@lannguyensi/harness 0.15.0 → 0.16.0

package/dist/cli/uninstall/snapshot.js

@@ -0,0 +1,34 @@
+// Snapshot file format + path helpers for `harness uninstall --apply`.
+//
+// Sibling of `src/cli/gate/snapshot.ts`. A snapshot captures one
+// uninstall invocation: which hook groups and which `mcpServers` entries
+// were removed from `~/.claude/settings.json`, the sha256 of settings.json
+// before/after, and the path the original was backed up to. Reading the
+// snapshot is enough to manually reverse the uninstall (or to drive a
+// future `harness reinstall` verb).
+//
+// The format mirrors `GateDisableSnapshot` shape but lives in its own
+// file: the two verbs have different scopes (gate-disable is matcher-
+// driven; uninstall is harness-ownership-driven) and storing them in the
+// same snapshot stream would mean every reader has to disambiguate via
+// `filter` or a discriminator. Cheaper to keep separate.
+import * as crypto from "node:crypto";
+import * as path from "node:path";
+export const SNAPSHOT_BASENAME_PREFIX = "harness.uninstall.";
+export const SNAPSHOT_BASENAME_SUFFIX = ".json";
+export const BACKUP_INFIX = ".bak.uninstall.";
+export const SNAPSHOT_VERSION = 1;
+export function sha256Hex(input) {
+    return crypto.createHash("sha256").update(input).digest("hex");
+}
+/** Build the snapshot file path for `settingsPath` at `now`. */
+export function snapshotPath(settingsPath, now) {
+    const stamp = now.toISOString().replace(/:/g, "-");
+    return path.join(path.dirname(settingsPath), `${SNAPSHOT_BASENAME_PREFIX}${stamp}${SNAPSHOT_BASENAME_SUFFIX}`);
+}
+/** Build the settings-backup file path for `settingsPath` at `now`. */
+export function backupPath(settingsPath, now) {
+    const stamp = now.toISOString().replace(/:/g, "-");
+    return `${settingsPath}${BACKUP_INFIX}${stamp}`;
+}
+//# sourceMappingURL=snapshot.js.map

package/dist/cli/uninstall/snapshot.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"snapshot.js","sourceRoot":"","sources":["../../../src/cli/uninstall/snapshot.ts"],"names":[],"mappings":"AAAA,uEAAuE;AACvE,EAAE;AACF,iEAAiE;AACjE,yEAAyE;AACzE,2EAA2E;AAC3E,wEAAwE;AACxE,sEAAsE;AACtE,oCAAoC;AACpC,EAAE;AACF,sEAAsE;AACtE,sEAAsE;AACtE,yEAAyE;AACzE,uEAAuE;AACvE,yDAAyD;AAEzD,OAAO,KAAK,MAAM,MAAM,aAAa,CAAC;AACtC,OAAO,KAAK,IAAI,MAAM,WAAW,CAAC;AAElC,MAAM,CAAC,MAAM,wBAAwB,GAAG,oBAAoB,CAAC;AAC7D,MAAM,CAAC,MAAM,wBAAwB,GAAG,OAAO,CAAC;AAChD,MAAM,CAAC,MAAM,YAAY,GAAG,iBAAiB,CAAC;AAC9C,MAAM,CAAC,MAAM,gBAAgB,GAAG,CAAU,CAAC;AAoC3C,MAAM,UAAU,SAAS,CAAC,KAAsB;IAC9C,OAAO,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACjE,CAAC;AAED,gEAAgE;AAChE,MAAM,UAAU,YAAY,CAAC,YAAoB,EAAE,GAAS;IAC1D,MAAM,KAAK,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IACnD,OAAO,IAAI,CAAC,IAAI,CACd,IAAI,CAAC,OAAO,CAAC,YAAY,CAAC,EAC1B,GAAG,wBAAwB,GAAG,KAAK,GAAG,wBAAwB,EAAE,CACjE,CAAC;AACJ,CAAC;AAED,uEAAuE;AACvE,MAAM,UAAU,UAAU,CAAC,YAAoB,EAAE,GAAS;IACxD,MAAM,KAAK,GAAG,GAAG,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;IACnD,OAAO,GAAG,YAAY,GAAG,YAAY,GAAG,KAAK,EAAE,CAAC;AAClD,CAAC"}

