@harness-engineering/cli 1.25.7 → 1.26.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (189) hide show
  1. package/dist/agents/skills/README.md +1 -0
  2. package/dist/agents/skills/claude-code/harness-brainstorming/SKILL.md +33 -5
  3. package/dist/agents/skills/claude-code/harness-execution/SKILL.md +6 -0
  4. package/dist/agents/skills/claude-code/harness-knowledge-pipeline/SKILL.md +277 -0
  5. package/dist/agents/skills/claude-code/harness-knowledge-pipeline/skill.yaml +60 -0
  6. package/dist/agents/skills/claude-code/harness-planning/SKILL.md +25 -1
  7. package/dist/agents/skills/claude-code/initialize-harness-project/SKILL.md +22 -6
  8. package/dist/agents/skills/claude-code/initialize-harness-project/skill.yaml +2 -1
  9. package/dist/agents/skills/claude-code/initialize-test-suite-project/SKILL.md +415 -0
  10. package/dist/agents/skills/claude-code/initialize-test-suite-project/skill.yaml +35 -0
  11. package/dist/agents/skills/codex/harness-brainstorming/SKILL.md +33 -5
  12. package/dist/agents/skills/codex/harness-execution/SKILL.md +6 -0
  13. package/dist/agents/skills/codex/harness-knowledge-pipeline/SKILL.md +277 -0
  14. package/dist/agents/skills/codex/harness-knowledge-pipeline/skill.yaml +60 -0
  15. package/dist/agents/skills/codex/harness-planning/SKILL.md +25 -1
  16. package/dist/agents/skills/codex/initialize-harness-project/SKILL.md +22 -6
  17. package/dist/agents/skills/codex/initialize-harness-project/skill.yaml +2 -1
  18. package/dist/agents/skills/codex/initialize-test-suite-project/SKILL.md +415 -0
  19. package/dist/agents/skills/codex/initialize-test-suite-project/skill.yaml +35 -0
  20. package/dist/agents/skills/cursor/harness-brainstorming/SKILL.md +33 -5
  21. package/dist/agents/skills/cursor/harness-execution/SKILL.md +6 -0
  22. package/dist/agents/skills/cursor/harness-knowledge-pipeline/SKILL.md +277 -0
  23. package/dist/agents/skills/cursor/harness-knowledge-pipeline/skill.yaml +60 -0
  24. package/dist/agents/skills/cursor/harness-planning/SKILL.md +25 -1
  25. package/dist/agents/skills/cursor/initialize-harness-project/SKILL.md +22 -6
  26. package/dist/agents/skills/cursor/initialize-harness-project/skill.yaml +2 -1
  27. package/dist/agents/skills/cursor/initialize-test-suite-project/SKILL.md +415 -0
  28. package/dist/agents/skills/cursor/initialize-test-suite-project/skill.yaml +35 -0
  29. package/dist/agents/skills/gemini-cli/harness-brainstorming/SKILL.md +33 -5
  30. package/dist/agents/skills/gemini-cli/harness-execution/SKILL.md +6 -0
  31. package/dist/agents/skills/gemini-cli/harness-knowledge-pipeline/SKILL.md +277 -0
  32. package/dist/agents/skills/gemini-cli/harness-knowledge-pipeline/skill.yaml +60 -0
  33. package/dist/agents/skills/gemini-cli/harness-planning/SKILL.md +25 -1
  34. package/dist/agents/skills/gemini-cli/initialize-harness-project/SKILL.md +22 -6
  35. package/dist/agents/skills/gemini-cli/initialize-harness-project/skill.yaml +2 -1
  36. package/dist/agents/skills/gemini-cli/initialize-test-suite-project/SKILL.md +415 -0
  37. package/dist/agents/skills/gemini-cli/initialize-test-suite-project/skill.yaml +35 -0
  38. package/dist/agents/skills/package.json +2 -2
  39. package/dist/agents/skills/tests/initialize-test-suite-project.test.ts +152 -0
  40. package/dist/{agents-md-QPO3H5HX.js → agents-md-VI3HLR7E.js} +3 -3
  41. package/dist/{architecture-IJLXRHZA.js → architecture-ZDDKEVID.js} +4 -4
  42. package/dist/{assess-project-QU6XIVJK.js → assess-project-Y6W7YDUA.js} +1 -1
  43. package/dist/bin/harness-mcp.js +16 -15
  44. package/dist/bin/harness.js +27 -27
  45. package/dist/{check-phase-gate-TNY64AOS.js → check-phase-gate-CXR3VM22.js} +4 -4
  46. package/dist/{chunk-JJQ3TW2E.js → chunk-2BPPS6YQ.js} +804 -93
  47. package/dist/{chunk-NKQEMWGT.js → chunk-2FPUPRCY.js} +3419 -126
  48. package/dist/{chunk-MLOGYWLY.js → chunk-3AMQYWGT.js} +2 -2
  49. package/dist/{chunk-AS5DQT4S.js → chunk-56A6OXVA.js} +9 -9
  50. package/dist/{chunk-G5SNXUIK.js → chunk-7GY6WNEI.js} +1 -1
  51. package/dist/{chunk-SZ3Q4XEO.js → chunk-AMRC4FU2.js} +441 -288
  52. package/dist/{chunk-K533WNZG.js → chunk-B66LRB5M.js} +1 -1
