@claude-flow/cli 3.12.0 → 3.12.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.claude/helpers/auto-memory-hook.mjs +34 -4
- package/.claude/helpers/hook-handler.cjs +17 -13
- package/.claude/helpers/intelligence.cjs +16 -2
- package/README.md +7 -4
- package/dist/src/commands/daemon.d.ts.map +1 -1
- package/dist/src/commands/daemon.js +76 -7
- package/dist/src/commands/daemon.js.map +1 -1
- package/dist/src/commands/init.d.ts.map +1 -1
- package/dist/src/commands/init.js +24 -3
- package/dist/src/commands/init.js.map +1 -1
- package/dist/src/commands/security.d.ts.map +1 -1
- package/dist/src/commands/security.js +70 -12
- package/dist/src/commands/security.js.map +1 -1
- package/dist/tsconfig.tsbuildinfo +1 -1
- package/package.json +3 -2
- package/plugins/ruflo-metaharness/.claude-flow/data/pending-insights.jsonl +1 -0
- package/plugins/ruflo-metaharness/.claude-flow/neural/stats.json +6 -0
- package/plugins/ruflo-metaharness/.claude-plugin/plugin.json +32 -0
- package/plugins/ruflo-metaharness/README.md +64 -0
- package/plugins/ruflo-metaharness/agents/metaharness-architect.md +58 -0
- package/plugins/ruflo-metaharness/commands/ruflo-metaharness.md +46 -0
- package/plugins/ruflo-metaharness/scripts/_harness.mjs +261 -0
- package/plugins/ruflo-metaharness/scripts/_similarity.mjs +161 -0
- package/plugins/ruflo-metaharness/scripts/_spike-similarity.mjs +223 -0
- package/plugins/ruflo-metaharness/scripts/audit-list.mjs +158 -0
- package/plugins/ruflo-metaharness/scripts/audit-trend.mjs +272 -0
- package/plugins/ruflo-metaharness/scripts/bench-parse-mcp-scan.mjs +146 -0
- package/plugins/ruflo-metaharness/scripts/bench-recordpair-overhead.mjs +186 -0
- package/plugins/ruflo-metaharness/scripts/bench-similarity.mjs +177 -0
- package/plugins/ruflo-metaharness/scripts/drift-from-history.mjs +363 -0
- package/plugins/ruflo-metaharness/scripts/genome.mjs +80 -0
- package/plugins/ruflo-metaharness/scripts/mcp-scan.mjs +111 -0
- package/plugins/ruflo-metaharness/scripts/mint.mjs +119 -0
- package/plugins/ruflo-metaharness/scripts/oia-audit.mjs +228 -0
- package/plugins/ruflo-metaharness/scripts/router-parallel-analyze.mjs +250 -0
- package/plugins/ruflo-metaharness/scripts/score.mjs +92 -0
- package/plugins/ruflo-metaharness/scripts/similarity.mjs +158 -0
- package/plugins/ruflo-metaharness/scripts/smoke.sh +2268 -0
- package/plugins/ruflo-metaharness/scripts/test-graceful-degradation.mjs +141 -0
- package/plugins/ruflo-metaharness/scripts/test-mcp-tools.mjs +437 -0
- package/plugins/ruflo-metaharness/scripts/test-parallel-pipeline.mjs +204 -0
- package/plugins/ruflo-metaharness/scripts/test-pipeline-roundtrip.mjs +586 -0
- package/plugins/ruflo-metaharness/scripts/test-similarity.mjs +334 -0
- package/plugins/ruflo-metaharness/scripts/test-with-openrouter.mjs +229 -0
- package/plugins/ruflo-metaharness/scripts/threat-model.mjs +59 -0
- package/plugins/ruflo-metaharness/skills/harness-drift-from-history/SKILL.md +65 -0
- package/plugins/ruflo-metaharness/skills/harness-genome/SKILL.md +54 -0
- package/plugins/ruflo-metaharness/skills/harness-mcp-scan/SKILL.md +47 -0
- package/plugins/ruflo-metaharness/skills/harness-mint/SKILL.md +72 -0
- package/plugins/ruflo-metaharness/skills/harness-oia-audit/SKILL.md +79 -0
- package/plugins/ruflo-metaharness/skills/harness-score/SKILL.md +66 -0
- package/plugins/ruflo-metaharness/skills/harness-similarity/SKILL.md +67 -0
- package/plugins/ruflo-metaharness/skills/harness-threat-model/SKILL.md +39 -0
|
@@ -0,0 +1,65 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: harness-drift-from-history
|
|
3
|
+
description: One-command drift detection. Composes audit-list + oia-audit + audit-trend into a single primitive — finds the most recent audit in `metaharness-audit` namespace, runs a fresh audit against the current repo, diffs them via ADR-152 §3.1 similarity, and alerts when structural distance crosses `--threshold`. Iter 53 of ADR-150 deep integration.
