@harness-engineering/cli 1.4.0 → 1.6.1

package/dist/agents/skills/gemini-cli/harness-release-readiness/skill.yaml

@@ -0,0 +1,57 @@
+name: harness-release-readiness
+version: "1.0.0"
+description: Audit npm release readiness, run maintenance checks, offer auto-fixes, track progress across sessions
+cognitive_mode: meticulous-verifier
+triggers:
+  - manual
+  - on_milestone
+platforms:
+  - claude-code
+  - gemini-cli
+tools:
+  - Bash
+  - Read
+  - Write
+  - Edit
+  - Glob
+  - Grep
+cli:
+  command: harness skill run harness-release-readiness
+  args:
+    - name: path
+      description: Project root path
+      required: false
+    - name: comprehensive
+      description: Run comprehensive checks (API docs, examples, dep health, git hygiene)
+      type: boolean
+      required: false
+mcp:
+  tool: run_skill
+  input:
+    skill: harness-release-readiness
+    path: string
+type: rigid
+phases:
+  - name: audit
+    description: Run release-specific checks (packaging, docs, repo hygiene, CI/CD)
+    required: true
+  - name: maintain
+    description: Dispatch maintenance skills in parallel and collect results
+    required: true
+  - name: fix
+    description: Offer auto-remediation for fixable findings
+    required: true
+  - name: report
+    description: Generate report and persist state for session resumption
+    required: true
+state:
+  persistent: true
+  files:
+    - .harness/release-readiness.json
+depends_on:
+  - detect-doc-drift
+  - cleanup-dead-code
+  - align-documentation
+  - enforce-architecture
+  - harness-diagnostics
+  - harness-parallel-agents

package/dist/agents/skills/gemini-cli/harness-security-review/skill.yaml

@@ -0,0 +1,50 @@
+name: harness-security-review
+version: "1.0.0"
+description: Deep security audit with OWASP baseline and stack-adaptive analysis
+cognitive_mode: meticulous-implementer
+triggers:
+  - manual
+  - on_pr
+platforms:
+  - claude-code
+  - gemini-cli
+tools:
+  - Bash
+  - Read
+  - Write
+  - Edit
+  - Glob
+  - Grep
+cli:
+  command: harness skill run harness-security-review
+  args:
+    - name: path
+      description: Project root path
+      required: false
+    - name: deep
+      description: Enable threat modeling phase
+      required: false
+mcp:
+  tool: run_skill
+  input:
+    skill: harness-security-review
+    path: string
+type: rigid
+phases:
+  - name: scan
+    description: Run mechanical security scanner
+    required: true
+  - name: review
+    description: AI-powered security review (OWASP + stack-adaptive)
+    required: true
+  - name: threat-model
+    description: Lightweight threat model from codebase graph
+    required: false
+  - name: report
+    description: Generate findings report with remediation guidance
+    required: true
+state:
+  persistent: false
+  files: []
+depends_on:
+  - harness-code-review