  53. package/dist/{chunk-YRBNAHH4.js → chunk-BK4DJIIY.js} +4 -4
  54. package/dist/{chunk-2DF6OZLG.js → chunk-DBIX3X4H.js} +2 -2
  55. package/dist/{chunk-LXPRO2FH.js → chunk-FUND5WJR.js} +2 -2
  56. package/dist/{chunk-FRDS4XGD.js → chunk-JV4Y2U5F.js} +1 -1
  57. package/dist/{chunk-XVJRFP7W.js → chunk-K56DTX7G.js} +6 -6
  58. package/dist/{chunk-K35D7HF3.js → chunk-N6B6RKQQ.js} +1 -1
  59. package/dist/{chunk-LTCEV7VF.js → chunk-NY7DTZ6K.js} +3 -3
  60. package/dist/{chunk-JPZY7ZQX.js → chunk-OLW7BJ5N.js} +1 -1
  61. package/dist/{chunk-KVJZQ2MV.js → chunk-ORNEK65Y.js} +1 -1
  62. package/dist/{chunk-D3XL2FLX.js → chunk-PNNFCVW4.js} +5 -5
  63. package/dist/{chunk-E5Z6NTTQ.js → chunk-Q3ZLVMQM.js} +1 -1
  64. package/dist/{chunk-PCOU2UXU.js → chunk-RAVD7QLY.js} +8 -8
  65. package/dist/{chunk-IQO7IINR.js → chunk-TSVYBDDE.js} +1 -1
  66. package/dist/{chunk-MCDCZMKN.js → chunk-TY2ESLVL.js} +1 -1
  67. package/dist/{chunk-TQRCODRJ.js → chunk-VKS3F46M.js} +1 -1
  68. package/dist/{chunk-GVNT2YC7.js → chunk-WZ7UHPT3.js} +9 -9
  69. package/dist/{chunk-ZIYLIYN4.js → chunk-YC4EYIER.js} +8 -2
  70. package/dist/{chunk-IT2KORSK.js → chunk-ZN6ROTYP.js} +1 -1
  71. package/dist/{ci-workflow-FJYRFZYQ.js → ci-workflow-EW37KVPS.js} +3 -3
  72. package/dist/{create-skill-6QWJHQYS.js → create-skill-4T5CBSJ2.js} +2 -2
  73. package/dist/{dist-ZV6GO6FA.js → dist-CJDGASPP.js} +2 -2
  74. package/dist/{dist-HPWNWCT6.js → dist-NCNAXUFD.js} +41 -1
  75. package/dist/{docs-7DW3DI4Z.js → docs-4XI2FQW2.js} +4 -4
  76. package/dist/{engine-P7EE2IWO.js → engine-4L4CDTHU.js} +3 -3
  77. package/dist/{entropy-HCXRTDFU.js → entropy-PBYSIQYS.js} +3 -3
  78. package/dist/{feedback-Y4FYN3NR.js → feedback-OTIFW5MK.js} +1 -1
  79. package/dist/{generate-agent-definitions-3EHPIWBO.js → generate-agent-definitions-CZGUXIIN.js} +4 -4
  80. package/dist/{graph-loader-KXVS3YK3.js → graph-loader-RDXSEBD7.js} +1 -1
  81. package/dist/index.d.ts +8 -8
  82. package/dist/index.js +27 -27
  83. package/dist/{loader-SKHF3JVV.js → loader-UZOXCWFC.js} +3 -3
  84. package/dist/{mcp-MWYIPDQU.js → mcp-GWVVV6LH.js} +16 -15
  85. package/dist/{performance-ADWH5NJY.js → performance-5UQPP3XX.js} +4 -4
  86. package/dist/{review-pipeline-TLKE5OQD.js → review-pipeline-65V4EO6O.js} +3 -3
  87. package/dist/{runtime-7LYAW7GU.js → runtime-PXX7HNB3.js} +3 -3
  88. package/dist/{scan-BGJ7TLLV.js → scan-WM7XDUF7.js} +1 -1
  89. package/dist/{security-5XWINYVB.js → security-CAYDRZIZ.js} +1 -1
  90. package/dist/{validate-BFFHYHY7.js → validate-CWGXR7QM.js} +4 -4
  91. package/dist/{validate-cross-check-GQX7OVCR.js → validate-cross-check-BKCNLZYG.js} +3 -3
  92. package/package.json +10 -10
  93. package/dist/agents/commands/claude-code/harness/harness.md +0 -36
  94. package/dist/agents/commands/codex/AGENTS.md +0 -39
  95. package/dist/agents/commands/codex/harness/add-harness-component/SKILL.md +0 -204
  96. package/dist/agents/commands/codex/harness/add-harness-component/agents/openai.yaml +0 -3
  97. package/dist/agents/commands/codex/harness/cleanup-dead-code/SKILL.md +0 -257
  98. package/dist/agents/commands/codex/harness/cleanup-dead-code/agents/openai.yaml +0 -3
  99. package/dist/agents/commands/codex/harness/detect-doc-drift/SKILL.md +0 -191
  100. package/dist/agents/commands/codex/harness/detect-doc-drift/agents/openai.yaml +0 -3
  101. package/dist/agents/commands/codex/harness/enforce-architecture/SKILL.md +0 -289
  102. package/dist/agents/commands/codex/harness/enforce-architecture/agents/openai.yaml +0 -3
  103. package/dist/agents/commands/codex/harness/harness-architecture-advisor/SKILL.md +0 -442
  104. package/dist/agents/commands/codex/harness/harness-architecture-advisor/agents/openai.yaml +0 -3
  105. package/dist/agents/commands/codex/harness/harness-autopilot/SKILL.md +0 -929
  106. package/dist/agents/commands/codex/harness/harness-autopilot/agents/openai.yaml +0 -3
  107. package/dist/agents/commands/codex/harness/harness-brainstorming/SKILL.md +0 -418
  108. package/dist/agents/commands/codex/harness/harness-brainstorming/agents/openai.yaml +0 -3
  109. package/dist/agents/commands/codex/harness/harness-code-review/SKILL.md +0 -850
