@harness-engineering/cli 1.15.0 → 1.17.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (508) hide show
  1. package/dist/agents/commands/codex/AGENTS.md +39 -0
  2. package/dist/agents/commands/codex/harness/add-harness-component/SKILL.md +195 -0
  3. package/dist/agents/commands/codex/harness/add-harness-component/agents/openai.yaml +3 -0
  4. package/dist/agents/commands/codex/harness/cleanup-dead-code/SKILL.md +248 -0
  5. package/dist/agents/commands/codex/harness/cleanup-dead-code/agents/openai.yaml +3 -0
  6. package/dist/agents/commands/codex/harness/detect-doc-drift/SKILL.md +182 -0
  7. package/dist/agents/commands/codex/harness/detect-doc-drift/agents/openai.yaml +3 -0
  8. package/dist/agents/commands/codex/harness/enforce-architecture/SKILL.md +299 -0
  9. package/dist/agents/commands/codex/harness/enforce-architecture/agents/openai.yaml +3 -0
  10. package/dist/agents/commands/codex/harness/harness-architecture-advisor/SKILL.md +452 -0
  11. package/dist/agents/commands/codex/harness/harness-architecture-advisor/agents/openai.yaml +3 -0
  12. package/dist/agents/commands/codex/harness/harness-autopilot/SKILL.md +919 -0
  13. package/dist/agents/commands/codex/harness/harness-autopilot/agents/openai.yaml +3 -0
  14. package/dist/agents/commands/codex/harness/harness-brainstorming/SKILL.md +409 -0
  15. package/dist/agents/commands/codex/harness/harness-brainstorming/agents/openai.yaml +3 -0
  16. package/dist/agents/commands/codex/harness/harness-code-review/SKILL.md +860 -0
  17. package/dist/agents/commands/codex/harness/harness-code-review/agents/openai.yaml +3 -0
  18. package/dist/agents/commands/codex/harness/harness-codebase-cleanup/SKILL.md +227 -0
  19. package/dist/agents/commands/codex/harness/harness-codebase-cleanup/agents/openai.yaml +3 -0
  20. package/dist/agents/commands/codex/harness/harness-debugging/SKILL.md +369 -0
  21. package/dist/agents/commands/codex/harness/harness-debugging/agents/openai.yaml +3 -0
  22. package/dist/agents/commands/codex/harness/harness-dependency-health/SKILL.md +182 -0
  23. package/dist/agents/commands/codex/harness/harness-dependency-health/agents/openai.yaml +3 -0
  24. package/dist/agents/commands/codex/harness/harness-docs-pipeline/SKILL.md +463 -0
  25. package/dist/agents/commands/codex/harness/harness-docs-pipeline/agents/openai.yaml +3 -0
  26. package/dist/agents/commands/codex/harness/harness-execution/SKILL.md +513 -0
  27. package/dist/agents/commands/codex/harness/harness-execution/agents/openai.yaml +3 -0
  28. package/dist/agents/commands/codex/harness/harness-hotspot-detector/SKILL.md +164 -0
  29. package/dist/agents/commands/codex/harness/harness-hotspot-detector/agents/openai.yaml +3 -0
  30. package/dist/agents/commands/codex/harness/harness-impact-analysis/SKILL.md +187 -0
  31. package/dist/agents/commands/codex/harness/harness-impact-analysis/agents/openai.yaml +3 -0
  32. package/dist/agents/commands/codex/harness/harness-integrity/SKILL.md +170 -0
  33. package/dist/agents/commands/codex/harness/harness-integrity/agents/openai.yaml +3 -0
  34. package/dist/agents/commands/codex/harness/harness-onboarding/SKILL.md +291 -0
  35. package/dist/agents/commands/codex/harness/harness-onboarding/agents/openai.yaml +3 -0
  36. package/dist/agents/commands/codex/harness/harness-perf/SKILL.md +263 -0
  37. package/dist/agents/commands/codex/harness/harness-perf/agents/openai.yaml +3 -0
  38. package/dist/agents/commands/codex/harness/harness-planning/SKILL.md +582 -0
  39. package/dist/agents/commands/codex/harness/harness-planning/agents/openai.yaml +3 -0
  40. package/dist/agents/commands/codex/harness/harness-refactoring/SKILL.md +172 -0
  41. package/dist/agents/commands/codex/harness/harness-refactoring/agents/openai.yaml +3 -0
  42. package/dist/agents/commands/codex/harness/harness-release-readiness/SKILL.md +692 -0
  43. package/dist/agents/commands/codex/harness/harness-release-readiness/agents/openai.yaml +3 -0
  44. package/dist/agents/commands/codex/harness/harness-roadmap/SKILL.md +598 -0
  45. package/dist/agents/commands/codex/harness/harness-roadmap/agents/openai.yaml +3 -0
  46. package/dist/agents/commands/codex/harness/harness-security-scan/SKILL.md +157 -0
  47. package/dist/agents/commands/codex/harness/harness-security-scan/agents/openai.yaml +3 -0
  48. package/dist/agents/commands/codex/harness/harness-skill-authoring/SKILL.md +295 -0
  49. package/dist/agents/commands/codex/harness/harness-skill-authoring/agents/openai.yaml +3 -0
  50. package/dist/agents/commands/codex/harness/harness-soundness-review/SKILL.md +1270 -0
  51. package/dist/agents/commands/codex/harness/harness-soundness-review/agents/openai.yaml +3 -0
  52. package/dist/agents/commands/codex/harness/harness-supply-chain-audit/SKILL.md +247 -0
  53. package/dist/agents/commands/codex/harness/harness-supply-chain-audit/agents/openai.yaml +3 -0
  54. package/dist/agents/commands/codex/harness/harness-tdd/SKILL.md +180 -0
  55. package/dist/agents/commands/codex/harness/harness-tdd/agents/openai.yaml +3 -0
  56. package/dist/agents/commands/codex/harness/harness-test-advisor/SKILL.md +163 -0
  57. package/dist/agents/commands/codex/harness/harness-test-advisor/agents/openai.yaml +3 -0
  58. package/dist/agents/commands/codex/harness/harness-verification/SKILL.md +424 -0
  59. package/dist/agents/commands/codex/harness/harness-verification/agents/openai.yaml +3 -0
  60. package/dist/agents/commands/codex/harness/harness-verify/SKILL.md +162 -0
  61. package/dist/agents/commands/codex/harness/harness-verify/agents/openai.yaml +3 -0
  62. package/dist/agents/commands/codex/harness/initialize-harness-project/SKILL.md +235 -0
  63. package/dist/agents/commands/codex/harness/initialize-harness-project/agents/openai.yaml +3 -0
  64. package/dist/agents/commands/cursor/harness/add-harness-component.mdc +200 -0
  65. package/dist/agents/commands/cursor/harness/cleanup-dead-code.mdc +253 -0
  66. package/dist/agents/commands/cursor/harness/detect-doc-drift.mdc +187 -0
  67. package/dist/agents/commands/cursor/harness/enforce-architecture.mdc +304 -0
  68. package/dist/agents/commands/cursor/harness/harness-architecture-advisor.mdc +457 -0
  69. package/dist/agents/commands/cursor/harness/harness-autopilot.mdc +924 -0
  70. package/dist/agents/commands/cursor/harness/harness-brainstorming.mdc +414 -0
  71. package/dist/agents/commands/cursor/harness/harness-code-review.mdc +865 -0
  72. package/dist/agents/commands/cursor/harness/harness-codebase-cleanup.mdc +232 -0
  73. package/dist/agents/commands/cursor/harness/harness-debugging.mdc +374 -0
  74. package/dist/agents/commands/cursor/harness/harness-dependency-health.mdc +187 -0
  75. package/dist/agents/commands/cursor/harness/harness-docs-pipeline.mdc +468 -0
  76. package/dist/agents/commands/cursor/harness/harness-execution.mdc +518 -0
  77. package/dist/agents/commands/cursor/harness/harness-hotspot-detector.mdc +169 -0
  78. package/dist/agents/commands/cursor/harness/harness-impact-analysis.mdc +192 -0
  79. package/dist/agents/commands/cursor/harness/harness-integrity.mdc +175 -0
  80. package/dist/agents/commands/cursor/harness/harness-onboarding.mdc +296 -0
  81. package/dist/agents/commands/cursor/harness/harness-perf.mdc +268 -0
  82. package/dist/agents/commands/cursor/harness/harness-planning.mdc +587 -0
  83. package/dist/agents/commands/cursor/harness/harness-refactoring.mdc +177 -0
  84. package/dist/agents/commands/cursor/harness/harness-release-readiness.mdc +697 -0
  85. package/dist/agents/commands/cursor/harness/harness-roadmap.mdc +603 -0
  86. package/dist/agents/commands/cursor/harness/harness-security-scan.mdc +162 -0
  87. package/dist/agents/commands/cursor/harness/harness-skill-authoring.mdc +300 -0
