@harness-engineering/cli 1.13.0 → 1.14.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/agents/skills/claude-code/add-harness-component/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/align-documentation/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/check-mechanical-constraints/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/cleanup-dead-code/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/detect-doc-drift/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/enforce-architecture/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-accessibility/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-api-design/SKILL.md +304 -0
- package/dist/agents/skills/claude-code/harness-api-design/skill.yaml +74 -0
- package/dist/agents/skills/claude-code/harness-architecture-advisor/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-auth/SKILL.md +279 -0
- package/dist/agents/skills/claude-code/harness-auth/skill.yaml +81 -0
- package/dist/agents/skills/claude-code/harness-autopilot/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-brainstorming/SKILL.md +39 -0
- package/dist/agents/skills/claude-code/harness-brainstorming/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-caching/SKILL.md +309 -0
- package/dist/agents/skills/claude-code/harness-caching/skill.yaml +73 -0
- package/dist/agents/skills/claude-code/harness-chaos/SKILL.md +295 -0
- package/dist/agents/skills/claude-code/harness-chaos/skill.yaml +72 -0
- package/dist/agents/skills/claude-code/harness-code-review/SKILL.md +44 -0
- package/dist/agents/skills/claude-code/harness-code-review/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-codebase-cleanup/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-compliance/SKILL.md +303 -0
- package/dist/agents/skills/claude-code/harness-compliance/skill.yaml +78 -0
- package/dist/agents/skills/claude-code/harness-containerization/SKILL.md +284 -0
- package/dist/agents/skills/claude-code/harness-containerization/skill.yaml +80 -0
- package/dist/agents/skills/claude-code/harness-data-pipeline/SKILL.md +274 -0
- package/dist/agents/skills/claude-code/harness-data-pipeline/skill.yaml +81 -0
- package/dist/agents/skills/claude-code/harness-data-validation/SKILL.md +343 -0
- package/dist/agents/skills/claude-code/harness-data-validation/skill.yaml +75 -0
- package/dist/agents/skills/claude-code/harness-database/SKILL.md +258 -0
- package/dist/agents/skills/claude-code/harness-database/skill.yaml +80 -0
- package/dist/agents/skills/claude-code/harness-debugging/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-dependency-health/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-deployment/SKILL.md +255 -0
- package/dist/agents/skills/claude-code/harness-deployment/skill.yaml +77 -0
- package/dist/agents/skills/claude-code/harness-design/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-design-mobile/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-design-system/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-design-web/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-diagnostics/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-docs-pipeline/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-dx/SKILL.md +276 -0
- package/dist/agents/skills/claude-code/harness-dx/skill.yaml +76 -0
- package/dist/agents/skills/claude-code/harness-e2e/SKILL.md +245 -0
- package/dist/agents/skills/claude-code/harness-e2e/skill.yaml +78 -0
- package/dist/agents/skills/claude-code/harness-event-driven/SKILL.md +280 -0
- package/dist/agents/skills/claude-code/harness-event-driven/skill.yaml +77 -0
- package/dist/agents/skills/claude-code/harness-execution/SKILL.md +44 -0
- package/dist/agents/skills/claude-code/harness-execution/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-feature-flags/SKILL.md +287 -0
- package/dist/agents/skills/claude-code/harness-feature-flags/skill.yaml +74 -0
- package/dist/agents/skills/claude-code/harness-git-workflow/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-hotspot-detector/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-i18n/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-i18n-process/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-i18n-workflow/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-impact-analysis/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-incident-response/SKILL.md +223 -0
- package/dist/agents/skills/claude-code/harness-incident-response/skill.yaml +78 -0
- package/dist/agents/skills/claude-code/harness-infrastructure-as-code/SKILL.md +279 -0
- package/dist/agents/skills/claude-code/harness-infrastructure-as-code/skill.yaml +80 -0
- package/dist/agents/skills/claude-code/harness-integration-test/SKILL.md +271 -0
- package/dist/agents/skills/claude-code/harness-integration-test/skill.yaml +73 -0
- package/dist/agents/skills/claude-code/harness-integrity/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-knowledge-mapper/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-load-testing/SKILL.md +274 -0
- package/dist/agents/skills/claude-code/harness-load-testing/skill.yaml +79 -0
- package/dist/agents/skills/claude-code/harness-ml-ops/SKILL.md +341 -0
- package/dist/agents/skills/claude-code/harness-ml-ops/skill.yaml +79 -0
- package/dist/agents/skills/claude-code/harness-mobile-patterns/SKILL.md +326 -0
- package/dist/agents/skills/claude-code/harness-mobile-patterns/skill.yaml +82 -0
- package/dist/agents/skills/claude-code/harness-mutation-test/SKILL.md +251 -0
- package/dist/agents/skills/claude-code/harness-mutation-test/skill.yaml +70 -0
- package/dist/agents/skills/claude-code/harness-observability/SKILL.md +283 -0
- package/dist/agents/skills/claude-code/harness-observability/skill.yaml +78 -0
- package/dist/agents/skills/claude-code/harness-onboarding/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-parallel-agents/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-perf/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-perf-tdd/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-planning/SKILL.md +39 -0
- package/dist/agents/skills/claude-code/harness-planning/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-pre-commit-review/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-product-spec/SKILL.md +285 -0
- package/dist/agents/skills/claude-code/harness-product-spec/skill.yaml +72 -0
- package/dist/agents/skills/claude-code/harness-property-test/SKILL.md +281 -0
- package/dist/agents/skills/claude-code/harness-property-test/skill.yaml +71 -0
- package/dist/agents/skills/claude-code/harness-refactoring/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-release-readiness/SKILL.md +3 -3
- package/dist/agents/skills/claude-code/harness-release-readiness/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-resilience/SKILL.md +255 -0
- package/dist/agents/skills/claude-code/harness-resilience/skill.yaml +76 -0
- package/dist/agents/skills/claude-code/harness-roadmap/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-secrets/SKILL.md +293 -0
- package/dist/agents/skills/claude-code/harness-secrets/skill.yaml +76 -0
- package/dist/agents/skills/claude-code/harness-security-review/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-security-scan/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-skill-authoring/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-soundness-review/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-sql-review/SKILL.md +315 -0
- package/dist/agents/skills/claude-code/harness-sql-review/skill.yaml +74 -0
- package/dist/agents/skills/claude-code/harness-state-management/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-tdd/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-test-advisor/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-test-data/SKILL.md +268 -0
- package/dist/agents/skills/claude-code/harness-test-data/skill.yaml +74 -0
- package/dist/agents/skills/claude-code/harness-ux-copy/SKILL.md +271 -0
- package/dist/agents/skills/claude-code/harness-ux-copy/skill.yaml +77 -0
- package/dist/agents/skills/claude-code/harness-verification/SKILL.md +35 -0
- package/dist/agents/skills/claude-code/harness-verification/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-verify/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/harness-visual-regression/SKILL.md +257 -0
- package/dist/agents/skills/claude-code/harness-visual-regression/skill.yaml +74 -0
- package/dist/agents/skills/claude-code/initialize-harness-project/SKILL.md +11 -3
- package/dist/agents/skills/claude-code/initialize-harness-project/skill.yaml +1 -0
- package/dist/agents/skills/claude-code/validate-context-engineering/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/add-harness-component/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/align-documentation/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/check-mechanical-constraints/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/cleanup-dead-code/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/detect-doc-drift/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/enforce-architecture/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-accessibility/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-api-design/SKILL.md +304 -0
- package/dist/agents/skills/gemini-cli/harness-api-design/skill.yaml +74 -0
- package/dist/agents/skills/gemini-cli/harness-architecture-advisor/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-auth/SKILL.md +279 -0
- package/dist/agents/skills/gemini-cli/harness-auth/skill.yaml +81 -0
- package/dist/agents/skills/gemini-cli/harness-autopilot/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-brainstorming/SKILL.md +39 -0
- package/dist/agents/skills/gemini-cli/harness-brainstorming/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-caching/SKILL.md +309 -0
- package/dist/agents/skills/gemini-cli/harness-caching/skill.yaml +73 -0
- package/dist/agents/skills/gemini-cli/harness-chaos/SKILL.md +295 -0
- package/dist/agents/skills/gemini-cli/harness-chaos/skill.yaml +72 -0
- package/dist/agents/skills/gemini-cli/harness-code-review/SKILL.md +44 -0
- package/dist/agents/skills/gemini-cli/harness-code-review/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-codebase-cleanup/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-compliance/SKILL.md +303 -0
- package/dist/agents/skills/gemini-cli/harness-compliance/skill.yaml +78 -0
- package/dist/agents/skills/gemini-cli/harness-containerization/SKILL.md +284 -0
- package/dist/agents/skills/gemini-cli/harness-containerization/skill.yaml +80 -0
- package/dist/agents/skills/gemini-cli/harness-data-pipeline/SKILL.md +274 -0
- package/dist/agents/skills/gemini-cli/harness-data-pipeline/skill.yaml +81 -0
- package/dist/agents/skills/gemini-cli/harness-data-validation/SKILL.md +343 -0
- package/dist/agents/skills/gemini-cli/harness-data-validation/skill.yaml +75 -0
- package/dist/agents/skills/gemini-cli/harness-database/SKILL.md +258 -0
- package/dist/agents/skills/gemini-cli/harness-database/skill.yaml +80 -0
- package/dist/agents/skills/gemini-cli/harness-debugging/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-dependency-health/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-deployment/SKILL.md +255 -0
- package/dist/agents/skills/gemini-cli/harness-deployment/skill.yaml +77 -0
- package/dist/agents/skills/gemini-cli/harness-design/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-design-mobile/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-design-system/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-design-web/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-diagnostics/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-docs-pipeline/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-dx/SKILL.md +276 -0
- package/dist/agents/skills/gemini-cli/harness-dx/skill.yaml +76 -0
- package/dist/agents/skills/gemini-cli/harness-e2e/SKILL.md +245 -0
- package/dist/agents/skills/gemini-cli/harness-e2e/skill.yaml +78 -0
- package/dist/agents/skills/gemini-cli/harness-event-driven/SKILL.md +280 -0
- package/dist/agents/skills/gemini-cli/harness-event-driven/skill.yaml +77 -0
- package/dist/agents/skills/gemini-cli/harness-execution/SKILL.md +44 -0
- package/dist/agents/skills/gemini-cli/harness-execution/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-feature-flags/SKILL.md +287 -0
- package/dist/agents/skills/gemini-cli/harness-feature-flags/skill.yaml +74 -0
- package/dist/agents/skills/gemini-cli/harness-git-workflow/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-hotspot-detector/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-i18n/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-i18n-process/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-i18n-workflow/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-impact-analysis/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-incident-response/SKILL.md +223 -0
- package/dist/agents/skills/gemini-cli/harness-incident-response/skill.yaml +78 -0
- package/dist/agents/skills/gemini-cli/harness-infrastructure-as-code/SKILL.md +279 -0
- package/dist/agents/skills/gemini-cli/harness-infrastructure-as-code/skill.yaml +80 -0
- package/dist/agents/skills/gemini-cli/harness-integration-test/SKILL.md +271 -0
- package/dist/agents/skills/gemini-cli/harness-integration-test/skill.yaml +73 -0
- package/dist/agents/skills/gemini-cli/harness-integrity/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-knowledge-mapper/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-load-testing/SKILL.md +274 -0
- package/dist/agents/skills/gemini-cli/harness-load-testing/skill.yaml +79 -0
- package/dist/agents/skills/gemini-cli/harness-ml-ops/SKILL.md +341 -0
- package/dist/agents/skills/gemini-cli/harness-ml-ops/skill.yaml +79 -0
- package/dist/agents/skills/gemini-cli/harness-mobile-patterns/SKILL.md +326 -0
- package/dist/agents/skills/gemini-cli/harness-mobile-patterns/skill.yaml +82 -0
- package/dist/agents/skills/gemini-cli/harness-mutation-test/SKILL.md +251 -0
- package/dist/agents/skills/gemini-cli/harness-mutation-test/skill.yaml +70 -0
- package/dist/agents/skills/gemini-cli/harness-observability/SKILL.md +283 -0
- package/dist/agents/skills/gemini-cli/harness-observability/skill.yaml +78 -0
- package/dist/agents/skills/gemini-cli/harness-onboarding/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-parallel-agents/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-perf/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-perf-tdd/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-planning/SKILL.md +39 -0
- package/dist/agents/skills/gemini-cli/harness-planning/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-pre-commit-review/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-product-spec/SKILL.md +285 -0
- package/dist/agents/skills/gemini-cli/harness-product-spec/skill.yaml +72 -0
- package/dist/agents/skills/gemini-cli/harness-property-test/SKILL.md +281 -0
- package/dist/agents/skills/gemini-cli/harness-property-test/skill.yaml +71 -0
- package/dist/agents/skills/gemini-cli/harness-refactoring/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-release-readiness/SKILL.md +3 -3
- package/dist/agents/skills/gemini-cli/harness-release-readiness/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-resilience/SKILL.md +255 -0
- package/dist/agents/skills/gemini-cli/harness-resilience/skill.yaml +76 -0
- package/dist/agents/skills/gemini-cli/harness-roadmap/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-secrets/SKILL.md +293 -0
- package/dist/agents/skills/gemini-cli/harness-secrets/skill.yaml +76 -0
- package/dist/agents/skills/gemini-cli/harness-security-review/SKILL.md +240 -0
- package/dist/agents/skills/gemini-cli/harness-security-review/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-security-scan/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-skill-authoring/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-soundness-review/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-sql-review/SKILL.md +315 -0
- package/dist/agents/skills/gemini-cli/harness-sql-review/skill.yaml +74 -0
- package/dist/agents/skills/gemini-cli/harness-state-management/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-tdd/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-test-advisor/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-test-data/SKILL.md +268 -0
- package/dist/agents/skills/gemini-cli/harness-test-data/skill.yaml +74 -0
- package/dist/agents/skills/gemini-cli/harness-ux-copy/SKILL.md +271 -0
- package/dist/agents/skills/gemini-cli/harness-ux-copy/skill.yaml +77 -0
- package/dist/agents/skills/gemini-cli/harness-verification/SKILL.md +35 -0
- package/dist/agents/skills/gemini-cli/harness-verification/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-verify/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/harness-visual-regression/SKILL.md +257 -0
- package/dist/agents/skills/gemini-cli/harness-visual-regression/skill.yaml +74 -0
- package/dist/agents/skills/gemini-cli/initialize-harness-project/SKILL.md +11 -3
- package/dist/agents/skills/gemini-cli/initialize-harness-project/skill.yaml +1 -0
- package/dist/agents/skills/gemini-cli/validate-context-engineering/skill.yaml +1 -0
- package/dist/agents-md-YTYQDA3P.js +8 -0
- package/dist/{architecture-ESOOE26S.js → architecture-JQZYM4US.js} +4 -4
- package/dist/bin/harness-mcp.js +16 -15
- package/dist/bin/harness.js +31 -30
- package/dist/{check-phase-gate-S2MZKLFQ.js → check-phase-gate-L3RADYWO.js} +4 -3
- package/dist/{chunk-WPPDRIJL.js → chunk-3C2MLBPJ.js} +4 -4
- package/dist/chunk-6KTUUFRN.js +217 -0
- package/dist/{chunk-MI5XJQDY.js → chunk-7IP4JIFL.js} +24 -10
- package/dist/{chunk-C2ERUR3L.js → chunk-7MJAPE3Z.js} +165 -49
- package/dist/{chunk-KELT6K6M.js → chunk-ABQHQ6I5.js} +1861 -1418
- package/dist/{chunk-L2KLU56K.js → chunk-AOZRDOIP.js} +2 -2
- package/dist/{chunk-QPEH2QPG.js → chunk-DBSOCI3G.js} +53 -54
- package/dist/{chunk-MHBMTPW7.js → chunk-ERS5EVUZ.js} +9 -0
- package/dist/{chunk-JSTQ3AWB.js → chunk-FIAPHX37.js} +1 -1
- package/dist/{chunk-2YPZKGAG.js → chunk-FTMXDOR6.js} +1 -1
- package/dist/{chunk-72GHBOL2.js → chunk-GZKSBLQL.js} +1 -1
- package/dist/{chunk-K6XAPGML.js → chunk-H7Y5CKTM.js} +1 -1
- package/dist/{chunk-HD4IBGLA.js → chunk-N5G5QMS3.js} +24 -1
- package/dist/{chunk-LD3DKUK5.js → chunk-NLVUVUGD.js} +1 -1
- package/dist/{chunk-3KOLLWWE.js → chunk-O5OJVPL6.js} +26 -211
- package/dist/{chunk-NKDM3FMH.js → chunk-OD3S2NHN.js} +1 -1
- package/dist/{chunk-5VY23YK3.js → chunk-OSXBPAMK.js} +2 -2
- package/dist/{chunk-MACVXDZK.js → chunk-OXLLOSSR.js} +45 -47
- package/dist/{chunk-GNGELAXY.js → chunk-RCWZBSK5.js} +2 -2
- package/dist/{chunk-PSNN4LWX.js → chunk-S2FXOWOR.js} +3 -3
- package/dist/{chunk-VUCPTQ6G.js → chunk-SD3SQOZ2.js} +1 -1
- package/dist/{chunk-7PZWR4LI.js → chunk-TPOTOBR7.js} +9 -9
- package/dist/{chunk-RZSUJBZZ.js → chunk-XKECDXJS.js} +452 -353
- package/dist/{chunk-VRFZWGMS.js → chunk-XYLGHKG6.js} +5 -1
- package/dist/{chunk-6N4R6FVX.js → chunk-YBJ262QL.js} +1 -1
- package/dist/{chunk-2VU4MFM3.js → chunk-YPYGXRDR.js} +7 -7
- package/dist/{chunk-Q6AB7W5Z.js → chunk-YQ6KC6TE.js} +1 -1
- package/dist/{chunk-7KQSUZVG.js → chunk-YZD2MRNQ.js} +1528 -1010
- package/dist/ci-workflow-EQZFVX3P.js +8 -0
- package/dist/{create-skill-WPXHSLX2.js → create-skill-XSWHMSM5.js} +2 -2
- package/dist/{dist-M6BQODWC.js → dist-B26DFXMP.js} +573 -480
- package/dist/{dist-L7LAAQAS.js → dist-DZ63LLUD.js} +1 -1
- package/dist/{dist-WF4C7A4A.js → dist-HWXF2C3R.js} +18 -2
- package/dist/{dist-D4RYGUZE.js → dist-USY2C5JL.js} +3 -1
- package/dist/{docs-BPYCN2DR.js → docs-7ECGYMAV.js} +5 -3
- package/dist/engine-EG4EH4IX.js +8 -0
- package/dist/{entropy-4VDVV5CR.js → entropy-5USWKLVS.js} +3 -3
- package/dist/{feedback-63QB5RCA.js → feedback-UTBXZZHF.js} +1 -1
- package/dist/{generate-agent-definitions-QABOJG56.js → generate-agent-definitions-3PM5EU7V.js} +5 -5
- package/dist/{glob-helper-5OHBUQAI.js → glob-helper-R5FXNUPS.js} +1 -1
- package/dist/{graph-loader-KO4GJ5N2.js → graph-loader-2M2HXDQI.js} +1 -1
- package/dist/index.d.ts +183 -17
- package/dist/index.js +32 -30
- package/dist/loader-ZPALXIVR.js +10 -0
- package/dist/mcp-362EZHF4.js +35 -0
- package/dist/{performance-26BH47O4.js → performance-OQAFMJUD.js} +3 -3
- package/dist/{review-pipeline-GHR3WFBI.js → review-pipeline-C4GCFVGP.js} +1 -1
- package/dist/runtime-7YLVK453.js +9 -0
- package/dist/{security-UQFUZXEN.js → security-PZOX7AQS.js} +1 -1
- package/dist/skill-executor-XZLYZYAK.js +8 -0
- package/dist/templates/axum/Cargo.toml.hbs +8 -0
- package/dist/templates/axum/src/main.rs +12 -0
- package/dist/templates/axum/template.json +16 -0
- package/dist/templates/django/manage.py.hbs +19 -0
- package/dist/templates/django/requirements.txt.hbs +1 -0
- package/dist/templates/django/src/settings.py.hbs +44 -0
- package/dist/templates/django/src/urls.py +6 -0
- package/dist/templates/django/src/wsgi.py.hbs +9 -0
- package/dist/templates/django/template.json +21 -0
- package/dist/templates/express/package.json.hbs +15 -0
- package/dist/templates/express/src/app.ts +12 -0
- package/dist/templates/express/src/lib/.gitkeep +0 -0
- package/dist/templates/express/template.json +16 -0
- package/dist/templates/fastapi/requirements.txt.hbs +2 -0
- package/dist/templates/fastapi/src/main.py +8 -0
- package/dist/templates/fastapi/template.json +20 -0
- package/dist/templates/gin/go.mod.hbs +5 -0
- package/dist/templates/gin/main.go +15 -0
- package/dist/templates/gin/template.json +19 -0
- package/dist/templates/go-base/.golangci.yml +16 -0
- package/dist/templates/go-base/AGENTS.md.hbs +35 -0
- package/dist/templates/go-base/go.mod.hbs +3 -0
- package/dist/templates/go-base/harness.config.json.hbs +17 -0
- package/dist/templates/go-base/main.go +7 -0
- package/dist/templates/go-base/template.json +14 -0
- package/dist/templates/java-base/AGENTS.md.hbs +35 -0
- package/dist/templates/java-base/checkstyle.xml +20 -0
- package/dist/templates/java-base/harness.config.json.hbs +16 -0
- package/dist/templates/java-base/pom.xml.hbs +39 -0
- package/dist/templates/java-base/src/main/java/App.java.hbs +5 -0
- package/dist/templates/java-base/template.json +13 -0
- package/dist/templates/nestjs/nest-cli.json +5 -0
- package/dist/templates/nestjs/package.json.hbs +18 -0
- package/dist/templates/nestjs/src/app.module.ts +8 -0
- package/dist/templates/nestjs/src/lib/.gitkeep +0 -0
- package/dist/templates/nestjs/src/main.ts +11 -0
- package/dist/templates/nestjs/template.json +16 -0
- package/dist/templates/nextjs/template.json +15 -1
- package/dist/templates/python-base/.python-version +1 -0
- package/dist/templates/python-base/AGENTS.md.hbs +32 -0
- package/dist/templates/python-base/harness.config.json.hbs +16 -0
- package/dist/templates/python-base/pyproject.toml.hbs +18 -0
- package/dist/templates/python-base/ruff.toml +5 -0
- package/dist/templates/python-base/src/__init__.py +0 -0
- package/dist/templates/python-base/template.json +13 -0
- package/dist/templates/react-vite/index.html +12 -0
- package/dist/templates/react-vite/package.json.hbs +18 -0
- package/dist/templates/react-vite/src/App.tsx +7 -0
- package/dist/templates/react-vite/src/lib/.gitkeep +0 -0
- package/dist/templates/react-vite/src/main.tsx +9 -0
- package/dist/templates/react-vite/template.json +19 -0
- package/dist/templates/react-vite/vite.config.ts +6 -0
- package/dist/templates/rust-base/AGENTS.md.hbs +35 -0
- package/dist/templates/rust-base/Cargo.toml.hbs +6 -0
- package/dist/templates/rust-base/clippy.toml +2 -0
- package/dist/templates/rust-base/harness.config.json.hbs +17 -0
- package/dist/templates/rust-base/src/main.rs +3 -0
- package/dist/templates/rust-base/template.json +14 -0
- package/dist/templates/spring-boot/pom.xml.hbs +50 -0
- package/dist/templates/spring-boot/src/main/java/Application.java.hbs +19 -0
- package/dist/templates/spring-boot/template.json +15 -0
- package/dist/templates/vue/index.html +12 -0
- package/dist/templates/vue/package.json.hbs +16 -0
- package/dist/templates/vue/src/App.vue +7 -0
- package/dist/templates/vue/src/lib/.gitkeep +0 -0
- package/dist/templates/vue/src/main.ts +4 -0
- package/dist/templates/vue/template.json +19 -0
- package/dist/templates/vue/vite.config.ts +6 -0
- package/dist/{validate-N7QJOKFZ.js → validate-FD3Z6VJD.js} +4 -4
- package/dist/validate-cross-check-WNJM6H2D.js +8 -0
- package/package.json +6 -6
- package/dist/agents-md-P2RHSUV7.js +0 -8
- package/dist/ci-workflow-4NYBUG6R.js +0 -8
- package/dist/engine-LXLIWQQ3.js +0 -8
- package/dist/loader-Z2IT7QX3.js +0 -10
- package/dist/mcp-KQHEL5IF.js +0 -34
- package/dist/runtime-PDWD7UIK.js +0 -9
- package/dist/skill-executor-RG45LUO5.js +0 -8
- package/dist/validate-cross-check-EDQ5QGTM.js +0 -8
|
@@ -0,0 +1,293 @@
|
|
|
1
|
+
# Harness Secrets
|
|
2
|
+
|
|
3
|
+
> Secret detection, credential hygiene, and vault integration. Find exposed secrets, classify risk, and enforce externalization before they reach production.
|
|
4
|
+
|
|
5
|
+
## When to Use
|
|
6
|
+
|
|
7
|
+
- When scanning source code for hardcoded secrets, API keys, or credentials
|
|
8
|
+
- When auditing environment variable hygiene and `.env` file management
|
|
9
|
+
- On PRs that modify configuration files or add new service integrations
|
|
10
|
+
- NOT for general application security review (use harness-security-review)
|
|
11
|
+
- NOT for infrastructure credential management (use harness-infrastructure-as-code)
|
|
12
|
+
- NOT for CI/CD secret injection (use harness-deployment)
|
|
13
|
+
|
|
14
|
+
## Process
|
|
15
|
+
|
|
16
|
+
### Phase 1: SCAN -- Detect Secrets in Source Code
|
|
17
|
+
|
|
18
|
+
1. **Scan source files for secret patterns.** Search for common secret formats:
|
|
19
|
+
- **API keys:** Patterns matching `sk-`, `pk_`, `AKIA`, `AIza`, `ghp_`, `glpat-`, `xoxb-`
|
|
20
|
+
- **Connection strings:** Database URIs with embedded credentials (`postgres://user:pass@`)
|
|
21
|
+
- **Private keys:** `-----BEGIN RSA PRIVATE KEY-----`, `-----BEGIN EC PRIVATE KEY-----`
|
|
22
|
+
- **JWT tokens:** Base64-encoded strings matching `eyJ` header pattern
|
|
23
|
+
- **Generic secrets:** Variables named `password`, `secret`, `token`, `api_key` with literal string values
|
|
24
|
+
|
|
25
|
+
2. **Scan configuration files.** Check files that commonly contain secrets:
|
|
26
|
+
- `.env`, `.env.local`, `.env.production` (should be gitignored)
|
|
27
|
+
- `config/*.json`, `config/*.yaml` with credential fields
|
|
28
|
+
- `docker-compose.yml` with inline environment values
|
|
29
|
+
- `application.properties`, `appsettings.json` with connection strings
|
|
30
|
+
- CI/CD pipeline files with hardcoded values
|
|
31
|
+
|
|
32
|
+
3. **Check `.gitignore` coverage.** Verify that sensitive files are excluded from version control:
|
|
33
|
+
- `.env*` files (except `.env.example`)
|
|
34
|
+
- `*.pem`, `*.key` private key files
|
|
35
|
+
- `credentials/`, `secrets/` directories
|
|
36
|
+
- Service account JSON files (`*-credentials.json`)
|
|
37
|
+
- IDE-specific files that may cache environment variables
|
|
38
|
+
|
|
39
|
+
4. **Scan git history for leaked secrets.** Check recent commits:
|
|
40
|
+
- Run `git log --diff-filter=A --name-only` for recently added files
|
|
41
|
+
- Check if any `.env` or credential files were committed and later removed
|
|
42
|
+
- Flag files that appear in git history but are now gitignored (the secret is still in history)
|
|
43
|
+
|
|
44
|
+
5. **Present scan results:**
|
|
45
|
+
|
|
46
|
+
```
|
|
47
|
+
Secret Scan: 7 findings in 5 files
|
|
48
|
+
|
|
49
|
+
CRITICAL (2):
|
|
50
|
+
src/config/database.ts:8 -- Hardcoded PostgreSQL connection string with password
|
|
51
|
+
src/services/stripe.ts:3 -- Stripe secret key (sk_live_...)
|
|
52
|
+
|
|
53
|
+
HIGH (3):
|
|
54
|
+
docker-compose.yml:15 -- MySQL root password in plaintext
|
|
55
|
+
src/config/aws.ts:12 -- AWS access key pattern (AKIA...)
|
|
56
|
+
.env.production:1 -- File committed to git (should be gitignored)
|
|
57
|
+
|
|
58
|
+
MEDIUM (2):
|
|
59
|
+
src/utils/auth.ts:45 -- JWT secret as string literal
|
|
60
|
+
config/app.json:22 -- Generic "apiKey" field with literal value
|
|
61
|
+
```
|
|
62
|
+
|
|
63
|
+
---
|
|
64
|
+
|
|
65
|
+
### Phase 2: CLASSIFY -- Categorize by Risk and Type
|
|
66
|
+
|
|
67
|
+
1. **Assign severity levels.** Classify each finding:
|
|
68
|
+
- **CRITICAL:** Live production credentials, private keys, cloud provider access keys. Immediate rotation required.
|
|
69
|
+
- **HIGH:** Secrets in committed files, database passwords, service API keys. Rotation strongly recommended.
|
|
70
|
+
- **MEDIUM:** Development-only secrets in source, JWT signing keys, generic tokens. Should be externalized.
|
|
71
|
+
- **LOW:** Example values that look like secrets but are placeholders (`YOUR_API_KEY_HERE`), test-only credentials in test fixtures.
|
|
72
|
+
|
|
73
|
+
2. **Identify secret type.** Categorize each finding:
|
|
74
|
+
- Cloud provider credentials (AWS, GCP, Azure)
|
|
75
|
+
- Database credentials (connection strings, passwords)
|
|
76
|
+
- Third-party API keys (Stripe, SendGrid, Twilio)
|
|
77
|
+
- Authentication secrets (JWT keys, OAuth client secrets)
|
|
78
|
+
- Encryption keys (symmetric keys, private keys)
|
|
79
|
+
- Internal service tokens (inter-service auth)
|
|
80
|
+
|
|
81
|
+
3. **Assess blast radius.** For each CRITICAL and HIGH finding:
|
|
82
|
+
- What systems does this credential access?
|
|
83
|
+
- Is the credential scoped (read-only, limited permissions) or broad (admin)?
|
|
84
|
+
- Is the credential shared across environments?
|
|
85
|
+
- When was the credential last rotated?
|
|
86
|
+
|
|
87
|
+
4. **Check for false positives.** Verify findings are actual secrets:
|
|
88
|
+
- Example/placeholder values in documentation
|
|
89
|
+
- Test fixtures with fake credentials
|
|
90
|
+
- Base64-encoded non-secret data matching JWT patterns
|
|
91
|
+
- Hash values that match key patterns but are not keys
|
|
92
|
+
|
|
93
|
+
5. **Generate classification report:**
|
|
94
|
+
|
|
95
|
+
```
|
|
96
|
+
Classification:
|
|
97
|
+
CRITICAL: 2 (require immediate rotation)
|
|
98
|
+
HIGH: 3 (require rotation within 24 hours)
|
|
99
|
+
MEDIUM: 2 (require externalization)
|
|
100
|
+
LOW: 0
|
|
101
|
+
False positives: 1 (removed from findings)
|
|
102
|
+
|
|
103
|
+
Affected systems:
|
|
104
|
+
- PostgreSQL database (production)
|
|
105
|
+
- Stripe payment processing
|
|
106
|
+
- AWS S3 storage
|
|
107
|
+
```
|
|
108
|
+
|
|
109
|
+
---
|
|
110
|
+
|
|
111
|
+
### Phase 3: REMEDIATE -- Extract and Secure Secrets
|
|
112
|
+
|
|
113
|
+
1. **Recommend secret externalization.** For each finding, provide the remediation:
|
|
114
|
+
- Replace hardcoded value with environment variable reference
|
|
115
|
+
- Add the variable to `.env.example` with a placeholder value
|
|
116
|
+
- Add the actual value to the deployment secret store
|
|
117
|
+
- Verify `.gitignore` includes the actual `.env` file
|
|
118
|
+
|
|
119
|
+
2. **Recommend secret management integration.** Based on the project's infrastructure:
|
|
120
|
+
- **HashiCorp Vault:** Dynamic secrets, lease-based rotation, transit encryption
|
|
121
|
+
- **AWS Secrets Manager:** Native AWS integration, automatic rotation for RDS
|
|
122
|
+
- **Google Secret Manager:** GCP-native, IAM-based access control
|
|
123
|
+
- **Azure Key Vault:** Azure-native, HSM-backed key storage
|
|
124
|
+
- **dotenv + CI secrets:** Minimum viable approach for smaller projects
|
|
125
|
+
|
|
126
|
+
3. **Recommend rotation procedure.** For each CRITICAL and HIGH finding:
|
|
127
|
+
- Generate a new credential in the source system
|
|
128
|
+
- Update the secret store with the new value
|
|
129
|
+
- Deploy the updated configuration
|
|
130
|
+
- Verify the service works with the new credential
|
|
131
|
+
- Revoke the old credential
|
|
132
|
+
- Confirm no systems depend on the old credential
|
|
133
|
+
|
|
134
|
+
4. **Provide code transformation examples.** Show before/after for each finding:
|
|
135
|
+
|
|
136
|
+
```typescript
|
|
137
|
+
// BEFORE (hardcoded)
|
|
138
|
+
const stripe = new Stripe('sk_live_abc123...');
|
|
139
|
+
|
|
140
|
+
// AFTER (externalized)
|
|
141
|
+
const stripe = new Stripe(process.env.STRIPE_SECRET_KEY!);
|
|
142
|
+
```
|
|
143
|
+
|
|
144
|
+
5. **If `--fix` flag is set,** apply automatic transformations:
|
|
145
|
+
- Extract hardcoded values to environment variables
|
|
146
|
+
- Add `.env.example` entries with placeholder values
|
|
147
|
+
- Update `.gitignore` if `.env` files are not excluded
|
|
148
|
+
- Present the diff for review before committing
|
|
149
|
+
|
|
150
|
+
---
|
|
151
|
+
|
|
152
|
+
### Phase 4: VALIDATE -- Verify Remediation Completeness
|
|
153
|
+
|
|
154
|
+
1. **Re-scan after remediation.** Run the same scan from Phase 1 to verify:
|
|
155
|
+
- All CRITICAL and HIGH findings are resolved
|
|
156
|
+
- No new secrets were introduced during remediation
|
|
157
|
+
- Environment variable references resolve correctly
|
|
158
|
+
|
|
159
|
+
2. **Verify `.gitignore` coverage.** Confirm:
|
|
160
|
+
- All `.env` files (except `.env.example`) are gitignored
|
|
161
|
+
- Private key files are gitignored
|
|
162
|
+
- The gitignore patterns are specific enough (not overly broad)
|
|
163
|
+
|
|
164
|
+
3. **Verify `.env.example` completeness.** Check that:
|
|
165
|
+
- Every environment variable referenced in code has an entry
|
|
166
|
+
- Values are placeholders, not actual secrets
|
|
167
|
+
- Each entry has a comment describing the variable's purpose
|
|
168
|
+
- Required vs. optional variables are clearly marked
|
|
169
|
+
|
|
170
|
+
4. **Check git history for residual exposure.** If secrets were previously committed:
|
|
171
|
+
- Warn that the secret exists in git history even after removal
|
|
172
|
+
- Recommend `git filter-repo` or BFG Repo-Cleaner for history rewriting
|
|
173
|
+
- Emphasize that rotation is required regardless of history cleanup
|
|
174
|
+
- Note that force-push to remote may be required after history rewrite
|
|
175
|
+
|
|
176
|
+
5. **Generate validation report:**
|
|
177
|
+
|
|
178
|
+
```
|
|
179
|
+
Secret Validation: [PASS/WARN/FAIL]
|
|
180
|
+
|
|
181
|
+
Rescan: PASS (0 CRITICAL, 0 HIGH findings)
|
|
182
|
+
.gitignore: PASS (all sensitive patterns covered)
|
|
183
|
+
.env.example: WARN (missing STRIPE_WEBHOOK_SECRET entry)
|
|
184
|
+
Git history: WARN (2 secrets exist in history -- rotation required)
|
|
185
|
+
|
|
186
|
+
Actions remaining:
|
|
187
|
+
1. Add STRIPE_WEBHOOK_SECRET to .env.example
|
|
188
|
+
2. Rotate PostgreSQL password (exposed in commit abc1234)
|
|
189
|
+
3. Rotate Stripe key (exposed in commit def5678)
|
|
190
|
+
4. Consider git history rewrite after rotation
|
|
191
|
+
```
|
|
192
|
+
|
|
193
|
+
---
|
|
194
|
+
|
|
195
|
+
## Harness Integration
|
|
196
|
+
|
|
197
|
+
- **`harness skill run harness-secrets`** -- Primary invocation for secret scanning and remediation.
|
|
198
|
+
- **`harness validate`** -- Run after remediation to verify project health.
|
|
199
|
+
- **`harness check-security`** -- Complementary mechanical security scan that includes basic secret detection.
|
|
200
|
+
- **`emit_interaction`** -- Present findings and gather decisions on remediation approach.
|
|
201
|
+
|
|
202
|
+
## Success Criteria
|
|
203
|
+
|
|
204
|
+
- All source files are scanned for secret patterns
|
|
205
|
+
- Findings are classified by severity with accurate false-positive filtering
|
|
206
|
+
- CRITICAL and HIGH findings have specific rotation recommendations
|
|
207
|
+
- Environment variable externalization is verified
|
|
208
|
+
- `.gitignore` covers all sensitive file patterns
|
|
209
|
+
- `.env.example` is complete with placeholder values
|
|
210
|
+
- Git history exposure is flagged with rotation guidance
|
|
211
|
+
|
|
212
|
+
## Examples
|
|
213
|
+
|
|
214
|
+
### Example: Express.js API with Hardcoded Stripe Keys
|
|
215
|
+
|
|
216
|
+
```
|
|
217
|
+
Phase 1: SCAN
|
|
218
|
+
Scanned: 86 files
|
|
219
|
+
Findings: 4
|
|
220
|
+
|
|
221
|
+
CRITICAL: src/payments/stripe.ts:5 -- sk_live_EXAMPLE_KEY_REDACTED_0000
|
|
222
|
+
HIGH: docker-compose.yml:22 -- POSTGRES_PASSWORD=supersecret
|
|
223
|
+
MEDIUM: src/config/jwt.ts:3 -- JWT_SECRET = "my-jwt-secret-key"
|
|
224
|
+
LOW: tests/fixtures/auth.ts:8 -- fake-api-key-for-testing (false positive)
|
|
225
|
+
|
|
226
|
+
Phase 2: CLASSIFY
|
|
227
|
+
CRITICAL: 1 (Stripe production secret key -- full payment access)
|
|
228
|
+
HIGH: 1 (PostgreSQL password -- database access)
|
|
229
|
+
MEDIUM: 1 (JWT secret -- token forgery risk)
|
|
230
|
+
False positives: 1 (test fixture removed from findings)
|
|
231
|
+
|
|
232
|
+
Phase 3: REMEDIATE
|
|
233
|
+
1. Stripe key -> process.env.STRIPE_SECRET_KEY
|
|
234
|
+
2. Postgres password -> ${POSTGRES_PASSWORD} in compose, actual value in .env
|
|
235
|
+
3. JWT secret -> process.env.JWT_SECRET
|
|
236
|
+
Added 3 entries to .env.example
|
|
237
|
+
Updated .gitignore with .env* pattern
|
|
238
|
+
|
|
239
|
+
Phase 4: VALIDATE
|
|
240
|
+
Rescan: PASS (0 findings)
|
|
241
|
+
.gitignore: PASS
|
|
242
|
+
.env.example: PASS (all 3 variables documented)
|
|
243
|
+
Git history: WARN (Stripe key in commit history)
|
|
244
|
+
Result: WARN -- secrets externalized, rotation required for Stripe and Postgres
|
|
245
|
+
```
|
|
246
|
+
|
|
247
|
+
### Example: Django Application with AWS Credentials
|
|
248
|
+
|
|
249
|
+
```
|
|
250
|
+
Phase 1: SCAN
|
|
251
|
+
Scanned: 124 files
|
|
252
|
+
Findings: 5
|
|
253
|
+
|
|
254
|
+
CRITICAL: settings/production.py:45 -- AWS_ACCESS_KEY_ID = "AKIA..."
|
|
255
|
+
CRITICAL: settings/production.py:46 -- AWS_SECRET_ACCESS_KEY = "wJal..."
|
|
256
|
+
HIGH: .env.production committed to git (12 secrets inside)
|
|
257
|
+
MEDIUM: settings/base.py:88 -- SECRET_KEY = "django-insecure-..."
|
|
258
|
+
MEDIUM: settings/base.py:92 -- DATABASE_URL with embedded password
|
|
259
|
+
|
|
260
|
+
Phase 2: CLASSIFY
|
|
261
|
+
CRITICAL: 2 (AWS IAM credentials -- full account access)
|
|
262
|
+
HIGH: 1 (.env.production in git -- 12 leaked values)
|
|
263
|
+
MEDIUM: 2 (Django secret key and database URL)
|
|
264
|
+
|
|
265
|
+
Phase 3: REMEDIATE
|
|
266
|
+
1. AWS credentials -> boto3 credential chain (env vars or IAM role)
|
|
267
|
+
2. Remove .env.production from git, add to .gitignore
|
|
268
|
+
3. Django SECRET_KEY -> os.environ["DJANGO_SECRET_KEY"]
|
|
269
|
+
4. DATABASE_URL -> os.environ["DATABASE_URL"]
|
|
270
|
+
Recommend: Switch to django-environ for all settings
|
|
271
|
+
Recommend: Use IAM roles instead of access keys for production
|
|
272
|
+
|
|
273
|
+
Phase 4: VALIDATE
|
|
274
|
+
Rescan: PASS
|
|
275
|
+
.gitignore: PASS
|
|
276
|
+
.env.example: PASS
|
|
277
|
+
Git history: CRITICAL (AWS keys and .env.production in history)
|
|
278
|
+
Result: FAIL -- rotation required before deployment, history rewrite recommended
|
|
279
|
+
```
|
|
280
|
+
|
|
281
|
+
## Gates
|
|
282
|
+
|
|
283
|
+
- **No CRITICAL findings may remain unaddressed.** Production credentials exposed in source code are blocking. Execution halts until the credential is rotated and the code is remediated.
|
|
284
|
+
- **No `.env` files with actual secrets committed to git.** A committed `.env` file containing real credentials is a blocking finding, even if the file is later gitignored.
|
|
285
|
+
- **No secrets in git history without rotation.** If a secret was previously committed, it must be rotated regardless of whether it was removed from the current tree.
|
|
286
|
+
- **No remediation without verification.** The `--fix` flag must be followed by a rescan to confirm all findings are resolved.
|
|
287
|
+
|
|
288
|
+
## Escalation
|
|
289
|
+
|
|
290
|
+
- **When a production credential is exposed in a public repository:** This is an emergency. Immediately recommend rotating the credential, then address code remediation. Do not wait for a PR review cycle -- rotation must happen within minutes.
|
|
291
|
+
- **When git history contains secrets and the repo is public:** Recommend making the repo private temporarily, rotating all exposed credentials, running BFG Repo-Cleaner, and force-pushing. Note that GitHub caches may retain the data -- contact GitHub support if needed.
|
|
292
|
+
- **When the team has no secret management infrastructure:** Recommend starting with CI/CD platform secrets (GitHub Secrets, GitLab CI variables) as a minimum viable approach. Design a migration path to a dedicated secret manager for later.
|
|
293
|
+
- **When false positive rate is high:** Adjust scan patterns for the project's domain. Add a `.harness/secret-scan-ignore` file with documented exceptions for known false positives (test fixtures, example values, hash constants).
|
|
@@ -0,0 +1,76 @@
|
|
|
1
|
+
name: harness-secrets
|
|
2
|
+
version: "1.0.0"
|
|
3
|
+
description: Vault integration, credential rotation, and environment variable hygiene
|
|
4
|
+
cognitive_mode: meticulous-verifier
|
|
5
|
+
tier: 3
|
|
6
|
+
internal: false
|
|
7
|
+
keywords:
|
|
8
|
+
- secrets
|
|
9
|
+
- vault
|
|
10
|
+
- credentials
|
|
11
|
+
- env
|
|
12
|
+
- environment variables
|
|
13
|
+
- rotation
|
|
14
|
+
- HashiCorp
|
|
15
|
+
- AWS Secrets Manager
|
|
16
|
+
- dotenv
|
|
17
|
+
- encryption
|
|
18
|
+
- API keys
|
|
19
|
+
stack_signals:
|
|
20
|
+
- ".env*"
|
|
21
|
+
- "vault.hcl"
|
|
22
|
+
- "src/**/secrets/**"
|
|
23
|
+
- "src/**/config/**"
|
|
24
|
+
- ".sops.yaml"
|
|
25
|
+
- "secrets/"
|
|
26
|
+
- "credentials/"
|
|
27
|
+
triggers:
|
|
28
|
+
- manual
|
|
29
|
+
- on_pr
|
|
30
|
+
- on_commit
|
|
31
|
+
platforms:
|
|
32
|
+
- claude-code
|
|
33
|
+
- gemini-cli
|
|
34
|
+
tools:
|
|
35
|
+
- Bash
|
|
36
|
+
- Read
|
|
37
|
+
- Glob
|
|
38
|
+
- Grep
|
|
39
|
+
- emit_interaction
|
|
40
|
+
cli:
|
|
41
|
+
command: harness skill run harness-secrets
|
|
42
|
+
args:
|
|
43
|
+
- name: path
|
|
44
|
+
description: Project root path
|
|
45
|
+
required: false
|
|
46
|
+
- name: changed-only
|
|
47
|
+
description: Only scan git-changed files
|
|
48
|
+
type: boolean
|
|
49
|
+
required: false
|
|
50
|
+
- name: fix
|
|
51
|
+
description: Auto-remediate by extracting secrets to env vars
|
|
52
|
+
type: boolean
|
|
53
|
+
required: false
|
|
54
|
+
mcp:
|
|
55
|
+
tool: run_skill
|
|
56
|
+
input:
|
|
57
|
+
skill: harness-secrets
|
|
58
|
+
path: string
|
|
59
|
+
type: rigid
|
|
60
|
+
phases:
|
|
61
|
+
- name: scan
|
|
62
|
+
description: Detect secrets, credentials, and sensitive values in source code
|
|
63
|
+
required: true
|
|
64
|
+
- name: classify
|
|
65
|
+
description: Categorize findings by severity and secret type
|
|
66
|
+
required: true
|
|
67
|
+
- name: remediate
|
|
68
|
+
description: Recommend or apply secret extraction and rotation strategies
|
|
69
|
+
required: true
|
|
70
|
+
- name: validate
|
|
71
|
+
description: Verify secrets are properly externalized and gitignored
|
|
72
|
+
required: true
|
|
73
|
+
state:
|
|
74
|
+
persistent: false
|
|
75
|
+
files: []
|
|
76
|
+
depends_on: []
|
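Review bot: The `mcp.input` block declares only `skill` and `path`, while the CLI `args` block for the same skill also exposes the `changed-only` and `fix` booleans, so an MCP caller apparently has no way to request changed-only scanning or auto-remediation and the manifest does not say whether that asymmetry is intended. If it is deliberate (keeping the MCP surface scan-only so that `fix`, which rewrites source files, is reachable only from a CLI session where the resulting diff is reviewed), a comment on the `mcp:` key such as `# changed-only/fix are intentionally CLI-only: auto-remediation rewrites files and must go through interactive diff review` would record that decision; otherwise the two booleans should be mirrored into `input` next to `path: string`. Either way a reader comparing the two entry points today cannot tell which behaviour is the bug.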