@harness-engineering/cli 1.13.0 → 1.13.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/agents/skills/claude-code/add-harness-component/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/align-documentation/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/check-mechanical-constraints/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/cleanup-dead-code/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/detect-doc-drift/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/enforce-architecture/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-accessibility/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-api-design/SKILL.md +304 -0
- package/dist/agents/skills/claude-code/harness-api-design/skill.yaml +74 -0
- package/dist/agents/skills/claude-code/harness-architecture-advisor/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-auth/SKILL.md +279 -0
- package/dist/agents/skills/claude-code/harness-auth/skill.yaml +81 -0
- package/dist/agents/skills/claude-code/harness-autopilot/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-brainstorming/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-caching/SKILL.md +309 -0
- package/dist/agents/skills/claude-code/harness-caching/skill.yaml +73 -0
- package/dist/agents/skills/claude-code/harness-chaos/SKILL.md +295 -0
- package/dist/agents/skills/claude-code/harness-chaos/skill.yaml +72 -0
- package/dist/agents/skills/claude-code/harness-code-review/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-codebase-cleanup/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-compliance/SKILL.md +303 -0
- package/dist/agents/skills/claude-code/harness-compliance/skill.yaml +78 -0
- package/dist/agents/skills/claude-code/harness-containerization/SKILL.md +284 -0
- package/dist/agents/skills/claude-code/harness-containerization/skill.yaml +80 -0
- package/dist/agents/skills/claude-code/harness-data-pipeline/SKILL.md +274 -0
- package/dist/agents/skills/claude-code/harness-data-pipeline/skill.yaml +81 -0
- package/dist/agents/skills/claude-code/harness-data-validation/SKILL.md +343 -0
- package/dist/agents/skills/claude-code/harness-data-validation/skill.yaml +75 -0
- package/dist/agents/skills/claude-code/harness-database/SKILL.md +258 -0
- package/dist/agents/skills/claude-code/harness-database/skill.yaml +80 -0
- package/dist/agents/skills/claude-code/harness-debugging/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-dependency-health/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-deployment/SKILL.md +255 -0
- package/dist/agents/skills/claude-code/harness-deployment/skill.yaml +77 -0
- package/dist/agents/skills/claude-code/harness-design/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-design-mobile/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-design-system/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-design-web/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-diagnostics/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-docs-pipeline/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-dx/SKILL.md +276 -0
- package/dist/agents/skills/claude-code/harness-dx/skill.yaml +76 -0
- package/dist/agents/skills/claude-code/harness-e2e/SKILL.md +245 -0
- package/dist/agents/skills/claude-code/harness-e2e/skill.yaml +78 -0
- package/dist/agents/skills/claude-code/harness-event-driven/SKILL.md +280 -0
- package/dist/agents/skills/claude-code/harness-event-driven/skill.yaml +77 -0
- package/dist/agents/skills/claude-code/harness-execution/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-feature-flags/SKILL.md +287 -0
- package/dist/agents/skills/claude-code/harness-feature-flags/skill.yaml +74 -0
- package/dist/agents/skills/claude-code/harness-git-workflow/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-hotspot-detector/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-i18n/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-i18n-process/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-i18n-workflow/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-impact-analysis/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-incident-response/SKILL.md +223 -0
- package/dist/agents/skills/claude-code/harness-incident-response/skill.yaml +78 -0
- package/dist/agents/skills/claude-code/harness-infrastructure-as-code/SKILL.md +279 -0
- package/dist/agents/skills/claude-code/harness-infrastructure-as-code/skill.yaml +80 -0
- package/dist/agents/skills/claude-code/harness-integration-test/SKILL.md +271 -0
- package/dist/agents/skills/claude-code/harness-integration-test/skill.yaml +73 -0
- package/dist/agents/skills/claude-code/harness-integrity/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-knowledge-mapper/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-load-testing/SKILL.md +274 -0
- package/dist/agents/skills/claude-code/harness-load-testing/skill.yaml +79 -0
- package/dist/agents/skills/claude-code/harness-ml-ops/SKILL.md +341 -0
- package/dist/agents/skills/claude-code/harness-ml-ops/skill.yaml +79 -0
- package/dist/agents/skills/claude-code/harness-mobile-patterns/SKILL.md +326 -0
- package/dist/agents/skills/claude-code/harness-mobile-patterns/skill.yaml +82 -0
- package/dist/agents/skills/claude-code/harness-mutation-test/SKILL.md +251 -0
- package/dist/agents/skills/claude-code/harness-mutation-test/skill.yaml +70 -0
- package/dist/agents/skills/claude-code/harness-observability/SKILL.md +283 -0
- package/dist/agents/skills/claude-code/harness-observability/skill.yaml +78 -0
- package/dist/agents/skills/claude-code/harness-onboarding/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-parallel-agents/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-perf/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-perf-tdd/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-planning/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-pre-commit-review/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-product-spec/SKILL.md +285 -0
- package/dist/agents/skills/claude-code/harness-product-spec/skill.yaml +72 -0
- package/dist/agents/skills/claude-code/harness-property-test/SKILL.md +281 -0
- package/dist/agents/skills/claude-code/harness-property-test/skill.yaml +71 -0
- package/dist/agents/skills/claude-code/harness-refactoring/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-release-readiness/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-resilience/SKILL.md +255 -0
- package/dist/agents/skills/claude-code/harness-resilience/skill.yaml +76 -0
- package/dist/agents/skills/claude-code/harness-roadmap/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-secrets/SKILL.md +293 -0
