@harness-engineering/cli 1.6.0 → 1.6.2

package/dist/agents/skills/gemini-cli/harness-release-readiness/skill.yaml

@@ -0,0 +1,57 @@
+name: harness-release-readiness
+version: "1.0.0"
+description: Audit npm release readiness, run maintenance checks, offer auto-fixes, track progress across sessions
+cognitive_mode: meticulous-verifier
+triggers:
+  - manual
+  - on_milestone
+platforms:
+  - claude-code
+  - gemini-cli
+tools:
+  - Bash
+  - Read
+  - Write
+  - Edit
+  - Glob
+  - Grep
+cli:
+  command: harness skill run harness-release-readiness
+  args:
+    - name: path
+      description: Project root path
+      required: false
+    - name: comprehensive
+      description: Run comprehensive checks (API docs, examples, dep health, git hygiene)
+      type: boolean
+      required: false
+mcp:
+  tool: run_skill
+  input:
+    skill: harness-release-readiness
+    path: string
+type: rigid
+phases:
+  - name: audit
+    description: Run release-specific checks (packaging, docs, repo hygiene, CI/CD)
+    required: true
+  - name: maintain
+    description: Dispatch maintenance skills in parallel and collect results
+    required: true
+  - name: fix
+    description: Offer auto-remediation for fixable findings
+    required: true
+  - name: report
+    description: Generate report and persist state for session resumption
+    required: true
+state:
+  persistent: true
+  files:
+    - .harness/release-readiness.json
+depends_on:
+  - detect-doc-drift
+  - cleanup-dead-code
+  - align-documentation
+  - enforce-architecture
+  - harness-diagnostics
+  - harness-parallel-agents

package/dist/agents/skills/gemini-cli/harness-security-review/skill.yaml

@@ -0,0 +1,50 @@
+name: harness-security-review
+version: "1.0.0"
+description: Deep security audit with OWASP baseline and stack-adaptive analysis
+cognitive_mode: meticulous-implementer
+triggers:
+  - manual
+  - on_pr
+platforms:
+  - claude-code
+  - gemini-cli
+tools:
+  - Bash
+  - Read
+  - Write
+  - Edit
+  - Glob
+  - Grep
+cli:
+  command: harness skill run harness-security-review
+  args:
+    - name: path
+      description: Project root path
+      required: false
+    - name: deep
+      description: Enable threat modeling phase
+      required: false
+mcp:
+  tool: run_skill
+  input:
+    skill: harness-security-review
+    path: string
+type: rigid
+phases:
+  - name: scan
+    description: Run mechanical security scanner
+    required: true
+  - name: review
+    description: AI-powered security review (OWASP + stack-adaptive)
+    required: true
+  - name: threat-model
+    description: Lightweight threat model from codebase graph
+    required: false
+  - name: report
+    description: Generate findings report with remediation guidance
+    required: true
+state:
+  persistent: false
+  files: []
+depends_on:
+  - harness-code-review

