coding-agent-harness 1.0.6 → 1.0.8

package/dist/lib/preset-runner.mjs

@@ -0,0 +1,294 @@
+// @ts-nocheck
+// Generic preset entrypoint runner. Domain logic belongs in preset packages.
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
+import crypto from "node:crypto";
+import { spawnSync } from "node:child_process";
+import { normalizeTarget, readFileSafe, readJsonSafe, sanitizeDeep, toPosix, walkFiles, } from "./core-shared.mjs";
+import { beginGovernanceSync, commitGovernanceSync, releaseGovernanceSync } from "./governance-sync.mjs";
+import { parseTaskMetadata } from "./task-metadata.mjs";
+import { taskIdForDirectory } from "./task-scanner.mjs";
+import { resolveTaskDirectory } from "./task-lifecycle.mjs";
+import { evaluateTemplateValues, assertPresetWriteScope } from "./preset-engine.mjs";
+import { buildPresetAudit, readPresetPackage } from "./preset-registry.mjs";
+const materializationSchemaVersion = "preset-materialization/v1";
+const maxMaterializedFileBytes = 10 * 1024 * 1024;
+const maxMaterializedWrites = 500;
+export function runPresetEntrypoint(presetId, entrypointName, { taskRef = "", targetInput = ".", json = false } = {}) {
+    const target = normalizeTarget(targetInput);
+    const preset = readPresetPackage(presetId, { targetInput });
+    const entrypoint = preset.entrypoints?.[entrypointName];
+    if (!entrypoint)
+        throw new Error(`Preset ${preset.id} does not declare entrypoint: ${entrypointName}`);
+    if (!["script", "check"].includes(entrypoint.type))
+        throw new Error(`Preset entrypoint ${entrypointName} is not runnable by preset run`);
+    if (!taskRef)
+        throw new Error("preset run requires --task <task-id>");
+    const taskDir = resolveTaskDirectory(target, taskRef);
+    const taskPlan = readFileSafe(path.join(taskDir, "task_plan.md"));
+    const metadata = parseTaskMetadata(taskPlan);
+    if (metadata.preset !== preset.id)
+        throw new Error(`Task ${taskRef} was created by preset ${metadata.preset || "none"}, not ${preset.id}`);
+    const taskId = taskIdForDirectory(target, taskDir);
+    const resolvedInputs = readResolvedInputs(target, metadata);
+    const values = evaluateTemplateValues(preset, resolvedInputs, { taskId, taskTitle: taskId, moduleKey: "" });
+    const outputRoot = fs.mkdtempSync(path.join(os.tmpdir(), `harness-preset-${preset.id}-${entrypointName}-`));
+    const manifestPath = path.join(outputRoot, "materialization-manifest.json");
+    const contextPath = path.join(outputRoot, "preset-context.json");
+    const beforeSnapshot = targetSnapshot(target.projectRoot);
+    try {
+        const context = {
+            schemaVersion: "preset-run-context/v1",
+            preset: { id: preset.id, version: preset.version, source: preset.source },
+            entrypoint: entrypointName,
+            task: {
+                id: taskId,
+                ref: taskRef,
+                dir: toPosix(path.relative(target.projectRoot, taskDir)),
+                taskPlanPath: toPosix(path.relative(target.projectRoot, path.join(taskDir, "task_plan.md"))),
+            },
+            targetRoot: target.projectRoot,
+            targetRootPolicy: "read-only; direct target mutation before manifest materialization is a hard failure",
+            outputRoot,
+            materializationManifestPath: manifestPath,
+            inputs: sanitizeDeep(resolvedInputs),
+            values: sanitizeDeep(values),
+            audit: buildPresetAudit(preset, {
+                taskId,
+                targetRoot: target.projectRoot,
+                entrypoint: entrypointName,
+                writeScopes: entrypoint.writes,
+                resolvedInputs,
+            }),
+        };
+        fs.writeFileSync(contextPath, `${JSON.stringify(context, null, 2)}\n`);
+        const commandPath = path.join(preset.directory, entrypoint.command || "");
+        const script = spawnSync(process.execPath, [commandPath], {
+            cwd: outputRoot,
+            encoding: "utf8",
+            env: {
+                ...process.env,
+                HARNESS_PRESET_CONTEXT: contextPath,
+            },
+            timeout: 120000,
+            maxBuffer: 10 * 1024 * 1024,
+        });
+        if (script.error)
+            throw script.error;
+        if (script.status !== 0) {
+            throw new Error(`Preset entrypoint ${preset.id}.${entrypointName} failed with ${script.status}\n${script.stderr || script.stdout || ""}`.trim());
+        }
+        const afterScriptSnapshot = targetSnapshot(target.projectRoot);
+        assertSnapshotsEqual(beforeSnapshot, afterScriptSnapshot, "Preset script mutated target before materialization");
+        const manifest = readMaterializationManifest(manifestPath);
+        const materialization = validateMaterializationManifest(preset, entrypoint, manifest, { outputRoot, targetRoot: target.projectRoot });
+        const governanceContext = beginGovernanceSync(target, {