  88. package/dist/agents/commands/cursor/harness/harness-soundness-review.mdc +1275 -0
  89. package/dist/agents/commands/cursor/harness/harness-supply-chain-audit.mdc +252 -0
  90. package/dist/agents/commands/cursor/harness/harness-tdd.mdc +185 -0
  91. package/dist/agents/commands/cursor/harness/harness-test-advisor.mdc +168 -0
  92. package/dist/agents/commands/cursor/harness/harness-verification.mdc +429 -0
  93. package/dist/agents/commands/cursor/harness/harness-verify.mdc +167 -0
  94. package/dist/agents/commands/cursor/harness/initialize-harness-project.mdc +240 -0
  95. package/dist/agents/skills/claude-code/enforce-architecture/SKILL.md +52 -0
  96. package/dist/agents/skills/claude-code/harness-api-design/SKILL.md +52 -0
  97. package/dist/agents/skills/claude-code/harness-architecture-advisor/SKILL.md +52 -0
  98. package/dist/agents/skills/claude-code/harness-auth/SKILL.md +52 -0
  99. package/dist/agents/skills/claude-code/harness-autopilot/SKILL.md +123 -14
  100. package/dist/agents/skills/claude-code/harness-autopilot/skill.yaml +6 -0
  101. package/dist/agents/skills/claude-code/harness-code-review/SKILL.md +97 -3
  102. package/dist/agents/skills/claude-code/harness-code-review/skill.yaml +6 -0
  103. package/dist/agents/skills/claude-code/harness-codebase-cleanup/SKILL.md +2 -4
  104. package/dist/agents/skills/claude-code/harness-database/SKILL.md +52 -0
  105. package/dist/agents/skills/claude-code/harness-deployment/SKILL.md +52 -0
  106. package/dist/agents/skills/claude-code/harness-planning/SKILL.md +99 -3
  107. package/dist/agents/skills/claude-code/harness-planning/skill.yaml +6 -0
  108. package/dist/agents/skills/claude-code/harness-pre-commit-review/SKILL.md +1 -1
  109. package/dist/agents/skills/claude-code/harness-roadmap-pilot/SKILL.md +204 -0
  110. package/dist/agents/skills/claude-code/harness-roadmap-pilot/skill.yaml +52 -0
  111. package/dist/agents/skills/claude-code/harness-security-review/SKILL.md +27 -7
  112. package/dist/agents/skills/claude-code/harness-security-scan/SKILL.md +52 -0
  113. package/dist/agents/skills/claude-code/harness-supply-chain-audit/SKILL.md +281 -0
  114. package/dist/agents/skills/claude-code/harness-supply-chain-audit/skill.yaml +51 -0
  115. package/dist/agents/skills/codex/add-harness-component/SKILL.md +192 -0
  116. package/dist/agents/skills/codex/add-harness-component/skill.yaml +33 -0
  117. package/dist/agents/skills/codex/align-documentation/SKILL.md +213 -0
  118. package/dist/agents/skills/codex/align-documentation/skill.yaml +32 -0
  119. package/dist/agents/skills/codex/check-mechanical-constraints/SKILL.md +191 -0
  120. package/dist/agents/skills/codex/check-mechanical-constraints/skill.yaml +33 -0
  121. package/dist/agents/skills/codex/cleanup-dead-code/SKILL.md +245 -0
  122. package/dist/agents/skills/codex/cleanup-dead-code/skill.yaml +34 -0
  123. package/dist/agents/skills/codex/detect-doc-drift/SKILL.md +179 -0
  124. package/dist/agents/skills/codex/detect-doc-drift/skill.yaml +31 -0
  125. package/dist/agents/skills/codex/enforce-architecture/SKILL.md +296 -0
  126. package/dist/agents/skills/codex/enforce-architecture/skill.yaml +35 -0
  127. package/dist/agents/skills/codex/harness-accessibility/SKILL.md +281 -0
  128. package/dist/agents/skills/codex/harness-accessibility/skill.yaml +52 -0
  129. package/dist/agents/skills/codex/harness-api-design/SKILL.md +356 -0
  130. package/dist/agents/skills/codex/harness-api-design/skill.yaml +74 -0
  131. package/dist/agents/skills/codex/harness-architecture-advisor/SKILL.md +449 -0
  132. package/dist/agents/skills/codex/harness-architecture-advisor/skill.yaml +49 -0
  133. package/dist/agents/skills/codex/harness-auth/SKILL.md +331 -0
  134. package/dist/agents/skills/codex/harness-auth/skill.yaml +81 -0
  135. package/dist/agents/skills/codex/harness-autopilot/SKILL.md +916 -0
  136. package/dist/agents/skills/codex/harness-autopilot/skill.yaml +67 -0
  137. package/dist/agents/skills/codex/harness-brainstorming/SKILL.md +406 -0
  138. package/dist/agents/skills/codex/harness-brainstorming/skill.yaml +50 -0
  139. package/dist/agents/skills/codex/harness-caching/SKILL.md +309 -0
  140. package/dist/agents/skills/codex/harness-caching/skill.yaml +73 -0
  141. package/dist/agents/skills/codex/harness-chaos/SKILL.md +295 -0
  142. package/dist/agents/skills/codex/harness-chaos/skill.yaml +72 -0
  143. package/dist/agents/skills/codex/harness-code-review/SKILL.md +857 -0
  144. package/dist/agents/skills/codex/harness-code-review/skill.yaml +52 -0
  145. package/dist/agents/skills/codex/harness-codebase-cleanup/SKILL.md +224 -0
  146. package/dist/agents/skills/codex/harness-codebase-cleanup/skill.yaml +65 -0
  147. package/dist/agents/skills/codex/harness-compliance/SKILL.md +303 -0
  148. package/dist/agents/skills/codex/harness-compliance/skill.yaml +78 -0
  149. package/dist/agents/skills/codex/harness-containerization/SKILL.md +284 -0
  150. package/dist/agents/skills/codex/harness-containerization/skill.yaml +80 -0
  151. package/dist/agents/skills/codex/harness-data-pipeline/SKILL.md +274 -0
  152. package/dist/agents/skills/codex/harness-data-pipeline/skill.yaml +81 -0
  153. package/dist/agents/skills/codex/harness-data-validation/SKILL.md +343 -0
  154. package/dist/agents/skills/codex/harness-data-validation/skill.yaml +75 -0
  155. package/dist/agents/skills/codex/harness-database/SKILL.md +310 -0
  156. package/dist/agents/skills/codex/harness-database/skill.yaml +80 -0
  157. package/dist/agents/skills/codex/harness-debugging/SKILL.md +366 -0
  158. package/dist/agents/skills/codex/harness-debugging/skill.yaml +48 -0
  159. package/dist/agents/skills/codex/harness-dependency-health/SKILL.md +179 -0
  160. package/dist/agents/skills/codex/harness-dependency-health/skill.yaml +42 -0
  161. package/dist/agents/skills/codex/harness-deployment/SKILL.md +307 -0
  162. package/dist/agents/skills/codex/harness-deployment/skill.yaml +77 -0
  163. package/dist/agents/skills/codex/harness-design/SKILL.md +265 -0
  164. package/dist/agents/skills/codex/harness-design/skill.yaml +54 -0
  165. package/dist/agents/skills/codex/harness-design-mobile/SKILL.md +336 -0
  166. package/dist/agents/skills/codex/harness-design-mobile/skill.yaml +50 -0
  167. package/dist/agents/skills/codex/harness-design-system/SKILL.md +282 -0
  168. package/dist/agents/skills/codex/harness-design-system/skill.yaml +51 -0
  169. package/dist/agents/skills/codex/harness-design-web/SKILL.md +360 -0
  170. package/dist/agents/skills/codex/harness-design-web/skill.yaml +53 -0
  171. package/dist/agents/skills/codex/harness-diagnostics/SKILL.md +318 -0
  172. package/dist/agents/skills/codex/harness-diagnostics/skill.yaml +51 -0
  173. package/dist/agents/skills/codex/harness-docs-pipeline/SKILL.md +460 -0
  174. package/dist/agents/skills/codex/harness-docs-pipeline/skill.yaml +70 -0
  175. package/dist/agents/skills/codex/harness-dx/SKILL.md +276 -0
  176. package/dist/agents/skills/codex/harness-dx/skill.yaml +76 -0
  177. package/dist/agents/skills/codex/harness-e2e/SKILL.md +245 -0
  178. package/dist/agents/skills/codex/harness-e2e/skill.yaml +78 -0
  179. package/dist/agents/skills/codex/harness-event-driven/SKILL.md +280 -0
  180. package/dist/agents/skills/codex/harness-event-driven/skill.yaml +77 -0
  181. package/dist/agents/skills/codex/harness-execution/SKILL.md +510 -0
  182. package/dist/agents/skills/codex/harness-execution/skill.yaml +52 -0
  183. package/dist/agents/skills/codex/harness-feature-flags/SKILL.md +287 -0
  184. package/dist/agents/skills/codex/harness-feature-flags/skill.yaml +74 -0