package/dist/policy-packs/builtin/branch-protection-runtime.d.ts

@@ -0,0 +1,47 @@
+import type { PolicyPack } from "../../schema/index.js";
+export declare const PACK_NAME = "branch-protection";
+/**
+ * Ledger tag written by the producer when the current branch is NOT in
+ * the operator's protected list. The blocker substring-matches this
+ * prefix; the trailing `:<branch>` is informational and keeps the
+ * ledger row self-describing for auditors.
+ */
+export declare const NON_PROTECTED_TAG_PREFIX = "branch:non-protected";
+/**
+ * Operator escape-hatch tag. Set via `mcp__agent-grounding__ledger_add`
+ * (Bash is gated by this very pack, so a shell-based override would be
+ * unreachable). The blocker substring-matches this prefix; the trailing
+ * `:<reason>` is a free-form note the operator types so a later audit
+ * can read WHY the override fired (e.g. `branch-protection-ack:hotfix
+ * for prod`).
+ */
+export declare const ACK_TAG_PREFIX = "branch-protection-ack";
+/**
+ * Freshness window for the producer tag. Five minutes lets a single
+ * branch-check satisfy a whole edit batch without re-running for every
+ * Write; longer than that and a branch switch in the middle of a
+ * session would silently keep the gate open against the new HEAD.
+ */
+export declare const PRODUCER_FRESHNESS_MS: number;
+/** Branches gated by default when no `config.protected_branches` is set. */
+export declare const DEFAULT_PROTECTED_BRANCHES: readonly string[];
+/**
+ * Parse the pack's `config.protected_branches` list. Falls back to the
+ * default allowlist when the operator hasn't customized it, OR when the
+ * provided value isn't a non-empty string array (the warning surfaces
+ * the type mismatch so the operator can fix it).
+ *
+ * Returns the resolved list plus a non-null warning message when the
+ * raw config was ill-formed. Caller appends the warning to the pack's
+ * `warnings` collection so it lands in apply output.
+ */
+export declare function resolveProtectedBranches(pack: PolicyPack): {
+    branches: string[];
+    warning: string | null;
+};
+/**
+ * True when `branch` is in the protected list. Empty branch (detached
+ * HEAD) is treated as protected, because we can't audit-by-name what
+ * the agent is about to commit to.
+ */
+export declare function isProtectedBranch(branch: string, protectedList: readonly string[]): boolean;

