@intentsolutions/audit-harness 1.1.5 → 1.1.7

package/CHANGELOG.md

@@ -2,6 +2,77 @@
 
 All notable changes are recorded here. Format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/) and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [Unreleased]
+
+### Added — CI-only signed evidence emit for the intent-eval-dashboard (nr75.12)
+
+The dashboard reports hub (labs.intentsolutions.io) ingests a signed `report-manifest.json` of kernel `gate-result/v1` rows per repo. This adds audit-harness's own emit, lighting up its row.
+
+- **`ci/emit-evidence.ts` + `ci/assemble-manifest.ts`** — run the real deterministic self-gate (`harness-hash --verify`), shape it into a kernel `gate-result/v1` + `EvidenceBundle` (fail-closed against `@intentsolutions/core`), cosign-sign the canonical bytes (Fulcio OIDC + Rekor), and assemble the manifest the dashboard re-verifies at ingest.
+- **Zero-dep guarantee preserved.** The emitter lives in `ci/` (excluded from `package.json#files`) and the kernel is installed CI-only via `npm i --no-save` — `dependencies` + `devDependencies` stay empty and the published tarball is unchanged (verified via `npm pack --dry-run`).
+- **`.github/workflows/release.yml`** — adds a GitHub Release on tag push + an `emit-evidence` job (tag-only) that publishes the manifest as a Release asset.
+
+### Added — `currency` advisory upstream-currency report (PP-PLAN-040 Phase 5 / E7)
+
+The fifth verb, and deliberately the weakest: an advisory report with no exit-code authority.
+
+- **`audit-harness currency`** (`scripts/currency.py`, stdlib): reads the per-upstream-identity pin relation (`schemas/currency/pins.v1.json`) and reports which pins are themselves **stale** — `checked_at` older than the pin's staleness window. Each upstream (mcp-spec, skill-md-schema, claude-code, gate-result-predicate, anthropic-sdk, agentskills-spec) carries its own `pinned_version` + `checked_at` + window, so the *pin's own staleness* is detectable (not one opaque scalar).
+- **No exit-code authority (always exit 0), no live-fetch, no auto-fix.** Currency depends on upstream state — non-deterministic and network-bound — so it only reports. `/sync-testing-harness` consumes the report to open advisory bump PRs; it never reddens a build. `--today YYYY-MM-DD` makes reports reproducible.
+- **`tests/currency/`**: golden suite (3 checks) — stale/current/unknown classification, the no-exit-authority guarantee (exit 0 even when all pins are stale), and the shipped relation reporting.
+
+### Added — `scan` security/hygiene/skill-quality gate-runner (PP-PLAN-040 Phase 4 / E6)
+
+The fourth read-only verb: security + hygiene + skill-quality, by orchestrating standard tools (never reimplementing them).
+
+- **`audit-harness scan [repo]`** (`scripts/scan.py`, stdlib): for every `dimension: security | hygiene | skill-quality` gate in the profile, emits a `gate-result/v1` row. Three strategies: **local** (`hygiene-readme` README presence — deterministic), **shell-out** (every gate carrying a `tool` — gitleaks / osv-scanner / semgrep / syft / markdownlint / lychee — clean exit → PASS, findings → ADVISORY(error), tool absent → ADVISORY indeterminate), **consume** (`skill-behavioral` ingests a j-rig Evidence Bundle verdict via `--jrig-verdict`; the harness never runs behavioral judgment itself — no verdict → indeterminate).
+- Advisory-first; `--strict` (or a blocking gate) turns a finding/gap into `FAIL`. Kill-switch → `[]`. Each row records `metadata.method` (`local-presence` / `shell-out` / `consume-j-rig`).
+- **`tests/scan/`**: golden suite (10 checks) with pinned-profile isolation so shell-out tool availability never makes the suite flaky.
+
+**Security note:** on first run this gate caught — and this release redacts from HEAD — a PyPI publish token that had been pasted as a literal value in `python/PUBLISH.md`. The value remains in git history; it must be rotated at the registry (tracked separately). The doc now carries a placeholder.
+
+### Added — `audit` testing-depth gate-runner (PP-PLAN-040 Phase 3 / E5)
+
+The third read-only verb: the "finish the pyramid" testing-depth diagnostic.
+
+- **`audit-harness audit [repo]`** (`scripts/audit.py`, stdlib): for every `dimension: testing-depth` gate in the profile, assesses the gate and emits a `gate-result/v1` row. Two read-only strategies: `crap-score` runs the bundled `crap` scorer (static complexity×coverage); every pyramid layer (unit/integration/e2e/smoke/perf/a11y/contract/migration/property-based/fuzz/sanitizers) gets a per-layer **presence heuristic** (test dirs, framework configs, dependency markers). Layer present → `PASS`; absent → `ADVISORY(warn)` testing-depth gap; not statically assessable → `ADVISORY` indeterminate.
+- **`--fast` (default)** presence heuristics only (<10s); **`--deep`** adds `crap-score`; **`--strict`** turns a gap on a blocking gate into `FAIL`. Kill-switch → `[]`. Each row records `metadata.method` (`crap-static` / `presence-heuristic` / `delegated`) for provenance.
+- **Deliberately does NOT execute the repo's test suite.** Running arbitrary untrusted suites is the repo's own CI's job; the harness reports coverage *presence* and the repo's CI test step produces the execution verdict. `audit` is the diagnostic, not the test runner.
+- **`tests/audit/`**: golden suite (7 checks) + `has-tests`/`no-tests` fixtures — asserts unit→PASS / gap→ADVISORY(default) / gap→FAIL(`--strict`), crap deep-only-in-fast, kill-switch, and gate-result/v1 validity. CI `audit` job.
+
+### Added — registry projection + FP-rate harness (PP-PLAN-040 Phase 0 completion: c2b + c2e)
+
