@harness-engineering/cli 1.12.0 → 1.13.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/agents/skills/claude-code/add-harness-component/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/align-documentation/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/check-mechanical-constraints/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/cleanup-dead-code/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/detect-doc-drift/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/enforce-architecture/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-accessibility/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-api-design/SKILL.md +304 -0
- package/dist/agents/skills/claude-code/harness-api-design/skill.yaml +74 -0
- package/dist/agents/skills/claude-code/harness-architecture-advisor/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-auth/SKILL.md +279 -0
- package/dist/agents/skills/claude-code/harness-auth/skill.yaml +81 -0
- package/dist/agents/skills/claude-code/harness-autopilot/SKILL.md +57 -9
- package/dist/agents/skills/claude-code/harness-autopilot/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-brainstorming/SKILL.md +1 -1
- package/dist/agents/skills/claude-code/harness-brainstorming/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-caching/SKILL.md +309 -0
- package/dist/agents/skills/claude-code/harness-caching/skill.yaml +73 -0
- package/dist/agents/skills/claude-code/harness-chaos/SKILL.md +295 -0
- package/dist/agents/skills/claude-code/harness-chaos/skill.yaml +72 -0
- package/dist/agents/skills/claude-code/harness-code-review/SKILL.md +19 -2
- package/dist/agents/skills/claude-code/harness-code-review/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-codebase-cleanup/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-compliance/SKILL.md +303 -0
- package/dist/agents/skills/claude-code/harness-compliance/skill.yaml +78 -0
- package/dist/agents/skills/claude-code/harness-containerization/SKILL.md +284 -0
- package/dist/agents/skills/claude-code/harness-containerization/skill.yaml +80 -0
- package/dist/agents/skills/claude-code/harness-data-pipeline/SKILL.md +274 -0
- package/dist/agents/skills/claude-code/harness-data-pipeline/skill.yaml +81 -0
- package/dist/agents/skills/claude-code/harness-data-validation/SKILL.md +343 -0
- package/dist/agents/skills/claude-code/harness-data-validation/skill.yaml +75 -0
- package/dist/agents/skills/claude-code/harness-database/SKILL.md +258 -0
- package/dist/agents/skills/claude-code/harness-database/skill.yaml +80 -0
- package/dist/agents/skills/claude-code/harness-debugging/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-dependency-health/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-deployment/SKILL.md +255 -0
- package/dist/agents/skills/claude-code/harness-deployment/skill.yaml +77 -0
- package/dist/agents/skills/claude-code/harness-design/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-design-mobile/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-design-system/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-design-web/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-diagnostics/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-docs-pipeline/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-dx/SKILL.md +276 -0
- package/dist/agents/skills/claude-code/harness-dx/skill.yaml +76 -0
- package/dist/agents/skills/claude-code/harness-e2e/SKILL.md +245 -0
- package/dist/agents/skills/claude-code/harness-e2e/skill.yaml +78 -0
- package/dist/agents/skills/claude-code/harness-event-driven/SKILL.md +280 -0
- package/dist/agents/skills/claude-code/harness-event-driven/skill.yaml +77 -0
- package/dist/agents/skills/claude-code/harness-execution/SKILL.md +39 -12
- package/dist/agents/skills/claude-code/harness-execution/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-feature-flags/SKILL.md +287 -0
- package/dist/agents/skills/claude-code/harness-feature-flags/skill.yaml +74 -0
- package/dist/agents/skills/claude-code/harness-git-workflow/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-hotspot-detector/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-i18n/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-i18n-process/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-i18n-workflow/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-impact-analysis/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-incident-response/SKILL.md +223 -0
- package/dist/agents/skills/claude-code/harness-incident-response/skill.yaml +78 -0
- package/dist/agents/skills/claude-code/harness-infrastructure-as-code/SKILL.md +279 -0
- package/dist/agents/skills/claude-code/harness-infrastructure-as-code/skill.yaml +80 -0
- package/dist/agents/skills/claude-code/harness-integration-test/SKILL.md +271 -0
- package/dist/agents/skills/claude-code/harness-integration-test/skill.yaml +73 -0
- package/dist/agents/skills/claude-code/harness-integrity/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-knowledge-mapper/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-load-testing/SKILL.md +274 -0
- package/dist/agents/skills/claude-code/harness-load-testing/skill.yaml +79 -0
- package/dist/agents/skills/claude-code/harness-ml-ops/SKILL.md +341 -0
- package/dist/agents/skills/claude-code/harness-ml-ops/skill.yaml +79 -0
- package/dist/agents/skills/claude-code/harness-mobile-patterns/SKILL.md +326 -0
- package/dist/agents/skills/claude-code/harness-mobile-patterns/skill.yaml +82 -0
- package/dist/agents/skills/claude-code/harness-mutation-test/SKILL.md +251 -0
- package/dist/agents/skills/claude-code/harness-mutation-test/skill.yaml +70 -0
- package/dist/agents/skills/claude-code/harness-observability/SKILL.md +283 -0
- package/dist/agents/skills/claude-code/harness-observability/skill.yaml +78 -0
- package/dist/agents/skills/claude-code/harness-onboarding/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-parallel-agents/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-perf/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-perf-tdd/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-planning/SKILL.md +28 -11
- package/dist/agents/skills/claude-code/harness-planning/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-pre-commit-review/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-product-spec/SKILL.md +285 -0
- package/dist/agents/skills/claude-code/harness-product-spec/skill.yaml +72 -0
- package/dist/agents/skills/claude-code/harness-property-test/SKILL.md +281 -0
- package/dist/agents/skills/claude-code/harness-property-test/skill.yaml +71 -0
- package/dist/agents/skills/claude-code/harness-refactoring/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-release-readiness/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-resilience/SKILL.md +255 -0
- package/dist/agents/skills/claude-code/harness-resilience/skill.yaml +76 -0
- package/dist/agents/skills/claude-code/harness-roadmap/SKILL.md +34 -0
- package/dist/agents/skills/claude-code/harness-roadmap/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-secrets/SKILL.md +293 -0
- package/dist/agents/skills/claude-code/harness-secrets/skill.yaml +76 -0
- package/dist/agents/skills/claude-code/harness-security-review/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-security-scan/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-skill-authoring/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-soundness-review/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-sql-review/SKILL.md +315 -0
- package/dist/agents/skills/claude-code/harness-sql-review/skill.yaml +74 -0
- package/dist/agents/skills/claude-code/harness-state-management/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-tdd/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-test-advisor/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-test-data/SKILL.md +268 -0
- package/dist/agents/skills/claude-code/harness-test-data/skill.yaml +74 -0
- package/dist/agents/skills/claude-code/harness-ux-copy/SKILL.md +271 -0
- package/dist/agents/skills/claude-code/harness-ux-copy/skill.yaml +77 -0
- package/dist/agents/skills/claude-code/harness-verification/SKILL.md +42 -0
- package/dist/agents/skills/claude-code/harness-verification/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-verify/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-visual-regression/SKILL.md +257 -0
- package/dist/agents/skills/claude-code/harness-visual-regression/skill.yaml +74 -0
- package/dist/agents/skills/claude-code/initialize-harness-project/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/validate-context-engineering/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/add-harness-component/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/align-documentation/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/check-mechanical-constraints/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/cleanup-dead-code/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/detect-doc-drift/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/enforce-architecture/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-accessibility/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-api-design/SKILL.md +304 -0
- package/dist/agents/skills/gemini-cli/harness-api-design/skill.yaml +74 -0
- package/dist/agents/skills/gemini-cli/harness-architecture-advisor/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-auth/SKILL.md +279 -0
- package/dist/agents/skills/gemini-cli/harness-auth/skill.yaml +81 -0
- package/dist/agents/skills/gemini-cli/harness-autopilot/SKILL.md +57 -9
- package/dist/agents/skills/gemini-cli/harness-autopilot/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-brainstorming/SKILL.md +1 -1
- package/dist/agents/skills/gemini-cli/harness-brainstorming/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-caching/SKILL.md +309 -0
- package/dist/agents/skills/gemini-cli/harness-caching/skill.yaml +73 -0
- package/dist/agents/skills/gemini-cli/harness-chaos/SKILL.md +295 -0
- package/dist/agents/skills/gemini-cli/harness-chaos/skill.yaml +72 -0
- package/dist/agents/skills/gemini-cli/harness-code-review/SKILL.md +19 -2
- package/dist/agents/skills/gemini-cli/harness-code-review/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-codebase-cleanup/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-compliance/SKILL.md +303 -0
- package/dist/agents/skills/gemini-cli/harness-compliance/skill.yaml +78 -0
- package/dist/agents/skills/gemini-cli/harness-containerization/SKILL.md +284 -0
- package/dist/agents/skills/gemini-cli/harness-containerization/skill.yaml +80 -0
- package/dist/agents/skills/gemini-cli/harness-data-pipeline/SKILL.md +274 -0
- package/dist/agents/skills/gemini-cli/harness-data-pipeline/skill.yaml +81 -0
- package/dist/agents/skills/gemini-cli/harness-data-validation/SKILL.md +343 -0
- package/dist/agents/skills/gemini-cli/harness-data-validation/skill.yaml +75 -0
- package/dist/agents/skills/gemini-cli/harness-database/SKILL.md +258 -0
- package/dist/agents/skills/gemini-cli/harness-database/skill.yaml +80 -0
- package/dist/agents/skills/gemini-cli/harness-debugging/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-dependency-health/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-deployment/SKILL.md +255 -0
- package/dist/agents/skills/gemini-cli/harness-deployment/skill.yaml +77 -0
- package/dist/agents/skills/gemini-cli/harness-design/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-design-mobile/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-design-system/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-design-web/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-diagnostics/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-docs-pipeline/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-dx/SKILL.md +276 -0
- package/dist/agents/skills/gemini-cli/harness-dx/skill.yaml +76 -0
- package/dist/agents/skills/gemini-cli/harness-e2e/SKILL.md +245 -0
- package/dist/agents/skills/gemini-cli/harness-e2e/skill.yaml +78 -0
- package/dist/agents/skills/gemini-cli/harness-event-driven/SKILL.md +280 -0
- package/dist/agents/skills/gemini-cli/harness-event-driven/skill.yaml +77 -0
- package/dist/agents/skills/gemini-cli/harness-execution/SKILL.md +39 -12
- package/dist/agents/skills/gemini-cli/harness-execution/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-feature-flags/SKILL.md +287 -0
- package/dist/agents/skills/gemini-cli/harness-feature-flags/skill.yaml +74 -0
- package/dist/agents/skills/gemini-cli/harness-git-workflow/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-hotspot-detector/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-i18n/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-i18n-process/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-i18n-workflow/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-impact-analysis/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-incident-response/SKILL.md +223 -0
- package/dist/agents/skills/gemini-cli/harness-incident-response/skill.yaml +78 -0
- package/dist/agents/skills/gemini-cli/harness-infrastructure-as-code/SKILL.md +279 -0
- package/dist/agents/skills/gemini-cli/harness-infrastructure-as-code/skill.yaml +80 -0
- package/dist/agents/skills/gemini-cli/harness-integration-test/SKILL.md +271 -0
- package/dist/agents/skills/gemini-cli/harness-integration-test/skill.yaml +73 -0
- package/dist/agents/skills/gemini-cli/harness-integrity/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-knowledge-mapper/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-load-testing/SKILL.md +274 -0
- package/dist/agents/skills/gemini-cli/harness-load-testing/skill.yaml +79 -0
- package/dist/agents/skills/gemini-cli/harness-ml-ops/SKILL.md +341 -0
- package/dist/agents/skills/gemini-cli/harness-ml-ops/skill.yaml +79 -0
- package/dist/agents/skills/gemini-cli/harness-mobile-patterns/SKILL.md +326 -0
- package/dist/agents/skills/gemini-cli/harness-mobile-patterns/skill.yaml +82 -0
- package/dist/agents/skills/gemini-cli/harness-mutation-test/SKILL.md +251 -0
- package/dist/agents/skills/gemini-cli/harness-mutation-test/skill.yaml +70 -0
- package/dist/agents/skills/gemini-cli/harness-observability/SKILL.md +283 -0
- package/dist/agents/skills/gemini-cli/harness-observability/skill.yaml +78 -0
- package/dist/agents/skills/gemini-cli/harness-onboarding/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-parallel-agents/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-perf/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-perf-tdd/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-planning/SKILL.md +28 -11
- package/dist/agents/skills/gemini-cli/harness-planning/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-pre-commit-review/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-product-spec/SKILL.md +285 -0
- package/dist/agents/skills/gemini-cli/harness-product-spec/skill.yaml +72 -0
- package/dist/agents/skills/gemini-cli/harness-property-test/SKILL.md +281 -0
- package/dist/agents/skills/gemini-cli/harness-property-test/skill.yaml +71 -0
- package/dist/agents/skills/gemini-cli/harness-refactoring/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-release-readiness/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-resilience/SKILL.md +255 -0
- package/dist/agents/skills/gemini-cli/harness-resilience/skill.yaml +76 -0
- package/dist/agents/skills/gemini-cli/harness-roadmap/SKILL.md +34 -0
- package/dist/agents/skills/gemini-cli/harness-roadmap/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-secrets/SKILL.md +293 -0
- package/dist/agents/skills/gemini-cli/harness-secrets/skill.yaml +76 -0
- package/dist/agents/skills/gemini-cli/harness-security-review/SKILL.md +240 -0
- package/dist/agents/skills/gemini-cli/harness-security-review/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-security-scan/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-skill-authoring/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-soundness-review/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-sql-review/SKILL.md +315 -0
- package/dist/agents/skills/gemini-cli/harness-sql-review/skill.yaml +74 -0
- package/dist/agents/skills/gemini-cli/harness-state-management/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-tdd/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-test-advisor/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-test-data/SKILL.md +268 -0
- package/dist/agents/skills/gemini-cli/harness-test-data/skill.yaml +74 -0
- package/dist/agents/skills/gemini-cli/harness-ux-copy/SKILL.md +271 -0
- package/dist/agents/skills/gemini-cli/harness-ux-copy/skill.yaml +77 -0
- package/dist/agents/skills/gemini-cli/harness-verification/SKILL.md +42 -0
- package/dist/agents/skills/gemini-cli/harness-verification/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-verify/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-visual-regression/SKILL.md +257 -0
- package/dist/agents/skills/gemini-cli/harness-visual-regression/skill.yaml +74 -0
- package/dist/agents/skills/gemini-cli/initialize-harness-project/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/validate-context-engineering/skill.yaml +1 -0
- package/dist/{agents-md-KIS2RSMG.js → agents-md-XU3BHE22.js} +1 -1
- package/dist/{architecture-AJAUDRQQ.js → architecture-2R5Z4ZAF.js} +2 -2
- package/dist/bin/harness-mcp.js +14 -13
- package/dist/bin/harness.js +22 -21
- package/dist/{check-phase-gate-K7QCSYRJ.js → check-phase-gate-2OFZ7OWW.js} +3 -2
- package/dist/{chunk-TJVVU3HB.js → chunk-4ZMOCPYO.js} +1 -1
- package/dist/{chunk-EAURF4LH.js → chunk-65FRIL4D.js} +2 -2
- package/dist/{chunk-L2KLU56K.js → chunk-AOZRDOIP.js} +2 -2
- package/dist/{chunk-JLXOEO5C.js → chunk-DZS7CJKL.js} +4 -4
- package/dist/{chunk-FLOEMHDF.js → chunk-IM32EEDM.js} +9 -9
- package/dist/{chunk-2YPZKGAG.js → chunk-IMFVFNJE.js} +1 -1
- package/dist/{chunk-HD4IBGLA.js → chunk-N5G5QMS3.js} +24 -1
- package/dist/{chunk-CTTFXXKJ.js → chunk-ND6PNADU.js} +23 -9
- package/dist/{chunk-747VBPA4.js → chunk-NERR4TAO.js} +783 -444
- package/dist/{chunk-YXOG2277.js → chunk-NOPU4RZ4.js} +2 -2
- package/dist/{chunk-AE2OWWDH.js → chunk-PQ5YK4AY.js} +870 -504
- package/dist/{chunk-OIGVQF5V.js → chunk-QY4T6YAZ.js} +3 -3
- package/dist/{chunk-B5SBNH4S.js → chunk-SSKDAOX5.js} +93 -30
- package/dist/{chunk-2SWJ4VO7.js → chunk-TKJZKICB.js} +6 -6
- package/dist/{chunk-GNGELAXY.js → chunk-TS3XWPW5.js} +1 -1
- package/dist/chunk-UAX4I5ZE.js +217 -0
- package/dist/{chunk-VRFZWGMS.js → chunk-XYLGHKG6.js} +5 -1
- package/dist/{chunk-6N4R6FVX.js → chunk-YBJ262QL.js} +1 -1
- package/dist/{chunk-ZU2UBYBY.js → chunk-Z77YQRQT.js} +11 -207
- package/dist/{ci-workflow-NBL4OT4A.js → ci-workflow-EHV65NQB.js} +1 -1
- package/dist/{create-skill-WPXHSLX2.js → create-skill-XSWHMSM5.js} +2 -2
- package/dist/{dist-IJ4J4C5G.js → dist-2B363XUH.js} +25 -1
- package/dist/{dist-M6BQODWC.js → dist-HXHWB7SV.js} +2 -2
- package/dist/{docs-CPTMH3VY.js → docs-FZOPM4GK.js} +4 -2
- package/dist/{engine-BUWPAAGD.js → engine-OL4T6NZS.js} +1 -1
- package/dist/{entropy-Z4FYVQ7L.js → entropy-LVHJMFGH.js} +2 -2
- package/dist/{feedback-TT6WF5YX.js → feedback-IHLVLMRD.js} +1 -1
- package/dist/{generate-agent-definitions-J5HANRNR.js → generate-agent-definitions-64S3CLEZ.js} +3 -3
- package/dist/{glob-helper-5OHBUQAI.js → glob-helper-R5FXNUPS.js} +1 -1
- package/dist/{graph-loader-KO4GJ5N2.js → graph-loader-GJZ4FN4Y.js} +1 -1
- package/dist/index.d.ts +60 -33
- package/dist/index.js +23 -21
- package/dist/{loader-PCU5YWRH.js → loader-DPYFB6R6.js} +1 -1
- package/dist/{mcp-YM6QLHLZ.js → mcp-JQUI7BVZ.js} +14 -13
- package/dist/{performance-YJVXOKIB.js → performance-ZTVSUANN.js} +2 -2
- package/dist/{review-pipeline-KGMIMLIE.js → review-pipeline-76JHKGSV.js} +1 -1
- package/dist/{runtime-F6R27LD6.js → runtime-X7U6SC7K.js} +1 -1
- package/dist/{security-MX5VVXBC.js → security-FWQZF2IZ.js} +1 -1
- package/dist/skill-executor-XZLYZYAK.js +8 -0
- package/dist/{validate-EFNMSFKD.js → validate-GCHZJIL7.js} +2 -2
- package/dist/{validate-cross-check-LJX65SBS.js → validate-cross-check-STFHYMAZ.js} +1 -1
- package/package.json +4 -4
- package/dist/skill-executor-RG45LUO5.js +0 -8
|
@@ -0,0 +1,279 @@
|
|
|
1
|
+
# Harness Auth
|
|
2
|
+
|
|
3
|
+
> OAuth2, JWT, RBAC/ABAC, session management, and MFA pattern analysis. Detects authentication and authorization mechanisms, evaluates security posture against OWASP guidelines, and recommends improvements for token lifecycle, permission models, and multi-factor authentication.
|
|
4
|
+
|
|
5
|
+
## When to Use
|
|
6
|
+
|
|
7
|
+
- When implementing or modifying authentication flows (login, registration, password reset, OAuth2)
|
|
8
|
+
- On PRs that change authorization logic, middleware guards, or permission models
|
|
9
|
+
- To audit existing auth implementation for security vulnerabilities and best practice compliance
|
|
10
|
+
- NOT for network-level security or infrastructure hardening (use harness-security-review)
|
|
11
|
+
- NOT for compliance framework audits (use harness-compliance for SOC2/HIPAA/GDPR)
|
|
12
|
+
- NOT for secrets management or credential rotation (use harness-secrets)
|
|
13
|
+
|
|
14
|
+
## Process
|
|
15
|
+
|
|
16
|
+
### Phase 1: DETECT -- Identify Auth Mechanisms and Providers
|
|
17
|
+
|
|
18
|
+
1. **Discover authentication providers.** Scan the codebase for auth framework usage:
|
|
19
|
+
- Passport.js: `passport.use()`, strategy configurations, `passport.authenticate()` calls
|
|
20
|
+
- NextAuth.js / Auth.js: `next-auth` config, provider definitions, callback handlers
|
|
21
|
+
- Auth0: `@auth0/nextjs-auth0`, `auth0-js`, management API client initialization
|
|
22
|
+
- Firebase Auth: `firebase/auth`, `signInWithPopup`, `onAuthStateChanged` usage
|
|
23
|
+
- Custom: JWT signing/verification, bcrypt hashing, session store initialization
|
|
24
|
+
- Spring Security: `@EnableWebSecurity`, `SecurityFilterChain`, `UserDetailsService`
|
|
25
|
+
- ASP.NET Identity: `AddAuthentication()`, `[Authorize]` attributes, `ClaimsPrincipal`
|
|
26
|
+
|
|
27
|
+
2. **Map token flows.** Trace the authentication lifecycle:
|
|
28
|
+
- Token issuance: Where and how are JWTs or session tokens created?
|
|
29
|
+
- Token storage: Cookie (httpOnly, secure, sameSite?), localStorage, sessionStorage, or in-memory?
|
|
30
|
+
- Token refresh: Is there a refresh token flow? What is the access token lifetime?
|
|
31
|
+
- Token revocation: Can tokens be invalidated before expiry? Is there a blocklist?
|
|
32
|
+
- Token propagation: How are tokens passed between services (Authorization header, cookie, custom header)?
|
|
33
|
+
|
|
34
|
+
3. **Identify authorization models.** Determine how permissions are enforced:
|
|
35
|
+
- RBAC: Role definitions, role-to-permission mappings, role assignment to users
|
|
36
|
+
- ABAC: Attribute-based policies, policy evaluation engine, context attributes
|
|
37
|
+
- ACL: Per-resource access control lists, ownership checks
|
|
38
|
+
- Middleware guards: Express middleware, NestJS guards, Spring interceptors, ASP.NET policies
|
|
39
|
+
- Route-level: Declarative route protection, public vs protected route definitions
|
|
40
|
+
|
|
41
|
+
4. **Check for MFA implementation.** Look for multi-factor authentication:
|
|
42
|
+
- TOTP: `otplib`, `speakeasy`, Google Authenticator integration
|
|
43
|
+
- SMS/Email OTP: Twilio, SendGrid verification flows
|
|
44
|
+
- WebAuthn/FIDO2: `@simplewebauthn/server`, hardware key registration
|
|
45
|
+
- Recovery codes: Generation, storage, and redemption logic
|
|
46
|
+
|
|
47
|
+
5. **Inventory session management.** If sessions are used:
|
|
48
|
+
- Session store: Redis, database, in-memory, or cookie-based
|
|
49
|
+
- Session lifecycle: creation, renewal, expiry, and destruction
|
|
50
|
+
- Concurrent session handling: single-session enforcement, session listing
|
|
51
|
+
|
|
52
|
+
---
|
|
53
|
+
|
|
54
|
+
### Phase 2: ANALYZE -- Evaluate Security Posture
|
|
55
|
+
|
|
56
|
+
1. **Check JWT implementation against OWASP guidelines.** Verify:
|
|
57
|
+
- Algorithm is explicitly set (no `alg: none` vulnerability)
|
|
58
|
+
- Secret/key is sufficiently strong (RS256/ES256 preferred over HS256 for distributed systems)
|
|
59
|
+
- Token lifetime is appropriate (access: 15-60 min, refresh: 7-30 days)
|
|
60
|
+
- Claims include `iss`, `aud`, `exp`, `iat`, and `sub` at minimum
|
|
61
|
+
- Tokens are validated on every request, not just on login
|
|
62
|
+
- JWTs are not stored in localStorage (XSS vulnerability)
|
|
63
|
+
|
|
64
|
+
2. **Evaluate OAuth2/OIDC flows.** If OAuth2 is used:
|
|
65
|
+
- Is PKCE used for public clients (SPAs, mobile apps)?
|
|
66
|
+
- Are redirect URIs strictly validated (no open redirect)?
|
|
67
|
+
- Is the state parameter used to prevent CSRF?
|
|
68
|
+
- Are scopes minimized to the principle of least privilege?
|
|
69
|
+
- Is token exchange happening server-side (not exposing client secret)?
|
|
70
|
+
|
|
71
|
+
3. **Assess password handling.** If password authentication exists:
|
|
72
|
+
- Hashing algorithm: bcrypt, scrypt, or argon2 (not MD5, SHA-1, or SHA-256 without salt)
|
|
73
|
+
- Salt: unique per user, generated with cryptographic RNG
|
|
74
|
+
- Password policy: minimum length, complexity requirements, breach database check
|
|
75
|
+
- Rate limiting on login attempts (brute force protection)
|
|
76
|
+
- Account lockout or CAPTCHA after failed attempts
|
|
77
|
+
|
|
78
|
+
4. **Review authorization enforcement.** For each protected resource:
|
|
79
|
+
- Is authorization checked at the API layer (not just the UI)?
|
|
80
|
+
- Are there IDOR (Insecure Direct Object Reference) vulnerabilities?
|
|
81
|
+
- Is the permission check granular enough (not just "is authenticated")?
|
|
82
|
+
- Are admin routes protected by role checks, not just authentication?
|
|
83
|
+
- Is horizontal privilege escalation prevented (user A cannot access user B's data)?
|
|
84
|
+
|
|
85
|
+
5. **Check session security.** If sessions are used:
|
|
86
|
+
- Session ID entropy: cryptographically random, sufficient length
|
|
87
|
+
- Cookie flags: `httpOnly`, `secure`, `sameSite=Strict` or `sameSite=Lax`
|
|
88
|
+
- Session fixation prevention: regenerate ID on login
|
|
89
|
+
- Session timeout: absolute and idle timeout configured
|
|
90
|
+
- CSRF protection: token-based or SameSite cookie
|
|
91
|
+
|
|
92
|
+
---
|
|
93
|
+
|
|
94
|
+
### Phase 3: DESIGN -- Recommend Improvements
|
|
95
|
+
|
|
96
|
+
1. **Token lifecycle improvements.** Based on analysis findings:
|
|
97
|
+
- Recommend specific token lifetimes with rationale
|
|
98
|
+
- Design refresh token rotation (one-time-use refresh tokens with family tracking)
|
|
99
|
+
- Propose token revocation strategy (blocklist in Redis with TTL matching token expiry)
|
|
100
|
+
- If using JWTs in cookies: recommend cookie configuration (httpOnly, secure, sameSite, path, domain)
|
|
101
|
+
|
|
102
|
+
2. **Permission model design.** Based on the application's needs:
|
|
103
|
+
- For simple apps: RBAC with predefined roles (admin, editor, viewer)
|
|
104
|
+
- For multi-tenant apps: RBAC with tenant-scoped roles
|
|
105
|
+
- For complex resource access: ABAC with policy engine (CASL, Casbin, Open Policy Agent)
|
|
106
|
+
- Generate permission matrix: roles/attributes x resources x actions
|
|
107
|
+
|
|
108
|
+
3. **MFA implementation plan.** If MFA is missing or incomplete:
|
|
109
|
+
- Recommend TOTP as baseline (widely supported, no SMS dependency)
|
|
110
|
+
- Design enrollment flow: QR code generation, backup codes, verification step
|
|
111
|
+
- Design authentication flow: primary factor -> MFA challenge -> session creation
|
|
112
|
+
- Recommend WebAuthn as optional upgrade path for phishing resistance
|
|
113
|
+
|
|
114
|
+
4. **Security hardening recommendations.** Prioritized by risk:
|
|
115
|
+
- P0: Fix any authentication bypass, broken access control, or token vulnerability
|
|
116
|
+
- P1: Add missing CSRF protection, fix insecure token storage, add rate limiting
|
|
117
|
+
- P2: Implement MFA, add session management improvements, enhance logging
|
|
118
|
+
- P3: Add breach notification flow, implement progressive security (step-up auth)
|
|
119
|
+
|
|
120
|
+
5. **Generate implementation guidance.** Produce:
|
|
121
|
+
- Middleware/guard code templates for the project's framework
|
|
122
|
+
- Migration plan for moving from insecure to secure token storage
|
|
123
|
+
- Database schema for RBAC tables (users, roles, permissions, user_roles)
|
|
124
|
+
- Configuration templates for OAuth2 providers
|
|
125
|
+
|
|
126
|
+
---
|
|
127
|
+
|
|
128
|
+
### Phase 4: VALIDATE -- Verify Against OWASP and Common Vulnerabilities
|
|
129
|
+
|
|
130
|
+
1. **OWASP Authentication Verification.** Check against OWASP ASVS (Application Security Verification Standard) Level 2:
|
|
131
|
+
- V2.1: Password security (hashing, policy, breach check)
|
|
132
|
+
- V2.2: General authenticator security (MFA, recovery codes)
|
|
133
|
+
- V2.5: Credential recovery (secure reset flow, no secret questions)
|
|
134
|
+
- V2.7: Out-of-band verification (email/SMS verification security)
|
|
135
|
+
- V2.8: Single or multi-factor authentication (session binding)
|
|
136
|
+
|
|
137
|
+
2. **OWASP Authorization Verification.** Check against OWASP ASVS:
|
|
138
|
+
- V4.1: Access control design (deny by default, least privilege)
|
|
139
|
+
- V4.2: Operation-level access control (every API endpoint protected)
|
|
140
|
+
- V4.3: Data-level access control (row-level security, tenant isolation)
|
|
141
|
+
|
|
142
|
+
3. **Test coverage verification.** Check that auth logic is tested:
|
|
143
|
+
- Authentication tests: valid login, invalid credentials, expired tokens, refresh flow
|
|
144
|
+
- Authorization tests: permitted access, denied access, privilege escalation attempt
|
|
145
|
+
- Edge cases: expired session, concurrent sessions, token replay, CSRF
|
|
146
|
+
- Integration tests: full OAuth2 flow with mocked provider
|
|
147
|
+
|
|
148
|
+
4. **Verify logging and monitoring.** Confirm security events are logged:
|
|
149
|
+
- Successful and failed login attempts with timestamps and IP addresses
|
|
150
|
+
- Password changes and account recovery events
|
|
151
|
+
- Permission changes and role assignments
|
|
152
|
+
- Token refresh and revocation events
|
|
153
|
+
- Log format must not include passwords, tokens, or session IDs
|
|
154
|
+
|
|
155
|
+
5. **Produce the auth audit report.** Output a structured summary:
|
|
156
|
+
- Authentication mechanism inventory
|
|
157
|
+
- OWASP ASVS compliance status by section
|
|
158
|
+
- Prioritized findings with severity and remediation
|
|
159
|
+
- Permission model diagram or matrix
|
|
160
|
+
- Recommended implementation timeline
|
|
161
|
+
|
|
162
|
+
---
|
|
163
|
+
|
|
164
|
+
## Harness Integration
|
|
165
|
+
|
|
166
|
+
- **`harness skill run harness-auth`** -- Primary CLI entry point. Runs all four phases.
|
|
167
|
+
- **`harness validate`** -- Run after implementing auth changes to verify project integrity.
|
|
168
|
+
- **`harness check-deps`** -- Verify auth library dependencies are properly declared and up to date.
|
|
169
|
+
- **`emit_interaction`** -- Used at permission model design (checkpoint:decision) when choosing between RBAC and ABAC, and before recommending OAuth2 provider changes.
|
|
170
|
+
- **`Glob`** -- Discover auth middleware, guard files, policy definitions, and session configurations.
|
|
171
|
+
- **`Grep`** -- Search for JWT signing, password hashing, token validation, and authorization checks.
|
|
172
|
+
- **`Write`** -- Generate permission matrices, migration plans, and middleware templates.
|
|
173
|
+
- **`Edit`** -- Update existing auth middleware, guards, and token configurations.
|
|
174
|
+
|
|
175
|
+
## Success Criteria
|
|
176
|
+
|
|
177
|
+
- All authentication providers and token flows are mapped with specific file locations
|
|
178
|
+
- JWT implementation is checked against all OWASP ASVS V2 requirements
|
|
179
|
+
- Authorization model is documented with a permission matrix covering all roles and resources
|
|
180
|
+
- Every finding includes a severity level, specific file location, and concrete remediation step
|
|
181
|
+
- Token storage recommendations specify exact cookie flags or storage mechanism
|
|
182
|
+
- Security event logging is verified to capture auth events without leaking sensitive data
|
|
183
|
+
|
|
184
|
+
## Examples
|
|
185
|
+
|
|
186
|
+
### Example: Next.js Application with NextAuth.js and Prisma
|
|
187
|
+
|
|
188
|
+
```
|
|
189
|
+
Phase 1: DETECT
|
|
190
|
+
Provider: NextAuth.js v4 in src/app/api/auth/[...nextauth]/route.ts
|
|
191
|
+
Strategies: Google OAuth2, GitHub OAuth2, email/password (credentials provider)
|
|
192
|
+
Token flow: JWT mode, access token in httpOnly cookie, 30-day expiry
|
|
193
|
+
Authorization: Custom middleware in src/middleware.ts checking session.user.role
|
|
194
|
+
Roles: admin, member (stored in User table via Prisma)
|
|
195
|
+
MFA: Not implemented
|
|
196
|
+
Session store: JWT-based (no server-side session)
|
|
197
|
+
|
|
198
|
+
Phase 2: ANALYZE
|
|
199
|
+
Findings:
|
|
200
|
+
[HIGH] JWT expiry 30 days is excessive — recommend 1 hour with refresh token
|
|
201
|
+
[HIGH] Credentials provider uses bcrypt cost factor 8 — recommend 12
|
|
202
|
+
[MEDIUM] No PKCE on OAuth2 flows (NextAuth handles this but verify config)
|
|
203
|
+
[MEDIUM] No rate limiting on /api/auth/callback/credentials
|
|
204
|
+
[LOW] Role check only in middleware — no API-level authorization guards
|
|
205
|
+
[LOW] No audit logging for login events
|
|
206
|
+
|
|
207
|
+
Phase 3: DESIGN
|
|
208
|
+
Recommendations:
|
|
209
|
+
1. Switch to database sessions with 1-hour access, 7-day refresh
|
|
210
|
+
2. Increase bcrypt rounds to 12 in credentials provider
|
|
211
|
+
3. Add rate-limiter-flexible middleware on auth endpoints (5 attempts/15min)
|
|
212
|
+
4. Create src/lib/guards/requireRole.ts middleware for API routes
|
|
213
|
+
5. Add TOTP MFA via otplib with QR enrollment flow
|
|
214
|
+
6. Add auth event logging to audit table via Prisma middleware
|
|
215
|
+
|
|
216
|
+
Phase 4: VALIDATE
|
|
217
|
+
OWASP ASVS V2 status:
|
|
218
|
+
V2.1 Password Security: PARTIAL (hashing OK, cost factor low, no breach check)
|
|
219
|
+
V2.2 Authenticator Security: FAIL (no MFA)
|
|
220
|
+
V2.5 Credential Recovery: PASS (email-based reset via NextAuth)
|
|
221
|
+
V4.1 Access Control Design: PARTIAL (roles exist, enforcement incomplete)
|
|
222
|
+
Test coverage: 60% — missing tests for role escalation and token expiry
|
|
223
|
+
```
|
|
224
|
+
|
|
225
|
+
### Example: NestJS API with Passport.js, JWT, and CASL
|
|
226
|
+
|
|
227
|
+
```
|
|
228
|
+
Phase 1: DETECT
|
|
229
|
+
Provider: Passport.js with passport-jwt and passport-local strategies
|
|
230
|
+
Token flow:
|
|
231
|
+
- Access token: RS256 JWT, 15-min expiry, in Authorization header
|
|
232
|
+
- Refresh token: opaque, 30-day expiry, in httpOnly cookie
|
|
233
|
+
- Token refresh endpoint: POST /auth/refresh
|
|
234
|
+
Authorization: CASL abilities defined in src/casl/ability.factory.ts
|
|
235
|
+
Roles: super-admin, org-admin, member, viewer (stored in PostgreSQL)
|
|
236
|
+
MFA: TOTP via speakeasy, WebAuthn via @simplewebauthn/server
|
|
237
|
+
Session: Stateless JWT (no server-side session)
|
|
238
|
+
|
|
239
|
+
Phase 2: ANALYZE
|
|
240
|
+
Findings:
|
|
241
|
+
[HIGH] Refresh token not rotated on use — token replay possible
|
|
242
|
+
[MEDIUM] CASL abilities not checked on 3 admin endpoints (src/admin/admin.controller.ts)
|
|
243
|
+
[MEDIUM] No token blocklist — revoked tokens valid until expiry
|
|
244
|
+
[LOW] WebAuthn registration does not verify attestation
|
|
245
|
+
[LOW] Login failure logging does not include client IP
|
|
246
|
+
|
|
247
|
+
Phase 3: DESIGN
|
|
248
|
+
Recommendations:
|
|
249
|
+
1. Implement refresh token rotation with family tracking in Redis
|
|
250
|
+
- On refresh: invalidate old token, issue new pair
|
|
251
|
+
- On reuse of old token: revoke entire token family (detect theft)
|
|
252
|
+
2. Add @CheckPolicies() decorator to admin.controller.ts endpoints
|
|
253
|
+
3. Add Redis-backed token blocklist with TTL = access token lifetime
|
|
254
|
+
4. Add attestation verification for WebAuthn with expected origin check
|
|
255
|
+
5. Enhance auth logging with IP, user-agent, and geolocation
|
|
256
|
+
|
|
257
|
+
Phase 4: VALIDATE
|
|
258
|
+
OWASP ASVS V2 status:
|
|
259
|
+
V2.1 Password Security: PASS
|
|
260
|
+
V2.2 Authenticator Security: PASS (TOTP + WebAuthn)
|
|
261
|
+
V2.8 Multi-Factor: PASS
|
|
262
|
+
V4.1 Access Control: PARTIAL (CASL defined, 3 endpoints uncovered)
|
|
263
|
+
V4.3 Data-Level: PASS (CASL policies include tenant isolation)
|
|
264
|
+
Test coverage: 85% — missing tests for token family revocation
|
|
265
|
+
```
|
|
266
|
+
|
|
267
|
+
## Gates
|
|
268
|
+
|
|
269
|
+
- **No authentication bypass findings left unresolved.** Any finding that allows unauthenticated access to a protected resource is a P0 blocker. The auth audit cannot be marked complete while bypass vulnerabilities exist.
|
|
270
|
+
- **No tokens stored in localStorage.** JWTs or session tokens in localStorage are accessible via XSS. This is a blocking finding. Tokens must be stored in httpOnly cookies or secure server-side sessions.
|
|
271
|
+
- **No plaintext or weakly hashed passwords.** MD5, SHA-1, or unsalted SHA-256 for password storage is a blocking finding. Passwords must use bcrypt (cost 12+), scrypt, or argon2id.
|
|
272
|
+
- **No authorization checks skipped at the API layer.** UI-only authorization is not authorization. Every API endpoint that serves user-specific or role-restricted data must enforce permissions server-side.
|
|
273
|
+
|
|
274
|
+
## Escalation
|
|
275
|
+
|
|
276
|
+
- **When the auth architecture requires a fundamental redesign:** Report: "The current auth implementation has [N] high-severity findings that require architectural changes (e.g., switching from localStorage tokens to httpOnly cookies). This is not a patch — recommend a dedicated auth migration sprint with a rollback plan."
|
|
277
|
+
- **When third-party auth provider documentation is insufficient:** Report: "The [provider] SDK does not document [specific behavior]. Recommend testing the behavior empirically in a sandbox environment and documenting the findings in the project's auth architecture doc."
|
|
278
|
+
- **When MFA adoption requires UX changes beyond the auth layer:** Report: "Implementing MFA requires changes to [login flow, account settings, recovery flow]. Coordinate with the frontend team to design the enrollment and challenge UX before implementing the backend."
|
|
279
|
+
- **When the permission model is too simple for current requirements:** Report: "The current RBAC model with [N] roles cannot express [specific access pattern]. Recommend evaluating ABAC with [CASL/Casbin/OPA] to support attribute-based policies. This is a significant migration — plan for 2-3 sprints."
|
|
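Review bot: Phase 4 verifies ASVS V2 (authentication) and V4 (access control) but never V3 (session management), even though the token-lifecycle findings this skill produces in its own examples (30-day JWT expiry, refresh token not rotated, no token blocklist, localStorage storage in the Gates) are V3 requirements; add a V3 item (token-based session management, logout and revocation) to step 1 or 2 and to the "OWASP ASVS compliance status by section" line in step 5. Related inconsistencies in the same hunk: both examples list V4.x results under the heading `OWASP ASVS V2 status:`, and the Next.js example grades "Role check only in middleware — no API-level authorization guards" as LOW while the Gates section makes missing API-layer authorization a blocking finding; either align the severity or state why middleware counts as server-side enforcement for that case.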
@@ -0,0 +1,81 @@
|
|
|
1
|
+
name: harness-auth
|
|
2
|
+
version: "1.0.0"
|
|
3
|
+
description: OAuth2, JWT, RBAC/ABAC, session management, and MFA patterns
|
|
4
|
+
cognitive_mode: advisory-guide
|
|
5
|
+
triggers:
|
|
6
|
+
- manual
|
|
7
|
+
- on_new_feature
|
|
8
|
+
- on_pr
|
|
9
|
+
platforms:
|
|
10
|
+
- claude-code
|
|
11
|
+
- gemini-cli
|
|
12
|
+
tools:
|
|
13
|
+
- Bash
|
|
14
|
+
- Read
|
|
15
|
+
- Write
|
|
16
|
+
- Edit
|
|
17
|
+
- Glob
|
|
18
|
+
- Grep
|
|
19
|
+
- emit_interaction
|
|
20
|
+
cli:
|
|
21
|
+
command: harness skill run harness-auth
|
|
22
|
+
args:
|
|
23
|
+
- name: path
|
|
24
|
+
description: Project root path
|
|
25
|
+
required: false
|
|
26
|
+
- name: focus
|
|
27
|
+
description: "Auth area to focus on: authn, authz, session, mfa, or all. Defaults to all."
|
|
28
|
+
required: false
|
|
29
|
+
- name: framework
|
|
30
|
+
description: "Auth framework in use: passport, next-auth, auth0, firebase-auth, or custom. Auto-detected when omitted."
|
|
31
|
+
required: false
|
|
32
|
+
mcp:
|
|
33
|
+
tool: run_skill
|
|
34
|
+
input:
|
|
35
|
+
skill: harness-auth
|
|
36
|
+
path: string
|
|
37
|
+
type: rigid
|
|
38
|
+
tier: 3
|
|
39
|
+
internal: false
|
|
40
|
+
keywords:
|
|
41
|
+
- auth
|
|
42
|
+
- authentication
|
|
43
|
+
- authorization
|
|
44
|
+
- OAuth2
|
|
45
|
+
- JWT
|
|
46
|
+
- RBAC
|
|
47
|
+
- ABAC
|
|
48
|
+
- session
|
|
49
|
+
- MFA
|
|
50
|
+
- OIDC
|
|
51
|
+
- SSO
|
|
52
|
+
- SAML
|
|
53
|
+
- passport
|
|
54
|
+
- token
|
|
55
|
+
- refresh token
|
|
56
|
+
- PKCE
|
|
57
|
+
stack_signals:
|
|
58
|
+
- "src/**/auth/**"
|
|
59
|
+
- "src/**/middleware/auth*"
|
|
60
|
+
- "src/**/*passport*"
|
|
61
|
+
- "src/**/*jwt*"
|
|
62
|
+
- "src/**/*session*"
|
|
63
|
+
- "src/**/guards/**"
|
|
64
|
+
- "src/**/policies/**"
|
|
65
|
+
phases:
|
|
66
|
+
- name: detect
|
|
67
|
+
description: Identify authentication and authorization mechanisms, providers, and token flows
|
|
68
|
+
required: true
|
|
69
|
+
- name: analyze
|
|
70
|
+
description: Evaluate security posture, token lifecycle, permission models, and session handling
|
|
71
|
+
required: true
|
|
72
|
+
- name: design
|
|
73
|
+
description: Recommend improvements for auth flows, RBAC/ABAC models, and MFA integration
|
|
74
|
+
required: true
|
|
75
|
+
- name: validate
|
|
76
|
+
description: Verify auth implementation against OWASP guidelines and common vulnerability patterns
|
|
77
|
+
required: true
|
|
78
|
+
state:
|
|
79
|
+
persistent: false
|
|
80
|
+
files: []
|
|
81
|
+
depends_on: []
|
|
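Review bot: the `mcp.input` block exposes only `skill` and `path`, while `cli.args` also accepts `focus` and `framework`; either add both to the MCP input or document that the MCP entry point always runs with `focus: all` and framework auto-detection. Also, every `stack_signals` glob is rooted at `src/**`, and `src/**/middleware/auth*` requires a `middleware/` directory, so the `src/middleware.ts` authorization file from the SKILL.md Next.js example, and any `app/`, `lib/` or `server/` layout, would not trigger the skill; consider adding `src/middleware.*` and non-`src` variants of the same patterns.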
@@ -102,20 +102,26 @@ INIT → ASSESS → PLAN → APPROVE_PLAN → EXECUTE → VERIFY → REVIEW →
|
|
|
102
102
|
path: "<project-root>",
|
|
103
103
|
intent: "Autopilot phase execution for <spec name>",
|
|
104
104
|
skill: "harness-autopilot",
|
|
105
|
+
session: "<session-slug>",
|
|
105
106
|
include: ["state", "learnings", "handoff", "validation"]
|
|
106
107
|
})
|
|
107
108
|
```
|
|
108
109
|
|
|
109
|
-
This loads learnings
|
|
110
|
+
This loads session-scoped learnings, handoff, state, and validation results in a single call. The `session` parameter ensures all reads come from the session directory (`.harness/sessions/<slug>/`), isolating this workstream from others. Note any relevant learnings or known dead ends for the current phase from the returned `learnings` array.
|
|
110
111
|
|
|
111
|
-
6. **Load
|
|
112
|
+
6. **Load session summary for cold start.** If resuming (existing `autopilot-state.json` found):
|
|
113
|
+
- Call `loadSessionSummary()` for the session slug to get quick orientation context (~200 tokens).
|
|
114
|
+
- The summary provides the last skill, phase, status, and next step — enough to understand where the autopilot left off without re-reading the full state machine.
|
|
115
|
+
- If no summary exists (first run), skip — the full INIT handles context loading.
|
|
116
|
+
|
|
117
|
+
7. **Load roadmap context.** If `docs/roadmap.md` exists, read it to understand:
|
|
112
118
|
- Current project priorities (which features are `in-progress`)
|
|
113
119
|
- Blockers that may affect the upcoming phases
|
|
114
120
|
- Overall project status and milestone progress
|
|
115
121
|
|
|
116
122
|
This provides the autopilot with project-level context beyond the individual spec being executed. If the roadmap does not exist, skip this step — the autopilot operates normally without it.
|
|
117
123
|
|
|
118
|
-
|
|
124
|
+
8. **Transition to ASSESS.**
|
|
119
125
|
|
|
120
126
|
---
|
|
121
127
|
|
|
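Review bot: step 6 (`loadSessionSummary()` for cold start) runs after step 5 has already pulled `state`, `learnings`, `handoff` and `validation` through `gather_context`, so the ~200-token orientation summary saves nothing on resume; either move the summary load ahead of `gather_context` so it can decide what to include, or describe it as a convenience rather than a context-cost saving. Also, since `session` is interpolated into `.harness/sessions/<slug>/`, the INIT text should say where the slug is validated (for example restricted to a safe character set with no path separators) before it is used to build that directory path.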
@@ -155,9 +161,11 @@ INIT → ASSESS → PLAN → APPROVE_PLAN → EXECUTE → VERIFY → REVIEW →
|
|
|
155
161
|
|
|
156
162
|
Spec: {specPath}
|
|
157
163
|
Session directory: {sessionDir}
|
|
164
|
+
Session slug: {sessionSlug}
|
|
158
165
|
Phase description: {phase description from spec}
|
|
159
|
-
|
|
160
|
-
|
|
166
|
+
|
|
167
|
+
On startup, call gather_context({ session: "{sessionSlug}" }) to load
|
|
168
|
+
session-scoped learnings, state, and validation context.
|
|
161
169
|
|
|
162
170
|
Follow the harness-planning skill process exactly. Write the plan to
|
|
163
171
|
docs/plans/{date}-{phase-name}-plan.md. Write {sessionDir}/handoff.json when done.
|
|
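Review bot: the injected prompt tells the planning sub-agent that `gather_context({ session: "{sessionSlug}" })` loads "learnings, state, and validation context", but INIT's own call also includes `handoff`, and the sub-agent is told to write `{sessionDir}/handoff.json` when done; if it is also expected to read the prior handoff, say so or add `handoff` to the described set. The identical two-line block is pasted into the execution, verification and code-review prompts in the following hunks; a single shared snippet would keep the four copies from drifting.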
@@ -221,9 +229,11 @@ INIT → ASSESS → PLAN → APPROVE_PLAN → EXECUTE → VERIFY → REVIEW →
|
|
|
221
229
|
|
|
222
230
|
Plan: {planPath}
|
|
223
231
|
Session directory: {sessionDir}
|
|
232
|
+
Session slug: {sessionSlug}
|
|
224
233
|
State: {sessionDir}/state.json
|
|
225
|
-
|
|
226
|
-
|
|
234
|
+
|
|
235
|
+
On startup, call gather_context({ session: "{sessionSlug}" }) to load
|
|
236
|
+
session-scoped learnings, state, and validation context.
|
|
227
237
|
|
|
228
238
|
Follow the harness-execution skill process exactly.
|
|
229
239
|
Update {sessionDir}/state.json after each task.
|
|
@@ -268,6 +278,10 @@ INIT → ASSESS → PLAN → APPROVE_PLAN → EXECUTE → VERIFY → REVIEW →
|
|
|
268
278
|
You are running harness-verification for phase {N}: {name}.
|
|
269
279
|
|
|
270
280
|
Session directory: {sessionDir}
|
|
281
|
+
Session slug: {sessionSlug}
|
|
282
|
+
|
|
283
|
+
On startup, call gather_context({ session: "{sessionSlug}" }) to load
|
|
284
|
+
session-scoped learnings, state, and validation context.
|
|
271
285
|
|
|
272
286
|
Follow the harness-verification skill process exactly.
|
|
273
287
|
Report pass/fail with findings.
|
|
@@ -296,6 +310,10 @@ INIT → ASSESS → PLAN → APPROVE_PLAN → EXECUTE → VERIFY → REVIEW →
|
|
|
296
310
|
You are running harness-code-review for phase {N}: {name}.
|
|
297
311
|
|
|
298
312
|
Session directory: {sessionDir}
|
|
313
|
+
Session slug: {sessionSlug}
|
|
314
|
+
|
|
315
|
+
On startup, call gather_context({ session: "{sessionSlug}" }) to load
|
|
316
|
+
session-scoped learnings, state, and validation context.
|
|
299
317
|
|
|
300
318
|
Follow the harness-code-review skill process exactly.
|
|
301
319
|
Report findings with severity (blocking / warning / note).
|
|
@@ -341,7 +359,23 @@ INIT → ASSESS → PLAN → APPROVE_PLAN → EXECUTE → VERIFY → REVIEW →
|
|
|
341
359
|
|
|
342
360
|
4. **Sync roadmap.** If `docs/roadmap.md` exists, call `manage_roadmap` with action `sync` and `apply: true`. This reflects the just-completed phase in the roadmap (e.g., updating the feature from `planned` to `in-progress`). If `manage_roadmap` is unavailable, fall back to direct file manipulation using `syncRoadmap()` from core. Skip silently if no roadmap exists. Do not use `force_sync: true` — the human-always-wins rule applies.
|
|
343
361
|
|
|
344
|
-
5. **
|
|
362
|
+
5. **Write session summary.** Update the session summary to reflect the completed phase:
|
|
363
|
+
|
|
364
|
+
```json
|
|
365
|
+
writeSessionSummary(projectPath, sessionSlug, {
|
|
366
|
+
session: "<session-slug>",
|
|
367
|
+
lastActive: "<ISO timestamp>",
|
|
368
|
+
skill: "harness-autopilot",
|
|
369
|
+
phase: "<completed phase number> of <total phases>",
|
|
370
|
+
status: "Phase <N> complete. <tasks completed>/<total> tasks.",
|
|
371
|
+
spec: "<spec path>",
|
|
372
|
+
plan: "<current plan path>",
|
|
373
|
+
keyContext: "<1-2 sentences: what this phase accomplished, key decisions>",
|
|
374
|
+
nextStep: "<e.g., Continue to Phase N+1: <name>, or DONE>"
|
|
375
|
+
})
|
|
376
|
+
```
|
|
377
|
+
|
|
378
|
+
6. **Check for next phase:**
|
|
345
379
|
- If more phases remain: "Phase {N} complete. Next: Phase {N+1}: {name} (complexity: {level}). Continue? (yes / stop)"
|
|
346
380
|
- **yes** — Increment `currentPhase`, reset `retryBudget`, transition to ASSESS.
|
|
347
381
|
- **stop** — Save state and exit.
|
|
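Review bot: the new fenced block is tagged as json but contains a JavaScript call (`writeSessionSummary(projectPath, sessionSlug, { ... })` with unquoted keys); tag it as js like the other prompt snippets, or keep json and show only the object literal. Also, step 5 writes `nextStep: "<e.g., Continue to Phase N+1: <name>, or DONE>"` before step 6 asks the human whether to continue; when the answer is **stop**, only state is saved, so a later cold start via `loadSessionSummary()` will suggest continuing a phase the human halted. Update the summary's `status`/`nextStep` on **stop** as well.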
@@ -387,7 +421,21 @@ INIT → ASSESS → PLAN → APPROVE_PLAN → EXECUTE → VERIFY → REVIEW →
|
|
|
387
421
|
|
|
388
422
|
5. **Update roadmap to done.** If `docs/roadmap.md` exists and the current spec maps to a roadmap feature, call `manage_roadmap` with action `update` to set the feature status to `done`. Derive the feature name from the spec title (H1 heading) or the session's `handoff.json` `summary` field. If `manage_roadmap` is unavailable, fall back to direct file manipulation using `updateFeature()` from core. Skip silently if no roadmap exists or if the feature is not found. Do not use `force_sync: true`.
|
|
389
423
|
|
|
390
|
-
6. **
|
|
424
|
+
6. **Write final session summary.** Update the session summary to reflect completion:
|
|
425
|
+
|
|
426
|
+
```json
|
|
427
|
+
writeSessionSummary(projectPath, sessionSlug, {
|
|
428
|
+
session: "<session-slug>",
|
|
429
|
+
lastActive: "<ISO timestamp>",
|
|
430
|
+
skill: "harness-autopilot",
|
|
431
|
+
status: "DONE. <total phases> phases, <total tasks> tasks complete.",
|
|
432
|
+
spec: "<spec path>",
|
|
433
|
+
keyContext: "<1-2 sentences: overall summary of what was built>",
|
|
434
|
+
nextStep: "All phases complete. Create PR or close session."
|
|
435
|
+
})
|
|
436
|
+
```
|
|
437
|
+
|
|
438
|
+
7. **Clean up state:** Set `currentState: "DONE"` in `{sessionDir}/autopilot-state.json`. Do not delete the file — it serves as a record.
|
|
391
439
|
|
|
392
440
|
## Harness Integration
|
|
393
441
|
|
|
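Review bot: same fence issue as the per-phase summary: a json tag on a JavaScript call. Beyond that, the final summary omits the `phase` and `plan` fields the per-phase summary sets; if `loadSessionSummary()` consumers read `phase`, a completed session yields an undefined value, so either set `phase: "<total phases> of <total phases>"` or document that those fields are optional. Step 7 keeps `autopilot-state.json` as a record; say whether the session summary is retained for the same reason or replaced on the next session.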
@@ -161,7 +161,7 @@ These keywords flow into the `handoff.json` `contextKeywords` field when the spe
|
|
|
161
161
|
- Call `manage_roadmap` with action `add`, `status: "planned"`, `milestone: "Current Work"`, and the spec path. Include a one-line summary from the spec overview.
|
|
162
162
|
- If the feature already exists in the roadmap (duplicate name), skip silently — the feature was likely added manually or by a prior brainstorming session.
|
|
163
163
|
- Log: `"Added '<feature-name>' to roadmap as planned"` (informational, not a prompt).
|
|
164
|
-
- If `manage_roadmap` is unavailable, fall back to direct file manipulation using `
|
|
164
|
+
- If `manage_roadmap` is unavailable, fall back to direct file manipulation using `parseRoadmap`/`serializeRoadmap` from core to read, modify, and write `docs/roadmap.md`.
|
|
165
165
|
- If no roadmap exists, skip this step silently.
|
|
166
166
|
|
|
167
167
|
7. **Write handoff and suggest transition.** After the human approves the spec:
|
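Review bot: the fallback "read, modify, and write `docs/roadmap.md`" via `parseRoadmap`/`serializeRoadmap` does not say whether the duplicate-name check in the bullet above still applies, nor that the round-trip must preserve manually edited entries; state both explicitly so the direct write cannot add a second copy of a feature or clobber human edits, which is the same human-always-wins rule the autopilot skill applies to `manage_roadmap`.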