- package/dist/agents/skills/claude-code/harness-secrets/skill.yaml +76 -0
- package/dist/agents/skills/claude-code/harness-security-review/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-security-scan/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-skill-authoring/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-soundness-review/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-sql-review/SKILL.md +315 -0
- package/dist/agents/skills/claude-code/harness-sql-review/skill.yaml +74 -0
- package/dist/agents/skills/claude-code/harness-state-management/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-tdd/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-test-advisor/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-test-data/SKILL.md +268 -0
- package/dist/agents/skills/claude-code/harness-test-data/skill.yaml +74 -0
- package/dist/agents/skills/claude-code/harness-ux-copy/SKILL.md +271 -0
- package/dist/agents/skills/claude-code/harness-ux-copy/skill.yaml +77 -0
- package/dist/agents/skills/claude-code/harness-verification/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-verify/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-visual-regression/SKILL.md +257 -0
- package/dist/agents/skills/claude-code/harness-visual-regression/skill.yaml +74 -0
- package/dist/agents/skills/claude-code/initialize-harness-project/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/validate-context-engineering/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/add-harness-component/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/align-documentation/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/check-mechanical-constraints/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/cleanup-dead-code/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/detect-doc-drift/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/enforce-architecture/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-accessibility/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-api-design/SKILL.md +304 -0
- package/dist/agents/skills/gemini-cli/harness-api-design/skill.yaml +74 -0
- package/dist/agents/skills/gemini-cli/harness-architecture-advisor/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-auth/SKILL.md +279 -0
- package/dist/agents/skills/gemini-cli/harness-auth/skill.yaml +81 -0
- package/dist/agents/skills/gemini-cli/harness-autopilot/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-brainstorming/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-caching/SKILL.md +309 -0
- package/dist/agents/skills/gemini-cli/harness-caching/skill.yaml +73 -0
- package/dist/agents/skills/gemini-cli/harness-chaos/SKILL.md +295 -0
- package/dist/agents/skills/gemini-cli/harness-chaos/skill.yaml +72 -0
- package/dist/agents/skills/gemini-cli/harness-code-review/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-codebase-cleanup/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-compliance/SKILL.md +303 -0
- package/dist/agents/skills/gemini-cli/harness-compliance/skill.yaml +78 -0
- package/dist/agents/skills/gemini-cli/harness-containerization/SKILL.md +284 -0
- package/dist/agents/skills/gemini-cli/harness-containerization/skill.yaml +80 -0
- package/dist/agents/skills/gemini-cli/harness-data-pipeline/SKILL.md +274 -0
- package/dist/agents/skills/gemini-cli/harness-data-pipeline/skill.yaml +81 -0
- package/dist/agents/skills/gemini-cli/harness-data-validation/SKILL.md +343 -0
- package/dist/agents/skills/gemini-cli/harness-data-validation/skill.yaml +75 -0
- package/dist/agents/skills/gemini-cli/harness-database/SKILL.md +258 -0
- package/dist/agents/skills/gemini-cli/harness-database/skill.yaml +80 -0
- package/dist/agents/skills/gemini-cli/harness-debugging/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-dependency-health/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-deployment/SKILL.md +255 -0
- package/dist/agents/skills/gemini-cli/harness-deployment/skill.yaml +77 -0
- package/dist/agents/skills/gemini-cli/harness-design/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-design-mobile/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-design-system/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-design-web/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-diagnostics/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-docs-pipeline/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-dx/SKILL.md +276 -0
- package/dist/agents/skills/gemini-cli/harness-dx/skill.yaml +76 -0
- package/dist/agents/skills/gemini-cli/harness-e2e/SKILL.md +245 -0
- package/dist/agents/skills/gemini-cli/harness-e2e/skill.yaml +78 -0
- package/dist/agents/skills/gemini-cli/harness-event-driven/SKILL.md +280 -0
- package/dist/agents/skills/gemini-cli/harness-event-driven/skill.yaml +77 -0
- package/dist/agents/skills/gemini-cli/harness-execution/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-feature-flags/SKILL.md +287 -0
- package/dist/agents/skills/gemini-cli/harness-feature-flags/skill.yaml +74 -0
- package/dist/agents/skills/gemini-cli/harness-git-workflow/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-hotspot-detector/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-i18n/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-i18n-process/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-i18n-workflow/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-impact-analysis/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-incident-response/SKILL.md +223 -0
- package/dist/agents/skills/gemini-cli/harness-incident-response/skill.yaml +78 -0
- package/dist/agents/skills/gemini-cli/harness-infrastructure-as-code/SKILL.md +279 -0
- package/dist/agents/skills/gemini-cli/harness-infrastructure-as-code/skill.yaml +80 -0
- package/dist/agents/skills/gemini-cli/harness-integration-test/SKILL.md +271 -0
- package/dist/agents/skills/gemini-cli/harness-integration-test/skill.yaml +73 -0
- package/dist/agents/skills/gemini-cli/harness-integrity/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-knowledge-mapper/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-load-testing/SKILL.md +274 -0
- package/dist/agents/skills/gemini-cli/harness-load-testing/skill.yaml +79 -0
- package/dist/agents/skills/gemini-cli/harness-ml-ops/SKILL.md +341 -0
- package/dist/agents/skills/gemini-cli/harness-ml-ops/skill.yaml +79 -0
- package/dist/agents/skills/gemini-cli/harness-mobile-patterns/SKILL.md +326 -0
- package/dist/agents/skills/gemini-cli/harness-mobile-patterns/skill.yaml +82 -0
- package/dist/agents/skills/gemini-cli/harness-mutation-test/SKILL.md +251 -0