package/dist/agents/skills/gemini-cli/harness-security-scan/SKILL.md

@@ -0,0 +1,102 @@
+# Harness Security Scan
+
+> Lightweight mechanical security scan. Fast triage, not deep review.
+
+## When to Use
+
+- As part of the codebase-health-analyst sweep
+- For quick security triage on a project or changed files
+- On scheduled cron runs for continuous security coverage
+- NOT for deep security review (use harness-security-review)
+- NOT for threat modeling (use harness-security-review --deep)
+
+## Process
+
+### Phase 1: SCAN — Run Mechanical Scanner
+
+1. **Resolve project root.** Use provided path or cwd.
+
+2. **Load security config.** Read `harness.config.json` and extract `security`
+   section. Fall back to defaults if absent.
+
+3. **Determine file scope.**
+   - If `--changed-only` or triggered by PR: run `git diff --name-only HEAD~1`
+     to get changed files. Filter to source files only (exclude node_modules,
+     dist, test files per config).
+   - Otherwise: scan all source files in the project.
+
+4. **Run SecurityScanner.** Call `SecurityScanner.scanFiles()` from
+   `@harness-engineering/core`.
+
+5. **Filter by severity threshold.** Remove findings below the configured
+   threshold:
+   - `error`: only errors
+   - `warning`: errors and warnings (default)
+   - `info`: all findings
+
+6. **Output report.** Present findings grouped by severity:
+
+   ```
+   Security Scan: [PASS/FAIL]
+   Scanned: N files, M rules applied
+   Errors: N | Warnings: N | Info: N
+
+   [List findings with rule ID, file:line, severity, message, remediation]
+   ```
+
+## Gates
+
+- **Error-severity findings are blocking.** Report is FAIL if any error-severity
+  finding exists after filtering.
+- **No AI review.** This skill is mechanical only. Do not perform OWASP analysis
+  or threat modeling.
+
+## Harness Integration
+
+- **`harness check-security`** — CLI command that invokes this skill's scanner.
+- **`SecurityScanner`** — Core class from `@harness-engineering/core` that executes the rule engine.
+- **`harness.config.json`** — Security section configures severity threshold and file exclusions.
+- **codebase-health-analyst persona** — Invokes this skill as part of its sweep.
+
+## Escalation
+
+- **When error-severity findings are disputed:** The scanner is mechanical — it may flag false positives. If a finding is a false positive, add a `// harness-ignore SEC-XXX` comment on the line and document the rationale. Do not suppress without explanation.
+- **When the scanner misses a known vulnerability:** This skill runs pattern-based rules only. For semantic analysis (taint tracking, control flow), use `/harness:security-review` instead.
+- **When scan is too slow on large codebases:** Use `--changed-only` to scope to recently changed files. Full scans can run on a scheduled cron instead.
+
+## Success Criteria
+
+- Scanner ran and produced findings (or confirmed clean)
+- Findings are filtered by the configured severity threshold
+- Report follows the structured format
+- Exit code reflects pass/fail status
+
+## Examples
+
+### Example: Clean Scan
+
+```
+Security Scan: PASS
+Scanned: 42 files, 12 rules applied
+Errors: 0 | Warnings: 0 | Info: 0
+```
+
+### Example: Findings Detected
+
+```
+Security Scan: FAIL
+Scanned: 42 files, 12 rules applied
+Errors: 1 | Warnings: 2 | Info: 0
+
+[SEC-SECRET-001] src/config.ts:15 (error)
+  Hardcoded API key detected: `const API_KEY = "sk-..."`
+  Remediation: Move to environment variable, use dotenv or secrets manager.
+
+[SEC-NET-001] src/cors.ts:5 (warning)
+  CORS wildcard origin: `origin: "*"`
+  Remediation: Restrict to specific allowed origins.
+
+[SEC-CRYPTO-001] src/auth.ts:22 (warning)
+  Weak hash algorithm: `crypto.createHash("md5")`
+  Remediation: Use SHA-256 or stronger.
+```

package/dist/agents/skills/gemini-cli/harness-security-scan/skill.yaml

@@ -0,0 +1,41 @@
+name: harness-security-scan
+version: "1.0.0"
+description: Lightweight mechanical security scan for health checks
+cognitive_mode: meticulous-implementer
+triggers:
+  - manual
+  - scheduled
+platforms:
+  - claude-code
+  - gemini-cli
+tools:
+  - Bash
+  - Read
+  - Glob
+  - Grep
+cli:
+  command: harness skill run harness-security-scan
+  args:
+    - name: path
+      description: Project root path
+      required: false
+    - name: severity
+      description: Minimum severity threshold (error, warning, info)
+      required: false
+    - name: changed-only
+      description: Only scan git-changed files
+      required: false
+mcp:
+  tool: run_skill
+  input:
+    skill: harness-security-scan
+    path: string
+type: rigid
+phases:
+  - name: scan
+    description: Run SecurityScanner and filter by severity threshold
+    required: true
+state:
+  persistent: false
+  files: []
+depends_on: []

package/dist/bin/harness.js

@@ -1,8 +1,9 @@
 #!/usr/bin/env node
 import {
   createProgram
-} from "../chunk-VS4OTOKZ.js";
-import "../chunk-3U5VZYR7.js";
+} from "../chunk-IUFFBBYV.js";
+import "../chunk-UDWGSL3T.js";
+import "../chunk-USEYPS7F.js";
 import {
   handleError
 } from "../chunk-ACMDUQJG.js";