+            operation: `preset-run ${preset.id}.${entrypointName}`,
+            allowDirtyWorktree: true,
+            allowedRelativePaths: materialization.map((item) => item.destination),
+        });
+        try {
+            materializeWrites(target.projectRoot, materialization);
+            const commit = commitGovernanceSync(governanceContext, materialization.map((item) => item.destination), {
+                message: `chore(harness): run preset ${preset.id} ${entrypointName}`,
+            });
+            return {
+                preset: preset.id,
+                entrypoint: entrypointName,
+                taskId,
+                status: manifest.status || (entrypoint.type === "check" ? "pass" : "ok"),
+                materialized: materialization.map((item) => ({
+                    source: item.source,
+                    destination: item.destination,
+                    type: item.type,
+                    sha256: item.sha256,
+                })),
+                governance: { commit },
+            };
+        }
+        finally {
+            releaseGovernanceSync(governanceContext);
+        }
+    }
+    finally {
+        fs.rmSync(outputRoot, { recursive: true, force: true });
+    }
+}
+function readResolvedInputs(target, metadata) {
+    const evidenceBundle = String(metadata.evidenceBundle || "").replace(/^TARGET:/, "").replace(/^\/+/, "");
+    if (!evidenceBundle)
+        return {};
+    const auditPath = path.join(target.projectRoot, evidenceBundle, "preset-audit.json");
+    const audit = readJsonSafe(auditPath, {});
+    return audit.resolvedInputs || {};
+}
+function readMaterializationManifest(manifestPath) {
+    if (!fs.existsSync(manifestPath))
+        throw new Error("Preset entrypoint did not emit materialization manifest");
+    const manifest = readJsonSafe(manifestPath, null);
+    if (!manifest || typeof manifest !== "object" || Array.isArray(manifest))
+        throw new Error("Invalid preset materialization manifest");
+    if (manifest.schemaVersion !== materializationSchemaVersion)
+        throw new Error(`Invalid preset materialization schema: ${manifest.schemaVersion || "(missing)"}`);
+    if (!Array.isArray(manifest.writes))
+        throw new Error("Preset materialization manifest writes must be an array");
+    if (manifest.writes.length > maxMaterializedWrites)
+        throw new Error(`Preset materialization manifest has too many writes: ${manifest.writes.length}`);
+    return manifest;
+}
+function validateMaterializationManifest(preset, entrypoint, manifest, { outputRoot, targetRoot }) {
+    const seenDestinations = new Set();
+    const writes = manifest.writes.map((write, index) => {
+        const source = normalizeManifestRelativePath(write.source, "Manifest source");
+        const destination = normalizeManifestRelativePath(write.destination, "Manifest destination");
+        if (seenDestinations.has(destination))
+            throw new Error(`Duplicate materialization destination: ${destination}`);
+        seenDestinations.add(destination);
+        assertEntrypointWriteScope(preset, entrypoint, destination);
+        const sourcePath = path.join(outputRoot, source);
+        assertOutputSource(outputRoot, sourcePath, source);
+        const stat = fs.lstatSync(sourcePath);
+        if (stat.size > maxMaterializedFileBytes)
+            throw new Error(`Manifest source exceeds size limit: ${source}`);
+        assertDestinationParent(targetRoot, destination);
+        return {
+            source,
+            sourcePath,
+            destination,
+            destinationPath: path.join(targetRoot, destination),
+            type: String(write.type || "text"),
+            visibility: String(write.visibility || ""),
+            sha256: sha256File(sourcePath),
+        };
+    });
+    enforcePublicRedaction(manifest, writes, { outputRoot });
+    return writes;
+}
+function normalizeManifestRelativePath(value, label) {
+    const raw = String(value || "").trim();
+    const normalized = toPosix(path.normalize(raw));
+    if (!raw || path.isAbsolute(raw) || normalized === "." || normalized === ".." || normalized.startsWith("../") || normalized.includes("/../")) {
+        throw new Error(`${label} escapes preset output root: ${raw || "(missing)"}`);
+    }
+    return normalized;
+}
+function assertOutputSource(outputRoot, sourcePath, source) {
+    if (!fs.existsSync(sourcePath))
+        throw new Error(`Manifest source missing: ${source}`);
+    const stat = fs.lstatSync(sourcePath);
+    if (stat.isSymbolicLink())
+        throw new Error(`Manifest source must not be a symlink: ${source}`);
+    if (!stat.isFile())
+        throw new Error(`Manifest source must be a file: ${source}`);
+    const realRoot = fs.realpathSync(outputRoot);
+    const realSource = fs.realpathSync(sourcePath);
+    if (!isInside(realRoot, realSource))