  185. package/dist/agents/skills/codex/harness-git-workflow/SKILL.md +268 -0
  186. package/dist/agents/skills/codex/harness-git-workflow/skill.yaml +32 -0
  187. package/dist/agents/skills/codex/harness-hotspot-detector/SKILL.md +161 -0
  188. package/dist/agents/skills/codex/harness-hotspot-detector/skill.yaml +45 -0
  189. package/dist/agents/skills/codex/harness-i18n/SKILL.md +484 -0
  190. package/dist/agents/skills/codex/harness-i18n/skill.yaml +55 -0
  191. package/dist/agents/skills/codex/harness-i18n-process/SKILL.md +388 -0
  192. package/dist/agents/skills/codex/harness-i18n-process/skill.yaml +44 -0
  193. package/dist/agents/skills/codex/harness-i18n-workflow/SKILL.md +512 -0
  194. package/dist/agents/skills/codex/harness-i18n-workflow/skill.yaml +54 -0
  195. package/dist/agents/skills/codex/harness-impact-analysis/SKILL.md +184 -0
  196. package/dist/agents/skills/codex/harness-impact-analysis/skill.yaml +45 -0
  197. package/dist/agents/skills/codex/harness-incident-response/SKILL.md +223 -0
  198. package/dist/agents/skills/codex/harness-incident-response/skill.yaml +78 -0
  199. package/dist/agents/skills/codex/harness-infrastructure-as-code/SKILL.md +279 -0
  200. package/dist/agents/skills/codex/harness-infrastructure-as-code/skill.yaml +80 -0
  201. package/dist/agents/skills/codex/harness-integration-test/SKILL.md +271 -0
  202. package/dist/agents/skills/codex/harness-integration-test/skill.yaml +73 -0
  203. package/dist/agents/skills/codex/harness-integrity/SKILL.md +167 -0
  204. package/dist/agents/skills/codex/harness-integrity/skill.yaml +48 -0
  205. package/dist/agents/skills/codex/harness-knowledge-mapper/SKILL.md +195 -0
  206. package/dist/agents/skills/codex/harness-knowledge-mapper/skill.yaml +50 -0
  207. package/dist/agents/skills/codex/harness-load-testing/SKILL.md +274 -0
  208. package/dist/agents/skills/codex/harness-load-testing/skill.yaml +79 -0
  209. package/dist/agents/skills/codex/harness-ml-ops/SKILL.md +341 -0
  210. package/dist/agents/skills/codex/harness-ml-ops/skill.yaml +79 -0
  211. package/dist/agents/skills/codex/harness-mobile-patterns/SKILL.md +326 -0
  212. package/dist/agents/skills/codex/harness-mobile-patterns/skill.yaml +82 -0
  213. package/dist/agents/skills/codex/harness-mutation-test/SKILL.md +251 -0
  214. package/dist/agents/skills/codex/harness-mutation-test/skill.yaml +70 -0
  215. package/dist/agents/skills/codex/harness-observability/SKILL.md +283 -0
  216. package/dist/agents/skills/codex/harness-observability/skill.yaml +78 -0
  217. package/dist/agents/skills/codex/harness-onboarding/SKILL.md +288 -0
  218. package/dist/agents/skills/codex/harness-onboarding/skill.yaml +31 -0
  219. package/dist/agents/skills/codex/harness-parallel-agents/SKILL.md +256 -0
  220. package/dist/agents/skills/codex/harness-parallel-agents/skill.yaml +34 -0
  221. package/dist/agents/skills/codex/harness-perf/SKILL.md +260 -0
  222. package/dist/agents/skills/codex/harness-perf/skill.yaml +51 -0
  223. package/dist/agents/skills/codex/harness-perf-tdd/SKILL.md +249 -0
  224. package/dist/agents/skills/codex/harness-perf-tdd/skill.yaml +48 -0
  225. package/dist/agents/skills/codex/harness-planning/SKILL.md +579 -0
  226. package/dist/agents/skills/codex/harness-planning/skill.yaml +56 -0
  227. package/dist/agents/skills/codex/harness-pre-commit-review/SKILL.md +324 -0
  228. package/dist/agents/skills/codex/harness-pre-commit-review/skill.yaml +34 -0
  229. package/dist/agents/skills/codex/harness-product-spec/SKILL.md +285 -0
  230. package/dist/agents/skills/codex/harness-product-spec/skill.yaml +72 -0
  231. package/dist/agents/skills/codex/harness-property-test/SKILL.md +281 -0
  232. package/dist/agents/skills/codex/harness-property-test/skill.yaml +71 -0
  233. package/dist/agents/skills/codex/harness-refactoring/SKILL.md +169 -0
  234. package/dist/agents/skills/codex/harness-refactoring/skill.yaml +34 -0
  235. package/dist/agents/skills/codex/harness-release-readiness/SKILL.md +689 -0
  236. package/dist/agents/skills/codex/harness-release-readiness/skill.yaml +58 -0
  237. package/dist/agents/skills/codex/harness-resilience/SKILL.md +255 -0
  238. package/dist/agents/skills/codex/harness-resilience/skill.yaml +76 -0
  239. package/dist/agents/skills/codex/harness-roadmap/SKILL.md +595 -0
  240. package/dist/agents/skills/codex/harness-roadmap/skill.yaml +44 -0
  241. package/dist/agents/skills/codex/harness-roadmap-pilot/SKILL.md +204 -0
  242. package/dist/agents/skills/codex/harness-roadmap-pilot/skill.yaml +52 -0
  243. package/dist/agents/skills/codex/harness-secrets/SKILL.md +293 -0
  244. package/dist/agents/skills/codex/harness-secrets/skill.yaml +76 -0
  245. package/dist/agents/skills/codex/harness-security-review/SKILL.md +260 -0
  246. package/dist/agents/skills/codex/harness-security-review/skill.yaml +53 -0
  247. package/dist/agents/skills/codex/harness-security-scan/SKILL.md +154 -0
  248. package/dist/agents/skills/codex/harness-security-scan/skill.yaml +42 -0
  249. package/dist/agents/skills/codex/harness-skill-authoring/SKILL.md +292 -0
  250. package/dist/agents/skills/codex/harness-skill-authoring/skill.yaml +33 -0
  251. package/dist/agents/skills/codex/harness-soundness-review/SKILL.md +1267 -0
  252. package/dist/agents/skills/codex/harness-soundness-review/skill.yaml +49 -0
  253. package/dist/agents/skills/codex/harness-sql-review/SKILL.md +315 -0
  254. package/dist/agents/skills/codex/harness-sql-review/skill.yaml +74 -0
  255. package/dist/agents/skills/codex/harness-state-management/SKILL.md +309 -0
  256. package/dist/agents/skills/codex/harness-state-management/skill.yaml +33 -0
  257. package/dist/agents/skills/codex/harness-supply-chain-audit/SKILL.md +281 -0
  258. package/dist/agents/skills/codex/harness-supply-chain-audit/skill.yaml +51 -0
  259. package/dist/agents/skills/codex/harness-tdd/SKILL.md +177 -0
  260. package/dist/agents/skills/codex/harness-tdd/skill.yaml +49 -0
  261. package/dist/agents/skills/codex/harness-test-advisor/SKILL.md +160 -0
  262. package/dist/agents/skills/codex/harness-test-advisor/skill.yaml +45 -0
  263. package/dist/agents/skills/codex/harness-test-data/SKILL.md +268 -0
  264. package/dist/agents/skills/codex/harness-test-data/skill.yaml +74 -0
  265. package/dist/agents/skills/codex/harness-ux-copy/SKILL.md +271 -0
  266. package/dist/agents/skills/codex/harness-ux-copy/skill.yaml +77 -0
  267. package/dist/agents/skills/codex/harness-verification/SKILL.md +421 -0
  268. package/dist/agents/skills/codex/harness-verification/skill.yaml +43 -0
  269. package/dist/agents/skills/codex/harness-verify/SKILL.md +159 -0
  270. package/dist/agents/skills/codex/harness-verify/skill.yaml +41 -0
  271. package/dist/agents/skills/codex/harness-visual-regression/SKILL.md +257 -0
  272. package/dist/agents/skills/codex/harness-visual-regression/skill.yaml +74 -0
  273. package/dist/agents/skills/codex/initialize-harness-project/SKILL.md +232 -0
  274. package/dist/agents/skills/codex/initialize-harness-project/skill.yaml +32 -0
  275. package/dist/agents/skills/codex/validate-context-engineering/SKILL.md +150 -0
  276. package/dist/agents/skills/codex/validate-context-engineering/skill.yaml +32 -0
  277. package/dist/agents/skills/cursor/add-harness-component/SKILL.md +192 -0
  278. package/dist/agents/skills/cursor/add-harness-component/skill.yaml +33 -0
  279. package/dist/agents/skills/cursor/align-documentation/SKILL.md +213 -0
  280. package/dist/agents/skills/cursor/align-documentation/skill.yaml +32 -0
  281. package/dist/agents/skills/cursor/check-mechanical-constraints/SKILL.md +191 -0
  282. package/dist/agents/skills/cursor/check-mechanical-constraints/skill.yaml +33 -0