package/dist/policy-packs/builtin/branch-protection-runtime.js

@@ -0,0 +1,92 @@
+// Shared runtime constants + helpers for the `branch-protection` policy pack.
+//
+// The pack itself (`branch-protection.ts`) only emits hooks + the
+// audit-copy instructions. The actual enforcement lives in two CLI verbs
+// — `harness session-start branch-check` (producer) and `harness pack
+// hook branch-protection` (blocker) — both under `src/cli/`. This module
+// is the small shared surface they pull from: tag formats, default
+// protected list, config parsing.
+export const PACK_NAME = "branch-protection";
+/**
+ * Ledger tag written by the producer when the current branch is NOT in
+ * the operator's protected list. The blocker substring-matches this
+ * prefix; the trailing `:<branch>` is informational and keeps the
+ * ledger row self-describing for auditors.
+ */
+export const NON_PROTECTED_TAG_PREFIX = "branch:non-protected";
+/**
+ * Operator escape-hatch tag. Set via `mcp__agent-grounding__ledger_add`
+ * (Bash is gated by this very pack, so a shell-based override would be
+ * unreachable). The blocker substring-matches this prefix; the trailing
+ * `:<reason>` is a free-form note the operator types so a later audit
+ * can read WHY the override fired (e.g. `branch-protection-ack:hotfix
+ * for prod`).
+ */
+export const ACK_TAG_PREFIX = "branch-protection-ack";
+/**
+ * Freshness window for the producer tag. Five minutes lets a single
+ * branch-check satisfy a whole edit batch without re-running for every
+ * Write; longer than that and a branch switch in the middle of a
+ * session would silently keep the gate open against the new HEAD.
+ */
+export const PRODUCER_FRESHNESS_MS = 5 * 60 * 1000;
+/** Branches gated by default when no `config.protected_branches` is set. */
+export const DEFAULT_PROTECTED_BRANCHES = [
+    "master",
+    "main",
+    "develop",
+];
+/**
+ * Parse the pack's `config.protected_branches` list. Falls back to the
+ * default allowlist when the operator hasn't customized it, OR when the
+ * provided value isn't a non-empty string array (the warning surfaces
+ * the type mismatch so the operator can fix it).
+ *
+ * Returns the resolved list plus a non-null warning message when the
+ * raw config was ill-formed. Caller appends the warning to the pack's
+ * `warnings` collection so it lands in apply output.
+ */
+export function resolveProtectedBranches(pack) {
+    const raw = pack.config["protected_branches"];
+    if (raw === undefined) {
+        return { branches: [...DEFAULT_PROTECTED_BRANCHES], warning: null };
+    }
+    if (!Array.isArray(raw)) {
+        return {
+            branches: [...DEFAULT_PROTECTED_BRANCHES],
+            warning: `policy_packs[${pack.name}].config.protected_branches: expected an array of strings, got ${typeof raw}; falling back to defaults (${DEFAULT_PROTECTED_BRANCHES.join(", ")}).`,
+        };
+    }
+    const ok = [];
+    const bad = [];
+    for (const entry of raw) {
+        if (typeof entry === "string" && entry.length > 0)
+            ok.push(entry);
+        else
+            bad.push(entry);
+    }
+    if (ok.length === 0) {
+        return {
+            branches: [...DEFAULT_PROTECTED_BRANCHES],
+            warning: `policy_packs[${pack.name}].config.protected_branches: every entry was rejected (need non-empty strings); falling back to defaults (${DEFAULT_PROTECTED_BRANCHES.join(", ")}).`,
+        };
+    }
+    if (bad.length > 0) {
+        return {
+            branches: ok,
+            warning: `policy_packs[${pack.name}].config.protected_branches: skipped ${bad.length} non-string entr${bad.length === 1 ? "y" : "ies"}; using ${ok.length} valid one${ok.length === 1 ? "" : "s"} (${ok.join(", ")}).`,
+        };
+    }
+    return { branches: ok, warning: null };
+}
+/**
+ * True when `branch` is in the protected list. Empty branch (detached
+ * HEAD) is treated as protected, because we can't audit-by-name what
+ * the agent is about to commit to.
+ */
+export function isProtectedBranch(branch, protectedList) {
+    if (branch.length === 0)
+        return true;
+    return protectedList.includes(branch);
+}
+//# sourceMappingURL=branch-protection-runtime.js.map

package/dist/policy-packs/builtin/branch-protection-runtime.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"branch-protection-runtime.js","sourceRoot":"","sources":["../../../src/policy-packs/builtin/branch-protection-runtime.ts"],"names":[],"mappings":"AAAA,8EAA8E;AAC9E,EAAE;AACF,kEAAkE;AAClE,yEAAyE;AACzE,sEAAsE;AACtE,yEAAyE;AACzE,mEAAmE;AACnE,kCAAkC;AAIlC,MAAM,CAAC,MAAM,SAAS,GAAG,mBAAmB,CAAC;AAE7C;;;;;GAKG;AACH,MAAM,CAAC,MAAM,wBAAwB,GAAG,sBAAsB,CAAC;AAE/D;;;;;;;GAOG;AACH,MAAM,CAAC,MAAM,cAAc,GAAG,uBAAuB,CAAC;AAEtD;;;;;GAKG;AACH,MAAM,CAAC,MAAM,qBAAqB,GAAG,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC;AAEnD,4EAA4E;AAC5E,MAAM,CAAC,MAAM,0BAA0B,GAAsB;IAC3D,QAAQ;IACR,MAAM;IACN,SAAS;CACV,CAAC;AAEF;;;;;;;;;GASG;AACH,MAAM,UAAU,wBAAwB,CAAC,IAAgB;IAIvD,MAAM,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,oBAAoB,CAAC,CAAC;IAC9C,IAAI,GAAG,KAAK,SAAS,EAAE,CAAC;QACtB,OAAO,EAAE,QAAQ,EAAE,CAAC,GAAG,0BAA0B,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;IACtE,CAAC;IACD,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC;QACxB,OAAO;YACL,QAAQ,EAAE,CAAC,GAAG,0BAA0B,CAAC;YACzC,OAAO,EAAE,gBAAgB,IAAI,CAAC,IAAI,kEAAkE,OAAO,GAAG,+BAA+B,0BAA0B,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI;SACvL,CAAC;IACJ,CAAC;IACD,MAAM,EAAE,GAAa,EAAE,CAAC;IACxB,MAAM,GAAG,GAAc,EAAE,CAAC;IAC1B,KAAK,MAAM,KAAK,IAAI,GAAG,EAAE,CAAC;QACxB,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC;YAAE,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;;YAC7D,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IACvB,CAAC;IACD,IAAI,EAAE,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACpB,OAAO;YACL,QAAQ,EAAE,CAAC,GAAG,0BAA0B,CAAC;YACzC,OAAO,EAAE,gBAAgB,IAAI,CAAC,IAAI,6GAA6G,0BAA0B,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI;SACzL,CAAC;IACJ,CAAC;IACD,IAAI,GAAG,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACnB,OAAO;YACL,QAAQ,EAAE,EAAE;YACZ,OAAO,EAAE,gBAAgB,IAAI,CAAC,IAAI,wCAAwC,GAAG,CAAC,MAAM,mBAAmB,GAAG,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,WAAW,EAAE,CAAC,MAAM,aAAa,EAAE,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,KAAK,EAAE,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI;SACvN,CAAC;IACJ,CAAC;IACD,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC;AACzC,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,iBAAiB,CAAC,MAAc,EAAE,aAAgC;IAChF,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACrC,OAAO,aAAa,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;AACxC,CAAC"}