  110. package/dist/agents/commands/codex/harness/harness-code-review/agents/openai.yaml +0 -3
  111. package/dist/agents/commands/codex/harness/harness-codebase-cleanup/SKILL.md +0 -236
  112. package/dist/agents/commands/codex/harness/harness-codebase-cleanup/agents/openai.yaml +0 -3
  113. package/dist/agents/commands/codex/harness/harness-debugging/SKILL.md +0 -378
  114. package/dist/agents/commands/codex/harness/harness-debugging/agents/openai.yaml +0 -3
  115. package/dist/agents/commands/codex/harness/harness-dependency-health/SKILL.md +0 -190
  116. package/dist/agents/commands/codex/harness/harness-dependency-health/agents/openai.yaml +0 -3
  117. package/dist/agents/commands/codex/harness/harness-docs-pipeline/SKILL.md +0 -472
  118. package/dist/agents/commands/codex/harness/harness-docs-pipeline/agents/openai.yaml +0 -3
  119. package/dist/agents/commands/codex/harness/harness-execution/SKILL.md +0 -522
  120. package/dist/agents/commands/codex/harness/harness-execution/agents/openai.yaml +0 -3
  121. package/dist/agents/commands/codex/harness/harness-hotspot-detector/SKILL.md +0 -172
  122. package/dist/agents/commands/codex/harness/harness-hotspot-detector/agents/openai.yaml +0 -3
  123. package/dist/agents/commands/codex/harness/harness-impact-analysis/SKILL.md +0 -195
  124. package/dist/agents/commands/codex/harness/harness-impact-analysis/agents/openai.yaml +0 -3
  125. package/dist/agents/commands/codex/harness/harness-integrity/SKILL.md +0 -178
  126. package/dist/agents/commands/codex/harness/harness-integrity/agents/openai.yaml +0 -3
  127. package/dist/agents/commands/codex/harness/harness-onboarding/SKILL.md +0 -299
  128. package/dist/agents/commands/codex/harness/harness-onboarding/agents/openai.yaml +0 -3
  129. package/dist/agents/commands/codex/harness/harness-perf/SKILL.md +0 -272
  130. package/dist/agents/commands/codex/harness/harness-perf/agents/openai.yaml +0 -3
  131. package/dist/agents/commands/codex/harness/harness-planning/SKILL.md +0 -592
  132. package/dist/agents/commands/codex/harness/harness-planning/agents/openai.yaml +0 -3
  133. package/dist/agents/commands/codex/harness/harness-refactoring/SKILL.md +0 -181
  134. package/dist/agents/commands/codex/harness/harness-refactoring/agents/openai.yaml +0 -3
  135. package/dist/agents/commands/codex/harness/harness-release-readiness/SKILL.md +0 -701
  136. package/dist/agents/commands/codex/harness/harness-release-readiness/agents/openai.yaml +0 -3
  137. package/dist/agents/commands/codex/harness/harness-roadmap/SKILL.md +0 -607
  138. package/dist/agents/commands/codex/harness/harness-roadmap/agents/openai.yaml +0 -3
  139. package/dist/agents/commands/codex/harness/harness-security-scan/SKILL.md +0 -147
  140. package/dist/agents/commands/codex/harness/harness-security-scan/agents/openai.yaml +0 -3
  141. package/dist/agents/commands/codex/harness/harness-skill-authoring/SKILL.md +0 -314
  142. package/dist/agents/commands/codex/harness/harness-skill-authoring/agents/openai.yaml +0 -3
  143. package/dist/agents/commands/codex/harness/harness-soundness-review/SKILL.md +0 -1280
  144. package/dist/agents/commands/codex/harness/harness-soundness-review/agents/openai.yaml +0 -3
  145. package/dist/agents/commands/codex/harness/harness-supply-chain-audit/SKILL.md +0 -255
  146. package/dist/agents/commands/codex/harness/harness-supply-chain-audit/agents/openai.yaml +0 -3
  147. package/dist/agents/commands/codex/harness/harness-tdd/SKILL.md +0 -189
  148. package/dist/agents/commands/codex/harness/harness-tdd/agents/openai.yaml +0 -3
  149. package/dist/agents/commands/codex/harness/harness-test-advisor/SKILL.md +0 -171
  150. package/dist/agents/commands/codex/harness/harness-test-advisor/agents/openai.yaml +0 -3
  151. package/dist/agents/commands/codex/harness/harness-verification/SKILL.md +0 -433
  152. package/dist/agents/commands/codex/harness/harness-verification/agents/openai.yaml +0 -3
  153. package/dist/agents/commands/codex/harness/harness-verify/SKILL.md +0 -170
  154. package/dist/agents/commands/codex/harness/harness-verify/agents/openai.yaml +0 -3