- package/dist/agents/skills/gemini-cli/harness-mutation-test/skill.yaml +70 -0
- package/dist/agents/skills/gemini-cli/harness-observability/SKILL.md +283 -0
- package/dist/agents/skills/gemini-cli/harness-observability/skill.yaml +78 -0
- package/dist/agents/skills/gemini-cli/harness-onboarding/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-parallel-agents/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-perf/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-perf-tdd/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-planning/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-pre-commit-review/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-product-spec/SKILL.md +285 -0
- package/dist/agents/skills/gemini-cli/harness-product-spec/skill.yaml +72 -0
- package/dist/agents/skills/gemini-cli/harness-property-test/SKILL.md +281 -0
- package/dist/agents/skills/gemini-cli/harness-property-test/skill.yaml +71 -0
- package/dist/agents/skills/gemini-cli/harness-refactoring/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-release-readiness/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-resilience/SKILL.md +255 -0
- package/dist/agents/skills/gemini-cli/harness-resilience/skill.yaml +76 -0
- package/dist/agents/skills/gemini-cli/harness-roadmap/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-secrets/SKILL.md +293 -0
- package/dist/agents/skills/gemini-cli/harness-secrets/skill.yaml +76 -0
- package/dist/agents/skills/gemini-cli/harness-security-review/SKILL.md +240 -0
- package/dist/agents/skills/gemini-cli/harness-security-review/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-security-scan/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-skill-authoring/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-soundness-review/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-sql-review/SKILL.md +315 -0
- package/dist/agents/skills/gemini-cli/harness-sql-review/skill.yaml +74 -0
- package/dist/agents/skills/gemini-cli/harness-state-management/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-tdd/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-test-advisor/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-test-data/SKILL.md +268 -0
- package/dist/agents/skills/gemini-cli/harness-test-data/skill.yaml +74 -0
- package/dist/agents/skills/gemini-cli/harness-ux-copy/SKILL.md +271 -0
- package/dist/agents/skills/gemini-cli/harness-ux-copy/skill.yaml +77 -0
- package/dist/agents/skills/gemini-cli/harness-verification/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-verify/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-visual-regression/SKILL.md +257 -0
- package/dist/agents/skills/gemini-cli/harness-visual-regression/skill.yaml +74 -0
- package/dist/agents/skills/gemini-cli/initialize-harness-project/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/validate-context-engineering/skill.yaml +1 -0
- package/dist/{agents-md-P2RHSUV7.js → agents-md-XU3BHE22.js} +1 -1
- package/dist/{architecture-ESOOE26S.js → architecture-2R5Z4ZAF.js} +2 -2
- package/dist/bin/harness-mcp.js +14 -13
- package/dist/bin/harness.js +22 -21
- package/dist/{check-phase-gate-S2MZKLFQ.js → check-phase-gate-2OFZ7OWW.js} +3 -2
- package/dist/{chunk-LD3DKUK5.js → chunk-4ZMOCPYO.js} +1 -1
- package/dist/{chunk-5VY23YK3.js → chunk-65FRIL4D.js} +2 -2
- package/dist/{chunk-L2KLU56K.js → chunk-AOZRDOIP.js} +2 -2
- package/dist/{chunk-MACVXDZK.js → chunk-DZS7CJKL.js} +4 -4
- package/dist/{chunk-7PZWR4LI.js → chunk-IM32EEDM.js} +9 -9
- package/dist/{chunk-2YPZKGAG.js → chunk-IMFVFNJE.js} +1 -1
- package/dist/{chunk-HD4IBGLA.js → chunk-N5G5QMS3.js} +24 -1
- package/dist/{chunk-MI5XJQDY.js → chunk-ND6PNADU.js} +23 -9
- package/dist/{chunk-7KQSUZVG.js → chunk-NERR4TAO.js} +729 -436
- package/dist/{chunk-PSNN4LWX.js → chunk-NOPU4RZ4.js} +2 -2
- package/dist/{chunk-KELT6K6M.js → chunk-PQ5YK4AY.js} +287 -258
- package/dist/{chunk-WPPDRIJL.js → chunk-QY4T6YAZ.js} +3 -3
- package/dist/{chunk-RZSUJBZZ.js → chunk-SSKDAOX5.js} +31 -28
- package/dist/{chunk-2VU4MFM3.js → chunk-TKJZKICB.js} +6 -6
- package/dist/{chunk-GNGELAXY.js → chunk-TS3XWPW5.js} +1 -1
- package/dist/chunk-UAX4I5ZE.js +217 -0
- package/dist/{chunk-VRFZWGMS.js → chunk-XYLGHKG6.js} +5 -1
- package/dist/{chunk-6N4R6FVX.js → chunk-YBJ262QL.js} +1 -1
- package/dist/{chunk-3KOLLWWE.js → chunk-Z77YQRQT.js} +11 -207
- package/dist/{ci-workflow-4NYBUG6R.js → ci-workflow-EHV65NQB.js} +1 -1
- package/dist/{create-skill-WPXHSLX2.js → create-skill-XSWHMSM5.js} +2 -2
- package/dist/{dist-WF4C7A4A.js → dist-2B363XUH.js} +1 -1
- package/dist/{dist-M6BQODWC.js → dist-HXHWB7SV.js} +2 -2
- package/dist/{docs-BPYCN2DR.js → docs-FZOPM4GK.js} +4 -2
- package/dist/{engine-LXLIWQQ3.js → engine-OL4T6NZS.js} +1 -1
- package/dist/{entropy-4VDVV5CR.js → entropy-LVHJMFGH.js} +2 -2
- package/dist/{feedback-63QB5RCA.js → feedback-IHLVLMRD.js} +1 -1
- package/dist/{generate-agent-definitions-QABOJG56.js → generate-agent-definitions-64S3CLEZ.js} +3 -3
- package/dist/{glob-helper-5OHBUQAI.js → glob-helper-R5FXNUPS.js} +1 -1
- package/dist/{graph-loader-KO4GJ5N2.js → graph-loader-GJZ4FN4Y.js} +1 -1
- package/dist/index.d.ts +35 -8
- package/dist/index.js +23 -21
- package/dist/{loader-Z2IT7QX3.js → loader-DPYFB6R6.js} +1 -1
- package/dist/{mcp-KQHEL5IF.js → mcp-JQUI7BVZ.js} +14 -13
- package/dist/{performance-26BH47O4.js → performance-ZTVSUANN.js} +2 -2
- package/dist/{review-pipeline-GHR3WFBI.js → review-pipeline-76JHKGSV.js} +1 -1
- package/dist/{runtime-PDWD7UIK.js → runtime-X7U6SC7K.js} +1 -1
- package/dist/{security-UQFUZXEN.js → security-FWQZF2IZ.js} +1 -1
- package/dist/skill-executor-XZLYZYAK.js +8 -0
- package/dist/{validate-N7QJOKFZ.js → validate-GCHZJIL7.js} +2 -2
- package/dist/{validate-cross-check-EDQ5QGTM.js → validate-cross-check-STFHYMAZ.js} +1 -1
- package/package.json +3 -3
- package/dist/skill-executor-RG45LUO5.js +0 -8
|
@@ -0,0 +1,72 @@
|
|
|
1
|
+
name: harness-chaos
|
|
2
|
+
version: "1.0.0"
|
|
3
|
+
description: Chaos engineering, fault injection, and resilience validation
|
|
4
|
+
cognitive_mode: adversarial-reviewer
|
|
5
|
+
triggers:
|
|
6
|
+
- manual
|
|
7
|
+
- on_milestone
|
|
8
|
+
platforms:
|
|
9
|
+
- claude-code
|
|
10
|
+
- gemini-cli
|
|
11
|
+
tools:
|
|
12
|
+
- Bash
|
|
13
|
+
- Read
|
|
14
|
+
- Write
|
|
15
|
+
- Edit
|
|
16
|
+
- Glob
|
|
17
|
+
- Grep
|
|
18
|
+
- emit_interaction
|
|
19
|
+
cli:
|
|
20
|
+
command: harness skill run harness-chaos
|
|
21
|
+
args:
|
|
22
|
+
- name: path
|
|
23
|
+
description: Project root path
|
|
24
|
+
required: false
|
|
25
|
+
- name: target
|
|
26
|
+
description: "Target service or component for fault injection."