package/dist/policy-packs/builtin/branch-protection.d.ts

@@ -0,0 +1,9 @@
+import type { PolicyPack } from "../../schema/index.js";
+import { type Runtime } from "../runtime.js";
+import type { PackContribution } from "../types.js";
+import { PACK_NAME } from "./branch-protection-runtime.js";
+export { PACK_NAME };
+export declare function resolve(pack: PolicyPack, runtime?: Runtime): {
+    contribution: PackContribution;
+    warnings: string[];
+};

package/dist/policy-packs/builtin/branch-protection.js

@@ -0,0 +1,146 @@
+// Builtin Policy Pack: `branch-protection`.
+//
+// Blocks Write/Edit (and the codex `apply_patch` equivalent) when the
+// agent is on a protected branch (default: master, main, develop). The
+// gate fires at the FIRST source mutation, complementing the existing
+// `preflight-before-push` gate which fires at the LAST reversible step.
+//
+// Mechanics, mirroring `understanding-before-execution`:
+//
+//   1. SessionStart producer (`harness session-start branch-check`) reads
+//      `.git/HEAD` for the cwd and, if the branch is NOT protected,
+//      writes a `branch:non-protected:<branch>` fact to the evidence
+//      ledger for the current session.
+//
+//   2. PreToolUse blocker (`harness pack hook branch-protection`)
+//      consults the ledger on every Write/Edit (or `apply_patch`) and
+//      emits a Claude Code deny envelope unless either:
+//        - a fresh (<5m) `branch:non-protected` tag exists, OR
+//        - a `branch-protection-ack:` override tag exists (any age,
+//          written by the operator via `mcp__agent-grounding__ledger_add`
+//          since Bash is gated by this same pack).
+//
+// The producer is also runnable on-demand from the operator's `!` shell
+// — same CLI verb, no SessionStart event piped on stdin — so an agent
+// that just branched can refresh the gate without restarting the
+// session.
+//
+// Pack is OFF by default: it must be enabled per-installation via
+// `harness pack add branch-protection`. The `full` init template does
+// NOT wire it (revisit after one cycle of operator feedback).
+import { DEFAULT_RUNTIME } from "../runtime.js";
+import { ACK_TAG_PREFIX, DEFAULT_PROTECTED_BRANCHES, NON_PROTECTED_TAG_PREFIX, PACK_NAME, PRODUCER_FRESHNESS_MS, resolveProtectedBranches, } from "./branch-protection-runtime.js";
+export { PACK_NAME };
+const HOOK_NAME_PREFIX = `policy-pack:${PACK_NAME}`;
+const PRE_TOOL_USE_MATCH_CLAUDE = "Write|Edit";
+const PRE_TOOL_USE_MATCH_CODEX = "apply_patch";
+const PRODUCER_COMMAND = "harness session-start branch-check";
+const BLOCKER_COMMAND = "harness pack hook branch-protection";
+function buildHooks(runtime) {
+    const isCodex = runtime === "codex";
+    const blockerMatch = isCodex ? PRE_TOOL_USE_MATCH_CODEX : PRE_TOOL_USE_MATCH_CLAUDE;
+    return [
+        {
+            name: `${HOOK_NAME_PREFIX}:session-start`,
+            event: "SessionStart",
+            command: PRODUCER_COMMAND,
+            blocking: false,
+            budget_ms: 5000,
+            description: "Producer: write `branch:non-protected:<branch>` to the evidence ledger when the session opens on a non-protected branch. Non-blocking; failures leave the gate closed.",
+        },
+        {
+            name: `${HOOK_NAME_PREFIX}:pre-tool-use`,
+            event: "PreToolUse",
+            match: blockerMatch,
+            command: BLOCKER_COMMAND,
+            blocking: "hard",
+            budget_ms: 5000,