  283. package/dist/agents/skills/cursor/cleanup-dead-code/SKILL.md +245 -0
  284. package/dist/agents/skills/cursor/cleanup-dead-code/skill.yaml +34 -0
  285. package/dist/agents/skills/cursor/detect-doc-drift/SKILL.md +179 -0
  286. package/dist/agents/skills/cursor/detect-doc-drift/skill.yaml +31 -0
  287. package/dist/agents/skills/cursor/enforce-architecture/SKILL.md +296 -0
  288. package/dist/agents/skills/cursor/enforce-architecture/skill.yaml +35 -0
  289. package/dist/agents/skills/cursor/harness-accessibility/SKILL.md +281 -0
  290. package/dist/agents/skills/cursor/harness-accessibility/skill.yaml +52 -0
  291. package/dist/agents/skills/cursor/harness-api-design/SKILL.md +356 -0
  292. package/dist/agents/skills/cursor/harness-api-design/skill.yaml +74 -0
  293. package/dist/agents/skills/cursor/harness-architecture-advisor/SKILL.md +449 -0
  294. package/dist/agents/skills/cursor/harness-architecture-advisor/skill.yaml +49 -0
  295. package/dist/agents/skills/cursor/harness-auth/SKILL.md +331 -0
  296. package/dist/agents/skills/cursor/harness-auth/skill.yaml +81 -0
  297. package/dist/agents/skills/cursor/harness-autopilot/SKILL.md +916 -0
  298. package/dist/agents/skills/cursor/harness-autopilot/skill.yaml +67 -0
  299. package/dist/agents/skills/cursor/harness-brainstorming/SKILL.md +406 -0
  300. package/dist/agents/skills/cursor/harness-brainstorming/skill.yaml +50 -0
  301. package/dist/agents/skills/cursor/harness-caching/SKILL.md +309 -0
  302. package/dist/agents/skills/cursor/harness-caching/skill.yaml +73 -0
  303. package/dist/agents/skills/cursor/harness-chaos/SKILL.md +295 -0
  304. package/dist/agents/skills/cursor/harness-chaos/skill.yaml +72 -0
  305. package/dist/agents/skills/cursor/harness-code-review/SKILL.md +857 -0
  306. package/dist/agents/skills/cursor/harness-code-review/skill.yaml +52 -0
  307. package/dist/agents/skills/cursor/harness-codebase-cleanup/SKILL.md +224 -0
  308. package/dist/agents/skills/cursor/harness-codebase-cleanup/skill.yaml +65 -0
  309. package/dist/agents/skills/cursor/harness-compliance/SKILL.md +303 -0
  310. package/dist/agents/skills/cursor/harness-compliance/skill.yaml +78 -0
  311. package/dist/agents/skills/cursor/harness-containerization/SKILL.md +284 -0
  312. package/dist/agents/skills/cursor/harness-containerization/skill.yaml +80 -0
  313. package/dist/agents/skills/cursor/harness-data-pipeline/SKILL.md +274 -0
  314. package/dist/agents/skills/cursor/harness-data-pipeline/skill.yaml +81 -0
  315. package/dist/agents/skills/cursor/harness-data-validation/SKILL.md +343 -0
  316. package/dist/agents/skills/cursor/harness-data-validation/skill.yaml +75 -0
  317. package/dist/agents/skills/cursor/harness-database/SKILL.md +310 -0
  318. package/dist/agents/skills/cursor/harness-database/skill.yaml +80 -0
  319. package/dist/agents/skills/cursor/harness-debugging/SKILL.md +366 -0
  320. package/dist/agents/skills/cursor/harness-debugging/skill.yaml +48 -0
  321. package/dist/agents/skills/cursor/harness-dependency-health/SKILL.md +179 -0
  322. package/dist/agents/skills/cursor/harness-dependency-health/skill.yaml +42 -0
  323. package/dist/agents/skills/cursor/harness-deployment/SKILL.md +307 -0
  324. package/dist/agents/skills/cursor/harness-deployment/skill.yaml +77 -0
  325. package/dist/agents/skills/cursor/harness-design/SKILL.md +265 -0
  326. package/dist/agents/skills/cursor/harness-design/skill.yaml +54 -0
  327. package/dist/agents/skills/cursor/harness-design-mobile/SKILL.md +336 -0
  328. package/dist/agents/skills/cursor/harness-design-mobile/skill.yaml +50 -0
  329. package/dist/agents/skills/cursor/harness-design-system/SKILL.md +282 -0
  330. package/dist/agents/skills/cursor/harness-design-system/skill.yaml +51 -0
  331. package/dist/agents/skills/cursor/harness-design-web/SKILL.md +360 -0
  332. package/dist/agents/skills/cursor/harness-design-web/skill.yaml +53 -0
  333. package/dist/agents/skills/cursor/harness-diagnostics/SKILL.md +318 -0
  334. package/dist/agents/skills/cursor/harness-diagnostics/skill.yaml +51 -0
  335. package/dist/agents/skills/cursor/harness-docs-pipeline/SKILL.md +460 -0
  336. package/dist/agents/skills/cursor/harness-docs-pipeline/skill.yaml +70 -0
  337. package/dist/agents/skills/cursor/harness-dx/SKILL.md +276 -0
  338. package/dist/agents/skills/cursor/harness-dx/skill.yaml +76 -0
  339. package/dist/agents/skills/cursor/harness-e2e/SKILL.md +245 -0
  340. package/dist/agents/skills/cursor/harness-e2e/skill.yaml +78 -0
  341. package/dist/agents/skills/cursor/harness-event-driven/SKILL.md +280 -0
  342. package/dist/agents/skills/cursor/harness-event-driven/skill.yaml +77 -0
  343. package/dist/agents/skills/cursor/harness-execution/SKILL.md +510 -0
  344. package/dist/agents/skills/cursor/harness-execution/skill.yaml +52 -0
  345. package/dist/agents/skills/cursor/harness-feature-flags/SKILL.md +287 -0
  346. package/dist/agents/skills/cursor/harness-feature-flags/skill.yaml +74 -0
  347. package/dist/agents/skills/cursor/harness-git-workflow/SKILL.md +268 -0
  348. package/dist/agents/skills/cursor/harness-git-workflow/skill.yaml +32 -0
  349. package/dist/agents/skills/cursor/harness-hotspot-detector/SKILL.md +161 -0
  350. package/dist/agents/skills/cursor/harness-hotspot-detector/skill.yaml +45 -0
  351. package/dist/agents/skills/cursor/harness-i18n/SKILL.md +484 -0
  352. package/dist/agents/skills/cursor/harness-i18n/skill.yaml +55 -0
  353. package/dist/agents/skills/cursor/harness-i18n-process/SKILL.md +388 -0
  354. package/dist/agents/skills/cursor/harness-i18n-process/skill.yaml +44 -0
  355. package/dist/agents/skills/cursor/harness-i18n-workflow/SKILL.md +512 -0
  356. package/dist/agents/skills/cursor/harness-i18n-workflow/skill.yaml +54 -0
  357. package/dist/agents/skills/cursor/harness-impact-analysis/SKILL.md +184 -0
  358. package/dist/agents/skills/cursor/harness-impact-analysis/skill.yaml +45 -0
  359. package/dist/agents/skills/cursor/harness-incident-response/SKILL.md +223 -0
  360. package/dist/agents/skills/cursor/harness-incident-response/skill.yaml +78 -0
  361. package/dist/agents/skills/cursor/harness-infrastructure-as-code/SKILL.md +279 -0
  362. package/dist/agents/skills/cursor/harness-infrastructure-as-code/skill.yaml +80 -0
  363. package/dist/agents/skills/cursor/harness-integration-test/SKILL.md +271 -0
  364. package/dist/agents/skills/cursor/harness-integration-test/skill.yaml +73 -0
  365. package/dist/agents/skills/cursor/harness-integrity/SKILL.md +167 -0
  366. package/dist/agents/skills/cursor/harness-integrity/skill.yaml +48 -0
  367. package/dist/agents/skills/cursor/harness-knowledge-mapper/SKILL.md +195 -0
  368. package/dist/agents/skills/cursor/harness-knowledge-mapper/skill.yaml +50 -0
  369. package/dist/agents/skills/cursor/harness-load-testing/SKILL.md +274 -0
  370. package/dist/agents/skills/cursor/harness-load-testing/skill.yaml +79 -0
  371. package/dist/agents/skills/cursor/harness-ml-ops/SKILL.md +341 -0
  372. package/dist/agents/skills/cursor/harness-ml-ops/skill.yaml +79 -0
  373. package/dist/agents/skills/cursor/harness-mobile-patterns/SKILL.md +326 -0
  374. package/dist/agents/skills/cursor/harness-mobile-patterns/skill.yaml +82 -0
  375. package/dist/agents/skills/cursor/harness-mutation-test/SKILL.md +251 -0
  376. package/dist/agents/skills/cursor/harness-mutation-test/skill.yaml +70 -0
  377. package/dist/agents/skills/cursor/harness-observability/SKILL.md +283 -0
  378. package/dist/agents/skills/cursor/harness-observability/skill.yaml +78 -0
  379. package/dist/agents/skills/cursor/harness-onboarding/SKILL.md +288 -0
  380. package/dist/agents/skills/cursor/harness-onboarding/skill.yaml +31 -0