package/dist/agents/skills/gemini-cli/harness-security-scan/SKILL.md

@@ -0,0 +1,102 @@
+# Harness Security Scan
+
+> Lightweight mechanical security scan. Fast triage, not deep review.
+
+## When to Use
+
+- As part of the codebase-health-analyst sweep
+- For quick security triage on a project or changed files
+- On scheduled cron runs for continuous security coverage
+- NOT for deep security review (use harness-security-review)
+- NOT for threat modeling (use harness-security-review --deep)
+
+## Process
+
+### Phase 1: SCAN — Run Mechanical Scanner
+
+1. **Resolve project root.** Use provided path or cwd.
+
+2. **Load security config.** Read `harness.config.json` and extract `security`
+   section. Fall back to defaults if absent.
+
+3. **Determine file scope.**
+   - If `--changed-only` or triggered by PR: run `git diff --name-only HEAD~1`
+     to get changed files. Filter to source files only (exclude node_modules,
+     dist, test files per config).
+   - Otherwise: scan all source files in the project.
+
+4. **Run SecurityScanner.** Call `SecurityScanner.scanFiles()` from
+   `@harness-engineering/core`.
+
+5. **Filter by severity threshold.** Remove findings below the configured
+   threshold:
+   - `error`: only errors
+   - `warning`: errors and warnings (default)
+   - `info`: all findings
+
+6. **Output report.** Present findings grouped by severity:
+
+   ```
+   Security Scan: [PASS/FAIL]
+   Scanned: N files, M rules applied
+   Errors: N | Warnings: N | Info: N
+
+   [List findings with rule ID, file:line, severity, message, remediation]
+   ```
+
+## Gates
+
+- **Error-severity findings are blocking.** Report is FAIL if any error-severity
+  finding exists after filtering.
+- **No AI review.** This skill is mechanical only. Do not perform OWASP analysis
+  or threat modeling.
+
+## Harness Integration
+
+- **`harness check-security`** — CLI command that invokes this skill's scanner.
+- **`SecurityScanner`** — Core class from `@harness-engineering/core` that executes the rule engine.
+- **`harness.config.json`** — Security section configures severity threshold and file exclusions.
+- **codebase-health-analyst persona** — Invokes this skill as part of its sweep.
+
+## Escalation
+
+- **When error-severity findings are disputed:** The scanner is mechanical — it may flag false positives. If a finding is a false positive, add a `// harness-ignore SEC-XXX` comment on the line and document the rationale. Do not suppress without explanation.
+- **When the scanner misses a known vulnerability:** This skill runs pattern-based rules only. For semantic analysis (taint tracking, control flow), use `/harness:security-review` instead.
+- **When scan is too slow on large codebases:** Use `--changed-only` to scope to recently changed files. Full scans can run on a scheduled cron instead.
+
+## Success Criteria
+
+- Scanner ran and produced findings (or confirmed clean)
+- Findings are filtered by the configured severity threshold
+- Report follows the structured format
+- Exit code reflects pass/fail status
+
+## Examples
+
+### Example: Clean Scan
+
+```
+Security Scan: PASS
+Scanned: 42 files, 12 rules applied
+Errors: 0 | Warnings: 0 | Info: 0
+```
+
+### Example: Findings Detected
+
+```
+Security Scan: FAIL
+Scanned: 42 files, 12 rules applied
+Errors: 1 | Warnings: 2 | Info: 0
+
+[SEC-SECRET-001] src/config.ts:15 (error)
+  Hardcoded API key detected: `const API_KEY = "sk-..."`
+  Remediation: Move to environment variable, use dotenv or secrets manager.
+
+[SEC-NET-001] src/cors.ts:5 (warning)
+  CORS wildcard origin: `origin: "*"`
+  Remediation: Restrict to specific allowed origins.
+
+[SEC-CRYPTO-001] src/auth.ts:22 (warning)
+  Weak hash algorithm: `crypto.createHash("md5")`
+  Remediation: Use SHA-256 or stronger.
+```

package/dist/agents/skills/gemini-cli/harness-security-scan/skill.yaml

@@ -0,0 +1,41 @@
+name: harness-security-scan
+version: "1.0.0"
+description: Lightweight mechanical security scan for health checks
+cognitive_mode: meticulous-implementer
+triggers:
+  - manual
+  - scheduled
+platforms:
+  - claude-code
+  - gemini-cli
+tools:
+  - Bash
+  - Read
+  - Glob
+  - Grep
+cli:
+  command: harness skill run harness-security-scan
+  args:
+    - name: path
+      description: Project root path
+      required: false
+    - name: severity
+      description: Minimum severity threshold (error, warning, info)
+      required: false
+    - name: changed-only
+      description: Only scan git-changed files
+      required: false
+mcp:
+  tool: run_skill
+  input:
+    skill: harness-security-scan
+    path: string
+type: rigid
+phases:
+  - name: scan
+    description: Run SecurityScanner and filter by severity threshold
+    required: true
+state:
+  persistent: false
+  files: []
+depends_on: []