  155. package/dist/agents/commands/codex/harness/initialize-harness-project/SKILL.md +0 -244
  156. package/dist/agents/commands/codex/harness/initialize-harness-project/agents/openai.yaml +0 -3
  157. package/dist/agents/commands/cursor/harness/add-harness-component.mdc +0 -200
  158. package/dist/agents/commands/cursor/harness/cleanup-dead-code.mdc +0 -253
  159. package/dist/agents/commands/cursor/harness/detect-doc-drift.mdc +0 -187
  160. package/dist/agents/commands/cursor/harness/enforce-architecture.mdc +0 -304
  161. package/dist/agents/commands/cursor/harness/harness-architecture-advisor.mdc +0 -457
  162. package/dist/agents/commands/cursor/harness/harness-autopilot.mdc +0 -924
  163. package/dist/agents/commands/cursor/harness/harness-brainstorming.mdc +0 -414
  164. package/dist/agents/commands/cursor/harness/harness-code-review.mdc +0 -865
  165. package/dist/agents/commands/cursor/harness/harness-codebase-cleanup.mdc +0 -232
  166. package/dist/agents/commands/cursor/harness/harness-debugging.mdc +0 -374
  167. package/dist/agents/commands/cursor/harness/harness-dependency-health.mdc +0 -187
  168. package/dist/agents/commands/cursor/harness/harness-docs-pipeline.mdc +0 -468
  169. package/dist/agents/commands/cursor/harness/harness-execution.mdc +0 -518
  170. package/dist/agents/commands/cursor/harness/harness-hotspot-detector.mdc +0 -169
  171. package/dist/agents/commands/cursor/harness/harness-impact-analysis.mdc +0 -192
  172. package/dist/agents/commands/cursor/harness/harness-integrity.mdc +0 -175
  173. package/dist/agents/commands/cursor/harness/harness-onboarding.mdc +0 -296
  174. package/dist/agents/commands/cursor/harness/harness-perf.mdc +0 -268
  175. package/dist/agents/commands/cursor/harness/harness-planning.mdc +0 -587
  176. package/dist/agents/commands/cursor/harness/harness-refactoring.mdc +0 -177
  177. package/dist/agents/commands/cursor/harness/harness-release-readiness.mdc +0 -697
  178. package/dist/agents/commands/cursor/harness/harness-roadmap.mdc +0 -603
  179. package/dist/agents/commands/cursor/harness/harness-security-scan.mdc +0 -162
  180. package/dist/agents/commands/cursor/harness/harness-skill-authoring.mdc +0 -300
  181. package/dist/agents/commands/cursor/harness/harness-soundness-review.mdc +0 -1275
  182. package/dist/agents/commands/cursor/harness/harness-supply-chain-audit.mdc +0 -252
  183. package/dist/agents/commands/cursor/harness/harness-tdd.mdc +0 -185
  184. package/dist/agents/commands/cursor/harness/harness-test-advisor.mdc +0 -168
  185. package/dist/agents/commands/cursor/harness/harness-verification.mdc +0 -429
  186. package/dist/agents/commands/cursor/harness/harness-verify.mdc +0 -167
  187. package/dist/agents/commands/cursor/harness/initialize-harness-project.mdc +0 -240
  188. package/dist/agents/commands/gemini-cli/harness/harness.toml +0 -277
  189. package/dist/{chunk-RRHUCDRD.js → chunk-ZP5E7YET.js} +3 -3
@@ -1,147 +0,0 @@
1
- <!-- Generated by harness generate-slash-commands. Do not edit. -->
2
-
3
- # Harness Security Scan
4
-
5
- > Lightweight mechanical security scan. Fast triage, not deep review.
6
-
7
- ## When to Use
8
-
9
- - As part of the codebase-health-analyst sweep
10
- - For quick security triage on a project or changed files
11
- - On scheduled cron runs for continuous security coverage
12
- - NOT for deep security review (use harness-security-review)
13
- - NOT for threat modeling (use harness-security-review --deep)
14
-
15
- ## Process
16
-
17
- ### Phase 1: SCAN — Run Mechanical Scanner
18
-
19
- 1. **Resolve project root.** Use provided path or cwd.
20
-
21
- 2. **Load security config.** Read `harness.config.json` and extract `security`
22
- section. Fall back to defaults if absent.
23
-
24
- 3. **Determine file scope.**
25
- - If `--changed-only` or triggered by PR: run `git diff --name-only HEAD~1`
26
- to get changed files. Filter to source files only (exclude node_modules,
27
- dist, test files per config).
28
- - Otherwise: scan all source files in the project.
29
-
30
- 4. **Run SecurityScanner.** Call `SecurityScanner.scanFiles()` from
31
- `@harness-engineering/core`.