|
|
27
|
+
required: false
|
|
28
|
+
- name: blast-radius
|
|
29
|
+
description: "Blast radius: single-service, namespace, or cluster. Defaults to single-service."
|
|
30
|
+
required: false
|
|
31
|
+
mcp:
|
|
32
|
+
tool: run_skill
|
|
33
|
+
input:
|
|
34
|
+
skill: harness-chaos
|
|
35
|
+
path: string
|
|
36
|
+
type: rigid
|
|
37
|
+
tier: 3
|
|
38
|
+
internal: false
|
|
39
|
+
keywords:
|
|
40
|
+
- chaos engineering
|
|
41
|
+
- fault injection
|
|
42
|
+
- Chaos Toolkit
|
|
43
|
+
- Gremlin
|
|
44
|
+
- Litmus
|
|
45
|
+
- resilience
|
|
46
|
+
- failure mode
|
|
47
|
+
- graceful degradation
|
|
48
|
+
- game day
|
|
49
|
+
- disaster recovery
|
|
50
|
+
stack_signals:
|
|
51
|
+
- "chaos/"
|
|
52
|
+
- "experiments/"
|
|
53
|
+
- "chaos-toolkit/"
|
|
54
|
+
- "litmus/"
|
|
55
|
+
- "fault-injection/"
|
|
56
|
+
phases:
|
|
57
|
+
- name: plan
|
|
58
|
+
description: Identify failure modes, define steady-state hypotheses, and scope blast radius
|
|
59
|
+
required: true
|
|
60
|
+
- name: inject
|
|
61
|
+
description: Apply fault injection using chaos tooling against target services
|
|
62
|
+
required: true
|
|
63
|
+
- name: observe
|
|
64
|
+
description: Monitor system behavior under fault conditions and collect metrics
|
|
65
|
+
required: true
|
|
66
|
+
- name: improve
|
|
67
|
+
description: Analyze findings, recommend resilience improvements, and update runbooks
|
|
68
|
+
required: true
|
|
69
|
+
state:
|
|
70
|
+
persistent: false
|
|
71
|
+
files: []
|
|
72
|
+
depends_on: []
|
|
@@ -0,0 +1,303 @@
|
|
|
1
|
+
# Harness Compliance
|
|
2
|
+
|
|
3
|
+
> SOC2, HIPAA, GDPR compliance checks, audit trails, and regulatory checklists. Scans codebases for compliance-relevant patterns, classifies data by sensitivity, audits implementation against framework-specific controls, and generates gap analysis reports with remediation plans.
|
|
4
|
+
|
|
5
|
+
## When to Use
|
|
6
|
+
|
|
7
|
+
- At milestone boundaries to audit compliance posture before releases to regulated markets
|
|
8
|
+
- On PRs that modify data handling, storage, logging, or user-facing privacy features
|
|
9
|
+
- When preparing for external audits (SOC2 Type II, HIPAA assessment, GDPR DPA review)
|
|
10
|
+
- NOT for runtime security scanning or vulnerability detection (use harness-security-scan)
|
|
11
|
+
- NOT for authentication or authorization implementation (use harness-auth)
|
|
12
|
+
- NOT for infrastructure security hardening (use harness-security-review)
|
|
13
|
+
|
|
14
|
+
## Process
|
|
15
|
+
|
|
16
|
+
### Phase 1: SCAN -- Detect Applicable Frameworks and Data Patterns
|
|
17
|
+
|
|
18
|
+
1. **Identify applicable compliance frameworks.** Scan for indicators:
|
|
19
|
+
- SOC2: presence of `docs/compliance/soc2/`, audit logging implementation, access control patterns
|
|
20
|
+
- HIPAA: healthcare-related data models (patient, diagnosis, prescription), PHI field markers
|
|
21
|
+
- GDPR: EU user data handling, consent collection, cookie banners, privacy policy references
|
|
22
|
+
- PCI-DSS: payment processing, credit card fields, tokenization, PCI scope markers
|
|
23
|
+
- Detect from existing compliance documentation, data models, and configuration files
|
|
24
|
+
|
|
25
|
+
2. **Inventory data stores.** Map all locations where user data is persisted:
|
|
26
|
+
- Databases: table schemas, column names, migration files
|
|
27
|
+
- Object storage: S3 buckets, GCS buckets, Azure Blob containers
|
|
28
|
+
- Caches: Redis keys, Memcached namespaces
|
|
29
|
+
- Log files: structured logging output, log aggregation configuration
|
|
30
|
+
- Third-party services: analytics (Segment, Mixpanel), CRM (Salesforce, HubSpot), email (SendGrid, Mailchimp)
|
|
31
|
+
|
|
32
|
+
3. **Trace data flows.** Map how user data moves through the system:
|
|
33
|
+
- Ingestion: API endpoints that accept user input, form submissions, file uploads
|
|
34
|
+
- Processing: services that transform, aggregate, or enrich user data
|
|
35
|
+
- Storage: where processed data is persisted (primary database, cache, search index)
|
|
36
|
+
- Egress: data shared with third parties, exported, or displayed to other users
|
|
37
|
+
- Deletion: how data is removed when retention expires or deletion is requested
|
|
38
|
+
|
|
39
|
+
4. **Check for existing compliance artifacts.** Look for:
|
|
40
|
+
- Privacy policy: `PRIVACY.md`, `privacy-policy.md`, or served via web route
|
|
41
|
+
- Security policy: `SECURITY.md`, security disclosure process
|
|
42
|
+
- Data processing agreements: `docs/compliance/dpa/`
|
|
43
|
+
- Audit trail implementation: `src/**/audit/**`, event sourcing patterns
|
|
44
|
+
- Consent management: cookie consent banners, preference centers
|
|
45
|
+
|
|
46
|
+
5. **Detect sensitive data patterns.** Grep for fields and patterns that indicate regulated data:
|
|
47
|
+