|
|
4
|
+
argument-hint: "[--path .] [--baseline-since 7d] [--threshold 0.95] [--dry-run] [--format json|table]"
|
|
5
|
+
allowed-tools: Bash
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
The natural ops question after running `oia-audit` weekly is "did anything drift?" Before this skill, the answer required a three-step sequence:
|
|
9
|
+
|
|
10
|
+
```bash
|
|
11
|
+
npx ruflo metaharness audit-list --format json # → pick a key by hand
|
|
12
|
+
npx ruflo metaharness oia-audit --format json > /tmp/curr.json
|
|
13
|
+
npx ruflo metaharness audit-trend \
|
|
14
|
+
--baseline-key <picked-key> --current /tmp/curr.json \
|
|
15
|
+
--alert-on-distance-below 0.95
|
|
16
|
+
```
|
|
17
|
+
|
|
18
|
+
This skill collapses it into one command:
|
|
19
|
+
|
|
20
|
+
```bash
|
|
21
|
+
npx ruflo metaharness drift-from-history --threshold 0.95
|
|
22
|
+
```
|
|
23
|
+
|
|
24
|
+
## What it does
|
|
25
|
+
|
|
26
|
+
1. Lists records from `metaharness-audit` namespace via audit-list.mjs
|
|
27
|
+
2. Picks the most recent record by `startedAt` (or `--baseline-since 7d` skips anything newer than 7 days)
|
|
28
|
+
3. Runs a fresh `oia-audit` against the current path
|
|
29
|
+
4. Diffs the two via audit-trend, applying `--alert-on-distance-below ${threshold}`
|
|
30
|
+
5. Returns the structured drift report
|
|
31
|
+
|
|
32
|
+
## Architectural constraint inheritance (ADR-150)
|
|
33
|
+
|
|
34
|
+
| Constraint | How drift-from-history satisfies it |
|
|
35
|
+
|---|---|
|
|
36
|
+
| Removable | Pure subprocess composition over existing scripts — no new `@metaharness/*` import |
|
|
37
|
+
| Optional | If oia-audit reports `degraded:true`, this skill exits 3 with a degraded payload |
|
|
38
|
+
| Graceful | Empty audit history → exit 2 with hint to seed it; never crashes |
|
|
39
|
+
| CI-gate | Smoke step 17z16 anchors the dispatcher entry + subcommand listing |
|
|
40
|
+
|
|
41
|
+
## Exit codes
|
|
42
|
+
|
|
43
|
+
- 0 — similarity ≥ threshold (or threshold not crossed)
|
|
44
|
+
- 1 — drift detected: similarity < threshold (alert fired)
|
|
45
|
+
- 2 — config error (no history, audit-list failed)
|
|
46
|
+
- 3 — upstream metaharness absent (degraded payload returned)
|
|
47
|
+
|
|
48
|
+
## Example
|
|
49
|
+
|
|
50
|
+
```bash
|
|
51
|
+
$ npx ruflo metaharness drift-from-history --threshold 0.95
|
|
52
|
+
# drift-from-history
|
|
53
|
+
|
|
54
|
+
Baseline: audit-2026-06-16T22-58-47-840Z
|
|
55
|
+
Current: 2026-06-16T23:05:02.231Z
|
|
56
|
+
|
|
57
|
+
Structural similarity: 1 (near-identical)
|
|
58
|
+
Distance: 0
|
|
59
|
+
|
|
60
|
+
✓ similarity ≥ 0.95 — OK
|
|
61
|
+
```
|
|
62
|
+
|
|
63
|
+
## Implementation
|
|
64
|
+
|
|
65
|
+
[`scripts/drift-from-history.mjs`](../../scripts/drift-from-history.mjs)
|
|
@@ -0,0 +1,54 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: harness-genome
|
|
3
|
+
description: 7-section repo readiness report from `metaharness genome <path>`. Returns repo_type / agent_topology / risk_score / mcp_surface / test_confidence / publish_readiness. Pure-read; degrades gracefully (ADR-150).
