@shahboura/harness 3.0.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (62) hide show
  1. package/.opencode/agents/developer.md +60 -0
  2. package/.opencode/agents/planner.md +51 -0
  3. package/.opencode/agents/reviewer.md +53 -0
  4. package/.opencode/commands/add-repo.md +26 -0
  5. package/.opencode/commands/dev-workflow.md +40 -0
  6. package/.opencode/commands/init-workspace.md +22 -0
  7. package/.opencode/commands/migrate-workspace.md +28 -0
  8. package/.opencode/commands/repo-map-refresh.md +23 -0
  9. package/.opencode/commands/story-workflow.md +24 -0
  10. package/.opencode/commands/workflow-status.md +23 -0
  11. package/.opencode/commands/workspace-config.md +27 -0
  12. package/.opencode/package.json +9 -0
  13. package/.opencode/plugins/harness-guards.ts +290 -0
  14. package/.opencode/skills/add-repo/SKILL.md +96 -0
  15. package/.opencode/skills/dev-workflow/SKILL.md +105 -0
  16. package/.opencode/skills/dev-workflow/shared/diagram-styling.md +65 -0
  17. package/.opencode/skills/dev-workflow/shared/engineering.md +14 -0
  18. package/.opencode/skills/dev-workflow/shared/status-block.md +29 -0
  19. package/.opencode/skills/dev-workflow/steps/analyze-comments.md +32 -0
  20. package/.opencode/skills/dev-workflow/steps/apply-fixes.md +24 -0
  21. package/.opencode/skills/dev-workflow/steps/comment-analysis.md +11 -0
  22. package/.opencode/skills/dev-workflow/steps/create-pr.md +39 -0
  23. package/.opencode/skills/dev-workflow/steps/develop-task.md +54 -0
  24. package/.opencode/skills/dev-workflow/steps/develop.md +60 -0
  25. package/.opencode/skills/dev-workflow/steps/fetch.md +34 -0
  26. package/.opencode/skills/dev-workflow/steps/fixup-task.md +12 -0
  27. package/.opencode/skills/dev-workflow/steps/gate.md +53 -0
  28. package/.opencode/skills/dev-workflow/steps/harden-task.md +12 -0
  29. package/.opencode/skills/dev-workflow/steps/harden.md +30 -0
  30. package/.opencode/skills/dev-workflow/steps/intake.md +52 -0
  31. package/.opencode/skills/dev-workflow/steps/metrics.md +21 -0
  32. package/.opencode/skills/dev-workflow/steps/plan-task.md +108 -0
  33. package/.opencode/skills/dev-workflow/steps/plan.md +80 -0
  34. package/.opencode/skills/dev-workflow/steps/pre-pr-fixes.md +16 -0
  35. package/.opencode/skills/dev-workflow/steps/pre-pr-review.md +14 -0
  36. package/.opencode/skills/dev-workflow/steps/pre-pr.md +14 -0
  37. package/.opencode/skills/dev-workflow/steps/preflight.md +32 -0
  38. package/.opencode/skills/dev-workflow/steps/quick-recheck.md +14 -0
  39. package/.opencode/skills/dev-workflow/steps/reconcile.md +27 -0
  40. package/.opencode/skills/dev-workflow/steps/review-task.md +32 -0
  41. package/.opencode/skills/dev-workflow/steps/security.md +18 -0
  42. package/.opencode/skills/dev-workflow/steps/triage-request.md +15 -0
  43. package/.opencode/skills/init-workspace/SKILL.md +155 -0
  44. package/.opencode/skills/migrate-workspace/SKILL.md +122 -0
  45. package/.opencode/skills/repo-map-refresh/SKILL.md +43 -0
  46. package/.opencode/skills/story-workflow/SKILL.md +78 -0
  47. package/.opencode/skills/story-workflow/commands/analyze.md +40 -0
  48. package/.opencode/skills/story-workflow/commands/groom.md +58 -0
  49. package/.opencode/skills/story-workflow/commands/improve.md +47 -0
  50. package/.opencode/skills/story-workflow/commands/refine.md +44 -0