- PII: email, phone, address, SSN, date of birth, government ID
|
|
48
|
+
- PHI: diagnosis, treatment, prescription, medical record number, insurance ID
|
|
49
|
+
- Financial: credit card number, bank account, routing number, transaction amount
|
|
50
|
+
- Authentication: password (even hashed), API key, secret, token
|
|
51
|
+
|
|
52
|
+
---
|
|
53
|
+
|
|
54
|
+
### Phase 2: CLASSIFY -- Data Sensitivity and Regulatory Scope
|
|
55
|
+
|
|
56
|
+
1. **Classify data fields by sensitivity.** Apply a tiered classification:
|
|
57
|
+
- **Critical:** Data whose exposure triggers mandatory breach notification (SSN, credit card, PHI)
|
|
58
|
+
- **Sensitive:** PII that identifies individuals (email, phone, address, name + DOB)
|
|
59
|
+
- **Internal:** Business data not publicly available (order history, usage metrics, preferences)
|
|
60
|
+
- **Public:** Data intentionally shared (username, public profile, published content)
|
|
61
|
+
|
|
62
|
+
2. **Map regulatory scope per data class.** Determine which frameworks apply to each data class:
|
|
63
|
+
- Critical financial data -> PCI-DSS scope
|
|
64
|
+
- PHI data -> HIPAA scope
|
|
65
|
+
- EU resident PII -> GDPR scope
|
|
66
|
+
- All customer data in a SOC2-audited system -> SOC2 scope
|
|
67
|
+
|
|
68
|
+
3. **Identify cross-border data flows.** For GDPR compliance:
|
|
69
|
+
- Where are data stores physically located? (AWS region, GCP region, Azure region)
|
|
70
|
+
- Does data transfer to non-EU countries? (US servers, CDN nodes, third-party processors)
|
|
71
|
+
- Are Standard Contractual Clauses (SCCs) or adequacy decisions in place?
|
|
72
|
+
- Is data residency configurable per tenant?
|
|
73
|
+
|
|
74
|
+
4. **Document data retention policies.** For each data class:
|
|
75
|
+
- What is the defined retention period?
|
|
76
|
+
- Is automatic deletion implemented (TTL, scheduled job, lifecycle policy)?
|
|
77
|
+
- What happens to data in backups after retention expires?
|
|
78
|
+
- Are retention policies documented and accessible?
|
|
79
|
+
|
|
80
|
+
5. **Produce the data classification matrix.** Output a structured inventory:
|
|
81
|
+
- Data field, classification tier, applicable frameworks, storage location, retention policy, encryption status
|
|
82
|
+
|
|
83
|
+
---
|
|
84
|
+
|
|
85
|
+
### Phase 3: AUDIT -- Check Against Framework Controls
|
|
86
|
+
|
|
87
|
+
1. **SOC2 Trust Services Criteria audit.** Check implementation against key controls:
|
|
88
|
+
- **CC6.1 (Logical Access):** Are all endpoints authenticated? Is RBAC/ABAC enforced?
|
|
89
|
+
- **CC6.2 (Credential Management):** Are passwords hashed with strong algorithms? Is MFA available?
|
|
90
|
+
- **CC6.3 (Encryption):** Is data encrypted at rest (database, file storage) and in transit (TLS)?
|
|
91
|
+
- **CC7.2 (System Monitoring):** Are security events logged? Are alerts configured for anomalies?
|
|
92
|
+
- **CC8.1 (Change Management):** Is there a code review process? Are deployments auditable?
|
|
93
|
+
|
|
94
|
+
2. **HIPAA Security Rule audit.** If PHI is present:
|
|
95
|
+
- **164.312(a)(1) Access Control:** Unique user identification, emergency access, automatic logoff, encryption
|
|
96
|
+
- **164.312(b) Audit Controls:** Record and examine activity in information systems containing PHI
|
|
97
|
+
- **164.312(c)(1) Integrity:** Protect electronic PHI from improper alteration or destruction
|
|
98
|
+
- **164.312(d) Authentication:** Verify identity of person or entity seeking access to PHI
|
|
99
|
+
- **164.312(e)(1) Transmission Security:** Encrypt PHI during electronic transmission
|
|
100
|
+
|
|
101
|
+
3. **GDPR compliance audit.** If EU data is processed:
|
|
102
|
+
- **Article 6 (Lawful Basis):** Is consent collected? Is legitimate interest documented?
|
|
103
|
+
- **Article 13/14 (Transparency):** Is a privacy notice provided at data collection points?
|
|
104
|
+
- **Article 15 (Right of Access):** Can users export their data? Is there a data export endpoint?
|
|
105
|
+
- **Article 17 (Right to Erasure):** Can users request deletion? Is it implemented across all stores?
|
|
106
|
+
- **Article 25 (Data Protection by Design):** Are privacy defaults enforced (minimal data collection)?
|
|
107
|
+
- **Article 30 (Records of Processing):** Is there a processing activities register?
|
|
108
|
+
- **Article 32 (Security of Processing):** Encryption, pseudonymization, resilience, regular testing
|
|
109
|
+
- **Article 33 (Breach Notification):** Is there a 72-hour breach notification process?
|
|
110
|
+
|
|
111
|
+
4. **PCI-DSS audit.** If payment data is present:
|
|
112
|
+
- **Requirement 3:** Is cardholder data encrypted at rest? Is PAN masked in displays?
|
|
113
|
+
- **Requirement 4:** Is cardholder data encrypted in transit?
|
|
114
|
+
- **Requirement 6:** Are secure development practices followed? Is input validated?
