@aihq/harness 1.0.1 → 1.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +38 -22
- package/dist/{chunk-WZTIDZFM.js → chunk-ZMIHFGKR.js} +352 -221
- package/dist/cli.js +1 -1
- package/dist/index.d.ts +17 -6
- package/dist/index.js +1 -1
- package/package.json +3 -2
package/README.md
CHANGED
|
@@ -20,9 +20,9 @@ command surface. On top of that setup it runs a governance loop for external
|
|
|
20
20
|
agent skills — vet → approve → pack → marketplace → evidence — anchored in a
|
|
21
21
|
committed approval lock (`aih-skills.lock.json`).
|
|
22
22
|
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
23
|
+
See [docs/ARCHITECTURE.md](docs/ARCHITECTURE.md) for the shipped architecture and
|
|
24
|
+
current trust boundaries, and [docs/CONTROL_MATRIX.md](docs/CONTROL_MATRIX.md) for
|
|
25
|
+
the claim -> implementation -> test proof map.
|
|
26
26
|
|
|
27
27
|
> **Provided as open-source software under Apache-2.0 on an "AS IS" basis.** No warranty,
|
|
28
28
|
> support obligation, SLA, indemnity, consulting, or professional advice is provided. `aih`
|
|
@@ -40,19 +40,23 @@ and security fixes land on the latest and the previous minor. The full policy:
|
|
|
40
40
|
|
|
41
41
|
## Design posture
|
|
42
42
|
|
|
43
|
-
- **Dry-run by default.** `aih <cmd>` computes and
|
|
44
|
-
|
|
43
|
+
- **Dry-run by default for managed project changes.** `aih <cmd>` computes and
|
|
44
|
+
prints a plan; repo/workstation mutations wait for `--apply`. Named output
|
|
45
|
+
files (`--sarif`, `--support-out`, report outputs), browser launch flags
|
|
46
|
+
(`--open`, `--refresh`, `--demo`), the local run ledger, and `AIH_APPLY=1`
|
|
47
|
+
are explicit opt-ins rather than silent writes. Add `--verify` to run
|
|
48
|
+
read-only checks.
|
|
45
49
|
- **Gated writes.** `--apply` refuses a dirty git worktree unless you add
|
|
46
50
|
`--force`. Commands resolve a governance posture (`--posture vibe|team|enterprise`,
|
|
47
51
|
default `vibe`): the skill-install gate refuses unapproved skills at
|
|
48
52
|
`team`/`enterprise` and stays advisory at `vibe`; pack installs are fail-closed
|
|
49
53
|
at every posture. Once a repo is initialised, every run is recorded in the
|
|
50
54
|
local [run ledger](#run-ledger).
|
|
51
|
-
- **
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
55
|
+
- **No remote mutation except explicit signing flows.** Normal work is local:
|
|
56
|
+
`write`, `remove`, `exec`, `envblock`, `digest`, read-only `probe`, or `doc`
|
|
57
|
+
instructions for humans to run. The exceptions are opt-in provenance paths:
|
|
58
|
+
GitHub attestations can write to GitHub's attestation store, and keyless
|
|
59
|
+
cosign signing can append to Rekor.
|
|
56
60
|
- **Idempotent & non-destructive.** Shell-profile edits live in marked managed
|
|
57
61
|
blocks; JSON configs are deep-merged (your keys survive); every overwrite is
|
|
58
62
|
backed up to `*.aih.bak` and rolls back as a transaction on failure.