|
|
4
|
+
argument-hint: "[--path .] [--alert-on-risk-above 0.5] [--format table|json]"
|
|
5
|
+
allowed-tools: Bash
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
Companion to `harness-score`. Where score is a 5-dimension numeric
|
|
9
|
+
scorecard, genome is a 7-section categorical/numeric report covering
|
|
10
|
+
repo type, agent topology recommendations, risk score (0-1), MCP
|
|
11
|
+
surface area, test confidence (0-1), and publish readiness (0-1).
|
|
12
|
+
|
|
13
|
+
## Algorithm
|
|
14
|
+
|
|
15
|
+
Implementation: [`scripts/genome.mjs`](../../scripts/genome.mjs).
|
|
16
|
+
|
|
17
|
+
1. Shell out to `npx metaharness genome <path> --json` (60s hard timeout).
|
|
18
|
+
2. Parse the shape: `{ repo_type, agent_topology[], risk_score,
|
|
19
|
+
mcp_surface, test_confidence, publish_readiness }`.
|
|
20
|
+
3. If `--alert-on-risk-above N`: exit 1 when `risk_score > N`.
|
|
21
|
+
4. Output JSON (default) or markdown.
|
|
22
|
+
|
|
23
|
+
## Phase-0 baseline (ruflo, measured 2026-06-16)
|
|
24
|
+
|
|
25
|
+
```
|
|
26
|
+
{
|
|
27
|
+
"repo_type": "node_mcp_ci",
|
|
28
|
+
"agent_topology": ["maintainer", "tester", "security", "release"],
|
|
29
|
+
"risk_score": 0.27,
|
|
30
|
+
"mcp_surface": "remote",
|
|
31
|
+
"test_confidence": 0.8,
|
|
32
|
+
"publish_readiness": 0.9
|
|
33
|
+
}
|
|
34
|
+
```
|
|
35
|
+
|
|
36
|
+
Ruflo's `risk_score: 0.27` is low (good). `publish_readiness: 0.9` is
|
|
37
|
+
high. The `mcp_surface: "remote"` reflects that ruflo's MCP servers are
|
|
38
|
+
hosted, not bundled.
|
|
39
|
+
|
|
40
|
+
## When to use
|
|
41
|
+
|
|
42
|
+
- Pre-mint review: "before scaffolding a custom harness from this repo,
|
|
43
|
+
should we?" — genome answers it categorically.
|
|
44
|
+
- Drift detection: capture genome snapshots over time, diff via
|
|
45
|
+
cost-diff-style tooling to spot when `agent_topology` recommendations
|
|
46
|
+
drift away from a deliberate architecture choice.
|
|
47
|
+
- CI gate: `--alert-on-risk-above 0.5` fails the build when the repo's
|
|
48
|
+
risk profile crosses a threshold.
|
|
49
|
+
|
|
50
|
+
## Pairs with
|
|
51
|
+
|
|
52
|
+
- `harness-score` — numeric readiness
|
|
53
|
+
- `harness-mcp-scan` — static MCP security findings
|
|
54
|
+
- `harness-threat-model` — enterprise-review-grade threat model
|
|
@@ -0,0 +1,47 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: harness-mcp-scan
|
|
3
|
+
description: Static security scan of a harness's declared MCP surface via `harness mcp-scan <path>`. Reads `.mcp/servers.json` + `.harness/claims.json`. Pure-read, no dispatch. Exits 1 on findings at or above `--fail-on` severity.
|
|
4
|
+
argument-hint: "[--path .] [--fail-on low|medium|high] [--format table|json]"
|
|
5
|
+
allowed-tools: Bash
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
Calls `harness mcp-scan` to enumerate every declared MCP server + tool
|
|
9
|
+
and flag policy / permission / dependency issues. Never executes any
|
|
10
|
+
tool; pure static analysis.
|
|
11
|
+
|
|
12
|
+
## Algorithm
|
|
13
|
+
|
|
14
|
+
Implementation: [`scripts/mcp-scan.mjs`](../../scripts/mcp-scan.mjs).
|
|
15
|
+
|
|
16
|
+
1. Shell `npx -p metaharness@latest harness mcp-scan <path> --json`.
|
|
17
|
+
2. Parse `findings[]` with `{ severity, id, server, tool, message }`.
|
|
18
|
+
3. `--fail-on <severity>`: exit 1 when any finding is at or above that
|
|
19
|
+
level. Default `high`.
|
|
20
|
+
4. Output JSON (default) or markdown table.
|
|
21
|
+
|
|
22
|
+
## Severity rank
|
|
23
|
+
|
|
24
|
+
| Severity | Rank |
|
|
25
|
+
|---|---:|
|
|
26
|
+
| low | 1 |
|
|
27
|
+
| medium | 2 |
|
|
28
|
+
| high | 3 |
|
|
29
|
+
|
|
30
|
+
`--fail-on high` (default) only fails on HIGH; `--fail-on medium` also
|
|
31
|
+
fails on MEDIUM; `--fail-on low` fails on any finding.