+Closes the data/safety-spine epic (E2): the registry becomes the single canonical datum and gate promotion gets a measured bar.
+
+- **`audit-harness gen-layer-applicability`** (`scripts/gen-layer-applicability.py`): projects `schemas/audit-profile/registry.v1.json` into `schemas/audit-profile/layer-applicability.md`. `--write` regenerates; `--check` fails on drift. The doc is now a **projection** of the registry datum, not a hand-maintained parallel source — CI gate `layer-applicability-drift` enforces it (c2b).
+- **`audit-harness fp-rate`** (`scripts/fp-rate.py`): measures each gate's false-positive / false-negative rate over a labeled corpus (`tests/fixtures/conform/{valid,malformed}/`). This is the metric that gates advisory→blocking promotion. `--max-fp-rate X` exits 1 if any gate exceeds the bar; CI runs it advisory at the 5% default bar (c2e).
+- **`docs/gate-promotion.md`**: the dedicated advisory→blocking promotion rule — FP-rate ≤ 5% bar, engineer-pinned in `tests/TESTING.md`, re-pinned manifest. Documents *why* FP-rate (not FN-rate) is the gate and how demotion/kill-switch works. `docs/` now ships in the npm package (`files`).
+
+### Added — `conform` verb + bundled content-addressed schemas (PP-PLAN-040 Phase 2)
+
+The second piece of the read-only brain: deterministic conformance, emitting Evidence Bundle rows.
+
+- **`audit-harness conform [repo]`** (`scripts/conform.py`, stdlib + PyYAML): read-only conformance gate-runner. For every `dimension: conformance` gate in the repo's `audit-profile/v1`, it locates the artifact(s) and emits a `gate-result/v1` row (JSON array, stdout). **Never writes, never live-fetches.**
+- **Bundled content-addressed schemas** (`schemas/conform/v1/`): `skillmd-frontmatter`, `mcp-config`, `plugin-manifest`, `agent-frontmatter` — the deterministic *structural floor* (parses + required keys + types), distinct from the IS 100-point rubric / SAK authoring kernel (judgment, stays in `/validate-*`). conform records each schema's sha256 in the row's `policy_hash`, so a row re-verifies against the exact schema version that produced it.
+- **Reproducible-by-design engine.** Bundled JSON-Schemas are checked by an embedded subset validator (complete for the closed bundled schemas) rather than ajv — deliberately, because ajv's availability/version varies per machine and would make signed evidence non-reproducible. Same commit + same harness version produce an identical verdict.
+- **Genuinely-external formats shell out**: OpenAPI to `spectral`, GitHub Action to `yamllint`. Missing tool produces an `ADVISORY` indeterminate (never a false `FAIL`).
+- **Advisory-first.** A conformance violation on an `enforcement: advisory` gate is `ADVISORY` (severity `error`), exit 0 — logged, not blocking. `--strict` (or an engineer-promoted `enforcement: blocking` gate) turns a violation into `FAIL` (exit 1). Missing artifact produces `NOT_APPLICABLE`. Kill-switch (`AUDIT_HARNESS_DISABLE=1` / `.audit-harness.yml`) produces an empty `[]`, exit 0.
+- **`tests/conform/`**: golden suite (31 checks) + pass/fail fixtures (valid + malformed SKILL.md, .mcp.json, plugin manifest, agent) — asserts valid to PASS, malformed to ADVISORY (default) / FAIL (`--strict`), every row validates against `gate-result/v1`, the NOT_APPLICABLE + indeterminate paths, and `policy_hash` == bundled-schema sha256 + reproducible. Wired into CI (`conform` job).
+
+Scope boundary: conformance kinds without a bundled schema (`marketplace`, `hook`) resolve to `ADVISORY` indeterminate — drop a schema into `schemas/conform/v1/` to light them up, no code change. No gate *execution* for testing-depth/security yet (Phase 3+).
+
+### Added — `classify` verb + `audit-profile/v1` (PP-PLAN-040 Phase 0 + Phase 1)
+
+The first piece of the "comprehensive audit, on any repo" build: the read-only brain.
+
+- **`audit-profile/v1` schema** (`schemas/audit-profile/v1.schema.json`): closed, versioned, hash-bearing value mirroring `gate-result/v1`. Four invariants: classifications are a UNION (not a winner), `unresolved[]` is the only Claude-refinable surface, `waived ⇒ disabled` (allOf-enforced), `registry_hash` makes a profile reproducible.
+- **Canonical dimension→gate registry** (`schemas/audit-profile/registry.v1.json`): the single datum that answers "which gates apply to repo-type X, in which dimension, at what applicability" — `layer-applicability.md` and `TESTING.md` become projections of it.
+- **`audit-harness classify [repo]`** (`scripts/classify.py`, stdlib-only): read-only repository classifier. Detects the UNION of repo-type + Claude-artifact classifications, resolves the gate set against the registry, records `registry_hash`, and emits an `audit-profile/v1` value to stdout. **Never writes to the repo.**
+- **Safety levers**: `INDETERMINATE` result class (infra failure ≠ policy failure); dispatcher per-command supervision via `AUDIT_HARNESS_TIMEOUT` (kill a hung gate, exit 124); `AUDIT_HARNESS_DISABLE=1` kill-switch (gate commands no-op; classify emits an all-disabled profile); engineer-owned `.audit-harness.yml` override (`classify_pins`, `advisory`, `disable_gates`, `disable`) — see `.audit-harness.example.yml`.
+- **`tests/classify/`**: golden fixture corpus (6 fixtures, authored before the classifier) + suite — golden-matches classifications, schema-validates every profile, exercises the kill-switch, the unknown/unresolved path, and override honoring. Wired into CI (`classify` job).
+- **`schemas/` now ships in the npm package** (`files`) so the registry + schema are available to consumers on any repo.
+
+Scope boundary: no `conform` verb, no gate execution yet (Phase 2+). `classify` is read-only and emits a profile only.
+
 ## [v1.1.5] - 2026-06-03
 