|
|
@@ -71,6 +75,7 @@ Verify the install's origin — every release is published with build provenance
|
|
|
71
75
|
|
|
72
76
|
```bash
|
|
73
77
|
npm audit signatures
|
|
78
|
+
aih verify-release # also checks GitHub release sums + cosign bundle
|
|
74
79
|
```
|
|
75
80
|
|
|
76
81
|
<details><summary>From source (contributors)</summary>
|
|
@@ -131,12 +136,19 @@ One honest line per command — the long-form behavior detail for every command
|
|
|
131
136
|
| [`aih skill`](docs/commands.md#aih-skill) | Govern the skill lifecycle — vet → approve → inventory → quarantine → remove — anchored in `aih-skills.lock.json`. |
|
|
132
137
|
| [`aih pack`](docs/commands.md#aih-pack) | Curate committed sets of approved skills (`aih-packs.json`); every ref is cross-checked against the lock, fail-closed. |
|
|
133
138
|
| [`aih marketplace`](docs/commands.md#aih-marketplace) | Build, validate, and publish a reproducible, verifiable distribution artifact from the approval lock — never a registry. |
|
|
134
|
-
| [`aih policy`](docs/commands.md#aih-policy) | Validate the committed org policy
|
|
135
|
-
| [`aih evidence`](docs/commands.md#aih-evidence) | Package the audit trail aih already emits
|
|
136
|
-
| [`aih bundle`](docs/commands.md#aih-bundle) | Build a deterministic fleet bundle
|
|
139
|
+
| [`aih policy`](docs/commands.md#aih-policy) | Validate the committed org policy or verify the active policy against a pinned hash/bundle. |
|
|
140
|
+
| [`aih evidence`](docs/commands.md#aih-evidence) | Package the audit trail aih already emits into one deterministic evidence bundle with a harness provenance block. |
|
|
141
|
+
| [`aih bundle`](docs/commands.md#aih-bundle) | Build a deterministic fleet bundle with checksums; `aih verify-bundle --require-signature` turns missing/unverifiable signatures into failures. |
|
|
142
|
+
| [`aih verify-release`](docs/commands.md#aih-verify-release) | Verify a published aih release: npm signatures, GitHub release cosign bundle, and tarball hash. |
|
|
137
143
|
| [`aih secrets`](docs/commands.md#aih-secrets) | Scan for plaintext `.env*`/`secrets/` and write agent deny rules; `--verify` is the secret-scan CI gate. |
|
|
138
144
|
| [`aih guardrails`](docs/commands.md#aih-guardrails) | Generate `.gitleaks.toml`, `.pre-commit-config.yaml`, and a CI license gate that blocks AGPL/strong-copyleft. |
|
|
139
145
|
|
|
146
|
+
### Trust configuration notes
|
|
147
|
+
|
|
148
|
+
`trust.internalScopes` is intentionally inert until an org configures internal package scopes in
|
|
149
|
+
policy. Without that scope list, dependency-confusion checks still report general package risk but do
|
|
150
|
+
not guess which names are private to your organization.
|
|
151
|
+
|
|
140
152
|
### Analytics & operations
|
|
141
153
|
|
|
142
154
|
| Command | What it does |
|
|
@@ -155,13 +167,14 @@ One honest line per command — the long-form behavior detail for every command
|
|
|
155
167
|
| [`aih doctor`](docs/commands.md#aih-doctor) | Verify the workstation/repo configuration fail-closed; workspace mode validates each child repo. |
|
|
156
168
|
| [`aih status`](docs/commands.md#aih-status) | Show a read-only inventory of what the harness has configured. |
|
|
157
169
|
|
|
158
|
-
Shared flags: `--apply`, `--force`, `--verify`, `--json`, `--posture <vibe|team|enterprise>`, `--support-out <dir>`, `--no-log`, `--context-dir <dir>`, `--root <dir>`, `--cli <list>`, `--all-tools`, `--detect`, `--yes` (the read-only `doctor`/`status`/`verify-bundle` take the relevant subset).
|
|
170
|
+
Shared flags: `--apply`, `--force`, `--verify`, `--json`, `--posture <vibe|team|enterprise>`, `--support-out <dir>`, `--no-log`, `--context-dir <dir>`, `--root <dir>`, `--cli <list>`, `--all-tools`, `--detect`, `--yes` (the read-only `doctor`/`status`/`verify-bundle`/`verify-release` take the relevant subset).