|
|
32
|
+
|
|
33
|
+
## CI integration
|
|
34
|
+
|
|
35
|
+
```yaml
|
|
36
|
+
- name: MCP static scan
|
|
37
|
+
run: node plugins/ruflo-metaharness/scripts/mcp-scan.mjs --fail-on high
|
|
38
|
+
```
|
|
39
|
+
|
|
40
|
+
The exit code is the only thing CI watches; the JSON output goes to
|
|
41
|
+
artifacts for human review.
|
|
42
|
+
|
|
43
|
+
## Graceful degradation
|
|
44
|
+
|
|
45
|
+
When `harness` binary is unavailable (no network, blocked registry),
|
|
46
|
+
emits structured `{ degraded: true, reason: 'metaharness-not-available' }`
|
|
47
|
+
and exits 0. Ruflo continues — ADR-150 architectural constraint.
|
|
@@ -0,0 +1,72 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: harness-mint
|
|
3
|
+
description: Scaffold a custom AI agent harness via `metaharness new <name> --template <id> --host <id>`. Defaults to DRY-RUN (no writes) unless --confirm is passed. Refuses to write to the calling repo root or anywhere inside it. Honors ADR-150 architectural constraint + ruflo's "destructive-action confirmation" pattern.
|
|
4
|
+
argument-hint: "--name <id> --template <vertical:coding|minimal|…> [--host claude-code|codex|…] [--target /abs/path] [--confirm] [--format table|json]"
|
|
5
|
+
allowed-tools: Bash
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
The one write-capable skill in the plugin. Every other skill is
|
|
9
|
+
pure-read. This one calls `metaharness new`, which writes a new
|
|
10
|
+
directory tree.
|
|
11
|
+
|
|
12
|
+
## Safety (load-bearing)
|
|
13
|
+
|
|
14
|
+
1. **Dry-run by default.** Without `--confirm`, the script prints what
|
|
15
|
+
it would do and exits 0 without touching disk.
|
|
16
|
+
2. **Refuses project root.** If `--target` resolves to the current
|
|
17
|
+
working directory OR any path inside it, the script errors out with
|
|
18
|
+
exit 2. Target must be an absolute path OUTSIDE the calling repo
|
|
19
|
+
(default is a fresh `/tmp/ruflo-mint-<ts>-<name>/` dir).
|
|
20
|
+
3. **Refuses existing target.** Won't overwrite — must scaffold into a
|
|
21
|
+
non-existent dir.
|
|
22
|
+
4. **Subprocess + 60s timeout.** No library import, no in-process
|
|
23
|
+
execution. The mint stays sandboxed from ruflo's runtime.
|
|
24
|
+
|
|
25
|
+
## Algorithm
|
|
26
|
+
|
|
27
|
+
Implementation: [`scripts/mint.mjs`](../../scripts/mint.mjs).
|
|
28
|
+
|
|
29
|
+
1. Validate `--name`, `--template`. Default `--host` to `claude-code`.
|
|
30
|
+
2. Resolve `--target` (default: temp dir).
|
|
31
|
+
3. Run safety checks (no project-root writes; target must not exist).
|
|
32
|
+
4. Without `--confirm`: emit dry-run plan, exit 0.
|
|
33
|
+
5. With `--confirm`: shell `npx metaharness new <name> --template <id>
|
|
34
|
+
--host <id> --target <abs> --yes`.
|
|
35
|
+
|
|
36
|
+
## Templates
|
|
37
|
+
|
|
38
|
+
`minimal`, `vertical:coding`, `vertical:devops`, `vertical:support`,
|
|
39
|
+
`vertical:legal`, `vertical:research`, `vertical:trading`, `vertical:health`,
|
|
40
|
+
`vertical:education`, `vertical:sales`, `vertical:business`,
|
|
41
|
+
`vertical:crm`, `vertical:marketing`, `vertical:advertising`,
|
|
42
|
+
`vertical:ai`, `vertical:agentics`, `vertical:ruview`, `vertical:gaming`,
|
|
43
|
+
`vertical:repo-maintainer`, `vertical:exotic`.
|
|
44
|
+
|
|
45
|
+
## Hosts
|
|
46
|
+
|
|
47
|
+
`claude-code`, `codex`, `pi-dev`, `hermes`, `openclaw`, `rvm`,
|
|
48
|
+
`copilot`, `opencode`, `github-actions`.