 ### Added — npm release pipeline (closes the publish-pipeline gap)

package/bin/audit-harness.js

@@ -22,8 +22,22 @@ const COMMANDS = {
   'gherkin-lint':  { script: 'gherkin-lint.sh',  args: [] },
   'crap':          { script: 'crap-score.py',    args: [] },
   'emit-evidence': { script: 'emit-evidence.sh', args: [] },
+  'classify':      { script: 'classify.py',      args: [] },
+  'conform':       { script: 'conform.py',       args: [] },
+  'audit':         { script: 'audit.py',         args: [] },
+  'scan':          { script: 'scan.py',          args: [] },
+  'fp-rate':       { script: 'fp-rate.py',       args: [] },
+  'currency':      { script: 'currency.py',      args: [] },
+  'gen-layer-applicability': { script: 'gen-layer-applicability.py', args: [] },
 };
 
+// Gate commands that may be no-op'd by the AUDIT_HARNESS_DISABLE kill-switch.
+// classify is intentionally NOT here: it emits a meaningful kill-switched profile
+// itself (every gate enforcement=disabled). verify/init/list always run.
+const KILLABLE_GATES = new Set([
+  'escape-scan', 'arch', 'bias', 'gherkin-lint', 'crap', 'emit-evidence',
+]);
+
 function usage() {
   console.log(`audit-harness — deterministic test-enforcement toolkit
 
@@ -40,6 +54,46 @@ Commands:
   bias                     Count test-bias patterns (tautology, smoke-only, etc.)
   gherkin-lint             Advisory Gherkin quality check
   crap [args...]           CRAP complexity × coverage scorer (multi-language)
+  classify [repo]          Read-only repository classifier. Emits an audit-profile/v1
+                           value (JSON, stdout) describing the UNION of detected
+                           classifications + the resolved gate set. Never writes.
+  conform [repo]           Read-only conformance gate-runner. Validates each repo
+                           artifact (SKILL.md, .mcp.json, plugin/agent ...) against a
+                           content-addressed schema BUNDLED in this harness version
+                           and emits gate-result/v1 rows (JSON array, stdout). Never
+                           writes, never live-fetches. Advisory by default; --strict
+                           turns any conformance violation into FAIL (exit 1).
+                           OpenAPI -> spectral, Action -> yamllint (missing tool =
+                           INDETERMINATE advisory).
+  audit [repo]             Read-only testing-depth gate-runner. For each
+                           testing-depth gate in the profile, reports coverage
+                           PRESENCE per pyramid layer (unit/integration/e2e/perf/
+                           fuzz/...) + runs crap-score. Emits gate-result/v1 rows.
+                           --fast (default) presence only; --deep adds crap-score;
+                           --strict turns a gap into FAIL. Does NOT execute the
+                           repo's test suite — execution stays in the repo's CI.
+  scan [repo]              Read-only security/hygiene/skill-quality gate-runner.
+                           hygiene-readme is a local presence check; every tool-
+                           backed gate (gitleaks/osv-scanner/semgrep/syft/
+                           markdownlint/lychee) shells out (clean->PASS, findings->
+                           ADVISORY, tool absent->INDETERMINATE); skill-behavioral
+                           CONSUMES a j-rig verdict (--jrig-verdict PATH), never
+                           reimplementing judgment. Emits gate-result/v1 rows.
+                           Advisory by default; --strict turns findings into FAIL.
+  fp-rate                  Measure each gate's false-positive / false-negative rate
+                           over a labeled corpus (valid/ should be clean, malformed/
+                           should flag). The metric that gates advisory->blocking
+                           promotion. --max-fp-rate X exits 1 if any gate exceeds X.
+                           See docs/gate-promotion.md.
+  currency                 Advisory upstream-currency report. Reads the per-upstream
+                           pin relation (schemas/currency/pins.v1.json) and flags
+                           pins whose checked_at is past their staleness window.
+                           NO exit-code authority (always exit 0), no live-fetch,
+                           no auto-fix — it reports; /sync-testing-harness acts.
+  gen-layer-applicability  Project schemas/audit-profile/registry.v1.json into
+                           schemas/audit-profile/layer-applicability.md. --write to
+                           regenerate, --check to fail on drift (CI gate). The doc
+                           is a PROJECTION of the canonical registry datum.
   emit-evidence            Wrap a gate-result JSON envelope in an in-toto
                            Statement v1 (predicate https://evals.intentsolutions.io/gate-result/v1)
                            Read JSON on stdin: <gate> --json | audit-harness emit-evidence
@@ -50,6 +104,14 @@ Evidence Bundle (v0.3.0+):
   and intent-eval-lab/specs/evidence-bundle/v0.1.0-draft/SPEC.md for the
   envelope schema.
 