+            description: `Blocker: deny ${blockerMatch} on protected branches unless a fresh branch:non-protected tag or a branch-protection-ack override exists in the ledger.`,
+        },
+    ];
+}
+function buildInstructions(pack, branches, runtime) {
+    const description = pack.description?.trim() ?? "";
+    const isCodex = runtime === "codex";
+    const blockerMatch = isCodex ? PRE_TOOL_USE_MATCH_CODEX : PRE_TOOL_USE_MATCH_CLAUDE;
+    const settingsArtefact = isCodex
+        ? "`harness.generated/codex/config.toml`"
+        : "harness-managed `settings.json`";
+    const minutes = Math.round(PRODUCER_FRESHNESS_MS / 60000);
+    return `# Policy Pack: ${PACK_NAME}
+
+> Operator audit copy. This pack blocks source-mutating tool calls when
+> the agent is on a protected branch, closing the loop on the
+> "edit-on-master" incident pattern.
+
+## Runtime
+
+${runtime}
+
+## Protected branches
+
+${branches.map((b) => `- \`${b}\``).join("\n")}
+
+Set \`config.protected_branches\` in your manifest to override.
+
+## Effect
+
+While this pack is enabled, hooks are wired into the ${settingsArtefact}:
+
+1. \`SessionStart\` producer (\`${PRODUCER_COMMAND}\`, blocking: false):
+   reads the cwd's \`.git/HEAD\`. If the branch is NOT in the protected
+   list, writes \`${NON_PROTECTED_TAG_PREFIX}:<branch>\` to the evidence
+   ledger for the current session.
+
+2. \`PreToolUse\` blocker (\`${BLOCKER_COMMAND}\`, blocking: hard) on
+   \`${blockerMatch}\`: refuses the tool call unless EITHER
+   - a \`${NON_PROTECTED_TAG_PREFIX}\` tag exists in the ledger from
+     within the last ${minutes} minutes, OR
+   - a \`${ACK_TAG_PREFIX}:<reason>\` override tag exists (any age).
+
+## Escape hatches
+
+- **Refresh after branching**: the producer is runnable on demand from
+  the operator's \`!\` shell as \`${PRODUCER_COMMAND}\`. The agent's Bash
+  is gated by the Understanding Gate but the producer command is itself
+  a \`harness ...\` invocation that the gate's allowlist accepts.
+
+- **Explicit override** (any age, lasts the session): write the ack tag
+  via \`mcp__agent-grounding__ledger_add\` with
+  \`content: "${ACK_TAG_PREFIX}:<reason>"\`. Use this when you have a
+  deliberate reason to edit a protected branch — version bumps, CI
+  workflow patches, etc. The override survives session restarts only as
+  long as the ledger row does.
+
+## Out of scope (v1)
+
+- Locking down \`git\` itself (would create false-positive churn on
+  read-only commands like \`git status\`).
+- Auto-branching on Write attempt (silent autocorrect is wrong; the
+  agent should be the one who notices and branches).
+- Path-allowlist for safe-on-master files (CHANGELOG.md, version
+  bumps). Open for v2 if operators report friction.
+
+## Pack metadata
+${description ? `\n> ${description.replace(/\n/g, "\n> ")}\n` : ""}
+- Source: \`builtin\`
+- Pack: \`${PACK_NAME}\`
+- Runtime: \`${runtime}\`
+- Defaults: ${DEFAULT_PROTECTED_BRANCHES.join(", ")}
+`;
+}
+export function resolve(pack, runtime = DEFAULT_RUNTIME) {
+    const { branches, warning } = resolveProtectedBranches(pack);
+    const hooks = buildHooks(runtime);
+    const files = [
+        {
+            relativePath: `policy-packs/${PACK_NAME}/instructions.md`,
+            content: buildInstructions(pack, branches, runtime),
+        },
+    ];
+    const warnings = [];
+    if (warning)
+        warnings.push(warning);
+    return { contribution: { hooks, files }, warnings };
+}
+//# sourceMappingURL=branch-protection.js.map