+        throw new Error(`Manifest source escapes preset output root: ${source}`);
+}
+function assertDestinationParent(targetRoot, destination) {
+    let parent = path.dirname(path.join(targetRoot, destination));
+    const realTarget = fs.realpathSync(targetRoot);
+    while (!fs.existsSync(parent) && parent !== targetRoot && parent !== path.dirname(parent))
+        parent = path.dirname(parent);
+    if (fs.existsSync(parent)) {
+        const stat = fs.lstatSync(parent);
+        if (stat.isSymbolicLink())
+            throw new Error(`Manifest destination parent must not be a symlink: ${destination}`);
+        const realParent = fs.realpathSync(parent);
+        if (!isInside(realTarget, realParent))
+            throw new Error(`Manifest destination parent escapes target root: ${destination}`);
+    }
+}
+function assertEntrypointWriteScope(preset, entrypoint, destination) {
+    assertPresetWriteScope(preset, destination);
+    if (!entrypoint.writes.some((scope) => matchesScope(scope, destination))) {
+        throw new Error(`Preset write scope violation for ${destination}`);
+    }
+}
+function matchesScope(scope, relativePath) {
+    const normalizedScope = toPosix(path.normalize(String(scope || "")));
+    if (normalizedScope.endsWith("/**")) {
+        const prefix = normalizedScope.slice(0, -3);
+        return relativePath === prefix || relativePath.startsWith(`${prefix}/`);
+    }
+    return relativePath === normalizedScope;
+}
+function enforcePublicRedaction(manifest, writes, { outputRoot }) {
+    const publicWrites = writes.filter((write) => write.visibility === "public" || write.destination.startsWith("docs-release/"));
+    if (publicWrites.length === 0)
+        return;
+    const reportSource = normalizeManifestRelativePath(manifest.publicRedactionReport?.source || "", "Public redaction report source");
+    const reportPath = path.join(outputRoot, reportSource);
+    assertOutputSource(outputRoot, reportPath, reportSource);
+    const report = readJsonSafe(reportPath, null);
+    if (!report || report.status !== "pass")
+        throw new Error("Public materialization requires a passing public redaction report");
+}
+function materializeWrites(targetRoot, writes) {
+    const backups = [];
+    try {
+        for (const write of writes) {
+            const destinationPath = write.destinationPath;
+            fs.mkdirSync(path.dirname(destinationPath), { recursive: true });
+            const existed = fs.existsSync(destinationPath);
+            const backupPath = existed ? `${destinationPath}.backup-${process.pid}-${crypto.randomBytes(4).toString("hex")}` : "";
+            if (existed) {
+                fs.copyFileSync(destinationPath, backupPath);
+                backups.push({ destinationPath, backupPath, existed });
+            }
+            else {
+                backups.push({ destinationPath, backupPath: "", existed });
+            }
+            const tempPath = `${destinationPath}.tmp-${process.pid}-${crypto.randomBytes(4).toString("hex")}`;
+            fs.copyFileSync(write.sourcePath, tempPath);
+            fs.renameSync(tempPath, destinationPath);
+        }
+        for (const backup of backups) {
+            if (backup.backupPath)
+                fs.rmSync(backup.backupPath, { force: true });
+        }
+    }
+    catch (error) {
+        for (const backup of backups.reverse()) {
+            try {
+                if (backup.existed && backup.backupPath && fs.existsSync(backup.backupPath))
+                    fs.renameSync(backup.backupPath, backup.destinationPath);
+                else if (!backup.existed)
+                    fs.rmSync(backup.destinationPath, { force: true });
+            }
+            catch {
+                // Preserve the original materialization failure.
+            }
+        }
+        throw error;
+    }
+}
+function targetSnapshot(root) {
+    const entries = new Map();
+    for (const filePath of walkFiles(root)) {
+        const relative = toPosix(path.relative(root, filePath));
+        if (relative.startsWith(".harness/locks/"))
+            continue;
+        const stat = fs.lstatSync(filePath);
+        entries.set(relative, `${stat.size}:${sha256File(filePath)}`);
+    }
+    return entries;
+}
+function assertSnapshotsEqual(before, after, message) {
+    const changed = [];
+    const paths = new Set([...before.keys(), ...after.keys()]);
+    for (const item of paths) {
+        if (before.get(item) !== after.get(item))
+            changed.push(item);
+    }
+    if (changed.length)
+        throw new Error(`${message}: ${changed.slice(0, 12).join(", ")}`);
+}
+function sha256File(filePath) {
+    return crypto.createHash("sha256").update(fs.readFileSync(filePath)).digest("hex");
+}
+function isInside(root, candidate) {
+    const relative = path.relative(root, candidate);
+    return relative === "" || (!relative.startsWith("..") && !path.isAbsolute(relative));
+}