+Safety levers:
+  AUDIT_HARNESS_DISABLE=1  Kill-switch. Gate commands no-op (exit 0, banner);
+                           classify still emits a profile with every gate disabled.
+  AUDIT_HARNESS_TIMEOUT=N  Per-command supervision: kill the gate after N seconds
+                           (exit 124) so a hung gate never blocks the pipeline.
+  .audit-harness.yml       Engineer-owned per-repo override (classify_pins, advisory,
+                           disable_gates, disable) honored by classify.
+
 Options:
   --version, -v            Print version
   --help, -h               Print this help
@@ -87,12 +149,39 @@ if (!existsSync(scriptPath)) {
   process.exit(2);
 }
 
+// Kill-switch: gate commands no-op; classify/verify/init/list still run.
+if (process.env.AUDIT_HARNESS_DISABLE === '1' && KILLABLE_GATES.has(cmd)) {
+  console.error(`audit-harness: KILL-SWITCH active (AUDIT_HARNESS_DISABLE=1) — '${cmd}' skipped`);
+  process.exit(0);
+}
+
 const isPython = entry.script.endsWith('.py');
 const interpreter = isPython ? 'python3' : 'bash';
 const finalArgs = [scriptPath, ...entry.args, ...rest];
 
+// Per-command supervision: a hung gate hits its timeout and is killed (exit 124)
+// rather than blocking the pipeline. 0/unset = no timeout.
+const timeoutSec = Number(process.env.AUDIT_HARNESS_TIMEOUT) || 0;
+
 const child = spawn(interpreter, finalArgs, { stdio: 'inherit' });
+
+let timedOut = false;
+let timer = null;
+if (timeoutSec > 0) {
+  timer = setTimeout(() => {
+    timedOut = true;
+    child.kill('SIGTERM');
+    setTimeout(() => child.kill('SIGKILL'), 2000).unref();
+  }, timeoutSec * 1000);
+  timer.unref();
+}
+
 child.on('exit', (code, signal) => {
+  if (timer) clearTimeout(timer);
+  if (timedOut) {
+    console.error(`audit-harness: ${entry.script} exceeded AUDIT_HARNESS_TIMEOUT=${timeoutSec}s — killed (INDETERMINATE)`);
+    process.exit(124);
+  }
   if (signal) {
     console.error(`audit-harness: ${entry.script} killed by ${signal}`);
     process.exit(128);
@@ -100,6 +189,7 @@ child.on('exit', (code, signal) => {
   process.exit(code ?? 0);
 });
 child.on('error', (err) => {
+  if (timer) clearTimeout(timer);
   console.error(`audit-harness: failed to spawn ${interpreter}: ${err.message}`);
   process.exit(2);
 });