package/dist/agents/skills/gemini-cli/harness-test-advisor/SKILL.md

@@ -0,0 +1,131 @@
+# Harness Test Advisor
+
+> Graph-based test selection. Answers: "I changed these files — what tests should I run?"
+
+## When to Use
+
+- Before pushing code — run only the tests that matter
+- In CI — optimize test suite execution order
+- When a test fails — understand which changes could have caused it
+- When `on_pr` triggers fire
+- NOT for writing tests (use harness-tdd)
+- NOT for test quality analysis (out of scope)
+
+## Prerequisites
+
+A knowledge graph must exist at `.harness/graph/`. Run `harness scan` if no graph is available.
+If the graph exists but code has changed since the last scan, re-run `harness scan` first — stale graph data leads to inaccurate results.
+
+## Process
+
+### Phase 1: PARSE — Identify Changed Files
+
+1. **From diff**: Parse `git diff --name-only` to get changed file paths.
+2. **From input**: Accept comma-separated file paths.
+3. **Filter**: Only consider `.ts`, `.tsx`, `.js`, `.jsx` files (skip docs, config).
+
+### Phase 2: DISCOVER — Find Related Tests via Graph
+
+For each changed file, use graph traversal to find test files:
+
+1. **Direct test coverage**: Use `get_impact` to find test files that import the changed file.
+
+   ```
+   get_impact(filePath="src/services/auth.ts")
+   → tests: ["tests/services/auth.test.ts", "tests/integration/auth-flow.test.ts"]
+   ```
+
+2. **Transitive test coverage**: Use `query_graph` with depth 2 to find tests that import files that import the changed file.
+
+   ```
+   query_graph(rootNodeIds=["file:src/services/auth.ts"], maxDepth=2, includeEdges=["imports"], bidirectional=true)
+   ```
+
+3. **Co-change tests**: Check `co_changes_with` edges for test files that historically change alongside the modified files.
+
+### Phase 3: PRIORITIZE — Rank and Generate Commands
+
+Organize tests into three tiers:
+
+**Tier 1 — Must Run** (direct coverage):
+Tests that directly import or test the changed files. These are most likely to catch regressions.
+
+**Tier 2 — Should Run** (transitive coverage):
+Tests that cover code one hop away from the changed files. These catch indirect breakage.
+
+**Tier 3 — Could Run** (related):
+Tests in the same module or that co-change with the modified files. Lower probability of failure but worth running if time permits.
+
+### Output
+
+```
+## Test Advisor Report
+
+### Changed Files
+- src/services/auth.ts (modified)
+- src/types/user.ts (modified)
+
+### Tier 1 — Must Run (direct coverage)
+1. tests/services/auth.test.ts — imports auth.ts
+2. tests/types/user.test.ts — imports user.ts
+
+### Tier 2 — Should Run (transitive)
+3. tests/routes/login.test.ts — imports routes/login.ts → imports auth.ts
+4. tests/middleware/verify.test.ts — imports middleware/verify.ts → imports auth.ts
+
+### Tier 3 — Could Run (related)
+5. tests/integration/auth-flow.test.ts — same module, co-changes with auth.ts
+
+### Quick Run Command
+npx vitest run tests/services/auth.test.ts tests/types/user.test.ts tests/routes/login.test.ts tests/middleware/verify.test.ts
+
+### Full Run Command (all tiers)
+npx vitest run tests/services/auth.test.ts tests/types/user.test.ts tests/routes/login.test.ts tests/middleware/verify.test.ts tests/integration/auth-flow.test.ts
+```
+
+## Harness Integration
+
+- **`harness scan`** — Must run before this skill to ensure graph is current.
+- **`harness validate`** — Run after acting on findings to verify project health.
+- **Graph tools** — This skill uses `query_graph`, `get_impact`, and `get_relationships` MCP tools.
+
+## Success Criteria
+
+- Tests prioritized into 3 tiers (Must Run, Should Run, Could Run)
+- Executable run commands generated for quick and full test runs
+- Coverage gaps flagged for changed files with no test coverage
+- Report follows the structured output format
+- All findings are backed by graph query evidence, not heuristics
+
+## Examples
+
+### Example: Selecting Tests for a Services Change
+
+```
+Input: git diff shows src/services/auth.ts and src/types/user.ts modified
+
+1. PARSE    — 2 changed files identified (both .ts)
+2. DISCOVER — get_impact(filePath="src/services/auth.ts")
+              query_graph with depth 2 for transitive tests
+              Tier 1: auth.test.ts, user.test.ts (direct imports)
+              Tier 2: login.test.ts, verify.test.ts (one hop away)
+              Tier 3: auth-flow.test.ts (co-change history)
+3. PRIORITIZE — 5 tests across 3 tiers
+
+Output:
+  Tier 1 (must run): 2 tests
+  Tier 2 (should run): 2 tests
+  Tier 3 (could run): 1 test
+  Quick command: npx vitest run auth.test.ts user.test.ts login.test.ts verify.test.ts
+  Coverage gaps: none
+```
+
+## Gates
+
+- **No advice without graph.** If no graph exists, fall back to: "Run all tests in the same directory as changed files."
+- **Always include Tier 1.** Direct test coverage is non-negotiable — always recommend running these.
+
+## Escalation
+
+- **When changed file has no test coverage**: Flag as a gap: "No tests found for src/services/auth.ts — consider adding tests before merging."
+- **When Tier 1 has >20 tests**: The changed file may be a hub. Suggest running Tier 1 in parallel or splitting the file.