|
|
49
|
+
|
|
50
|
+
## Example dry-run
|
|
51
|
+
|
|
52
|
+
```
|
|
53
|
+
$ node scripts/mint.mjs --name my-harness --template vertical:coding --host claude-code
|
|
54
|
+
# harness-mint (dry-run)
|
|
55
|
+
|
|
56
|
+
- action: metaharness new
|
|
57
|
+
- name: my-harness
|
|
58
|
+
- template: vertical:coding
|
|
59
|
+
- host: claude-code
|
|
60
|
+
- target: /tmp/ruflo-mint-1718560000-my-harness
|
|
61
|
+
- confirm: false
|
|
62
|
+
- willWrite: false
|
|
63
|
+
|
|
64
|
+
Re-run with `--confirm` to actually scaffold.
|
|
65
|
+
```
|
|
66
|
+
|
|
67
|
+
## Why dry-run by default
|
|
68
|
+
|
|
69
|
+
Ruflo's behavioral rules say "executing actions with care" — destructive
|
|
70
|
+
or repo-touching actions need confirmation. The dry-run output makes the
|
|
71
|
+
WHAT visible before the WHEN. A human sees `target`, decides, then
|
|
72
|
+
adds `--confirm` if happy.
|
|
@@ -0,0 +1,79 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: harness-oia-audit
|
|
3
|
+
description: Composite Phase-2 audit worker (ADR-150). Bundles harness oia-manifest + threat-model + mcp-scan into one timestamped audit record stored in the `metaharness-audit` memory namespace. Designed for cron-scheduled drift detection.
|
|
4
|
+
argument-hint: "[--path .] [--dry-run] [--alert-on-worst clean|low|medium|high] [--format table|json]"
|
|
5
|
+
allowed-tools: Bash
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
The 13th worker (ADR-150 Phase 2) — runs three MetaHarness static
|
|
9
|
+
surfaces in one shot, computes a composite worst-severity signal, and
|
|
10
|
+
persists the audit record to memory so drift over time is visible.
|
|
11
|
+
|
|
12
|
+
## Algorithm
|
|
13
|
+
|
|
14
|
+
Implementation: [`scripts/oia-audit.mjs`](../../scripts/oia-audit.mjs).
|
|
15
|
+
|
|
16
|
+
1. Run `harness oia-manifest <path>` — Open Infrastructure Architecture
|
|
17
|
+
layer alignment (L1-L9).
|
|
18
|
+
2. Run `harness threat-model <path>` — categorized MCP-surface threat
|
|
19
|
+
report with `worst: clean|low|medium|high`.
|
|
20
|
+
3. Run `harness mcp-scan <path>` — per-server/tool policy + permissions
|
|
21
|
+
+ dep findings.
|
|
22
|
+
4. Composite worst = `max(threatModel.worst, max(mcpScan.findings.severity))`.
|
|
23
|
+
5. Persist payload to memory namespace `metaharness-audit` with key
|
|
24
|
+
`audit-<iso-timestamp>` (unless `--dry-run`).
|
|
25
|
+
6. `--alert-on-worst <severity>`: exit 1 if composite worst ≥ threshold.
|
|
26
|
+
|
|
27
|
+
## Graceful degradation
|
|
28
|
+
|
|
29
|
+
When ALL three components report `metaharness-not-available`, the script
|
|
30
|
+
emits the standard degraded payload and exits 0. When only some are
|
|
31
|
+
degraded, each individual component carries its own `degraded: true`
|
|
32
|
+
flag in the audit record — the audit still runs and persists what it
|
|
33
|
+
could gather.
|
|
34
|
+
|
|
35
|
+
## CI / cron integration
|
|
36
|
+
|
|
37
|
+
Designed for weekly cron in `.github/workflows/`:
|
|
38
|
+
|
|
39
|
+
```yaml
|
|
40
|
+
on:
|
|
41
|
+
schedule:
|
|
42
|
+
- cron: '17 4 * * 0' # Sundays at 04:17 UTC
|
|
43
|
+
jobs:
|
|
44
|
+
oia-audit:
|
|
45
|
+
runs-on: ubuntu-latest
|
|
46
|
+
steps:
|
|
47
|
+
- uses: actions/checkout@v4
|
|
48
|
+
- uses: actions/setup-node@v4
|
|
49
|
+
- run: node plugins/ruflo-metaharness/scripts/oia-audit.mjs --alert-on-worst high
|
|
50
|
+
```
|
|
51
|
+
|
|
52
|
+
`--alert-on-worst high` fails the job on any HIGH-severity finding;
|
|
53
|
+
drift below HIGH is logged but doesn't block.