package/docs/gate-promotion.md

@@ -0,0 +1,45 @@
+# Gate promotion — advisory → blocking
+
+Every gate in the [dimension→gate registry](../schemas/audit-profile/registry.v1.json) ships `enforcement: advisory`. Advisory means: the gate runs, emits its `gate-result/v1` row, logs any finding — and **exits 0**. It never reddens a build. Blocking (`enforcement: blocking`, exit 1 on violation) is **earned**, not default.
+
+This is deliberate. A gate that blocks before its false-positive rate is known erodes trust, and trust-erosion ends one way: someone appends `|| true` and the gate is dead. Advisory-first + earned-promotion keeps every blocking gate credible.
+
+## The rule
+
+A gate may be promoted to `blocking` for a repo when **all** hold:
+
+1. **Measured FP-rate below the bar.** Run the [FP-rate harness](../scripts/fp-rate.py) over a labeled corpus and confirm the gate's false-positive rate is **≤ 5%** (the default bar). A false positive is a *clean* input the gate wrongly flags — the failure mode that destroys trust.
+
+   ```bash
+   audit-harness fp-rate                      # human-readable report
+   audit-harness fp-rate --json               # machine-readable
+   audit-harness fp-rate --max-fp-rate 0.05   # exit 1 if any gate exceeds the bar
+   ```
+
+   The labeled corpus is `tests/fixtures/conform/{valid,malformed}/` (extend it: a gate is only as trustworthy as the corpus it was measured on — `valid/` inputs must stay clean, `malformed/` inputs must get flagged).
+
+2. **Engineer-pinned in the repo's policy.** Promotion is an engineer decision recorded in the target repo's hash-pinned `tests/TESTING.md` — never inferred by a tool, never proposed by an AI. The classifier reads the per-gate `enforcement` override from the engineer-owned `.audit-harness.yml` (`advisory:` / `disable_gates:` lists) and the policy in `tests/TESTING.md`; the registry default stays `advisory`.
+
+3. **Re-pinned manifest.** After editing the policy, re-init the hash manifest so the change travels with the code and `escape-scan` won't REFUSE a later legitimate edit:
+
+   ```bash
+   audit-harness init                         # re-pin after an engineer-reviewed policy edit
+   git add .harness-hash tests/TESTING.md     # commit policy + manifest together
+   ```
+
+## Why FP-rate, not FN-rate, is the promotion gate
+
+A false **negative** (a real problem the gate misses) is a coverage gap — annoying, but advisory output still surfaces it elsewhere and the gate can tighten over time. A false **positive** on a blocking gate halts a correct build, and the human response is to route around the gate permanently. So promotion is gated on FP-rate; FN-rate is reported for visibility but does not block promotion.
+
+## Demotion / kill-switch
+
+Promotion is reversible without ceremony:
+
+- Per-gate, per-repo: list the `gate_id` under `advisory:` or `disable_gates:` in `.audit-harness.yml`.
+- Whole-repo break-glass: `AUDIT_HARNESS_DISABLE=1` (gates no-op; `classify` emits an all-disabled profile; `conform` emits `[]`).
+
+A blocking gate that starts throwing false positives in the field should be demoted to advisory immediately, then re-measured before re-promotion.
+
+## Provenance
+
+Each emitted `gate-result/v1` row records the `policy_hash` (sha256 of the policy/schema the gate evaluated against), so any promotion decision is auditable back to the exact policy version that produced the measurement.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@intentsolutions/audit-harness",
-  "version": "1.1.5",
+  "version": "1.1.7",
   "description": "Deterministic test-enforcement harness — escape-scan, hash-pinning, CRAP, architecture checks, bias detection, Gherkin lint. Companion to the audit-tests and implement-tests Claude Code skills.",
   "license": "Apache-2.0",
   "author": "Jeremy Longshore <jeremy@intentsolutions.io>",
@@ -31,6 +31,8 @@
   "files": [
     "bin",
     "scripts",
+    "schemas",
+    "docs",
     "README.md",
     "LICENSE",
     "NOTICE",