package/dist/agents/skills/gemini-cli/harness-test-advisor/skill.yaml

@@ -0,0 +1,44 @@
+name: harness-test-advisor
+version: "1.0.0"
+description: Graph-based test selection — answers "what tests should I run?"
+cognitive_mode: advisory-guide
+triggers:
+  - manual
+  - on_pr
+platforms:
+  - claude-code
+  - gemini-cli
+tools:
+  - Bash
+  - Read
+  - Glob
+  - Grep
+cli:
+  command: harness skill run harness-test-advisor
+  args:
+    - name: path
+      description: Project root path
+      required: false
+    - name: files
+      description: Comma-separated list of changed files
+      required: false
+mcp:
+  tool: run_skill
+  input:
+    skill: harness-test-advisor
+    path: string
+type: flexible
+phases:
+  - name: parse
+    description: Identify changed files from diff or input
+    required: true
+  - name: discover
+    description: Find related tests via graph traversal
+    required: true
+  - name: prioritize
+    description: Rank tests by relevance and generate commands
+    required: true
+state:
+  persistent: false
+  files: []
+depends_on: []

package/dist/agents/skills/tests/platform-parity.test.ts

@@ -0,0 +1,131 @@
+// agents/skills/tests/platform-parity.test.ts
+//
+// Ensures all AI platform variations (claude-code, gemini-cli) of skills
+// exist and are in sync. Every skill must be present in every platform
+// directory with identical SKILL.md and skill.yaml files.
+
+import { describe, it, expect } from 'vitest';
+import { glob } from 'glob';
+import { readFileSync, existsSync } from 'fs';
+import { resolve, dirname } from 'path';
+import { fileURLToPath } from 'url';
+import { ALLOWED_PLATFORMS } from './schema';
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const SKILLS_DIR = resolve(__dirname, '..');
+
+// Discover all platform directories
+const platforms = ALLOWED_PLATFORMS.filter((p) => existsSync(resolve(SKILLS_DIR, p)));
+
+// Files that must exist and be identical in every platform
+const SKILL_FILES = ['SKILL.md', 'skill.yaml'];
+
+// Collect all skill names across all platforms
+function getAllSkillNames(): Map<string, Set<string>> {
+  const skillsByPlatform = new Map<string, Set<string>>();
+
+  for (const platform of platforms) {
+    const dirs = glob.sync('*/', {
+      cwd: resolve(SKILLS_DIR, platform),
+      ignore: ['node_modules/'],
+    });
+    const names = new Set(
+      dirs
+        .map((d) => d.replace(/\/$/, ''))
+        .filter((name) => {
+          // Only include directories that have at least one skill file
+          return SKILL_FILES.some((f) => existsSync(resolve(SKILLS_DIR, platform, name, f)));
+        })
+    );
+    skillsByPlatform.set(platform, names);
+  }
+
+  return skillsByPlatform;
+}
+
+describe('platform parity', () => {
+  if (platforms.length < 2) {
+    it.skip('fewer than 2 platform directories found', () => {});
+    return;
+  }
+
+  const skillsByPlatform = getAllSkillNames();
+
+  // Get the union of all skill names across platforms
+  const allSkillNames = new Set<string>();
+  for (const names of skillsByPlatform.values()) {
+    for (const name of names) {
+      allSkillNames.add(name);
+    }
+  }
+
+  if (allSkillNames.size === 0) {
+    it.skip('no skills found in any platform', () => {});
+    return;
+  }
+
+  describe('every skill exists in all platforms', () => {
+    const cases = Array.from(allSkillNames)
+      .sort()
+      .flatMap((skill) => platforms.map((platform) => ({ skill, platform })));
