ | [`aih bundle`](docs/commands.md#aih-bundle) | Build a deterministic fleet bundle with checksums; `aih verify-bundle --require-signature` turns missing/unverifiable signatures into failures. |
142
+ | [`aih verify-release`](docs/commands.md#aih-verify-release) | Verify a published aih release: npm signatures, GitHub release cosign bundle, and tarball hash. |
137
143
  | [`aih secrets`](docs/commands.md#aih-secrets) | Scan for plaintext `.env*`/`secrets/` and write agent deny rules; `--verify` is the secret-scan CI gate. |
138
144
  | [`aih guardrails`](docs/commands.md#aih-guardrails) | Generate `.gitleaks.toml`, `.pre-commit-config.yaml`, and a CI license gate that blocks AGPL/strong-copyleft. |
139
145
 
146
+ ### Trust configuration notes
147
+
148
+ `trust.internalScopes` is intentionally inert until an org configures internal package scopes in
149
+ policy. Without that scope list, dependency-confusion checks still report general package risk but do
150
+ not guess which names are private to your organization.
151
+
140
152
  ### Analytics & operations
141
153
 
142
154
  | Command | What it does |
@@ -155,13 +167,14 @@ One honest line per command — the long-form behavior detail for every command
155
167
  | [`aih doctor`](docs/commands.md#aih-doctor) | Verify the workstation/repo configuration fail-closed; workspace mode validates each child repo. |
156
168
  | [`aih status`](docs/commands.md#aih-status) | Show a read-only inventory of what the harness has configured. |
157
169
 
158
- Shared flags: `--apply`, `--force`, `--verify`, `--json`, `--posture <vibe|team|enterprise>`, `--support-out <dir>`, `--no-log`, `--context-dir <dir>`, `--root <dir>`, `--cli <list>`, `--all-tools`, `--detect`, `--yes` (the read-only `doctor`/`status`/`verify-bundle` take the relevant subset).
170
+ Shared flags: `--apply`, `--force`, `--verify`, `--json`, `--posture <vibe|team|enterprise>`, `--support-out <dir>`, `--no-log`, `--context-dir <dir>`, `--root <dir>`, `--cli <list>`, `--all-tools`, `--detect`, `--yes` (the read-only `doctor`/`status`/`verify-bundle`/`verify-release` take the relevant subset).
159
171
  Settings also read from `AIH_*` env vars (`AIH_APPLY`, `AIH_CONTEXT_DIR`, `AIH_LOG`, …).
160
172
 
161
173
  ### Plugins
162
174
 
163
175
  At startup `aih` probes for exactly one optional peer package: **`@aihq/enterprise`** — the literal
164
- name, never env- or config-selectable, so nothing can point the probe at other code. When installed,
176
+ name, never env- or config-selectable, so nothing can point the probe at other code. The package name
177
+ is a reserved extension point; the open-source harness does not require it to be published. When installed,
165
178
  its `aihCommands` export (a `CommandSpec[]`) registers as native subcommands through the identical
166
179
  path as the built-ins: shared flags, posture resolution, the dirty-worktree gate, and the run ledger
167
180
  all apply unchanged. Not installed → zero output, fully local. `AIH_NO_PLUGINS=1` disables the
@@ -317,12 +330,13 @@ the `SETUP.md` context markers: [docs/commands.md](docs/commands.md#support-tick
317
330
  ### Run ledger
318
331
 
319
332
  Every `aih` invocation appends one structured row to **`.aih/runs/YYYY-MM.jsonl`** (UTC, month-sharded,
320
- append-only) — a "what happened" diagnostics trail: run id, capability, redacted argv, status (`success` /
321
- `failed` / `partial` / `error`), exit code, mode (apply/verify/json/sarif), platform, write tally, and
322
- verification + support counts. It's distinct from `.aih/history.jsonl` (the per-commit metrics behind
323
- `aih report` trends). Logging is **on only after the repo is initialised** (a committed `.aih-config.json`
324
- marker exists) and never fails a command; opt out with **`--no-log`** or **`AIH_LOG=0`**. Like all of
325
- `.aih/`, the ledger is gitignored local diagnostics — never committed.
333
+ append-only) — a "what happened" diagnostics trail: schema version, run id, capability, redacted argv,
334
+ status (`success` / `failed` / `partial` / `error`), exit code, mode (apply/verify/json/sarif), platform,
335
+ host hash, repo remote hash, write tally, and verification + support counts. It's distinct from
336
+ `.aih/history.jsonl` (the per-commit metrics behind `aih report` trends). Logging is **on only after the
337
+ repo is initialised** (a committed `.aih-config.json` marker exists) and never fails a command; opt out
338
+ with **`--no-log`** or **`AIH_LOG=0`**. Like all of `.aih/`, the ledger is gitignored local diagnostics
339
+ — never committed. For tamper-evident sharing, package it with `aih evidence build`.
326
340
 
327
341
  ### Examples
328
342
 
@@ -349,7 +363,9 @@ aih usage --rollup ../repo-a,../repo-b
349
363
  - **Supply chain** — every release publishes via npm **Trusted Publishing** with build
350
364
  **provenance** and ships an **SPDX SBOM**, a **SHA256 checksum**, its keyless **cosign
351
365
  signature bundle** (`SHA256SUMS.txt.sigstore.json`), and the Sigstore **build-provenance
352
- bundle** on the GitHub Release. Verify an install with `npm audit signatures`.
366
+ bundle** on the GitHub Release. This is SLSA v1 provenance material, but the project does
367
+ not claim a SLSA level. Verify an install with `npm audit signatures` and
368
+ `aih verify-release [version]`.
353
369
  - **Support** — [SUPPORT.md](SUPPORT.md) · **Security** — [SECURITY.md](SECURITY.md)
354
370
  (private reporting) · **Contributing** — [CONTRIBUTING.md](CONTRIBUTING.md).
355
371