32
-
33
- 5. **Filter by severity threshold.** Remove findings below the configured
34
- threshold:
35
- - `error`: only errors
36
- - `warning`: errors and warnings (default)
37
- - `info`: all findings
38
-
39
- 6. **Output report.** Present findings grouped by severity:
40
-
41
- ```
42
- Security Scan: [PASS/FAIL]
43
- Scanned: N files, M rules applied
44
- Errors: N | Warnings: N | Info: N
45
-
46
- [List findings with rule ID, file:line, severity, message, remediation]
47
- ```
48
-
49
- ## Gates
50
-
51
- - **Error-severity findings are blocking.** Report is FAIL if any error-severity
52
- finding exists after filtering.
53
- - **No AI review.** This skill is mechanical only. Do not perform OWASP analysis
54
- or threat modeling.
55
-
56
- ## Harness Integration
57
-
58
- - **`harness check-security`** — CLI command that invokes this skill's scanner.
59
- - **`SecurityScanner`** — Core class from `@harness-engineering/core` that executes the rule engine.
60
- - **`harness.config.json`** — Security section configures severity threshold and file exclusions.
61
- - **codebase-health-analyst persona** — Invokes this skill as part of its sweep.
62
-
63
- ## Evidence Requirements
64
-
65
- When this skill makes claims about existing code, architecture, or behavior,
66
- it MUST cite evidence using one of:
67
-
68
- 1. **File reference:** `file:line` format (e.g., `src/auth.ts:42`)
69
- 2. **Code pattern reference:** `file` with description (e.g., `src/utils/hash.ts` —
70
- "existing bcrypt wrapper")
71
- 3. **Test/command output:** Inline or referenced output from a test run or CLI command
72
- 4. **Session evidence:** Write to the `evidence` session section via `manage_state`
73
-
74
- **Uncited claims:** Technical assertions without citations MUST be prefixed with
75
- `[UNVERIFIED]`. Example: `[UNVERIFIED] The auth middleware supports refresh tokens`.
76
-
77
- ## Red Flags
78
-
79
- ### Universal
80
-
81
- These apply to ALL skills. If you catch yourself doing any of these, STOP.
82
-
83
- - **"I believe the codebase does X"** — Stop. Read the code and cite a file:line
84
- reference. Belief is not evidence.
85
- - **"Let me recommend [pattern] for this"** without checking existing patterns — Stop.
86
- Search the codebase first. The project may already have a convention.
87
- - **"While we're here, we should also [unrelated improvement]"** — Stop. Flag the idea
88
- but do not expand scope beyond the stated task.
89
-
90
- ### Domain-Specific
91
-
92
- - **"This finding is in test code, so it's not a real issue"** — Stop. Test code can leak secrets, establish bad patterns, and be copy-pasted to production.
93
- - **"This dependency is widely used, so it's safe"** — Stop. Popularity is not a security guarantee. Check CVE databases and advisory feeds.
94
- - **"This is a low-severity finding, skipping"** — Stop. Low-severity findings compound. Document why you are deprioritizing, do not silently skip.
95
- - **"The scanner didn't flag it, so it's clean"** — Stop. Scanners have false negatives. A clean scan is not proof of security — it is absence of evidence.
96
-
97
- ## Rationalizations to Reject
98
-
99
- | Rationalization | Reality |
100
- | --- | --- |
101
- | "No attacker would find this" | Security by obscurity. If the code is wrong, flag it regardless of discoverability. |
102
- | "We're behind a firewall" | Network boundaries change. Code should be secure at every layer regardless of deployment topology. |
103
- | "The framework handles this for us" | Verify the framework's actual behavior. Misuse of a secure framework is still insecure. |
104
-
105
- ## Escalation
106
-
107
- - **When error-severity findings are disputed:** The scanner is mechanical — it may flag false positives. If a finding is a false positive, add a `// harness-ignore SEC-XXX` comment on the line and document the rationale. Do not suppress without explanation.
108
- - **When the scanner misses a known vulnerability:** This skill runs pattern-based rules only. For semantic analysis (taint tracking, control flow), use `/harness:security-review` instead.
109
- - **When scan is too slow on large codebases:** Use `--changed-only` to scope to recently changed files. Full scans can run on a scheduled cron instead.
110
-
111
- ## Success Criteria
112
-
113
- - Scanner ran and produced findings (or confirmed clean)
114
- - Findings are filtered by the configured severity threshold
115
- - Report follows the structured format
116
- - Exit code reflects pass/fail status
117
-
118
- ## Examples
119
-
120
- ### Example: Clean Scan
121
-
122
- ```
123
- Security Scan: PASS
124
- Scanned: 42 files, 12 rules applied
125
- Errors: 0 | Warnings: 0 | Info: 0
126
- ```
127
-
128
- ### Example: Findings Detected
129
-
130
- ```
131
- Security Scan: FAIL
132
- Scanned: 42 files, 12 rules applied
133
- Errors: 1 | Warnings: 2 | Info: 0
134
-
135
- [SEC-SECRET-001] src/config.ts:15 (error)
136
- Hardcoded API key detected: `const API_KEY = "sk-..."`
137
- Remediation: Move to environment variable, use dotenv or secrets manager.