|
|
115
|
+
- **Requirement 8:** Is access to cardholder data authenticated and authorized?
|
|
116
|
+
- **Requirement 10:** Are all access events to cardholder data logged?
|
|
117
|
+
|
|
118
|
+
5. **Audit trail verification.** For all applicable frameworks:
|
|
119
|
+
- Are audit events immutable (append-only log, write-once storage)?
|
|
120
|
+
- Do audit records include who, what, when, where, and outcome?
|
|
121
|
+
- Is the audit log protected from tampering (separate access controls, checksums)?
|
|
122
|
+
- Is the audit log retained for the required period (SOC2: 1 year, HIPAA: 6 years, GDPR: varies)?
|
|
123
|
+
|
|
124
|
+
---
|
|
125
|
+
|
|
126
|
+
### Phase 4: REPORT -- Generate Gap Analysis and Remediation Plan
|
|
127
|
+
|
|
128
|
+
1. **Score compliance posture per framework.** For each applicable framework:
|
|
129
|
+
- Total controls assessed
|
|
130
|
+
- Controls fully met, partially met, and not met
|
|
131
|
+
- Overall compliance percentage
|
|
132
|
+
- Risk rating: High (critical controls missing), Medium (non-critical gaps), Low (minor gaps)
|
|
133
|
+
|
|
134
|
+
2. **Produce the gap analysis.** For each control not fully met:
|
|
135
|
+
- Control identifier and description
|
|
136
|
+
- Current implementation status (not started, partial, misconfigured)
|
|
137
|
+
- Specific code locations or configurations that need change
|
|
138
|
+
- Remediation steps with effort estimate (hours/days)
|
|
139
|
+
- Priority based on risk and audit timeline
|
|
140
|
+
|
|
141
|
+
3. **Generate audit-ready checklists.** Produce framework-specific checklists:
|
|
142
|
+
- SOC2: Trust Services Criteria checklist with evidence references
|
|
143
|
+
- HIPAA: Security Rule safeguard checklist with implementation status
|
|
144
|
+
- GDPR: Article-by-article compliance checklist with data flow references
|
|
145
|
+
- PCI-DSS: Requirement checklist with scope boundaries
|
|
146
|
+
|
|
147
|
+
4. **Create remediation plan.** Organize gaps into actionable work:
|
|
148
|
+
- **Phase 1 (Critical, 0-2 weeks):** Fix blocking gaps that would fail an audit
|
|
149
|
+
- **Phase 2 (Important, 2-6 weeks):** Address significant gaps that reduce compliance posture
|
|
150
|
+
- **Phase 3 (Improvement, 6-12 weeks):** Enhance documentation, monitoring, and process maturity
|
|
151
|
+
- Each item includes: description, affected control, owner placeholder, effort estimate
|
|
152
|
+
|
|
153
|
+
5. **Output the compliance report.** Generate `docs/compliance/audit-report-YYYY-MM-DD.md`:
|
|
154
|
+
|
|
155
|
+
```
|
|
156
|
+
Compliance Audit Report — YYYY-MM-DD
|
|
157
|
+
|
|
158
|
+
Frameworks Assessed: SOC2, GDPR
|
|
159
|
+
Data Classifications: 12 critical, 28 sensitive, 45 internal, 15 public
|
|
160
|
+
|
|
161
|
+
SOC2 Status: 78% (18/23 controls met, 3 partial, 2 not met)
|
|
162
|
+
NOT MET:
|
|
163
|
+
CC7.2 — No security event alerting configured
|
|
164
|
+
CC8.1 — No deployment audit trail
|
|
165
|
+
PARTIAL:
|
|
166
|
+
CC6.1 — RBAC exists but 4 endpoints lack authorization checks
|
|
167
|
+
CC6.3 — TLS in transit, but database encryption at rest not configured
|
|
168
|
+
CC6.2 — Passwords hashed, but no MFA available
|
|
169
|
+
|
|
170
|
+
GDPR Status: 65% (11/17 controls met, 4 partial, 2 not met)
|
|
171
|
+
NOT MET:
|
|
172
|
+
Article 17 — No data deletion endpoint implemented
|
|
173
|
+
Article 30 — No processing activities register
|
|
174
|
+
PARTIAL:
|
|
175
|
+
Article 15 — Data export exists but incomplete (missing analytics data)
|
|
176
|
+
...
|
|
177
|
+
|
|
178
|
+
Remediation Plan: 7 items (2 critical, 3 important, 2 improvement)
|
|
179
|
+
Estimated total effort: 45 engineering-hours
|
|
180
|
+
```
|
|
181
|
+
|
|
182
|
+
---
|
|
183
|
+
|
|
184
|
+
## Harness Integration
|
|
185
|
+
|
|
186
|
+
- **`harness skill run harness-compliance`** -- Primary CLI entry point. Runs all four phases.
|
|
187
|
+
- **`harness validate`** -- Run after generating compliance artifacts to verify project structure.
|
|
188
|
+
- **`harness check-deps`** -- Verify that compliance-related dependencies (audit logging libraries, encryption modules) are declared.
|
|
189
|
+
- **`emit_interaction`** -- Used at framework selection (checkpoint:decision) when multiple frameworks apply and the team wants to prioritize, and at remediation plan review (checkpoint:human-verify).
|
|
190
|
+
- **`Glob`** -- Discover compliance documentation, audit trail implementations, privacy policies, and data models.
|
|
191
|
+
- **`Grep`** -- Search for PII field patterns, encryption configurations, consent collection, logging patterns, and sensitive data handling.
|
|
192
|
+
- **`Write`** -- Generate compliance reports, audit checklists, and remediation plans.
|
|
193
|
+
- **`Edit`** -- Update existing compliance documentation with current audit status.
|
|
194
|
+
|
|
195
|
+
## Success Criteria
|
|
196
|
+
|
|
197
|
+
- All applicable compliance frameworks are identified with justification for inclusion
|
|
198
|
+
- Data classification matrix covers all persisted user data fields with sensitivity tier and storage location
|
|
199
|
+
- Audit checks reference specific framework control identifiers (SOC2 CC6.1, GDPR Article 17, etc.)