  381. package/dist/agents/skills/cursor/harness-parallel-agents/SKILL.md +256 -0
  382. package/dist/agents/skills/cursor/harness-parallel-agents/skill.yaml +34 -0
  383. package/dist/agents/skills/cursor/harness-perf/SKILL.md +260 -0
  384. package/dist/agents/skills/cursor/harness-perf/skill.yaml +51 -0
  385. package/dist/agents/skills/cursor/harness-perf-tdd/SKILL.md +249 -0
  386. package/dist/agents/skills/cursor/harness-perf-tdd/skill.yaml +48 -0
  387. package/dist/agents/skills/cursor/harness-planning/SKILL.md +579 -0
  388. package/dist/agents/skills/cursor/harness-planning/skill.yaml +56 -0
  389. package/dist/agents/skills/cursor/harness-pre-commit-review/SKILL.md +324 -0
  390. package/dist/agents/skills/cursor/harness-pre-commit-review/skill.yaml +34 -0
  391. package/dist/agents/skills/cursor/harness-product-spec/SKILL.md +285 -0
  392. package/dist/agents/skills/cursor/harness-product-spec/skill.yaml +72 -0
  393. package/dist/agents/skills/cursor/harness-property-test/SKILL.md +281 -0
  394. package/dist/agents/skills/cursor/harness-property-test/skill.yaml +71 -0
  395. package/dist/agents/skills/cursor/harness-refactoring/SKILL.md +169 -0
  396. package/dist/agents/skills/cursor/harness-refactoring/skill.yaml +34 -0
  397. package/dist/agents/skills/cursor/harness-release-readiness/SKILL.md +689 -0
  398. package/dist/agents/skills/cursor/harness-release-readiness/skill.yaml +58 -0
  399. package/dist/agents/skills/cursor/harness-resilience/SKILL.md +255 -0
  400. package/dist/agents/skills/cursor/harness-resilience/skill.yaml +76 -0
  401. package/dist/agents/skills/cursor/harness-roadmap/SKILL.md +595 -0
  402. package/dist/agents/skills/cursor/harness-roadmap/skill.yaml +44 -0
  403. package/dist/agents/skills/cursor/harness-roadmap-pilot/SKILL.md +204 -0
  404. package/dist/agents/skills/cursor/harness-roadmap-pilot/skill.yaml +52 -0
  405. package/dist/agents/skills/cursor/harness-secrets/SKILL.md +293 -0
  406. package/dist/agents/skills/cursor/harness-secrets/skill.yaml +76 -0
  407. package/dist/agents/skills/cursor/harness-security-review/SKILL.md +260 -0
  408. package/dist/agents/skills/cursor/harness-security-review/skill.yaml +53 -0
  409. package/dist/agents/skills/cursor/harness-security-scan/SKILL.md +154 -0
  410. package/dist/agents/skills/cursor/harness-security-scan/skill.yaml +42 -0
  411. package/dist/agents/skills/cursor/harness-skill-authoring/SKILL.md +292 -0
  412. package/dist/agents/skills/cursor/harness-skill-authoring/skill.yaml +33 -0
  413. package/dist/agents/skills/cursor/harness-soundness-review/SKILL.md +1267 -0
  414. package/dist/agents/skills/cursor/harness-soundness-review/skill.yaml +49 -0
  415. package/dist/agents/skills/cursor/harness-sql-review/SKILL.md +315 -0
  416. package/dist/agents/skills/cursor/harness-sql-review/skill.yaml +74 -0
  417. package/dist/agents/skills/cursor/harness-state-management/SKILL.md +309 -0
  418. package/dist/agents/skills/cursor/harness-state-management/skill.yaml +33 -0
  419. package/dist/agents/skills/cursor/harness-supply-chain-audit/SKILL.md +281 -0
  420. package/dist/agents/skills/cursor/harness-supply-chain-audit/skill.yaml +51 -0
  421. package/dist/agents/skills/cursor/harness-tdd/SKILL.md +177 -0
  422. package/dist/agents/skills/cursor/harness-tdd/skill.yaml +49 -0
  423. package/dist/agents/skills/cursor/harness-test-advisor/SKILL.md +160 -0
  424. package/dist/agents/skills/cursor/harness-test-advisor/skill.yaml +45 -0
  425. package/dist/agents/skills/cursor/harness-test-data/SKILL.md +268 -0
  426. package/dist/agents/skills/cursor/harness-test-data/skill.yaml +74 -0
  427. package/dist/agents/skills/cursor/harness-ux-copy/SKILL.md +271 -0
  428. package/dist/agents/skills/cursor/harness-ux-copy/skill.yaml +77 -0
  429. package/dist/agents/skills/cursor/harness-verification/SKILL.md +421 -0
  430. package/dist/agents/skills/cursor/harness-verification/skill.yaml +43 -0
  431. package/dist/agents/skills/cursor/harness-verify/SKILL.md +159 -0
  432. package/dist/agents/skills/cursor/harness-verify/skill.yaml +41 -0
  433. package/dist/agents/skills/cursor/harness-visual-regression/SKILL.md +257 -0
  434. package/dist/agents/skills/cursor/harness-visual-regression/skill.yaml +74 -0
  435. package/dist/agents/skills/cursor/initialize-harness-project/SKILL.md +232 -0
  436. package/dist/agents/skills/cursor/initialize-harness-project/skill.yaml +32 -0
  437. package/dist/agents/skills/cursor/validate-context-engineering/SKILL.md +150 -0
  438. package/dist/agents/skills/cursor/validate-context-engineering/skill.yaml +32 -0
  439. package/dist/agents/skills/gemini-cli/enforce-architecture/SKILL.md +52 -0
  440. package/dist/agents/skills/gemini-cli/harness-api-design/SKILL.md +52 -0
  441. package/dist/agents/skills/gemini-cli/harness-architecture-advisor/SKILL.md +52 -0
  442. package/dist/agents/skills/gemini-cli/harness-auth/SKILL.md +52 -0
  443. package/dist/agents/skills/gemini-cli/harness-autopilot/SKILL.md +123 -14
  444. package/dist/agents/skills/gemini-cli/harness-autopilot/skill.yaml +6 -0
  445. package/dist/agents/skills/gemini-cli/harness-code-review/SKILL.md +97 -3
  446. package/dist/agents/skills/gemini-cli/harness-code-review/skill.yaml +6 -0
  447. package/dist/agents/skills/gemini-cli/harness-codebase-cleanup/SKILL.md +2 -4
  448. package/dist/agents/skills/gemini-cli/harness-database/SKILL.md +52 -0
  449. package/dist/agents/skills/gemini-cli/harness-deployment/SKILL.md +52 -0
  450. package/dist/agents/skills/gemini-cli/harness-planning/SKILL.md +99 -3
  451. package/dist/agents/skills/gemini-cli/harness-planning/skill.yaml +6 -0
  452. package/dist/agents/skills/gemini-cli/harness-pre-commit-review/SKILL.md +1 -1
  453. package/dist/agents/skills/gemini-cli/harness-roadmap-pilot/SKILL.md +204 -0
  454. package/dist/agents/skills/gemini-cli/harness-roadmap-pilot/skill.yaml +52 -0
  455. package/dist/agents/skills/gemini-cli/harness-security-review/SKILL.md +27 -7
  456. package/dist/agents/skills/gemini-cli/harness-security-scan/SKILL.md +52 -0
  457. package/dist/agents/skills/gemini-cli/harness-supply-chain-audit/SKILL.md +281 -0
  458. package/dist/agents/skills/gemini-cli/harness-supply-chain-audit/skill.yaml +51 -0
  459. package/dist/agents/skills/package.json +5 -5
  460. package/dist/agents/skills/templates/discipline-template.md +49 -0
  461. package/dist/agents/skills/tests/schema.ts +1 -1
  462. package/dist/{agents-md-ZGNIDWAF.js → agents-md-DUYNKHJZ.js} +1 -1
  463. package/dist/{architecture-ZLIH5533.js → architecture-UBO5KKUV.js} +2 -2
  464. package/dist/bin/harness-mcp.js +14 -14
  465. package/dist/bin/harness.js +20 -20
  466. package/dist/{check-phase-gate-ZOXVBDCN.js → check-phase-gate-OSHN2AEL.js} +3 -3
  467. package/dist/{chunk-NNHDDXYT.js → chunk-2DMIQ35P.js} +486 -132
  468. package/dist/{chunk-OFXQSFOW.js → chunk-5FM64G6D.js} +2 -2
  469. package/dist/{chunk-RCWZBSK5.js → chunk-6KWBH4EO.js} +1 -1
  470. package/dist/{chunk-LGYBN7Y6.js → chunk-ABQUCXRE.js} +2 -1
  471. package/dist/{chunk-VEPAJXBW.js → chunk-APNPXLB2.js} +4 -4
  472. package/dist/{chunk-ZOAWBDWU.js → chunk-CJDVBBPB.js} +5 -1
  473. package/dist/{chunk-FTMXDOR6.js → chunk-CZZXE6BL.js} +1 -1
  474. package/dist/{chunk-N25INEIX.js → chunk-GWXP3JVA.js} +3 -3
  475. package/dist/{chunk-XYLGHKG6.js → chunk-HKUX2X7O.js} +11 -2
  476. package/dist/{chunk-YBJ262QL.js → chunk-LRG3B43J.js} +1 -1
  477. package/dist/{chunk-AOZRDOIP.js → chunk-M6TIO6NF.js} +1 -1
  478. package/dist/{chunk-J4RAX7YB.js → chunk-OA3MOZGG.js} +1683 -507
  479. package/dist/{chunk-YLXFKVJE.js → chunk-OHZVGIPE.js} +9 -9
  480. package/dist/{chunk-2BKLWLY6.js → chunk-QSRRBNLY.js} +8 -8
  481. package/dist/{chunk-3ZZKVN62.js → chunk-TG7IUJ3J.js} +1 -1