138
-
139
- [SEC-NET-001] src/cors.ts:5 (warning)
140
- CORS wildcard origin: `origin: "*"`
141
- Remediation: Restrict to specific allowed origins.
142
-
143
- [SEC-CRYPTO-001] src/auth.ts:22 (warning)
144
- Weak hash algorithm: `crypto.createHash("md5")`
145
- Remediation: Use SHA-256 or stronger.
146
- ```
147
-
@@ -1,3 +0,0 @@
1
- # Reserved for Phase B native integration
2
- name: harness-security-scan
3
- version: "1.0.0"
@@ -1,314 +0,0 @@
1
- <!-- Generated by harness generate-slash-commands. Do not edit. -->
2
-
3
- # Harness Skill Authoring
4
-
5
- > Create and extend harness skills following the rich skill format. Define purpose, choose type, write skill.yaml and SKILL.md with all required sections, validate, and test.
6
-
7
- ## When to Use
8
-
9
- - Creating a new skill for a team's recurring workflow
10
- - Extending an existing skill with new phases, gates, or examples
11
- - Converting an informal process ("how we do code reviews") into a formal harness skill
12
- - When a team notices they repeat the same multi-step process and wants to codify it
13
- - NOT when running an existing skill (use the skill directly)
14
- - NOT when listing or discovering skills (use `harness skill list`)
15
- - NOT when the process is a one-off task that will not recur
16
-
17
- ## Process
18
-
19
- ### Phase 1: DEFINE — Establish the Skill's Purpose
20
-
21
- 1. **Identify the recurring process.** What does the team do repeatedly? Name it. Describe it in one sentence. This becomes the skill's `description` in `skill.yaml` and the blockquote summary in `SKILL.md`.
22
-
23
- 2. **Define the scope boundary.** A good skill does one thing well. If the process has distinct phases that could be done independently, consider whether it should be multiple skills. Signs of a skill that is too broad: more than 6 phases, multiple unrelated triggers, trying to serve two different audiences.
24
-
25
- 3. **Identify the trigger conditions.** When should this skill activate?
26
- - `manual` — Only when explicitly invoked
27
- - `on_new_feature` — When starting a new feature
28
- - `on_bug_fix` — When fixing a bug
29
- - `on_pr_review` — When reviewing a pull request
30
- - `on_project_init` — When initializing or entering a project
31
- - Multiple triggers are fine if the skill genuinely applies to all of them
32
-
33
- 4. **Determine required tools.** What tools does the skill need? Common sets:
34
- - Read-only analysis: `Read`, `Glob`, `Grep`
35
- - Code modification: `Read`, `Write`, `Edit`, `Glob`, `Grep`, `Bash`
36
- - Full workflow: all of the above plus specialized tools
37
-
38
- ### Phase 2: CHOOSE TYPE — Rigid or Flexible
39
-
40
- 1. **Choose rigid when:**
41
- - The process has strict ordering that must not be violated
42
- - Skipping steps causes real damage (data loss, security holes, broken deployments)
43
- - Compliance or policy requires auditability of each step
44
- - The process includes mandatory checkpoints where human approval is needed
45
- - Examples: TDD cycle, deployment pipeline, security audit, database migration
46
-
47
- 2. **Choose flexible when:**
48
- - The process has recommended steps but the order can adapt to context
49
- - The agent should use judgment about which steps to emphasize
50
- - Different situations call for different subsets of the process
51
- - The process is more about guidelines than rigid procedure
52
- - Examples: code review, onboarding, brainstorming, project initialization
53
-
54
- 3. **Key difference in SKILL.md:** Rigid skills require `## Gates` and `## Escalation` sections. Flexible skills may omit them (though they can include them if useful).
55
-
56
- ### Phase 3: WRITE SKILL.YAML — Define Metadata
57
-
58
- 1. **Create the skill directory** under `agents/skills/<platform>/<skill-name>/`.
59
-
60
- 2. **Write `skill.yaml`** with all required fields:
61
-
62
- ```yaml
63
- name: <skill-name> # Kebab-case, matches directory name
64
- version: '1.0.0' # Semver
65
- description: <one-line summary> # What this skill does
66
- triggers:
67
- - <trigger-1>
68
- - <trigger-2>
69
- platforms:
70
- - claude-code # Which agent platforms support this skill
71
- tools:
72
- - <tool-1> # Tools the skill requires
73
- - <tool-2>
74
- cli:
75
- command: harness skill run <skill-name>
76
- args:
77
- - name: <arg-name>
78
- description: <arg-description>
79
- required: <true|false>
80
- mcp:
81
- tool: run_skill
82
- input:
83
- skill: <skill-name>
84
- type: <rigid|flexible>
85
- state:
86
- persistent: <true|false> # Does this skill maintain state across sessions?
87
- files:
88
- - <state-file-path> # List state files if persistent
89
- depends_on:
90
- - <prerequisite-skill> # Skills that must be available (not necessarily run first)
91
- ```
92
-
93
- 3. **Validate the YAML.** Ensure proper indentation, correct field names, and valid values. The `name` field must match the directory name exactly.