|
|
159
171
|
Settings also read from `AIH_*` env vars (`AIH_APPLY`, `AIH_CONTEXT_DIR`, `AIH_LOG`, …).
|
|
160
172
|
|
|
161
173
|
### Plugins
|
|
162
174
|
|
|
163
175
|
At startup `aih` probes for exactly one optional peer package: **`@aihq/enterprise`** — the literal
|
|
164
|
-
name, never env- or config-selectable, so nothing can point the probe at other code.
|
|
176
|
+
name, never env- or config-selectable, so nothing can point the probe at other code. The package name
|
|
177
|
+
is a reserved extension point; the open-source harness does not require it to be published. When installed,
|
|
165
178
|
its `aihCommands` export (a `CommandSpec[]`) registers as native subcommands through the identical
|
|
166
179
|
path as the built-ins: shared flags, posture resolution, the dirty-worktree gate, and the run ledger
|
|
167
180
|
all apply unchanged. Not installed → zero output, fully local. `AIH_NO_PLUGINS=1` disables the
|
|
@@ -317,12 +330,13 @@ the `SETUP.md` context markers: [docs/commands.md](docs/commands.md#support-tick
|
|
|
317
330
|
### Run ledger
|
|
318
331
|
|
|
319
332
|
Every `aih` invocation appends one structured row to **`.aih/runs/YYYY-MM.jsonl`** (UTC, month-sharded,
|
|
320
|
-
append-only) — a "what happened" diagnostics trail: run id, capability, redacted argv,
|
|
321
|
-
`failed` / `partial` / `error`), exit code, mode (apply/verify/json/sarif), platform,
|
|
322
|
-
verification + support counts. It's distinct from
|
|
323
|
-
`aih report` trends). Logging is **on only after the
|
|
324
|
-
marker exists) and never fails a command; opt out
|
|
325
|
-
`.aih/`, the ledger is gitignored local diagnostics
|
|
333
|
+
append-only) — a "what happened" diagnostics trail: schema version, run id, capability, redacted argv,
|
|
334
|
+
status (`success` / `failed` / `partial` / `error`), exit code, mode (apply/verify/json/sarif), platform,
|
|
335
|
+
host hash, repo remote hash, write tally, and verification + support counts. It's distinct from
|
|
336
|
+
`.aih/history.jsonl` (the per-commit metrics behind `aih report` trends). Logging is **on only after the
|
|
337
|
+
repo is initialised** (a committed `.aih-config.json` marker exists) and never fails a command; opt out
|
|
338
|
+
with **`--no-log`** or **`AIH_LOG=0`**. Like all of `.aih/`, the ledger is gitignored local diagnostics
|
|
339
|
+
— never committed. For tamper-evident sharing, package it with `aih evidence build`.
|
|
326
340
|
|
|
327
341
|
### Examples
|
|
328
342
|
|
|
@@ -349,7 +363,9 @@ aih usage --rollup ../repo-a,../repo-b
|
|
|
349
363
|
- **Supply chain** — every release publishes via npm **Trusted Publishing** with build
|
|
350
364
|
**provenance** and ships an **SPDX SBOM**, a **SHA256 checksum**, its keyless **cosign
|
|
351
365
|
signature bundle** (`SHA256SUMS.txt.sigstore.json`), and the Sigstore **build-provenance
|
|
352
|
-
bundle** on the GitHub Release.
|
|
366
|
+
bundle** on the GitHub Release. This is SLSA v1 provenance material, but the project does
|
|
367
|
+
not claim a SLSA level. Verify an install with `npm audit signatures` and
|
|
368
|
+
`aih verify-release [version]`.
|
|
353
369
|
- **Support** — [SUPPORT.md](SUPPORT.md) · **Security** — [SECURITY.md](SECURITY.md)
|
|
354
370
|
(private reporting) · **Contributing** — [CONTRIBUTING.md](CONTRIBUTING.md).
|
|
355
371
|
|