package/dist/policy-packs/builtin/branch-protection.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"branch-protection.js","sourceRoot":"","sources":["../../../src/policy-packs/builtin/branch-protection.ts"],"names":[],"mappings":"AAAA,4CAA4C;AAC5C,EAAE;AACF,sEAAsE;AACtE,uEAAuE;AACvE,sEAAsE;AACtE,wEAAwE;AACxE,EAAE;AACF,yDAAyD;AACzD,EAAE;AACF,0EAA0E;AAC1E,oEAAoE;AACpE,qEAAqE;AACrE,uCAAuC;AACvC,EAAE;AACF,kEAAkE;AAClE,sEAAsE;AACtE,wDAAwD;AACxD,+DAA+D;AAC/D,oEAAoE;AACpE,0EAA0E;AAC1E,mDAAmD;AACnD,EAAE;AACF,wEAAwE;AACxE,sEAAsE;AACtE,iEAAiE;AACjE,WAAW;AACX,EAAE;AACF,kEAAkE;AAClE,sEAAsE;AACtE,8DAA8D;AAG9D,OAAO,EAAE,eAAe,EAAgB,MAAM,eAAe,CAAC;AAE9D,OAAO,EACL,cAAc,EACd,0BAA0B,EAC1B,wBAAwB,EACxB,SAAS,EACT,qBAAqB,EACrB,wBAAwB,GACzB,MAAM,gCAAgC,CAAC;AAExC,OAAO,EAAE,SAAS,EAAE,CAAC;AAErB,MAAM,gBAAgB,GAAG,eAAe,SAAS,EAAE,CAAC;AAEpD,MAAM,yBAAyB,GAAG,YAAY,CAAC;AAC/C,MAAM,wBAAwB,GAAG,aAAa,CAAC;AAE/C,MAAM,gBAAgB,GAAG,oCAAoC,CAAC;AAC9D,MAAM,eAAe,GAAG,qCAAqC,CAAC;AAE9D,SAAS,UAAU,CAAC,OAAgB;IAClC,MAAM,OAAO,GAAG,OAAO,KAAK,OAAO,CAAC;IACpC,MAAM,YAAY,GAAG,OAAO,CAAC,CAAC,CAAC,wBAAwB,CAAC,CAAC,CAAC,yBAAyB,CAAC;IACpF,OAAO;QACL;YACE,IAAI,EAAE,GAAG,gBAAgB,gBAAgB;YACzC,KAAK,EAAE,cAAc;YACrB,OAAO,EAAE,gBAAgB;YACzB,QAAQ,EAAE,KAAK;YACf,SAAS,EAAE,IAAI;YACf,WAAW,EACT,wKAAwK;SAC3K;QACD;YACE,IAAI,EAAE,GAAG,gBAAgB,eAAe;YACxC,KAAK,EAAE,YAAY;YACnB,KAAK,EAAE,YAAY;YACnB,OAAO,EAAE,eAAe;YACxB,QAAQ,EAAE,MAAM;YAChB,SAAS,EAAE,IAAI;YACf,WAAW,EAAE,iBAAiB,YAAY,0HAA0H;SACrK;KACF,CAAC;AACJ,CAAC;AAED,SAAS,iBAAiB,CAAC,IAAgB,EAAE,QAA2B,EAAE,OAAgB;IACxF,MAAM,WAAW,GAAG,IAAI,CAAC,WAAW,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;IACnD,MAAM,OAAO,GAAG,OAAO,KAAK,OAAO,CAAC;IACpC,MAAM,YAAY,GAAG,OAAO,CAAC,CAAC,CAAC,wBAAwB,CAAC,CAAC,CAAC,yBAAyB,CAAC;IACpF,MAAM,gBAAgB,GAAG,OAAO;QAC9B,CAAC,CAAC,uCAAuC;QACzC,CAAC,CAAC,iCAAiC,CAAC;IACtC,MAAM,OAAO,GAAG,IAAI,CAAC,KAAK,CAAC,qBAAqB,GAAG,KAAK,CAAC,CAAC;IAC1D,OAAO,kBAAkB,SAAS;;;;;;;;EAQlC,OAAO;;;;EAIP,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;;;;;;uDAMS,gBAAgB;;kCAErC,gBAAgB;;oBAE9B,wBAAwB;;;+BAGb,eAAe;OACvC,YAAY;WACR,wBAAwB;uBACZ,OAAO;WACnB,cAAc;;;;;oCAKW,gBAAgB;;;;;;gBAMpC,cAAc;;;;;;;;;;;;;;;EAe5B,WAAW,CAAC,CAAC,CAAC,OAAO,WAAW,CAAC,OAAO,CAAC,KAAK,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE;;YAEtD,SAAS;eACN,OAAO;cACR,0BAA0B,CAAC,IAAI,CAAC,IAAI,CAAC;CAClD,CAAC;AACF,CAAC;AAED,MAAM,UAAU,OAAO,CACrB,IAAgB,EAChB,UAAmB,eAAe;IAElC,MAAM,EAAE,QAAQ,EAAE,OAAO,EAAE,GAAG,wBAAwB,CAAC,IAAI,CAAC,CAAC;IAC7D,MAAM,KAAK,GAAG,UAAU,CAAC,OAAO,CAAC,CAAC;IAClC,MAAM,KAAK,GAA2B;QACpC;YACE,YAAY,EAAE,gBAAgB,SAAS,kBAAkB;YACzD,OAAO,EAAE,iBAAiB,CAAC,IAAI,EAAE,QAAQ,EAAE,OAAO,CAAC;SACpD;KACF,CAAC;IACF,MAAM,QAAQ,GAAa,EAAE,CAAC;IAC9B,IAAI,OAAO;QAAE,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACpC,OAAO,EAAE,YAAY,EAAE,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE,QAAQ,EAAE,CAAC;AACtD,CAAC"}