  51. package/.opencode/skills/story-workflow/shared/context.md +22 -0
  52. package/.opencode/skills/story-workflow/shared/provider-io.md +73 -0
  53. package/.opencode/skills/story-workflow/templates/readiness-report.md +57 -0
  54. package/.opencode/skills/story-workflow/templates/story-template.md +51 -0
  55. package/.opencode/skills/story-workflow/templates/technical-notes.md +48 -0
  56. package/.opencode/skills/workflow-status/SKILL.md +30 -0
  57. package/.opencode/skills/workspace-config/SKILL.md +97 -0
  58. package/.opencode/tsconfig.json +11 -0
  59. package/CHANGELOG.md +396 -0
  60. package/LICENSE +21 -0
  61. package/README.md +351 -0
  62. package/package.json +32 -0
@@ -0,0 +1,73 @@
1
+ # shared/provider-io.md — fetch a work item, post a result back
2
+
3
+ The configured work-item provider is resolved by the harness from
4
+ `.claude/context/provider.yaml`; you never name it. There are two transports,
5
+ and the recipe differs slightly between them. This file is the single source —
6
+ every command cites it.
7
+
8
+ ## Fetch a work item
9
+
10
+ Run:
11
+
12
+ ```
13
+ bin/harness provider --op work_item.fetch --id <id>
14
+ ```
15
+
16
+ **CLI / file transport** (`local-markdown`, `github`, `gitlab`, `ado`) prints
17
+ the normalized item directly:
18
+
19
+ ```
20
+ {"ok": true, "result": {"id": "...", "title": "...", "type": "...",
21
+ "state": "...", "description": "...", "acceptance_criteria": ["…", "…"],
22
+ "provider_ref": "…"}}
23
+ ```
24
+
25
+ Work from those fields. For `local-markdown`, `<id>` is the file **stem** inside
26
+ `provider.stories_dir` (`WORK-7`, not `stories/WORK-7.md`) — the harness refuses
27
+ an id that escapes the stories dir.
28
+
29
+ **MCP transport** (`ado-mcp`, `jira`, `zoho`): a script cannot call an MCP tool,
30
+ so the same command **exits non-zero** and prints the exact MCP tool + args to
31
+ invoke — that refusal *is* the instruction. Invoke that tool yourself, capture
32
+ its raw JSON, then normalize it to the shape above:
33
+
34
+ ```
35
+ printf '%s' '<raw-json>' | bin/harness provider-normalize --op work_item.fetch
36
+ ```
37
+
38
+ ⚠️ That refusal message ends by telling you to pipe the raw result into the
39
+ `--from-raw` bootstrap. That is the **/dev-workflow** path — it starts a dev run
40
+ and seeds `state.yaml`. story-workflow must never start a run, so ignore that
41
+ last line and use `provider-normalize` (above), which runs the identical
42
+ normalize with no run side-effects.
43
+
44
+ If the fetch fails or the item isn't found, tell the user plainly and stop.
45
+
46
+ ## Post a result back (only after the user approves)
47
+
48
+ Story-quality output goes back as a **comment** — never by editing the item's
49
+ Description or Acceptance-Criteria fields:
50
+
51
+ ```
52
+ bin/harness provider --op work_item.add_comment --id <id> --text '<markdown>'
53
+ ```
54
+
55
+ - **CLI / file transport** posts directly (`local-markdown` appends under a
56
+ `## Comments` section in the story file; ADO renders the markdown; GitHub and
57
+ GitLab post native markdown).
58
+ - **MCP transport**: as with fetch, the command exits non-zero and names the
59
+ comment tool + args — invoke that MCP tool yourself with the same `<text>`.
60
+
61
+ Always show the artifact in the conversation and get an explicit yes before
62
+ posting. If the user wants changes, iterate first, then post once.