  482. package/dist/{chunk-EDXIVMAP.js → chunk-TZIHFNEG.js} +20 -6
  483. package/dist/{chunk-ND2ENWDM.js → chunk-UX3JHYEA.js} +1 -1
  484. package/dist/{chunk-Z2OOPXJO.js → chunk-VF23UTNB.js} +1771 -164
  485. package/dist/{chunk-7MJAPE3Z.js → chunk-YLN34N65.js} +1 -0
  486. package/dist/{chunk-B2HKP423.js → chunk-ZA2I7S3E.js} +28 -1
  487. package/dist/{ci-workflow-765LSHRD.js → ci-workflow-FJZMNZPT.js} +1 -1
  488. package/dist/{create-skill-XSWHMSM5.js → create-skill-NDXQSTIK.js} +2 -2
  489. package/dist/{dist-ALQDD67R.js → dist-MF5BK5AD.js} +77 -1
  490. package/dist/{dist-B26DFXMP.js → dist-U7EAO6T2.js} +110 -60
  491. package/dist/{docs-NRMQCOJ6.js → docs-WZHW4N4P.js} +3 -3
  492. package/dist/{engine-3RB7MXPP.js → engine-VS6ZJ2VZ.js} +2 -2
  493. package/dist/{entropy-6AGX2ZUN.js → entropy-FCIGJIIT.js} +2 -2
  494. package/dist/{feedback-MY4QZIFD.js → feedback-O3FYTZIE.js} +1 -1
  495. package/dist/{generate-agent-definitions-ZAE726AU.js → generate-agent-definitions-EYG263XD.js} +3 -3
  496. package/dist/{graph-loader-2M2HXDQI.js → graph-loader-KMHDQYDT.js} +1 -1
  497. package/dist/index.d.ts +95 -15
  498. package/dist/index.js +20 -20
  499. package/dist/{loader-UUTVMQCC.js → loader-B4XWX4K6.js} +1 -1
  500. package/dist/{mcp-VU5FMO52.js → mcp-DVVUODN7.js} +14 -14
  501. package/dist/{performance-2D7G6NMJ.js → performance-NMJDV6HF.js} +4 -2
  502. package/dist/{review-pipeline-RAQ55ISU.js → review-pipeline-MSEJWTKM.js} +1 -1
  503. package/dist/{runtime-BCK5RRZQ.js → runtime-YHVLJNPG.js} +1 -1
  504. package/dist/{security-2RPQEN62.js → security-HTDKKGMX.js} +1 -1
  505. package/dist/{skill-executor-XZLYZYAK.js → skill-executor-XEVDGXUM.js} +2 -2
  506. package/dist/{validate-KBYQAEWE.js → validate-SPSTH2YW.js} +2 -2
  507. package/dist/{validate-cross-check-OABMREW4.js → validate-cross-check-YTDWIMFI.js} +1 -1
  508. package/package.json +20 -20
package/dist/agents/skills/codex/harness-security-review/SKILL.md ADDED
@@ -0,0 +1,260 @@
1
+ # Harness Security Review
2
+
3
+ > Deep security audit combining mechanical scanning with AI-powered vulnerability analysis. OWASP baseline + stack-adaptive rules + optional threat modeling.
4
+
5
+ ## When to Use
6
+
7
+ - Before a release or security-sensitive merge
8
+ - After updating dependencies (supply chain risk)
9
+ - When auditing a new or unfamiliar codebase
10
+ - When `on_pr` triggers fire on security-sensitive paths
11
+ - NOT for quick pre-commit checks (use harness-pre-commit-review for that)
12
+ - NOT for general code review (use harness-code-review for that)
13
+
14
+ ## Scope Adaptation
15
+
16
+ This skill adapts its behavior based on invocation context — standalone or as part of the code review pipeline.
17
+
18
+ ### Detection
19
+
20
+ Check for `pipelineContext` in `.harness/handoff.json`. If present, run in **changed-files mode**. Otherwise, run in **full mode**.
21
+
22
+ ```bash
23
+ # Check for pipeline context
24
+ cat .harness/handoff.json 2>/dev/null | grep -q '"pipelineContext"'
25
+ ```
26
+
27
+ ### Changed-Files Mode (Code Review Pipeline)
28
+
29
+ When invoked from the code review pipeline (Phase 4 fan-out, security slot):
30
+
31
+ - **Phase 1 (SCAN): SKIPPED.** The mechanical security scan already ran in code review Phase 2. Read the mechanical findings from `PipelineContext.findings` where `domain === 'security'` instead of re-running `run_security_scan`.
32
+ - **Phase 2 (REVIEW):** Run OWASP baseline + stack-adaptive analysis on **changed files only** plus their direct imports (for data flow tracing). The changed file list is provided in the context bundle from the pipeline.
33
+ - **Phase 3 (THREAT-MODEL): SKIPPED** unless `--deep` flag was passed through from code review.
34
+ - **Phase 4 (REPORT): SKIPPED.** Return findings as `ReviewFinding[]` to the pipeline. The pipeline handles output formatting (Phase 7).
35
+
36
+ Findings returned in this mode **must** use the `ReviewFinding` schema with populated security fields (`cweId`, `owaspCategory`, `confidence`, `remediation`, `references`).
37
+
38
+ ### Full Mode (Standalone)
39
+
40
+ When invoked directly (no PipelineContext):
41
+
42
+ - All phases run as documented below (Phase 1 through Phase 4).
43
+ - Output is the standalone security report format.
44
+ - This is the existing behavior — no changes.
45
+
46
+ ## Principle: Layered Security
47
+
48
+ This skill follows the Deterministic-vs-LLM Responsibility Split principle. The mechanical scanner runs first and catches what patterns can catch. The AI review then looks for semantic issues that patterns miss — user input flowing through multiple functions to a dangerous sink, missing authorization checks, logic flaws in authentication flows.
49
+
50
+ ## Process
51
+
52
+ ### Phase 1: SCAN — Mechanical Security Scanner (full mode only)
53
+
54
+ > **Note:** This phase is skipped in changed-files mode. See [Scope Adaptation](#scope-adaptation) above.
55
+
56
+ Run the built-in security scanner against the project.
57
+
58
+ 1. **Run the scanner.** Use the `harness check-security` CLI command:
59
+
60
+ ```bash
61
+ harness check-security
62
+ ```
63
+
64
+ For machine-readable output, add `--json`. For scanning only changed files, add `--changed-only`.
65
+
66
+ 2. **Review findings.** Categorize by severity:
67
+ - **Error (blocking):** Must fix before merge — secrets, injection, eval, weak crypto
68
+ - **Warning (review):** Should fix — CORS wildcards, disabled TLS, path traversal patterns
69
+ - **Info (note):** Consider — HTTP URLs, missing security headers
70
+
71
+ 3. **Report mechanical findings.** Present each finding with:
72
+ - Rule ID and name
73
+ - File, line number, matched code
74
+ - Remediation guidance
75
+ - CWE/OWASP reference
76
+
77
+ ### Phase 2: REVIEW — AI-Powered Security Analysis
78
+
79
+ After mechanical scanning, perform deeper AI analysis.
80
+
81
+ #### OWASP Baseline (always runs)
82
+
83
+ Review the codebase against OWASP Top 10 and CWE Top 25:
84
+
85
+ 1. **Injection (CWE-89, CWE-78, CWE-79):** Look for user input flowing to SQL queries, shell commands, or HTML output without sanitization. Trace data flow across function boundaries — patterns only catch single-line issues.
86
+
87
+ 2. **Broken Authentication (CWE-287):** Check for weak session management, missing MFA enforcement, hardcoded credentials, predictable tokens.
88
+
89
+ 3. **Sensitive Data Exposure (CWE-200):** Look for PII logged to console/files, sensitive data in error messages, missing encryption for data at rest or in transit.
90
+
91
+ 4. **Broken Access Control (CWE-862):** Check for missing authorization on API endpoints, IDOR vulnerabilities, privilege escalation paths.
92
+
93
+ 5. **Security Misconfiguration (CWE-16):** Check for debug mode in production configs, default credentials, overly permissive CORS, missing security headers.
94
+
95
+ #### Stack-Adaptive Review (based on detected tech)
96
+
97
+ After the OWASP baseline, add stack-specific checks:
98
+
99
+ - **Node.js:** Prototype pollution via `Object.assign` or spread on user input, `__proto__` injection, unhandled promise rejections exposing stack traces
100
+ - **Express:** Missing helmet, rate limiting, CSRF protection, body parser limits
101
+ - **React:** XSS via `dangerouslySetInnerHTML`, sensitive data in client state, insecure `postMessage` listeners
102
+ - **Go:** Race conditions in concurrent handlers, `unsafe.Pointer` usage, format string injection
103
+
104
+ #### Insecure Defaults Analysis
105
+
106
+ For each configuration variable that controls a security feature (auth, encryption, TLS, CORS, rate limiting), verify:
107
+
108
+ - Does the feature **fail-closed** (error/deny) when configuration is missing?