package/dist/lib/task-index.mjs

@@ -56,6 +56,7 @@ export function buildTaskIndex(targetInput) {
             supersedes: task.supersedes || [],
             supersededBy: task.supersededBy || "",
             deletionState: task.deletionState || "active",
+            archiveMetadata: task.archiveMetadata || {},
             hiddenByDefault: task.hiddenByDefault === true,
             repairPrompt: task.repairPrompt || "",
             repairActions: repairActions(task),

package/dist/lib/task-lifecycle.mjs

@@ -570,9 +570,11 @@ export function updateModuleStep(targetInput, moduleKey, stepId, { state = "" }
         releaseGovernanceSync(governanceContext);
     }
 }
-export function listLifecycleTasks(targetInput, { state = "", moduleKey = "", queue = "", preset = "", review = "", lesson = "", search = "", missingMaterials = false } = {}) {
+export function listLifecycleTasks(targetInput, { state = "", moduleKey = "", queue = "", preset = "", review = "", lesson = "", search = "", missingMaterials = false, includeArchived = false } = {}) {
     const target = normalizeTarget(targetInput);
     let tasks = collectTasks(target);
+    if (!includeArchived)
+        tasks = tasks.filter((task) => task.deletionState === "active" && task.hiddenByDefault !== true);
     if (state)
         tasks = tasks.filter((task) => task.state === String(state).toLowerCase().replaceAll("-", "_"));
     if (moduleKey)

package/dist/lib/task-review-model.mjs

@@ -58,6 +58,7 @@ export function parseTaskTombstone(taskPlanContent) {
             supersededBy: "",
             supersedes: topLevelSupersedes,
             deleteReason: "",
+            archiveMetadata: {},
             hiddenByDefault: false,
             reopenEligible: false,
             archiveEligible: false,
@@ -71,6 +72,7 @@ export function parseTaskTombstone(taskPlanContent) {
         supersededBy: fields.get("superseded by") || fields.get("替代任务") || "",
         supersedes: [...new Set([...topLevelSupersedes, ...splitList(fields.get("supersedes") || fields.get("合并自") || "")])],
         deleteReason: fields.get("reason") || fields.get("原因") || "",
+        archiveMetadata: Object.fromEntries([...fields.entries()].filter(([key]) => !["state", "状态", "superseded by", "替代任务", "supersedes", "合并自", "reason", "原因", "reopen eligible", "可重新打开", "archive eligible", "可归档"].includes(key))),
         hiddenByDefault: true,
         reopenEligible: parseTombstoneBooleanLike(fields.get("reopen eligible") || fields.get("可重新打开")),
         archiveEligible: parseTombstoneBooleanLike(fields.get("archive eligible") || fields.get("可归档")),