package/schemas/audit-profile/layer-applicability.md

@@ -0,0 +1,146 @@
+# Layer Applicability — GENERATED from `registry.v1.json`
+
+> ⚠️ **GENERATED FILE — do not edit by hand.**
+> Source of truth: [`registry.v1.json`](registry.v1.json) (the canonical dimension→gate datum; `classify` resolves against it).
+> Regenerate: `audit-harness gen-layer-applicability --write` (or `python3 scripts/gen-layer-applicability.py --write`).
+> CI gate `layer-applicability-drift` fails the build if this file drifts from the registry.
+>
+> registry `sha256:ffbc75700fb5eb501cb47f1e4038f47ab95ae1fba534b38095e1fe7820c80ed1`
+
+THE canonical dimension-to-gate registry: the single datum that answers 'which gates apply to repo-type X, in which dimension, at what applicability'. layer-applicability.md and each repo's TESTING.md are PROJECTIONS of this datum. `classify` resolves the UNION of a repo's detected classifications against this registry and records its sha256 as the audit-profile's registry_hash. Every gate defaults to enforcement=advisory; blocking is earned (engineer-pinned in TESTING.md, FP-rate-gated). applicability mirrors the matrix glyphs: required(✅) recommended(⭕) conditional(⚠) waived(❌).
+
+**Legend (applicability):** ✅ required · ⭕ recommended · ⚠ conditional · ❌ waived
+
+Every gate defaults to `enforcement: advisory`. Blocking is **earned** — engineer-pinned in the target repo's `tests/TESTING.md`, FP-rate-gated (see [`gate-promotion.md`](../../docs/gate-promotion.md)).
+
+## Base gates (apply to every repo)
+
+| Gate | Dimension | Applicability | Enforcement | Tool |
+|---|---|---|---|---|
+| `audit-harness:local:hygiene-links` | hygiene | ⭕ recommended | advisory | `lychee` |
+| `audit-harness:local:hygiene-markdown` | hygiene | ⭕ recommended | advisory | `markdownlint` |
+| `audit-harness:local:hygiene-readme` | hygiene | ⭕ recommended | advisory | — |
+| `audit-harness:ci:cve-osv` | security | ⭕ recommended | advisory | `osv-scanner` |
+| `audit-harness:ci:secrets-gitleaks` | security | ⭕ recommended | advisory | `gitleaks` |
+
+## By classification
+
+A repo carries the **UNION** of every classification it matches (`classify` never picks a single winner). Gates dedup by `gate_id`, keeping the highest applicability.
+
+### `action`
+
+| Gate | Dimension | Applicability | Enforcement | Tool |
+|---|---|---|---|---|
+| `audit-harness:local:conform-action` | conformance | ✅ required | advisory | `yamllint` |
+| `audit-harness:ci:smoke` | testing-depth | ⭕ recommended | advisory | — |
+
+### `agent`
+
+| Gate | Dimension | Applicability | Enforcement | Tool |
+|---|---|---|---|---|
+| `audit-harness:local:conform-agent` | conformance | ✅ required | advisory | `validate-agent` |
+
+### `api`
+
+| Gate | Dimension | Applicability | Enforcement | Tool |
+|---|---|---|---|---|
+| `audit-harness:local:conform-openapi` | conformance | ✅ required | advisory | `spectral` |
+| `audit-harness:ci:sast` | security | ✅ required | advisory | `semgrep` |
+| `audit-harness:ci:contract` | testing-depth | ✅ required | advisory | — |
+| `audit-harness:ci:crap-score` | testing-depth | ✅ required | advisory | — |
+| `audit-harness:ci:integration` | testing-depth | ✅ required | advisory | — |
+| `audit-harness:ci:unit` | testing-depth | ✅ required | advisory | — |
+
+### `cli`
+
+| Gate | Dimension | Applicability | Enforcement | Tool |
+|---|---|---|---|---|
+| `audit-harness:ci:crap-score` | testing-depth | ✅ required | advisory | — |
+| `audit-harness:ci:smoke` | testing-depth | ✅ required | advisory | — |
+| `audit-harness:ci:unit` | testing-depth | ✅ required | advisory | — |
+
+### `embedded`
+
+| Gate | Dimension | Applicability | Enforcement | Tool |
+|---|---|---|---|---|
+| `audit-harness:ci:fuzz` | testing-depth | ✅ required | advisory | — |
+| `audit-harness:ci:sanitizers` | testing-depth | ✅ required | advisory | — |
+| `audit-harness:ci:unit` | testing-depth | ✅ required | advisory | — |
+
+### `frontend`
+
+| Gate | Dimension | Applicability | Enforcement | Tool |
+|---|---|---|---|---|
+| `audit-harness:ci:a11y` | testing-depth | ✅ required | advisory | `axe` |
+| `audit-harness:ci:contract` | testing-depth | ⚠ conditional | advisory | — |
+| `audit-harness:ci:crap-score` | testing-depth | ✅ required | advisory | — |
+| `audit-harness:ci:e2e` | testing-depth | ✅ required | advisory | — |
+| `audit-harness:ci:unit` | testing-depth | ✅ required | advisory | — |
+
+### `hook`
+
+| Gate | Dimension | Applicability | Enforcement | Tool |
+|---|---|---|---|---|
+| `audit-harness:local:conform-hook` | conformance | ✅ required | advisory | `validate-hook` |
+
+### `library`
+
+| Gate | Dimension | Applicability | Enforcement | Tool |
+|---|---|---|---|---|
+| `audit-harness:ci:cve-osv` | security | ✅ required | advisory | `osv-scanner` |
+| `audit-harness:ci:crap-score` | testing-depth | ✅ required | advisory | — |
+| `audit-harness:ci:property-based` | testing-depth | ⭕ recommended | advisory | — |
+| `audit-harness:ci:unit` | testing-depth | ✅ required | advisory | — |
+
+### `marketplace`
+
+| Gate | Dimension | Applicability | Enforcement | Tool |
+|---|---|---|---|---|
+| `audit-harness:local:conform-marketplace` | conformance | ✅ required | advisory | `validate-marketplace` |
+
+### `mcp`
+
+| Gate | Dimension | Applicability | Enforcement | Tool |
+|---|---|---|---|---|
+| `audit-harness:local:conform-mcp` | conformance | ✅ required | advisory | `validate-mcp` |
+
+### `monorepo`
+
+| Gate | Dimension | Applicability | Enforcement | Tool |
+|---|---|---|---|---|
+| `audit-harness:local:per-package-classify` | testing-depth | ✅ required | advisory | — |
+
+### `plugin`
+
+| Gate | Dimension | Applicability | Enforcement | Tool |
+|---|---|---|---|---|
+| `audit-harness:local:conform-plugin` | conformance | ✅ required | advisory | `validate-plugin` |
+| `audit-harness:server:skill-behavioral` | skill-quality | ⭕ recommended | advisory | `j-rig` |
+
+### `service`
+
+| Gate | Dimension | Applicability | Enforcement | Tool |
+|---|---|---|---|---|
+| `audit-harness:ci:sast` | security | ✅ required | advisory | `semgrep` |
+| `audit-harness:ci:sbom-syft` | security | ⭕ recommended | advisory | `syft` |
+| `audit-harness:ci:contract` | testing-depth | ✅ required | advisory | — |
+| `audit-harness:ci:crap-score` | testing-depth | ✅ required | advisory | — |
+| `audit-harness:ci:integration` | testing-depth | ✅ required | advisory | — |
+| `audit-harness:ci:migration` | testing-depth | ✅ required | advisory | — |
+| `audit-harness:ci:perf` | testing-depth | ⭕ recommended | advisory | — |
+| `audit-harness:ci:unit` | testing-depth | ✅ required | advisory | — |
+
+### `skill`
+
+| Gate | Dimension | Applicability | Enforcement | Tool |
+|---|---|---|---|---|
+| `audit-harness:local:conform-skillmd` | conformance | ✅ required | advisory | `validate-skillmd` |
+| `audit-harness:server:skill-behavioral` | skill-quality | ⭕ recommended | advisory | `j-rig` |
+
+## Overlays
+
+### `regulated`
+
+Compliance overlay (HIPAA/SOX/PCI-DSS/SOC2/GDPR/FedRAMP markers). Promotes recommended security + conformance gates to required and escalates uncovered SHOULD requirements.
+
+Promotes to **required**: `security`, `conformance`.