109
+ - Or does it **fail-open** (degrade to permissive/disabled)?
110
+ - Trace fallback chains: `config.x ?? env.Y ?? default` — is the final default secure?
111
+
112
+ Patterns the mechanical `SEC-DEF-*` rules cannot catch (focus here):
113
+
114
+ - Multi-line fallback chains where the insecure default is not adjacent to the security variable name
115
+ - Conditional logic that enables security features only in specific environments (e.g., `if (isProd) enableTLS()`)
116
+ - Error handlers that swallow failures in auth, session, or token validation code (multi-line `catch` blocks)
117
+ - Silent type coercions that convert truthy env vars to falsy values
118
+
119
+ **Rationalizations to reject** (adapted from Trail of Bits):
120
+
121
+ - "The default is only used in development" — production deployments inherit defaults when config is missing
122
+ - "The env var will always be set" — missing env vars are the #1 cause of fail-open in production
123
+ - "The catch block will be filled in later" — empty auth catch blocks ship to production
124
+ - "It's behind a feature flag" — feature flags can be inadvertently enabled or disabled
125
+
126
+ ### Phase 3: THREAT-MODEL (optional, `--deep` flag; full mode or explicit `--deep` in pipeline)
127
+
128
+ When invoked with `--deep`, build a lightweight threat model:
129
+
130
+ 1. **Identify entry points.** Find all HTTP routes, API endpoints, message handlers, CLI commands, and file upload handlers.
131
+
132
+ 2. **Map trust boundaries.** Where does data cross from untrusted (user input, external APIs) to trusted (database queries, file system, internal services)?
133
+
134
+ 3. **Trace data flows.** For each entry point, trace how user-controlled data flows through the system. Use the knowledge graph if available (`query_graph`, `get_relationships`).
135
+
136
+ 4. **Identify threat scenarios.** For each trust boundary crossing, ask:
137
+ - What if this input is malicious?
138
+ - What is the worst-case impact?
139
+ - What controls are in place?
140
+
141
+ 5. **Report threat model.** Present as a table:
142
+ | Entry Point | Data Flow | Trust Boundary | Threats | Controls | Risk |
143
+ |-------------|-----------|----------------|---------|----------|------|
144
+
145
+ ### Phase 4: REPORT — Consolidated Findings
146
+
147
+ Produce a unified security report:
148
+
149
+ ```
150
+ Security Review: [PASS/WARN/FAIL]
151
+
152
+ Mechanical Scanner:
153
+ - Scanned: N files, M rules applied
154
+ - Coverage: baseline/enhanced
155
+ - Errors: N | Warnings: N | Info: N
156
+
157
+ [List each finding with rule ID, file:line, severity, and remediation]
158
+
159
+ AI Review:
160
+ - OWASP Baseline: [findings or "No issues found"]
161
+ - Stack-Adaptive ([detected stacks]): [findings or "No issues found"]
162
+
163
+ [If --deep]
164
+ Threat Model:
165
+ - Entry points: N
166
+ - Trust boundaries: N
167
+ - High-risk flows: [list]
168
+ ```
169
+
170
+ ## Harness Integration
171
+
172
+ - **`harness check-security`** — Run the mechanical scanner via CLI. Use `--json` for machine-readable output.
173
+ - **`harness validate`** — Standard project health check
174
+ - **`query_graph` / `get_relationships`** — Used in threat modeling phase for data flow tracing
175
+ - **`get_impact`** — Understand blast radius of security-sensitive changes
176
+
177
+ ## Gates
178
+
179
+ - **Mechanical scanner must run before AI review.** The scanner catches what patterns can catch; AI reviews what remains.
180
+ - **Error-severity findings are blocking.** The report must be FAIL if any error-severity finding exists.
181
+ - **AI review must reference specific code.** No vague warnings like "consider improving security." Every finding must point to a file, line, and specific issue.
182
+ - **Threat model is optional.** Only runs with `--deep`. Do not run it unless explicitly requested.
183
+
184
+ ## Success Criteria
185
+
186
+ - Mechanical scanner ran and produced findings (or confirmed clean)
187
+ - AI review covered OWASP Top 10 baseline
188
+ - Stack-adaptive checks matched the detected technology
189
+ - Every finding includes file, line, CWE reference, and remediation
190
+ - Report follows the structured format
191
+ - Error-severity findings result in FAIL status
192
+
193
+ ## Escalation
194
+
195
+ - **Scanner finds secrets in committed code:** Flag immediately. Recommend rotating the compromised credentials. This is urgent regardless of other findings.
196
+ - **AI review finds a critical vulnerability (RCE, SQLi, auth bypass):** Mark as blocking. Do not approve the PR. Provide exact remediation code.
197
+ - **Conflict between scanner and AI review:** If the scanner flags something the AI thinks is a false positive, include both perspectives in the report. Let the human decide.
198
+ - **Scope too large for meaningful review:** If the project has >1000 source files, recommend scoping the review to changed files or a specific subsystem.
199
+
200
+ ## Examples
201
+
202
+ ### Example: Clean Scan
203
+
204
+ ```
205
+ Security Review: PASS
206
+
207
+ Mechanical Scanner:
208
+ - Scanned: 42 files, 22 rules applied
209
+ - Coverage: baseline
210
+ - Errors: 0 | Warnings: 0 | Info: 0
211
+
212
+ AI Review:
213
+ - OWASP Baseline: No issues found
214
+ - Stack-Adaptive (node, express): No issues found
215
+ ```
216
+
217
+ ### Example: Findings Detected
218
+
219
+ ```
220
+ Security Review: FAIL
221
+
222
+ Mechanical Scanner:
223
+ - Scanned: 42 files, 22 rules applied
224
+ - Coverage: baseline
225
+ - Errors: 2 | Warnings: 1 | Info: 0
226
+
227
+ Findings:
228
+ 1. [SEC-SEC-002] ERROR src/config.ts:12 — Hardcoded API key or secret detected
229
+ Remediation: Use environment variables: process.env.API_KEY
230
+ 2. [SEC-INJ-002] ERROR src/db.ts:45 — SQL query built with string concatenation
231
+ Remediation: Use parameterized queries: query("SELECT * FROM users WHERE id = $1", [id])
232
+ 3. [SEC-NET-001] WARNING src/cors.ts:8 — CORS wildcard origin allows any website to make requests
233
+ Remediation: Restrict CORS to specific trusted origins
234
+
235
+ AI Review:
236
+ - OWASP Baseline: 1 finding — user input from req.params.id flows through formatQuery() to db.execute() without sanitization (confirms SEC-INJ-002 with data flow trace)
237
+ - Stack-Adaptive (node, express): Missing helmet middleware, missing rate limiting on /api/* routes
238
+ ```
239
+
240
+ ### Example: Deep Audit with Threat Model
241
+
242
+ ```
243
+ Security Review: WARN
244
+
245
+ Mechanical Scanner:
246
+ - Scanned: 120 files, 30 rules applied
247
+ - Coverage: baseline
248
+ - Errors: 0 | Warnings: 2 | Info: 3
249
+
250
+ AI Review:
251
+ - OWASP Baseline: No critical issues
252
+ - Stack-Adaptive (node, react): localStorage used for session token (SEC-REACT-001)
253
+
254
+ Threat Model:
255
+ - Entry points: 12 (8 REST endpoints, 2 WebSocket handlers, 2 CLI commands)
256
+ - Trust boundaries: 4 (client→API, API→database, API→external service, CLI→filesystem)
257
+ - High-risk flows:
258
+ 1. POST /api/upload → file stored to disk without size limit or type validation
259
+ 2. WebSocket message handler passes user data to eval-like template engine
260
+ ```
package/dist/agents/skills/codex/harness-security-review/skill.yaml ADDED
@@ -0,0 +1,53 @@
1
+ name: harness-security-review
2
+ version: "1.0.0"
3
+ description: Deep security audit with OWASP baseline and stack-adaptive analysis
4
+ cognitive_mode: meticulous-implementer
5
+ triggers:
6
+ - manual
7
+ - on_pr
8
+ platforms:
9
+ - claude-code
10
+ - gemini-cli
11
+ tools:
12
+ - Bash
13
+ - Read
14
+ - Write
15
+ - Edit
16
+ - Glob
17
+ - Grep
18
+ cli:
19
+ command: harness skill run harness-security-review
20
+ args:
21
+ - name: path
22
+ description: Project root path
23
+ required: false
24
+ - name: deep
25
+ description: Enable threat modeling phase
26
+ required: false
27
+ - name: scope
28
+ description: "Scope mode: 'changed-files' or 'full'. Auto-detected from PipelineContext when omitted."