package/dist/lib/task-scanner.mjs

@@ -344,6 +344,7 @@ export function collectTasks(target, { requireGeneratedScaffoldProvenance = fals
             supersededBy: tombstone.supersededBy,
             supersedes: tombstone.supersedes,
             deleteReason: tombstone.deleteReason,
+            archiveMetadata: tombstone.archiveMetadata || {},
             hiddenByDefault: tombstone.hiddenByDefault,
             reopenEligible: tombstone.reopenEligible,
             archiveEligible: tombstone.archiveEligible,

package/dist/lib/task-tombstone-commands.mjs

@@ -40,6 +40,7 @@ export function softDeleteTask(targetInput, taskRef, { reason = "" } = {}) {
 export function archiveTask(targetInput, taskRef, { reason = "" } = {}) {
     const target = normalizeTarget(targetInput);
     const task = resolveTask(target, taskRef);
+    assertArchiveEligible(task);
     return writeDeletionState(target, task, "archived", reason || "archive", "task-archive");
 }
 export function reopenTask(targetInput, taskRef, { reason = "" } = {}) {
@@ -100,6 +101,17 @@ function resolveTask(target, ref) {
         throw new Error(`Ambiguous task reference: ${ref}`);
     throw new Error(`Task not found: ${ref}`);
 }
+function assertArchiveEligible(task) {
+    if (task.state === "blocked" || (task.taskQueues || []).includes("blocked")) {
+        throw new Error("blocked tasks cannot be archived without an explicit human waiver");
+    }
+    const blockingRisks = (task.risks || []).filter((risk) => risk.open !== "no" && (risk.blocksRelease === "yes" || ["P0", "P1", "P2"].includes(risk.severity)));
+    if (blockingRisks.length)
+        throw new Error("tasks with open blocking review findings cannot be archived without an explicit human waiver");
+    if (task.materialsReady === false && task.reviewStatus !== "confirmed") {
+        throw new Error("tasks with incomplete closeout materials cannot be archived without an explicit human waiver");
+    }
+}
 function writeTombstone(target, task, fields) {
     const taskPlanPath = path.join(target.projectRoot, task.taskPlanPath.replace(/^TARGET:/, ""));
     const content = readFileSafe(taskPlanPath).replace(/\n##\s*(?:Task Tombstone|任务墓碑)\s*$[\s\S]*?(?=^##\s+|(?![\s\S]))/im, "");

package/docs-release/README.md

@@ -71,7 +71,7 @@ Not every document is written for the same reader.
 - `guides/migration-playbook.md` / `guides/migration-playbook.en-US.md` — smooth migration guide for existing legacy harness projects. 旧 Harness 项目的平滑迁移指南。
 - `guides/legacy-migration-agent-prompt.md` / `guides/legacy-migration-agent-prompt.zh-CN.md` — prompt contract for agents running baseline or full legacy migration. 给迁移 Agent 使用的执行合同。
 - `guides/full-legacy-migration-subagent-strategy.md` / `guides/full-legacy-migration-subagent-strategy.zh-CN.md` — full readable cutover strategy with subagent roles, adversarial review, and dashboard/CLI proof gates. 完整可读迁移的 subagent 分工、对抗审查和 Dashboard/CLI 证据门禁。
-- `guides/typescript-runtime-migration-closeout.md` — public closeout for the TypeScript runtime source-twin migration and the remaining `.mjs` shim policy. TypeScript runtime source twin 迁移收口和剩余 `.mjs` shim 策略。
+- `guides/typescript-runtime-migration-closeout.md` — public closeout for the TypeScript runtime source-twin migration and the documented preset/dashboard JavaScript exceptions. TypeScript runtime source twin 迁移收口和已记录的 preset/dashboard JavaScript 例外。
 