package/schemas/audit-profile/registry.v1.json

@@ -0,0 +1,87 @@
+{
+  "registry_version": "audit-profile-registry/v1",
+  "description": "THE canonical dimension-to-gate registry: the single datum that answers 'which gates apply to repo-type X, in which dimension, at what applicability'. layer-applicability.md and each repo's TESTING.md are PROJECTIONS of this datum. `classify` resolves the UNION of a repo's detected classifications against this registry and records its sha256 as the audit-profile's registry_hash. Every gate defaults to enforcement=advisory; blocking is earned (engineer-pinned in TESTING.md, FP-rate-gated). applicability mirrors the matrix glyphs: required(✅) recommended(⭕) conditional(⚠) waived(❌).",
+  "base": [
+    { "gate_id": "audit-harness:local:hygiene-readme", "dimension": "hygiene", "applicability": "recommended", "enforcement": "advisory", "result_class_default": "PASS" },
+    { "gate_id": "audit-harness:local:hygiene-links", "dimension": "hygiene", "applicability": "recommended", "enforcement": "advisory", "tool": "lychee", "result_class_default": "INDETERMINATE" },
+    { "gate_id": "audit-harness:local:hygiene-markdown", "dimension": "hygiene", "applicability": "recommended", "enforcement": "advisory", "tool": "markdownlint" },
+    { "gate_id": "audit-harness:ci:secrets-gitleaks", "dimension": "security", "applicability": "recommended", "enforcement": "advisory", "tool": "gitleaks", "result_class_default": "INDETERMINATE" },
+    { "gate_id": "audit-harness:ci:cve-osv", "dimension": "security", "applicability": "recommended", "enforcement": "advisory", "tool": "osv-scanner", "result_class_default": "INDETERMINATE" }
+  ],
+  "classifications": {
+    "service": [
+      { "gate_id": "audit-harness:ci:unit", "dimension": "testing-depth", "applicability": "required", "enforcement": "advisory" },
+      { "gate_id": "audit-harness:ci:crap-score", "dimension": "testing-depth", "applicability": "required", "enforcement": "advisory" },
+      { "gate_id": "audit-harness:ci:integration", "dimension": "testing-depth", "applicability": "required", "enforcement": "advisory" },
+      { "gate_id": "audit-harness:ci:contract", "dimension": "testing-depth", "applicability": "required", "enforcement": "advisory" },
+      { "gate_id": "audit-harness:ci:migration", "dimension": "testing-depth", "applicability": "required", "enforcement": "advisory" },
+      { "gate_id": "audit-harness:ci:sast", "dimension": "security", "applicability": "required", "enforcement": "advisory", "tool": "semgrep" },
+      { "gate_id": "audit-harness:ci:sbom-syft", "dimension": "security", "applicability": "recommended", "enforcement": "advisory", "tool": "syft" },
+      { "gate_id": "audit-harness:ci:perf", "dimension": "testing-depth", "applicability": "recommended", "enforcement": "advisory" }
+    ],
+    "api": [
+      { "gate_id": "audit-harness:ci:unit", "dimension": "testing-depth", "applicability": "required", "enforcement": "advisory" },
+      { "gate_id": "audit-harness:ci:crap-score", "dimension": "testing-depth", "applicability": "required", "enforcement": "advisory" },
+      { "gate_id": "audit-harness:ci:integration", "dimension": "testing-depth", "applicability": "required", "enforcement": "advisory" },
+      { "gate_id": "audit-harness:ci:contract", "dimension": "testing-depth", "applicability": "required", "enforcement": "advisory" },
+      { "gate_id": "audit-harness:local:conform-openapi", "dimension": "conformance", "applicability": "required", "enforcement": "advisory", "tool": "spectral" },
+      { "gate_id": "audit-harness:ci:sast", "dimension": "security", "applicability": "required", "enforcement": "advisory", "tool": "semgrep" }
+    ],
+    "frontend": [
+      { "gate_id": "audit-harness:ci:unit", "dimension": "testing-depth", "applicability": "required", "enforcement": "advisory" },
+      { "gate_id": "audit-harness:ci:crap-score", "dimension": "testing-depth", "applicability": "required", "enforcement": "advisory" },
+      { "gate_id": "audit-harness:ci:e2e", "dimension": "testing-depth", "applicability": "required", "enforcement": "advisory" },