63
+
64
+ ## local-markdown: rewriting a story in place
65
+
66
+ `add_comment` is non-destructive (a comment bullet), which is exactly what
67
+ `analyze` and `groom` want. For `improve` / `refine`, the user may instead want
68
+ the refined story to **replace** the source file. That is the one sanctioned
69
+ direct write: with the user's explicit go-ahead, use the `Write` tool on the
70
+ story's `provider_ref` path (returned by the fetch) to overwrite it with the
71
+ refined markdown. If the user declines both a comment and an overwrite, leave
72
+ the output in the conversation for them to copy — never overwrite silently, and
73
+ never overwrite for `analyze` / `groom` (that would destroy the story).
@@ -0,0 +1,57 @@
1
+ # Readiness Report Template
2
+
3
+ The output format for `analyze`, and the internal rubric `improve` scores
4
+ against. A qualitative assessment of story readiness with actionable flags.
5
+
6
+ ```markdown
7
+ ## Story Readiness Report
8
+ **Work Item:** #[ID] — [Title]
9
+ **Assessed:** [date]
10
+
11
+ ### Flags
12
+
13
+ 🔴 **[Flag Name]**
14
+ [What's missing or problematic, with a specific suggestion for improvement.]
15
+
16
+ 🟡 **[Flag Name]**
17
+ [A concern that isn't blocking but should be addressed.]
18
+
19
+ 🟢 **[Flag Name]**
20
+ [Something done well — reinforces good practice.]
21
+
22
+ ### Suggested Improvements
23
+
24
+ [Concrete, story-specific suggestions — draft acceptance criteria, proposed
25
+ scope boundaries, or questions to raise in refinement. Not generic advice.]
26
+
27
+ ### Summary
28
+
29
+ [2–3 sentence overall assessment. Ready for a refinement discussion, or does it
30
+ need pre-work from the PO first?]
31
+ ```
32
+
33
+ ## Flag catalog
34
+
35
+ The readiness dimensions to evaluate. Not every flag applies to every story —
36
+ use judgment.
37
+
38
+ **Context & Motivation** — 🔴 Missing Context (no "why") · 🟡 Vague Context
39
+ (present but not tied to a business need) · 🟢 Clear Context.
40
+
41
+ **Description Quality** — 🔴 No User-Story Format (no persona/capability/outcome)
42
+ · 🟡 Ambiguous Persona ("as a user" is too generic) · 🟢 Well-Formed.
43
+
44
+ **Acceptance Criteria** — 🔴 Missing ACs · 🔴 Untestable ACs ("should work
45
+ well") · 🟡 Incomplete ACs (obvious error/edge cases missing) · 🟡 Too Many ACs
46
+ (>7 suggests a split) · 🟢 Solid ACs.
47
+
48
+ **Scope** — 🔴 Unbounded Scope · 🟡 Implicit Assumptions · 🟡 No Out-of-Scope ·
49
+ 🟢 Well-Bounded.
50
+
51
+ **Dependencies & Risks** — 🟡 Implicit Dependencies · 🟡 Cross-Team Dependency ·
52
+ 🟢 Self-Contained.
53
+
54
+ ## Tone
55
+
56
+ Constructive and specific. Every 🔴/🟡 carries a concrete fix. 🟢 flags matter
57
+ too — they reinforce what the PO and team are doing well.
@@ -0,0 +1,51 @@
1
+ # Story Template
2
+
3
+ The canonical format for user stories. All four commands produce output that
4
+ follows this structure.
5
+
6
+ ```markdown
7
+ ## Context
8
+ [Why does this story exist? What business problem or user need does it address?
9
+ Background that helps developers understand the motivation.]
10
+
11
+ ## Description
12
+ As a [persona], I want [capability], so that [outcome].
13
+
14
+ ## Acceptance Criteria
15
+ - [ ] Given [precondition], When [action], Then [expected result]
16
+ - [ ] Given [precondition], When [action], Then [expected result]
17
+ - [ ] ...