|
|
200
|
+
- Gap analysis includes specific file locations and code references, not just abstract control descriptions
|
|
201
|
+
- Remediation plan items have effort estimates and are prioritized by risk and audit timeline
|
|
202
|
+
- Audit-ready checklists can be handed directly to an external auditor as evidence documentation
|
|
203
|
+
|
|
204
|
+
## Examples
|
|
205
|
+
|
|
206
|
+
### Example: SaaS Application with SOC2 and GDPR Requirements
|
|
207
|
+
|
|
208
|
+
```
|
|
209
|
+
Phase 1: SCAN
|
|
210
|
+
Frameworks detected:
|
|
211
|
+
- SOC2: docs/compliance/soc2/ directory exists, audit logging in src/audit/
|
|
212
|
+
- GDPR: EU customers present (detected from i18n locales and privacy policy)
|
|
213
|
+
- PCI-DSS: Not applicable (payments via Stripe, card data never touches servers)
|
|
214
|
+
Data stores: PostgreSQL (primary), Redis (cache/sessions), S3 (file uploads)
|
|
215
|
+
Third-party processors: Stripe, SendGrid, Segment, Datadog
|
|
216
|
+
|
|
217
|
+
Phase 2: CLASSIFY
|
|
218
|
+
Critical: None (no SSN, card data handled by Stripe)
|
|
219
|
+
Sensitive: email, phone, address (users table), IP address (access_logs)
|
|
220
|
+
Internal: order_history, preferences, usage_metrics
|
|
221
|
+
Public: username, display_name, avatar_url
|
|
222
|
+
Cross-border: Primary DB in us-east-1, CDN globally, Segment data to US
|
|
223
|
+
GDPR gap: No SCCs documented for US-based sub-processors
|
|
224
|
+
|
|
225
|
+
Phase 3: AUDIT
|
|
226
|
+
SOC2: 78% compliant (18/23)
|
|
227
|
+
CC6.3 — PostgreSQL not using column-level encryption for sensitive fields
|
|
228
|
+
CC7.2 — Datadog alerts exist but no security-specific monitors
|
|
229
|
+
GDPR: 65% compliant (11/17)
|
|
230
|
+
Article 17 — DELETE /api/users/:id exists but does not cascade to S3 files or Segment
|
|
231
|
+
Article 30 — No Records of Processing Activities document
|
|
232
|
+
|
|
233
|
+
Phase 4: REPORT
|
|
234
|
+
Generated: docs/compliance/audit-report-2026-03-27.md
|
|
235
|
+
Remediation plan:
|
|
236
|
+
Critical (week 1-2):
|
|
237
|
+
1. Implement cascading deletion across PostgreSQL, S3, Segment, SendGrid
|
|
238
|
+
2. Create Records of Processing Activities document
|
|
239
|
+
Important (week 3-6):
|
|
240
|
+
3. Add column-level encryption for email, phone, address fields
|
|
241
|
+
4. Create security-specific Datadog monitors for auth failures
|
|
242
|
+
5. Document SCCs for all US-based sub-processors
|
|
243
|
+
Improvement (week 7-12):
|
|
244
|
+
6. Implement data export endpoint including Segment analytics data
|
|
245
|
+
7. Add automated retention enforcement with TTL-based cleanup jobs
|
|
246
|
+
```
|
|
247
|
+
|
|
248
|
+
### Example: Healthcare Platform with HIPAA Requirements
|
|
249
|
+
|
|
250
|
+
```
|
|
251
|
+
Phase 1: SCAN
|
|
252
|
+
Frameworks detected:
|
|
253
|
+
- HIPAA: patient, diagnosis, prescription models in src/models/
|
|
254
|
+
- SOC2: Required by enterprise customers, docs/compliance/soc2/ present
|
|
255
|
+
Data stores: PostgreSQL (primary), Redis (session cache), AWS S3 (medical records)
|
|
256
|
+
Third-party processors: Twilio (patient notifications), AWS (infrastructure)
|
|
257
|
+
BAA status: AWS BAA signed, Twilio BAA signed
|
|
258
|
+
|
|
259
|
+
Phase 2: CLASSIFY
|
|
260
|
+
Critical (PHI):
|
|
261
|
+
- patient_records: name, DOB, SSN, diagnosis_code, treatment_plan
|
|
262
|
+
- prescriptions: medication, dosage, prescribing_physician
|
|
263
|
+
- medical_images: stored in S3 bucket 'patient-records-prod'
|
|
264
|
+
Sensitive: provider email, staff credentials, appointment schedules
|
|
265
|
+
PHI field count: 23 fields across 8 tables
|
|
266
|
+
|
|
267
|
+
Phase 3: AUDIT
|
|
268
|
+
HIPAA Security Rule: 72% compliant
|
|
269
|
+
164.312(a)(1) — Access control exists but no automatic session logoff
|
|
270
|
+
164.312(b) — Audit log captures reads but not all PHI access events
|
|
271
|
+
164.312(c)(1) — No integrity checksums on medical records in S3
|
|
272
|
+
164.312(e)(1) — TLS 1.2 in transit, AES-256 at rest in PostgreSQL and S3
|
|
273
|
+
SOC2: 81% compliant
|
|
274
|
+
All findings overlap with HIPAA gaps
|
|
275
|
+
|
|
276
|
+
Phase 4: REPORT
|
|
277
|
+
Generated: docs/compliance/hipaa-audit-2026-03-27.md
|
|
278
|
+
Remediation plan:
|
|
279
|
+
Critical (week 1-2):
|
|
280
|
+
1. Add automatic session timeout (15 min idle) for clinical users
|
|
281
|
+
2. Extend audit logging to capture all PHI read events with user context
|
|
282
|
+
3. Add SHA-256 integrity checksums to S3 medical record objects
|
|
283
|
+
Important (week 3-6):
|
|
284
|
+
4. Implement minimum necessary access — restrict PHI queries to treating providers
|
|
285
|
+
5. Add PHI access review report for compliance officer (monthly)
|
|
286
|
+
Improvement (week 7-12):
|
|
287
|
+
6. Implement emergency access ("break the glass") with post-access audit
|
|
288
|
+
7. Add automated HIPAA compliance regression tests to CI pipeline
|
|
289
|
+
```
|
|
290
|
+
|
|
291
|
+
## Gates
|
|
292
|
+
|
|
293
|
+
- **No compliance report without data classification.** A compliance audit that does not inventory and classify data fields is incomplete. The classification matrix must be produced before controls can be meaningfully assessed. Without knowing what data exists and where, control checks are theoretical.