package/dist/policy-packs/registry.d.ts

@@ -2,7 +2,7 @@ import type { PolicyPack } from "../schema/index.js";
 import { type ResolvePackOptions } from "./builtin/understanding-before-execution.js";
 import { type Runtime } from "./runtime.js";
 import type { PackContribution } from "./types.js";
-export declare const KNOWN_BUILTIN_PACKS: readonly ["understanding-before-execution"];
+export declare const KNOWN_BUILTIN_PACKS: readonly ["understanding-before-execution", "branch-protection"];
 export type BuiltinPackName = (typeof KNOWN_BUILTIN_PACKS)[number];
 export declare function isBuiltinPackName(name: string): name is BuiltinPackName;
 export interface ResolveBuiltinResult {

package/dist/policy-packs/registry.js

@@ -1,11 +1,16 @@
 // Registry of builtin policy-pack names.
 //
-// Phase 6 #2 ships exactly one builtin: `understanding-before-execution`.
-// Future builtins are added here. Non-builtin sources (path/npm/git) are
+// Phase 6 #2 shipped `understanding-before-execution`; subsequent
+// builtins are added by appending to `KNOWN_BUILTIN_PACKS` and a case
+// arm in `resolveBuiltin()`. Non-builtin sources (path/npm/git) are
 // out of scope for v1; their resolution lands in a later sub-task.
+import { PACK_NAME as BRANCH_PROTECTION, resolve as resolveBranchProtection, } from "./builtin/branch-protection.js";
 import { PACK_NAME as UNDERSTANDING_BEFORE_EXECUTION, resolve as resolveUnderstandingBeforeExecution, } from "./builtin/understanding-before-execution.js";
 import { DEFAULT_RUNTIME } from "./runtime.js";
-export const KNOWN_BUILTIN_PACKS = [UNDERSTANDING_BEFORE_EXECUTION];
+export const KNOWN_BUILTIN_PACKS = [
+    UNDERSTANDING_BEFORE_EXECUTION,
+    BRANCH_PROTECTION,
+];
 export function isBuiltinPackName(name) {
     return KNOWN_BUILTIN_PACKS.includes(name);
 }
@@ -15,6 +20,8 @@ export function resolveBuiltin(pack, runtime = DEFAULT_RUNTIME, opts = {}) {
     switch (pack.name) {
         case UNDERSTANDING_BEFORE_EXECUTION:
             return resolveUnderstandingBeforeExecution(pack, runtime, opts);
+        case BRANCH_PROTECTION:
+            return resolveBranchProtection(pack, runtime);
     }
 }
 //# sourceMappingURL=registry.js.map