29
+ required: false
30
+ mcp:
31
+ tool: run_skill
32
+ input:
33
+ skill: harness-security-review
34
+ path: string
35
+ type: rigid
36
+ tier: 3
37
+ phases:
38
+ - name: scan
39
+ description: Run mechanical security scanner (skipped in changed-files mode)
40
+ required: false
41
+ - name: review
42
+ description: AI-powered security review (OWASP + stack-adaptive)
43
+ required: true
44
+ - name: threat-model
45
+ description: Lightweight threat model from codebase graph
46
+ required: false
47
+ - name: report
48
+ description: Generate findings report with remediation guidance (skipped in pipeline mode)
49
+ required: false
50
+ state:
51
+ persistent: false
52
+ files: []
53
+ depends_on: []
package/dist/agents/skills/codex/harness-security-scan/SKILL.md ADDED
@@ -0,0 +1,154 @@
1
+ # Harness Security Scan
2
+
3
+ > Lightweight mechanical security scan. Fast triage, not deep review.
4
+
5
+ ## When to Use
6
+
7
+ - As part of the codebase-health-analyst sweep
8
+ - For quick security triage on a project or changed files
9
+ - On scheduled cron runs for continuous security coverage
10
+ - NOT for deep security review (use harness-security-review)
11
+ - NOT for threat modeling (use harness-security-review --deep)
12
+
13
+ ## Process
14
+
15
+ ### Phase 1: SCAN — Run Mechanical Scanner
16
+
17
+ 1. **Resolve project root.** Use provided path or cwd.
18
+
19
+ 2. **Load security config.** Read `harness.config.json` and extract `security`
20
+ section. Fall back to defaults if absent.
21
+
22
+ 3. **Determine file scope.**
23
+ - If `--changed-only` or triggered by PR: run `git diff --name-only HEAD~1`
24
+ to get changed files. Filter to source files only (exclude node_modules,
25
+ dist, test files per config).
26
+ - Otherwise: scan all source files in the project.
27
+
28
+ 4. **Run SecurityScanner.** Call `SecurityScanner.scanFiles()` from
29
+ `@harness-engineering/core`.
30
+
31
+ 5. **Filter by severity threshold.** Remove findings below the configured
32
+ threshold:
33
+ - `error`: only errors
34
+ - `warning`: errors and warnings (default)
35
+ - `info`: all findings
36
+
37
+ 6. **Output report.** Present findings grouped by severity:
38
+
39
+ ```
40
+ Security Scan: [PASS/FAIL]
41
+ Scanned: N files, M rules applied
42
+ Errors: N | Warnings: N | Info: N
43
+
44
+ [List findings with rule ID, file:line, severity, message, remediation]
45
+ ```
46
+
47
+ ## Gates
48
+
49
+ - **Error-severity findings are blocking.** Report is FAIL if any error-severity
50
+ finding exists after filtering.
51
+ - **No AI review.** This skill is mechanical only. Do not perform OWASP analysis
52
+ or threat modeling.
53
+
54
+ ## Harness Integration
55
+
56
+ - **`harness check-security`** — CLI command that invokes this skill's scanner.
57
+ - **`SecurityScanner`** — Core class from `@harness-engineering/core` that executes the rule engine.
58
+ - **`harness.config.json`** — Security section configures severity threshold and file exclusions.
59
+ - **codebase-health-analyst persona** — Invokes this skill as part of its sweep.
60
+
61
+ ## Evidence Requirements
62
+
63
+ When this skill makes claims about existing code, architecture, or behavior,
64
+ it MUST cite evidence using one of:
65
+
66
+ 1. **File reference:** `file:line` format (e.g., `src/auth.ts:42`)
67
+ 2. **Code pattern reference:** `file` with description (e.g., `src/utils/hash.ts` —
68
+ "existing bcrypt wrapper")
69
+ 3. **Test/command output:** Inline or referenced output from a test run or CLI command
70
+ 4. **Session evidence:** Write to the `evidence` session section via `manage_state`
71
+
72
+ **Uncited claims:** Technical assertions without citations MUST be prefixed with
73
+ `[UNVERIFIED]`. Example: `[UNVERIFIED] The auth middleware supports refresh tokens`.
74
+
75
+ ## Red Flags
76
+
77
+ ### Universal
78
+
79
+ These apply to ALL skills. If you catch yourself doing any of these, STOP.
80
+
81
+ - **"I believe the codebase does X"** — Stop. Read the code and cite a file:line
82
+ reference. Belief is not evidence.
83
+ - **"Let me recommend [pattern] for this"** without checking existing patterns — Stop.
84
+ Search the codebase first. The project may already have a convention.
85
+ - **"While we're here, we should also [unrelated improvement]"** — Stop. Flag the idea
86
+ but do not expand scope beyond the stated task.
87
+
88
+ ### Domain-Specific
89
+
90
+ - **"This finding is in test code, so it's not a real issue"** — Stop. Test code can leak secrets, establish bad patterns, and be copy-pasted to production.
91
+ - **"This dependency is widely used, so it's safe"** — Stop. Popularity is not a security guarantee. Check CVE databases and advisory feeds.
92
+ - **"This is a low-severity finding, skipping"** — Stop. Low-severity findings compound. Document why you are deprioritizing, do not silently skip.
93
+ - **"The scanner didn't flag it, so it's clean"** — Stop. Scanners have false negatives. A clean scan is not proof of security — it is absence of evidence.
94
+
95
+ ## Rationalizations to Reject
96
+
97
+ ### Universal
98
+
99
+ These reasoning patterns sound plausible but lead to bad outcomes. Reject them.
100
+
101
+ - **"It's probably fine"** — "Probably" is not evidence. Verify before asserting.
102
+ - **"This is best practice"** — Best practice in what context? Cite the source and
103
+ confirm it applies to this codebase.
104
+ - **"We can fix it later"** — If it is worth flagging, it is worth documenting now
105
+ with a concrete follow-up plan.
106
+
107
+ ### Domain-Specific
108
+
109
+ - **"No attacker would find this"** — Security by obscurity. If the code is wrong, flag it regardless of discoverability.
110
+ - **"We're behind a firewall"** — Network boundaries change. Code should be secure at every layer regardless of deployment topology.
111
+ - **"The framework handles this for us"** — Verify the framework's actual behavior. Misuse of a secure framework is still insecure.
112
+
113
+ ## Escalation
114
+
115
+ - **When error-severity findings are disputed:** The scanner is mechanical — it may flag false positives. If a finding is a false positive, add a `// harness-ignore SEC-XXX` comment on the line and document the rationale. Do not suppress without explanation.
116
+ - **When the scanner misses a known vulnerability:** This skill runs pattern-based rules only. For semantic analysis (taint tracking, control flow), use `/harness:security-review` instead.
117
+ - **When scan is too slow on large codebases:** Use `--changed-only` to scope to recently changed files. Full scans can run on a scheduled cron instead.
118
+
119
+ ## Success Criteria
120
+
121
+ - Scanner ran and produced findings (or confirmed clean)
122
+ - Findings are filtered by the configured severity threshold
123
+ - Report follows the structured format
124
+ - Exit code reflects pass/fail status
125
+
126
+ ## Examples
127
+
128
+ ### Example: Clean Scan
129
+
130
+ ```
131
+ Security Scan: PASS
132
+ Scanned: 42 files, 12 rules applied
133
+ Errors: 0 | Warnings: 0 | Info: 0
134
+ ```
135
+
136
+ ### Example: Findings Detected
137
+
138
+ ```
139
+ Security Scan: FAIL
140
+ Scanned: 42 files, 12 rules applied
141
+ Errors: 1 | Warnings: 2 | Info: 0
142
+
143
+ [SEC-SECRET-001] src/config.ts:15 (error)
144
+ Hardcoded API key detected: `const API_KEY = "sk-..."`
145
+ Remediation: Move to environment variable, use dotenv or secrets manager.
146
+
147
+ [SEC-NET-001] src/cors.ts:5 (warning)
148
+ CORS wildcard origin: `origin: "*"`
149
+ Remediation: Restrict to specific allowed origins.
150
+
151
+ [SEC-CRYPTO-001] src/auth.ts:22 (warning)
152
+ Weak hash algorithm: `crypto.createHash("md5")`
153
+ Remediation: Use SHA-256 or stronger.
154
+ ```
package/dist/agents/skills/codex/harness-security-scan/skill.yaml ADDED
@@ -0,0 +1,42 @@
1
+ name: harness-security-scan
2
+ version: "1.0.0"
3
+ description: Lightweight mechanical security scan for health checks
4
+ cognitive_mode: meticulous-implementer
5
+ triggers:
6
+ - manual
7
+ - on_milestone
8
+ platforms:
9
+ - claude-code
10
+ - gemini-cli
11
+ tools:
12
+ - Bash
13
+ - Read
14
+ - Glob
15
+ - Grep
16
+ cli:
17
+ command: harness skill run harness-security-scan
18
+ args:
19
+ - name: path
20
+ description: Project root path
21
+ required: false
22
+ - name: severity
23
+ description: Minimum severity threshold (error, warning, info)
24
+ required: false
25
+ - name: changed-only
26
+ description: Only scan git-changed files
27
+ required: false
28
+ mcp:
29
+ tool: run_skill
30
+ input:
31
+ skill: harness-security-scan
32
+ path: string
33
+ type: rigid
34
+ tier: 2
35
+ phases:
36
+ - name: scan
37
+ description: Run SecurityScanner and filter by severity threshold
38
+ required: true
39
+ state:
40
+ persistent: false
41
+ files: []
42
+ depends_on: []