18
+
19
+ ## Out of Scope
20
+ [Explicitly what this story does NOT cover. Prevents scope creep and sets clear
21
+ boundaries for the implementation.]
22
+
23
+ ## Open Questions
24
+ [Anything unresolved, each prefixed with who answers it. Cleared during
25
+ refinement or grooming — remove items as they get answered.]
26
+
27
+ ## Technical Notes
28
+ [Added during or after grooming. Per-repo breakdown of affected components,
29
+ migration concerns, testing strategy, and risk flags. See technical-notes.md.]
30
+ ```
31
+
32
+ ## Section guidelines
33
+
34
+ **Context** — 2–4 sentences on the "why," not the "what." A developer reading
35
+ only this should understand the business motivation. No implementation detail.
36
+
37
+ **Description** — one sentence in user-story format. Needing multiple `As a…`
38
+ statements usually means the story is too large and should be split.
39
+
40
+ **Acceptance Criteria** — each AC independently testable, in Given/When/Then.
41
+ Aim for 3–7. Fewer than 3 usually means missing edge cases; more than 7 usually
42
+ means the story is too large.
43
+
44
+ **Out of Scope** — 1–3 items someone might reasonably assume are included but
45
+ aren't. If nothing is ambiguous, write "No explicit exclusions identified."
46
+
47
+ **Open Questions** — prefix each with `[PO]`, `[Tech]`, or `[Team]`. Example:
48
+ `[PO] Should existing users be migrated automatically or opt-in?`
49
+
50
+ **Technical Notes** — only populated during grooming; left empty or absent
51
+ before. See `technical-notes.md` for the per-repo format.
@@ -0,0 +1,48 @@
1
+ # Technical Notes Template
2
+
3
+ The output format for the Technical Notes produced by `groom` — a per-repo
4
+ breakdown of technical impact.
5
+
6
+ ```markdown
7
+ ## Technical Notes
8
+
9
+ ### [repo-name]
10
+ - **Affected Components:** [specific files, classes, services, or modules]
11
+ - **What Changes:** [brief description of the changes needed in this repo]
12
+ - **Database/Migration:** [schema changes / migrations, additive vs breaking; "None" if N/A]
13
+ - **API Contract:** [new/changed endpoints, request/response models; "None" if N/A]
14
+ - **Testing Strategy:** [test types + specific areas to cover]
15
+ - **Risk:** [Low / Medium / High — with a brief why]
16
+
17
+ ### [another-repo-name]
18
+ - ...
19
+
20
+ ### Cross-Repo Considerations
21
+ [Only when the story spans multiple repos: deployment order, shared contracts,
22
+ feature flags needed for safe independent rollout.]
23
+ ```
24
+
25
+ ## Guidelines
26
+
27
+ **Affected Components** — name the actual classes/services/config files.
28
+ `AuthenticationService.cs`, `SamlConfigurationProvider.cs` — not "the auth
29
+ module."
30
+
31
+ **What Changes** — 1–3 sentences on the nature of the change, not the
32
+ implementation steps. Developers work out the how; they need the what.
33
+
34
+ **Database/Migration** — note additive (safe to deploy independently) vs
35
+ breaking (needs coordinated deploy), and any data-migration concern.
36
+
37
+ **API Contract** — new endpoint, modified contract (breaking vs non-breaking),
38
+ or deprecation.
39
+
40
+ **Testing Strategy** — specific, not "add unit tests." e.g. "Unit-test the new
41
+ validation; integration-test the full feature flow against the test env."
42
+
43
+ **Risk** — Low = straightforward, well-understood. Medium = some complexity or
44
+ uncertainty. High = significant regression/data/cross-system risk. Always
45
+ explain the rating.
46
+
47
+ **Cross-Repo Considerations** — deployment order, shared models/contracts to
48
+ align, feature flags for independent deploys.