|
|
54
|
+
|
|
55
|
+
## Memory namespace
|
|
56
|
+
|
|
57
|
+
Each audit run stores under `metaharness-audit:audit-<iso-ts>`. To list
|
|
58
|
+
recent audits:
|
|
59
|
+
|
|
60
|
+
```bash
|
|
61
|
+
npx @claude-flow/cli@latest memory list --namespace metaharness-audit --limit 10
|
|
62
|
+
```
|
|
63
|
+
|
|
64
|
+
To diff two audits (drift detection):
|
|
65
|
+
|
|
66
|
+
```bash
|
|
67
|
+
A=$(npx ... memory retrieve --key audit-2026-06-01... --namespace metaharness-audit)
|
|
68
|
+
B=$(npx ... memory retrieve --key audit-2026-06-15... --namespace metaharness-audit)
|
|
69
|
+
# Compare composite.worst, components.threatModel.worst, etc.
|
|
70
|
+
```
|
|
71
|
+
|
|
72
|
+
A future ADR can wire this into a dedicated `cost-diff`-style diff
|
|
73
|
+
viewer specifically for audit drift.
|
|
74
|
+
|
|
75
|
+
## Pairs with
|
|
76
|
+
|
|
77
|
+
- `harness-threat-model` — the underlying threat-model component
|
|
78
|
+
- `harness-mcp-scan` — the underlying MCP-scan component
|
|
79
|
+
- `harness-score` + `harness-genome` — readiness metrics (orthogonal to audit)
|
|
@@ -0,0 +1,66 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: harness-score
|
|
3
|
+
description: 5-dimension harness readiness scorecard from `metaharness score <path>`. Returns harnessFit / compileConfidence / taskCoverage / toolSafety / memoryUsefulness + estCostPerRunUsd + scaffoldReady. Pure-read; subprocess invocation; degrades gracefully when MetaHarness is absent (ADR-150 architectural constraint).
|
|
4
|
+
argument-hint: "[--path .] [--alert-on-fit-below 70] [--format table|json]"
|
|
5
|
+
allowed-tools: Bash
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
Surfaces the upstream `metaharness score` CLI as a ruflo skill. Use when
|
|
9
|
+
Claude Code needs to assess whether a repo is ready for harness adoption
|
|
10
|
+
before recommending the user run `npx ruflo init` or `harness-mint`.
|
|
11
|
+
|
|
12
|
+
## Algorithm
|
|
13
|
+
|
|
14
|
+
Implementation: [`scripts/score.mjs`](../../scripts/score.mjs).
|
|
15
|
+
|
|
16
|
+
1. Shell out to `npx metaharness score <path> --json` (single subprocess,
|
|
17
|
+
60s hard timeout).
|
|
18
|
+
2. Parse the JSON shape: `{ harnessFit, compileConfidence, taskCoverage,
|
|
19
|
+
toolSafety, memoryUsefulness, estCostPerRunUsd, recommendedMode,
|
|
20
|
+
archetype, template, scaffoldReady, hardConstraints }`.
|
|
21
|
+
3. If `--alert-on-fit-below N`: exit 1 when `harnessFit < N`.
|
|
22
|
+
4. Output JSON (default) or markdown table.
|
|
23
|
+
|
|
24
|
+
## Phase-0 baseline (ruflo's own scorecard, measured 2026-06-16)
|
|
25
|
+
|
|
26
|
+
| Dimension | Value |
|
|
27
|
+
|---|---:|
|
|
28
|
+
| harnessFit | 82/100 |
|
|
29
|
+
| compileConfidence | 100 |
|
|
30
|
+
| taskCoverage | 79 |
|
|
31
|
+
| toolSafety | 100 |
|
|
32
|
+
| memoryUsefulness | 40 |
|
|
33
|
+
| estCostPerRunUsd | $0.048 |
|
|
34
|
+
| recommendedMode | CLI + MCP |
|
|
35
|
+
| archetype | typescript-sdk-harness |
|
|
36
|
+
| template | vertical:coding |
|
|
37
|
+
| scaffoldReady | true |
|
|
38
|
+
|
|
39
|
+
Ruflo passes its own readiness check. `memoryUsefulness: 40` is the
|
|
40
|
+
weakest dimension — track this as a leading indicator for future memory
|
|
41
|
+
work in the AgentDB layer.