+
+    it.each(cases)('$skill exists in $platform', ({ skill, platform }) => {
+      const skillDir = resolve(SKILLS_DIR, platform, skill);
+      expect(
+        existsSync(skillDir),
+        `Skill "${skill}" is missing from platform "${platform}". ` +
+          `It exists in: ${platforms.filter((p) => skillsByPlatform.get(p)?.has(skill)).join(', ')}`
+      ).toBe(true);
+    });
+  });
+
+  describe('skill files are identical across platforms', () => {
+    // Use the first platform as the reference
+    const [referencePlatform, ...otherPlatforms] = platforms;
+
+    const cases = Array.from(allSkillNames)
+      .sort()
+      .flatMap((skill) =>
+        SKILL_FILES.flatMap((file) => otherPlatforms.map((platform) => ({ skill, file, platform })))
+      );
+
+    it.each(cases)(
+      '$skill/$file is identical in $platform vs ' + platforms[0],
+      ({ skill, file, platform }) => {
+        const refPath = resolve(SKILLS_DIR, referencePlatform!, skill, file);
+        const otherPath = resolve(SKILLS_DIR, platform, skill, file);
+
+        if (!existsSync(refPath) || !existsSync(otherPath)) {
+          // Missing file is caught by the existence test above
+          return;
+        }
+
+        const refContent = readFileSync(refPath, 'utf-8');
+        const otherContent = readFileSync(otherPath, 'utf-8');
+
+        expect(
+          otherContent,
+          `${skill}/${file} differs between ${referencePlatform} and ${platform}. ` +
+            `Run: cp agents/skills/${referencePlatform}/${skill}/${file} agents/skills/${platform}/${skill}/${file}`
+        ).toBe(refContent);
+      }
+    );
+  });
+
+  describe('platform skill counts match', () => {
+    it('all platforms have the same number of skills', () => {
+      const counts = platforms.map((p) => ({
+        platform: p,
+        count: skillsByPlatform.get(p)?.size ?? 0,
+      }));
+
+      const first = counts[0]!;
+      for (const { platform, count } of counts.slice(1)) {
+        expect(
+          count,
+          `Platform "${platform}" has ${count} skills but "${first.platform}" has ${first.count}`
+        ).toBe(first.count);
+      }
+    });
+  });
+});

package/dist/agents/skills/tests/schema.ts

@@ -39,6 +39,8 @@ const ALLOWED_TRIGGERS = [
   'on_refactor',
   'on_project_init',
   'on_review',
+  'on_milestone',
+  'on_task_complete',
 ] as const;
 
 const ALLOWED_PLATFORMS = ['claude-code', 'gemini-cli'] as const;

package/dist/bin/harness.js

@@ -1,11 +1,11 @@
 #!/usr/bin/env node
 import {
   createProgram
-} from "../chunk-C3J2HW4Y.js";
+} from "../chunk-O6NEKDYP.js";
 import "../chunk-3U5VZYR7.js";
 import {
   handleError
-} from "../chunk-EFZOLZFB.js";
+} from "../chunk-ACMDUQJG.js";
 
 // src/bin/harness.ts
 async function main() {

package/dist/{chunk-EFZOLZFB.js → chunk-ACMDUQJG.js}

@@ -37,7 +37,9 @@ var ALLOWED_TRIGGERS = [
   "on_bug_fix",
   "on_refactor",
   "on_project_init",
-  "on_review"
+  "on_review",
+  "on_milestone",
+  "on_task_complete"
 ];
 var ALLOWED_PLATFORMS = ["claude-code", "gemini-cli"];
 var ALLOWED_COGNITIVE_MODES = [
@@ -115,7 +117,7 @@ function buildSkillYaml(opts) {
     description: opts.description,
     cognitive_mode: opts.cognitiveMode ?? "constructive-architect",
     triggers: ["manual"],
-    platforms: ["claude-code"],
+    platforms: ["claude-code", "gemini-cli"],
     tools: ["Read", "Grep", "Glob", "Edit", "Write", "Bash"],
     type: "flexible",
     state: {