+      { "gate_id": "audit-harness:ci:a11y", "dimension": "testing-depth", "applicability": "required", "enforcement": "advisory", "tool": "axe" },
+      { "gate_id": "audit-harness:ci:contract", "dimension": "testing-depth", "applicability": "conditional", "enforcement": "advisory" }
+    ],
+    "cli": [
+      { "gate_id": "audit-harness:ci:unit", "dimension": "testing-depth", "applicability": "required", "enforcement": "advisory" },
+      { "gate_id": "audit-harness:ci:crap-score", "dimension": "testing-depth", "applicability": "required", "enforcement": "advisory" },
+      { "gate_id": "audit-harness:ci:smoke", "dimension": "testing-depth", "applicability": "required", "enforcement": "advisory" }
+    ],
+    "library": [
+      { "gate_id": "audit-harness:ci:unit", "dimension": "testing-depth", "applicability": "required", "enforcement": "advisory" },
+      { "gate_id": "audit-harness:ci:crap-score", "dimension": "testing-depth", "applicability": "required", "enforcement": "advisory" },
+      { "gate_id": "audit-harness:ci:property-based", "dimension": "testing-depth", "applicability": "recommended", "enforcement": "advisory" },
+      { "gate_id": "audit-harness:ci:cve-osv", "dimension": "security", "applicability": "required", "enforcement": "advisory", "tool": "osv-scanner", "result_class_default": "INDETERMINATE" }
+    ],
+    "embedded": [
+      { "gate_id": "audit-harness:ci:unit", "dimension": "testing-depth", "applicability": "required", "enforcement": "advisory" },
+      { "gate_id": "audit-harness:ci:fuzz", "dimension": "testing-depth", "applicability": "required", "enforcement": "advisory" },
+      { "gate_id": "audit-harness:ci:sanitizers", "dimension": "testing-depth", "applicability": "required", "enforcement": "advisory" }
+    ],
+    "monorepo": [
+      { "gate_id": "audit-harness:local:per-package-classify", "dimension": "testing-depth", "applicability": "required", "enforcement": "advisory" }
+    ],
+    "skill": [
+      { "gate_id": "audit-harness:local:conform-skillmd", "dimension": "conformance", "applicability": "required", "enforcement": "advisory", "tool": "validate-skillmd" },
+      { "gate_id": "audit-harness:server:skill-behavioral", "dimension": "skill-quality", "applicability": "recommended", "enforcement": "advisory", "tool": "j-rig" }
+    ],
+    "agent": [
+      { "gate_id": "audit-harness:local:conform-agent", "dimension": "conformance", "applicability": "required", "enforcement": "advisory", "tool": "validate-agent" }
+    ],
+    "hook": [
+      { "gate_id": "audit-harness:local:conform-hook", "dimension": "conformance", "applicability": "required", "enforcement": "advisory", "tool": "validate-hook" }
+    ],
+    "mcp": [
+      { "gate_id": "audit-harness:local:conform-mcp", "dimension": "conformance", "applicability": "required", "enforcement": "advisory", "tool": "validate-mcp" }
+    ],
+    "plugin": [
+      { "gate_id": "audit-harness:local:conform-plugin", "dimension": "conformance", "applicability": "required", "enforcement": "advisory", "tool": "validate-plugin" },
+      { "gate_id": "audit-harness:server:skill-behavioral", "dimension": "skill-quality", "applicability": "recommended", "enforcement": "advisory", "tool": "j-rig" }
+    ],
+    "marketplace": [
+      { "gate_id": "audit-harness:local:conform-marketplace", "dimension": "conformance", "applicability": "required", "enforcement": "advisory", "tool": "validate-marketplace" }
+    ],
+    "action": [
+      { "gate_id": "audit-harness:local:conform-action", "dimension": "conformance", "applicability": "required", "enforcement": "advisory", "tool": "yamllint" },
+      { "gate_id": "audit-harness:ci:smoke", "dimension": "testing-depth", "applicability": "recommended", "enforcement": "advisory" }
+    ]
+  },
+  "overlays": {
+    "regulated": {
+      "description": "Compliance overlay (HIPAA/SOX/PCI-DSS/SOC2/GDPR/FedRAMP markers). Promotes recommended security + conformance gates to required and escalates uncovered SHOULD requirements.",
+      "promote_to_required": ["security", "conformance"]
+    }
+  }
+}