|
|
42
|
+
|
|
43
|
+
## CI integration
|
|
44
|
+
|
|
45
|
+
```bash
|
|
46
|
+
node plugins/ruflo-metaharness/scripts/score.mjs --alert-on-fit-below 70 --format json
|
|
47
|
+
```
|
|
48
|
+
|
|
49
|
+
Exit 1 fails the build. Pair with `harness-genome` for the full
|
|
50
|
+
7-section view.
|
|
51
|
+
|
|
52
|
+
## Graceful degradation (ADR-150 architectural constraint rule #3)
|
|
53
|
+
|
|
54
|
+
When `metaharness` is not installed and `npx` can't fetch it (offline,
|
|
55
|
+
no network, registry unreachable), the script emits:
|
|
56
|
+
|
|
57
|
+
```json
|
|
58
|
+
{
|
|
59
|
+
"degraded": true,
|
|
60
|
+
"reason": "metaharness-not-available",
|
|
61
|
+
"hint": "Install metaharness manually with `npm i -D metaharness` or run `npx metaharness@latest --version` to verify network access."
|
|
62
|
+
}
|
|
63
|
+
```
|
|
64
|
+
|
|
65
|
+
and exits 0. Ruflo continues to function — this is the architectural
|
|
66
|
+
constraint in action.
|
|
@@ -0,0 +1,67 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: harness-similarity
|
|
3
|
+
description: ADR-152 — weighted similarity between two harness fingerprints (genome + score JSON). Returns overall score in [0,1] plus per-component breakdown (cosine over 9 numerics, categorical agreement over 4 enums, jaccard over agent_topology). Unblocks ADR-151 §3.2 Recommender, §3.3 Drift Detection, §3.5 Plugin Compat. Pure-TS, no `@metaharness/*` dep — preserves ADR-150's four architectural constraints.
|
|
4
|
+
argument-hint: "(--a a.json --b b.json | --a-key X --b-key Y) [--per-dimension] [--alert-below 0.5] [--format json|table]"
|
|
5
|
+
allowed-tools: Bash
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
Surfaces the production similarity function from [`scripts/_similarity.mjs`](../../scripts/_similarity.mjs) as a callable skill. Use when an agent needs to:
|
|
9
|
+
|
|
10
|
+
- decide whether to fork an existing harness vs scaffold a new one
|
|
11
|
+
- rank candidate templates against a target repo's genome
|
|
12
|
+
- diff two harnesses produced by different teams to find duplicate work
|
|
13
|
+
- generate the confidence number that ADR-151 §3.2's Recommender wraps
|
|
14
|
+
|
|
15
|
+
## Algorithm (from ADR-152 §Decision)
|
|
16
|
+
|
|
17
|
+
```
|
|
18
|
+
overall = 0.60·cosine + 0.25·categorical + 0.15·jaccard
|
|
19
|
+
```
|
|
20
|
+
|
|
21
|
+
- **cosine** — over a 9-dim numerical vector of normalized scorecard + genome dims
|
|
22
|
+
- **categorical** — fraction of 4 enum fields that match (`repo_type`, `archetype`, `template`, `recommendedMode`)
|
|
23
|
+
- **jaccard** — `|A ∩ B| / |A ∪ B|` over the `agent_topology[]` array
|
|
24
|
+
|
|
25
|
+
The 3-component design is load-bearing: numerical cosine alone is too coarse (the iter-35 spike showed LEGAL vs DEVOPS at cosine=0.97 despite being unrelated verticals). Categorical + jaccard pull the composite to the correct ordering.
|
|
26
|
+
|
|
27
|
+
## Reference outputs (iter-35 spike fixtures)
|
|
28
|
+
|
|
29
|
+
| Pair | overall | cosine | categorical | jaccard |
|
|
30
|
+
|---|---:|---:|---:|---:|
|
|
31
|
+
| `LEGAL` × `LEGAL` (self) | 1.0000 | 1.0000 | 1.0000 | 1.0000 |
|
|
32
|
+
| `LEGAL` × `SUPPORT` | 0.8296 | 0.9987 | 0.7500 | 0.2857 |
|
|
33
|
+
| `LEGAL` × `DEVOPS` | 0.5840 | 0.9734 | 0.0000 | 0.0000 |
|
|
34
|
+
|
|
35
|
+
Both invariants from ADR-152 §"Smallest demonstrable spike" hold:
|
|
36
|
+
1. `similarity(X, X) === 1` exactly
|
|
37
|
+
2. `similarity(LEGAL, DEVOPS) < similarity(LEGAL, SUPPORT)` (vertical affinity)
|
|
38
|
+
|
|
39
|
+
## Architectural constraint inheritance (ADR-150)
|
|
40
|
+
|
|
41
|
+
- **Removable** — pure-TS function, zero static `@metaharness/*` imports.