|
|
294
|
+
- **No critical control gaps left without remediation plan.** Every control marked "not met" must have a corresponding remediation item with effort estimate and priority. Identifying gaps without a path to closure is shelf-ware.
|
|
295
|
+
- **No PII/PHI field handling changes without re-audit.** When a PR adds or modifies fields classified as sensitive or critical, the compliance audit for affected frameworks must be re-run. Data handling changes can invalidate previous compliance assessments.
|
|
296
|
+
- **No third-party data sharing without documented basis.** Every third-party that receives user data must have a documented lawful basis (GDPR), BAA (HIPAA), or be within scope boundaries (SOC2/PCI-DSS). Undocumented data sharing is a blocking compliance gap.
|
|
297
|
+
|
|
298
|
+
## Escalation
|
|
299
|
+
|
|
300
|
+
- **When compliance requirements conflict with business timelines:** Report: "The GDPR Article 17 implementation requires [N] engineering-hours and touches [M] services. If the audit deadline is [date], recommend prioritizing the critical controls and documenting a remediation timeline for the remaining gaps. Partial compliance with a credible plan is better than no plan."
|
|
301
|
+
- **When legal interpretation is needed:** Report: "The application of [specific regulation article] to [specific data handling pattern] requires legal interpretation. This skill identifies technical implementation gaps but cannot determine legal applicability. Recommend consulting with legal counsel on [specific question]."
|
|
302
|
+
- **When third-party processors lack required agreements:** Report: "[Processor] handles [data type] but no [BAA/DPA/SCC] is on file. This is a blocking compliance gap. Options: (1) execute the required agreement with the processor, (2) migrate to an alternative processor with agreements in place, (3) stop sending regulated data to this processor."
|
|
303
|
+
- **When audit trail implementation requires significant architecture changes:** Report: "The current logging infrastructure does not support immutable, tamper-evident audit trails required by [framework]. Options: (1) add append-only audit table with separate write credentials, (2) use a dedicated audit service (e.g., AWS CloudTrail, custom event store), (3) adopt event sourcing for regulated data flows. Effort estimate: [N] weeks."
|
|
@@ -0,0 +1,78 @@
|
|
|
1
|
+
name: harness-compliance
|
|
2
|
+
version: "1.0.0"
|
|
3
|
+
description: SOC2, HIPAA, GDPR compliance checks, audit trails, and regulatory checklists
|
|
4
|
+
cognitive_mode: meticulous-verifier
|
|
5
|
+
triggers:
|
|
6
|
+
- manual
|
|
7
|
+
- on_milestone
|
|
8
|
+
- on_pr
|
|
9
|
+
platforms:
|
|
10
|
+
- claude-code
|
|
11
|
+
- gemini-cli
|
|
12
|
+
tools:
|
|
13
|
+
- Bash
|
|
14
|
+
- Read
|
|
15
|
+
- Write
|
|
16
|
+
- Edit
|
|
17
|
+
- Glob
|
|
18
|
+
- Grep
|
|
19
|
+
- emit_interaction
|
|
20
|
+
cli:
|
|
21
|
+
command: harness skill run harness-compliance
|
|
22
|
+
args:
|
|
23
|
+
- name: path
|
|
24
|
+
description: Project root path
|
|
25
|
+
required: false
|
|
26
|
+
- name: framework
|
|
27
|
+
description: "Compliance framework: soc2, hipaa, gdpr, pci-dss, or all. Defaults to all detected."
|
|
28
|
+
required: false
|
|
29
|
+
- name: scope
|
|
30
|
+
description: "Audit scope: full, changed-only, or data-flows. Defaults to full."
|
|
31
|
+
required: false
|
|
32
|
+
mcp:
|
|
33
|
+
tool: run_skill
|
|
34
|
+
input:
|
|
35
|
+
skill: harness-compliance
|
|
36
|
+
path: string
|
|
37
|
+
type: rigid
|
|
38
|
+
tier: 3
|
|
39
|
+
internal: false
|
|
40
|
+
keywords:
|
|
41
|
+
- compliance
|
|
42
|
+
- SOC2
|
|
43
|
+
- HIPAA
|
|
44
|
+
- GDPR
|
|
45
|
+
- PCI-DSS
|
|
46
|
+
- audit trail
|
|
47
|
+
- data retention
|
|
48
|
+
- privacy
|
|
49
|
+
- PII
|
|
50
|
+
- data classification
|
|
51
|
+
- right to deletion
|
|
52
|
+
- consent
|
|
53
|
+
- DPA
|
|
54
|
+
stack_signals:
|
|
55
|
+
- "docs/compliance/"
|
|
56
|
+
- "audit/"
|
|
57
|
+
- "src/**/audit/**"
|
|
58
|
+
- "src/**/*gdpr*"
|
|
59
|
+
- "src/**/*privacy*"
|
|
60
|
+
- "SECURITY.md"
|
|
61
|
+
- "PRIVACY.md"
|
|
62
|
+
phases:
|
|
63
|
+
- name: scan
|
|
64
|
+
description: Detect applicable compliance frameworks and inventory data handling patterns
|
|
65
|
+
required: true
|
|
66
|
+
- name: classify
|
|
67
|
+
description: Classify data by sensitivity, identify PII flows, and map regulatory scope
|
|
68
|
+
required: true
|
|
69
|
+
- name: audit
|
|
70
|
+
description: Check implementation against framework-specific control requirements
|
|
71
|
+
required: true
|
|
72
|
+
- name: report
|
|
73
|
+
description: Generate compliance gap analysis, remediation plan, and audit-ready documentation
|
|
74
|
+
required: true
|
|
75
|
+
state:
|
|
76
|
+
persistent: false
|
|
77
|
+
files: []
|
|
78
|
+
depends_on: []
|