94
-
95
- ### Phase 4: WRITE SKILL.MD — Author the Skill Content
96
-
97
- 1. **Start with the heading and summary:**
98
-
99
- ```markdown
100
- # <Skill Name>
101
-
102
- > <One-sentence description of what the skill does and why.>
103
- ```
104
-
105
- 2. **Write `## When to Use`.** Include both positive (when TO use) and negative (when NOT to use) conditions. Be specific. Negative conditions prevent misapplication and point to the correct alternative skill.
106
-
107
- 3. **Write `## Process`.** This is the core of the skill. Guidelines for writing good process sections:
108
- - **Use phases to organize.** Group related steps into named phases (e.g., ASSESS, IMPLEMENT, VERIFY). Each phase should have a clear purpose and completion criteria.
109
- - **Number every step.** Steps within a phase are numbered. This makes them referenceable ("go back to Phase 2, step 3").
110
- - **Be prescriptive about actions.** Say "Run `harness validate`" not "consider validating." Say "Read the file" not "you might want to read the file."
111
- - **Include decision points.** When the process branches, state the conditions clearly: "If X, do A. If Y, do B."
112
- - **State what NOT to do.** Prohibitions prevent common mistakes: "Do not proceed to Phase 3 if validation fails."
113
- - **For rigid skills:** Add an Iron Law at the top — the one inviolable principle. Then define phases with mandatory ordering and explicit gates between them.
114
- - **For flexible skills:** Describe the recommended flow but acknowledge that adaptation is expected. Focus on outcomes rather than exact commands.
115
-
116
- 4. **Write `## Harness Integration`.** List every harness CLI command the skill uses, with a brief description of when to use it. This section connects the skill to the harness toolchain.
117
-
118
- 5. **Write `## Success Criteria`.** Define how to know the skill was executed well. Each criterion should be observable and verifiable — not subjective.
119
-
120
- 6. **Write `## Examples`.** At least one concrete example showing the full process from start to finish. Use realistic project names, file paths, and commands. Show both the commands and their expected outputs.
121
-
122
- 7. **For rigid skills, write `## Gates`.** Gates are hard stops — conditions that must be true to proceed. Each gate should state what happens if violated. Format: "**<condition> = <consequence>.**"
123
-
124
- 8. **For rigid skills, write `## Escalation`.** Define when to stop and ask for help. Each escalation condition should describe the symptom, the likely cause, and what to report.
125
-
126
- 9. **Write `## Rationalizations to Reject`.** Every user-facing skill must include this section. It contains domain-specific rationalizations that prevent agents from skipping steps with plausible-sounding excuses. Format requirements:
127
-
128
- - **Table format:** `| Rationalization | Reality |` with a header separator row
129
- - **3-8 entries** per skill, each specific to the skill's domain
130
- - **No generic filler.** Every entry must address a rationalization that is plausible in the context of this specific skill
131
- - **Do not repeat universal rationalizations.** The following three are always in effect for all skills and must NOT appear in individual skill tables:
132
-
133
- | Rationalization | Reality |
134
- | --- | --- |
135
- | "It's probably fine" | "Probably" is not evidence. Verify before asserting. |
136
- | "This is best practice" | Best practice in what context? Cite the source and confirm it applies here. |
137
- | "We can fix it later" | If worth flagging, document now with a concrete follow-up plan. |
138
-
139
- Example of a good domain-specific entry (for a code review skill):
140
-
141
- | Rationalization | Reality |
142
- | --- | --- |
143
- | "The tests pass so the logic must be correct" | Passing tests prove the tested paths work. They say nothing about untested paths, edge cases, or whether the tests themselves are correct. |
144
-
145
- ### Phase 5: VALIDATE — Verify the Skill
146
-
147
- 1. **Run `harness skill validate`** to check:
148
- - `skill.yaml` has all required fields and valid values
149
- - `SKILL.md` has all required sections (`## When to Use`, `## Process`, `## Harness Integration`, `## Success Criteria`, `## Examples`, `## Rationalizations to Reject`)
150
- - Rigid skills have `## Gates` and `## Escalation` sections
151
- - The `name` in `skill.yaml` matches the directory name
152
- - Referenced tools exist
153
- - Referenced dependencies exist
154
-
155
- 2. **Fix any validation errors.** Common issues:
156
- - Missing required section in `SKILL.md`
157
- - `name` field does not match directory name
158
- - Invalid trigger name
159
- - Missing `type` field in `skill.yaml`
160
-
161
- 3. **Test by running the skill:** `harness skill run <name>`. Verify it loads correctly and the process instructions make sense in context.
162
-
163
- ### Skill Quality Checklist
164
-
165
- Evaluate every skill along two dimensions:
166
-
167
- | | **Clear activation** | **Ambiguous activation** | **Missing activation** |
168
- | --------------------------- | ----------------------------------- | --------------------------------------- | ---------------------- |
169
- | **Specific implementation** | Good skill | Wasted — good instructions nobody finds | Broken |
170
- | **Vague implementation** | Trap — agents activate but flounder | Bad skill | Empty shell |
171
- | **Missing implementation** | Stub | Stub | Does not exist |
172
-
173
- - **Good skill** = clear activation + specific implementation. The agent knows when to use it and exactly what to do.
174
- - **Clear activation + vague implementation** = trap. The skill fires correctly but the agent has no concrete instructions, leading to inconsistent results.