@@ -0,0 +1,30 @@
1
+ ---
2
+ name: workflow-status
3
+ version: "3.0.0"
4
+ author: "Mostafa Ashraf"
5
+ description: >
6
+ Read-only dashboard of ai-sdlc-harness runs in this workspace. USER-ENTRY —
7
+ invoke only when the user explicitly runs /workflow-status; never
8
+ ---
9
+
10
+
11
+ # workflow-status (read-only)
12
+
13
+ 1. `bin/harness status` — every run: cursor, mode, work item, task statuses,
14
+ decided gates, flagged-event count. An `aborted` field marks a run ended
15
+ by the abort verb (terminal); an `error` field marks a run whose state
16
+ failed integrity verification (its `remediation` names the reseal
17
+ command) — the rest of the dashboard still renders.
18
+ 2. Render it as a compact table for the user; for a run they ask about,
19
+ drill in with `bin/harness show --run <run>` plus the ledgers
20
+ (`events.ndjson` — the "what happened" trail; `tokens.ndjson` — spend)
21
+ and compose the per-task timeline: status + review rounds + stalls +
22
+ flagged events + gate evidence.
23
+ 3. Offer `bin/harness metrics --run <run>` — regenerates
24
+ `reports/metrics.md`, the human-readable table view of the same ledgers
25
+ (timings, tasks, verdicts, aggregated tokens, flagged events). Works at
26
+ any live step, not just the terminal metrics step; it's a deterministic
27
+ projection, so regenerating is always safe.
28
+ 4. Otherwise STRICTLY read-only: no state changes, no cursor moves, no
29
+ ledger writes — the report above is the one derived, regenerable output;
30
+ everything else only reads what the authority already records.
@@ -0,0 +1,97 @@
1
+ ---
2
+ name: workspace-config
3
+ version: "3.0.0"
4
+ author: "Mostafa Ashraf"
5
+ description: >
6
+ Change one config section (overrides / provider / language / repos) on an
7
+ already-bootstrapped workspace, without re-running the full /init-workspace
8
+ interview. USER-ENTRY — invoke only when the user explicitly runs
9
+ /workspace-config; never autonomously, never from a subagent
10
+ ---
11
+
12
+
13
+ # workspace-config
14
+
15
+ Every command below is `bin/harness <verb> …` — run it
16
+ yourself via Bash. Never ask the user to type a `harness` command; the user
17
+ only answers the questions below.
18
+
19
+ Not this skill's job: **registering a brand-new repo** (that's `/add-repo` —
20
+ discovery, duplicate-name/path refusal, permission-allowlist refresh; this
21
+ skill only *changes* an already-registered repo's path/name/`test_cmd`), and
22
+ **first-time setup** (`/init-workspace`'s interview).
23
+
24
+ ## 0 · Confirm the workspace is actually bootstrapped
25
+
26
+ Read `.claude/context/overrides.yaml`. Missing, or no `bootstrap_completed`
27
+ key: `/init-workspace` never finished — stop and send the user there.
28
+ Proceeding anyway reports "the change is live," and the user only learns
29
+ otherwise later, at a confusing `bootstrap incomplete` refusal the next
30
+ time `/dev-workflow` runs.
31
+
32
+ ## 1 · Ask which section, and what's changing
33
+
34
+ - `overrides` — any top-level key in `config/defaults/*.yaml` other than
35
+ `provider`/`repos`/`language` (`status_mapping`, `subagent_models`,
36
+ `quick_mode`, `naming` + `change_types`, `review_rounds`, `stall`,
37
+ `repo_map` staleness N, `review_policy`, `security.scan_cmd`/
38
+ `severity_order`, …). Most single-setting changes land here.
39
+ - `provider` — work-item/git provider + specifics (`stories_dir`,
40
+ `github_repo`, `ado_org`, `ado_project`, …).
41
+ - `language` — per-repo `test_cmd`, under `language.repos.<name>` (not the
42
+ whole-workspace `test_paths`/`test_closure`).