|
|
42
|
+
- **Optional** — no new dep in `package.json`.
|
|
43
|
+
- **Graceful** — malformed inputs emit `{ degraded: true, reason }` with exit code 2; never throws.
|
|
44
|
+
- **CI-gate** — smoke step 17y locks the contract: module exports, spike fixtures reproduce, CLI dispatcher entry registered, MCP tool registered.
|
|
45
|
+
|
|
46
|
+
## Usage
|
|
47
|
+
|
|
48
|
+
```bash
|
|
49
|
+
# File inputs
|
|
50
|
+
npx ruflo metaharness similarity --a a.json --b b.json
|
|
51
|
+
|
|
52
|
+
# Memory inputs (records persisted by oia-audit.mjs)
|
|
53
|
+
npx ruflo metaharness similarity --a-key harness-X --b-key harness-Y
|
|
54
|
+
|
|
55
|
+
# Per-dimension breakdown (used by ADR-151 §3.2 Recommender)
|
|
56
|
+
npx ruflo metaharness similarity --a a.json --b b.json --per-dimension
|
|
57
|
+
|
|
58
|
+
# Alert when too-dissimilar (used by ADR-151 §3.3 Drift Detection)
|
|
59
|
+
npx ruflo metaharness similarity --a a.json --b b.json --alert-below 0.5
|
|
60
|
+
```
|
|
61
|
+
|
|
62
|
+
## Implementation
|
|
63
|
+
|
|
64
|
+
Production module: [`scripts/_similarity.mjs`](../../scripts/_similarity.mjs)
|
|
65
|
+
CLI skill: [`scripts/similarity.mjs`](../../scripts/similarity.mjs)
|
|
66
|
+
MCP tool: `mcp__claude-flow__metaharness_similarity` (registered in `v3/@claude-flow/cli/src/mcp-tools/metaharness-tools.ts`)
|
|
67
|
+
Spike anchor: [`scripts/_spike-similarity.mjs`](../../scripts/_spike-similarity.mjs) (regression suite — invariants locked here)
|
|
@@ -0,0 +1,39 @@
|
|
|
1
|
+
---
|
|
2
|
+
name: harness-threat-model
|
|
3
|
+
description: Enterprise-review-grade threat model from `harness threat-model <path>`. Categorizes MCP-surface threats; emits `worst: 'clean'|'low'|'medium'|'high'` + per-threat findings. Pure-read.
|
|
4
|
+
argument-hint: "[--path .] [--fail-on clean|low|medium|high] [--format table|json]"
|
|
5
|
+
allowed-tools: Bash
|
|
6
|
+
---
|
|
7
|
+
|
|
8
|
+
The companion to `harness-mcp-scan` for enterprise security reviews.
|
|
9
|
+
Where mcp-scan is a per-server static lint, threat-model produces a
|
|
10
|
+
categorized report suitable for sharing with an InfoSec team.
|
|
11
|
+
|
|
12
|
+
## Algorithm
|
|
13
|
+
|
|
14
|
+
Implementation: [`scripts/threat-model.mjs`](../../scripts/threat-model.mjs).
|
|
15
|
+
|
|
16
|
+
1. Shell `npx -p metaharness@latest harness threat-model <path> --json`.
|
|
17
|
+
2. Parse `{ worst, findings[] }`.
|
|
18
|
+
3. `--fail-on <severity>`: exit 1 when `worst >= fail-on`. Default `high`.
|
|
19
|
+
|
|
20
|
+
## Severity rank
|
|
21
|
+
|
|
22
|
+
| Severity | Rank |
|
|
23
|
+
|---|---:|
|
|
24
|
+
| clean | 0 |
|
|
25
|
+
| low | 1 |
|
|
26
|
+
| medium | 2 |
|
|
27
|
+
| high | 3 |
|
|
28
|
+
|
|
29
|
+
## When to use
|
|
30
|
+
|
|
31
|
+
- Pre-launch review: include the JSON output in the release-readiness
|
|
32
|
+
packet sent to security.
|
|
33
|
+
- Periodic audit: schedule via the planned `oia-audit` background
|
|
34
|
+
worker (ADR-150 Phase 2) to detect MCP-surface drift.
|
|
35
|
+
|
|
36
|
+
## Graceful degradation
|
|
37
|
+
|
|
38
|
+
Same pattern as the other skills: when `harness` is absent, emit
|
|
39
|
+
`{ degraded: true }` and exit 0. ADR-150 architectural constraint.
|