package/dist/policy-packs/registry.js.map

@@ -1 +1 @@
-{"version":3,"file":"registry.js","sourceRoot":"","sources":["../../src/policy-packs/registry.ts"],"names":[],"mappings":"AAAA,yCAAyC;AACzC,EAAE;AACF,0EAA0E;AAC1E,yEAAyE;AACzE,mEAAmE;AAGnE,OAAO,EACL,SAAS,IAAI,8BAA8B,EAC3C,OAAO,IAAI,mCAAmC,GAE/C,MAAM,6CAA6C,CAAC;AACrD,OAAO,EAAE,eAAe,EAAgB,MAAM,cAAc,CAAC;AAG7D,MAAM,CAAC,MAAM,mBAAmB,GAAG,CAAC,8BAA8B,CAAU,CAAC;AAG7E,MAAM,UAAU,iBAAiB,CAAC,IAAY;IAC5C,OAAQ,mBAAyC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;AACnE,CAAC;AAOD,MAAM,UAAU,cAAc,CAC5B,IAAgB,EAChB,UAAmB,eAAe,EAClC,OAA2B,EAAE;IAE7B,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAC/C,QAAQ,IAAI,CAAC,IAAuB,EAAE,CAAC;QACrC,KAAK,8BAA8B;YACjC,OAAO,mCAAmC,CAAC,IAAI,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC;IACpE,CAAC;AACH,CAAC"}
+{"version":3,"file":"registry.js","sourceRoot":"","sources":["../../src/policy-packs/registry.ts"],"names":[],"mappings":"AAAA,yCAAyC;AACzC,EAAE;AACF,kEAAkE;AAClE,sEAAsE;AACtE,oEAAoE;AACpE,mEAAmE;AAGnE,OAAO,EACL,SAAS,IAAI,iBAAiB,EAC9B,OAAO,IAAI,uBAAuB,GACnC,MAAM,gCAAgC,CAAC;AACxC,OAAO,EACL,SAAS,IAAI,8BAA8B,EAC3C,OAAO,IAAI,mCAAmC,GAE/C,MAAM,6CAA6C,CAAC;AACrD,OAAO,EAAE,eAAe,EAAgB,MAAM,cAAc,CAAC;AAG7D,MAAM,CAAC,MAAM,mBAAmB,GAAG;IACjC,8BAA8B;IAC9B,iBAAiB;CACT,CAAC;AAGX,MAAM,UAAU,iBAAiB,CAAC,IAAY;IAC5C,OAAQ,mBAAyC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;AACnE,CAAC;AAOD,MAAM,UAAU,cAAc,CAC5B,IAAgB,EAChB,UAAmB,eAAe,EAClC,OAA2B,EAAE;IAE7B,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAC/C,QAAQ,IAAI,CAAC,IAAuB,EAAE,CAAC;QACrC,KAAK,8BAA8B;YACjC,OAAO,mCAAmC,CAAC,IAAI,EAAE,OAAO,EAAE,IAAI,CAAC,CAAC;QAClE,KAAK,iBAAiB;YACpB,OAAO,uBAAuB,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IAClD,CAAC;AACH,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lannguyensi/harness",
-  "version": "0.15.0",
+  "version": "0.16.0",
   "description": "Declarative control plane for agent harnesses — one YAML for grounding, tools, memory, and hooks.",
   "license": "MIT",
   "homepage": "https://github.com/LanNguyenSi/harness",
@@ -37,6 +37,7 @@
     "test:watch": "vitest",
     "test:cov": "vitest run --coverage",
     "typecheck": "tsc --noEmit",
+    "check:ug-schema-drift": "node scripts/check-ug-schema-drift.mjs",
     "prepublishOnly": "npm run build"
   },
   "dependencies": {