43
+ - `repos` — repointing or renaming an *existing* entry's path.
44
+
45
+ ## 2 · Read the current section before writing it
46
+
47
+ `overrides` deep-merges — a call only needs the keys actually changing:
48
+ `init-section --section overrides --json '{"quick_mode": {"loc_max": 50}}'`.
49
+ Exception: a **list**-valued key (`review_policy` is the only shipped one)
50
+ still replaces wholesale — dicts recurse, list items don't — so resend the
51
+ whole list, including entries you're not changing, or one silently vanishes.
52
+
53
+ `provider`/`language`/`repos` are full-**replace**: the write IS the whole
54
+ file. Read `.claude/context/<section>.yaml` first (Read tool, never a Bash
55
+ one-liner), splice in the change, resend the **complete** set — a partial
56
+ payload, or a forgotten self-nesting (`{"repos": {...}}` — `overrides` is
57
+ the one flat, non-nested exception), silently drops every entry you didn't
58
+ restate. For `repos`/`language` this is NOT caught by `init-verify` if it
59
+ zeroes the whole map (step 4 covers what verify does check).
60
+
61
+ **Known gap**: `overrides` only adds/updates keys, never unsets — removing
62
+ one needs a direct edit to `overrides.yaml`; say so rather than improvising.
63
+
64
+ ## 3 · Confirm a `test_cmd` change by running it, and mind two risks
65
+
66
+ Confirm any `test_cmd` change by actually running it in that repo — same
67
+ rule `/add-repo`/`/init-workspace` follow, never accept it unconfirmed.
68
+
69
+ **Known risks**: (1) `init-section --section repos` has none of `/add-repo`'s
70
+ collision checks — a duplicate name (case-insensitive: collides on-disk on
71
+ a case-insensitive filesystem) or a path under two names (misattributes
72
+ `test_cmd`/`scan_cmd`) writes cleanly; check the full map yourself before
73
+ sending it. Renaming also orphans `language.repos.<old-name>`,
74
+ `security.scan_cmd.<old-name>`, and `.claude/context/repo-map/<old-name>/`
75
+ — carry them to the new name or tell the user to. (2) Avoid repointing a
76
+ path or changing a `test_cmd` while a `/dev-workflow` run has in-flight
77
+ tasks against that repo — resolution is by exact registered path, so a
78
+ run mid-flight can start failing with a confusing "no test command" error.
79
+
80
+ ## 4 · Re-verify if the section could affect verify or permissions
81
+
82
+ `init-verify` covers `provider`, `repos` (≥1 registered, each a real git
83
+ checkout), and `language` (`test_cmd` runnability) — **not** `overrides`.
84
+
85
+ - `provider` only: re-run `init-verify`, fix any failure.
86
+ - `repos` (a path) or `language` (a `test_cmd` binary): re-run `init-verify`,
87
+ **then** `init-finalize` too — that's what refreshes the permission
88
+ allowlist (`Read` on the repo path, `Bash` on the `test_cmd` binary) to
89
+ the new value; skip it and the OLD path/binary stays allow-listed while
90
+ the new one doesn't, so a background/`mode:auto` run hits an unprompted
91
+ permission stall the first time it touches the changed repo.
92
+ - `overrides` only: no re-verify/re-finalize needed.
93
+
94
+ ## 5 · Tell the user what changed
95
+
96
+ State the section, the exact keys written, and (if re-verified/re-finalized)
97
+ the result.
@@ -0,0 +1,11 @@
1
+ {
2
+ "compilerOptions": {
3
+ "target": "ESNext",
4
+ "module": "ESNext",
5
+ "moduleResolution": "bundler",
6
+ "types": ["@opencode-ai/plugin", "node"],
7
+ "strict": true,
8
+ "noEmit": true
9
+ },
10
+ "include": ["plugins/**/*.ts"]
11
+ }