175
- - **Ambiguous activation + specific implementation** = wasted. Great instructions that never get used because the agent does not know when to activate the skill.
176
-
177
- Use this checklist as a final quality gate before declaring a skill complete.
178
-
179
- ## Harness Integration
180
-
181
- - **`harness skill validate`** — Validate a skill's `skill.yaml` and `SKILL.md` against the schema and structure requirements.
182
- - **`harness skill run <name>`** — Execute a skill to test it in context.
183
- - **`harness skill list`** — List all available skills, useful for checking that a new skill appears after creation.
184
- - **`harness add skill <name> --type <type>`** — Scaffold a new skill directory with template files (alternative to manual creation).
185
-
186
- ## Success Criteria
187
-
188
- - `skill.yaml` exists with all required fields and passes schema validation
189
- - `SKILL.md` exists with all required sections filled with substantive content (not placeholders)
190
- - The skill name in `skill.yaml` matches the directory name
191
- - `harness skill validate` passes with zero errors
192
- - The process section has clear, numbered, actionable steps organized into phases
193
- - When to Use includes both positive and negative conditions
194
- - At least one concrete example demonstrates the full process
195
- - Rigid skills include Gates and Escalation sections with specific conditions and consequences
196
- - The skill can be loaded and run with `harness skill run <name>`
197
-
198
- ## Examples
199
-
200
- ### Example: Creating a Flexible Skill for Database Migration Review
201
-
202
- **DEFINE:**
203
-
204
- ```
205
- Process: The team reviews database migrations before applying them.
206
- Scope: Review only — not creating or applying migrations.
207
- Triggers: manual (invoked when a migration PR is opened).
208
- Tools: Read, Glob, Grep, Bash.
209
- ```
210
-
211
- **CHOOSE TYPE:** Flexible — the review steps can vary based on migration complexity. Some migrations need data impact analysis, others do not.
212
-
213
- **WRITE skill.yaml:**
214
-
215
- ```yaml
216
- name: review-db-migration
217
- version: '1.0.0'
218
- description: Review database migration files for safety and correctness
219
- triggers:
220
- - manual
221
- platforms:
222
- - claude-code
223
- tools:
224
- - Read
225
- - Glob
226
- - Grep
227
- - Bash
228
- cli:
229
- command: harness skill run review-db-migration
230
- args:
231
- - name: migration-file
232
- description: Path to the migration file to review
233
- required: true
234
- mcp:
235
- tool: run_skill
236
- input:
237
- skill: review-db-migration
238
- type: flexible
239
- state:
240
- persistent: false
241
- files: []
242
- depends_on: []
243
- ```
244
-
245
- **WRITE SKILL.md:**
246
-
247
- ```markdown
248
- # Review Database Migration
249
-
250
- > Review database migration files for safety, correctness, and
251
- > reversibility before they are applied to any environment.
252
-
253
- ## When to Use
254
-
255
- - When a new migration file has been created and needs review
256
- - When a migration PR is opened
257
- - NOT when writing migrations (write first, then review)
258
- - NOT when applying migrations to environments (that is a deployment concern)
259
-
260
- ## Process
261
-
262
- ### Phase 1: ANALYZE — Understand the Migration
263
-
264
- 1. Read the migration file completely...
265
- [... full process content ...]
266
-
267
- ## Harness Integration
268
-
269
- - `harness validate` — Verify project health after migration review
270
- [... etc ...]
271
- ```
272
-
273
- **VALIDATE:**
274
-
275
- ```bash
276
- harness skill validate review-db-migration # Pass
277
- harness skill run review-db-migration # Loads correctly
278
- ```
279
-
280
- ### Example: Creating a Rigid Skill for Release Deployment
281
-
282
- **DEFINE:**
283
-
284
- ```
285
- Process: Deploy a release to production. Strict ordering — cannot skip steps.
286
- Triggers: manual.
287
- Tools: Bash, Read, Glob.
288
- ```
289
-
290
- **CHOOSE TYPE:** Rigid — skipping the smoke test or rollback verification step could cause production outages. Mandatory checkpoints for human approval before each environment promotion.
291
-
292
- **WRITE SKILL.md (key rigid sections):**
293
-
294
- ```markdown
295
- ## Gates
296
-
297
- - **Tests must pass before build.** If the test suite fails, do not
298
- proceed to build. Fix the tests first.
299
- - **Staging must be verified before production.** If staging smoke tests
300
- fail, do not promote to production. Roll back staging and investigate.
301
- - **Human approval required at each promotion.** Use [checkpoint:human-verify]
302
- before promoting from staging to production. No auto-promotion.
303
-
304
- ## Escalation
305
-
306
- - **When staging smoke tests fail on a test that passed locally:**
307
- Report: "Smoke test [name] fails in staging but passes locally.
308
- Likely cause: environment-specific configuration or data difference.
309
- Need to investigate before proceeding."
310
- - **When rollback verification fails:** This is critical. Report immediately:
311
- "Rollback to version [X] failed. Current state: [description].
312
- Manual intervention required."
313
- ```
314
-
@@ -1,3 +0,0 @@
1
- # Reserved for Phase B native integration
2
- name: harness-skill-authoring
3
- version: "1.0.0"