 ## Repository Operating Models / 仓库运行模式
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "coding-agent-harness",
-  "version": "1.0.6",
+  "version": "1.0.8",
   "description": "Document governance kernel for long-running coding agents.",
   "type": "module",
   "keywords": [
@@ -31,7 +31,8 @@
     "build:runtime": "node scripts/build-dist.mts",
     "prepack": "node scripts/build-dist.mts --quiet",
     "typecheck": "npm exec --yes --package typescript@5.9.3 -- tsc -p tsconfig.json",
-    "typecheck:guards": "node dist/check-type-boundaries.mjs",
+    "typecheck:guards": "node dist/check-type-boundaries.mjs && node dist/check-no-ts-nocheck.mjs",
+    "check:nocheck": "node dist/check-no-ts-nocheck.mjs",
     "status": "node dist/harness.mjs status --json .",
     "dashboard": "node dist/harness.mjs dashboard --out tmp/harness-dashboard.html examples/minimal-project",
     "dashboard:folder": "node dist/harness.mjs dashboard --out-dir tmp/harness-dashboard examples/minimal-project",
@@ -62,6 +63,9 @@
     "docs-release/",
     "examples/"
   ],
+  "devDependencies": {
+    "@types/node": "24"
+  },
   "engines": {
     "node": ">=24"
   },

package/presets/release-closeout/checks/check-release-package.mjs

@@ -0,0 +1,24 @@
+#!/usr/bin/env node
+
+import fs from "node:fs";
+import path from "node:path";
+
+const context = JSON.parse(fs.readFileSync(process.env.HARNESS_PRESET_CONTEXT, "utf8"));
+const release = String(context.inputs.release || "").trim();
+const releaseRoot = path.join(context.targetRoot, "coding-agent-harness/governance/releases", release);
+const required = ["INDEX.md", "task-aggregate.json", "task-archive-plan.md", "public-summary.md", "public-redaction-report.json"];
+const missing = required.filter((file) => !fs.existsSync(path.join(releaseRoot, file)));
+if (missing.length) {
+  console.error(`release package missing files: ${missing.join(", ")}`);
+  process.exit(2);
+}
+const redaction = JSON.parse(fs.readFileSync(path.join(releaseRoot, "public-redaction-report.json"), "utf8"));
+if (redaction.status !== "pass") {
+  console.error("release public redaction report is not passing");
+  process.exit(3);
+}
+fs.writeFileSync(context.materializationManifestPath, `${JSON.stringify({
+  schemaVersion: "preset-materialization/v1",
+  status: "pass",
+  writes: [],
+}, null, 2)}\n`);

package/presets/release-closeout/preset.yaml

@@ -0,0 +1,100 @@
+id: release-closeout
+version: 1
+purpose: Create and run a release closeout task that aggregates version tasks into an auditable release package
+compatibleBudgets: [complex]
+localeSupport: [en-US, zh-CN]
+task:
+  kind: release-closeout
+  defaultTaskId: release-closeout
+  defaultOutcome: Produce a release closeout task whose runner entrypoints generate the version package, archive plan, and public summary.
+  projectLevelOnly: true
+inputs:
+  release:
+    type: text
+    flag: --release
+    required: true
+  previousRelease:
+    type: text
+    flag: --previous-release
+    required: false
+  nextRelease:
+    type: text
+    flag: --next-release
+    required: false
+  taskQuery:
+    type: text
+    flag: --task-query
+    required: false
+  taskList:
+    type: json-file
+    flag: --task-list
+    required: false
+  publicSummary:
+    type: flag
+    flag: --public-summary
+    required: false
+templateValues:
+  release:
+    from: inputs.release
+  previousRelease:
+    from: inputs.previousRelease
+  nextRelease:
+    from: inputs.nextRelease
+  taskQuery:
+    from: inputs.taskQuery
+  taskId:
+    from: task.id
+entrypoints:
+  newTask:
+    type: template
+    writes: [coding-agent-harness/planning/tasks/**]
+    audit: true
+    templates:
+      taskPlanAppend: templates/task_plan.append.md
+      executionStrategyAppend: templates/execution_strategy.append.md
+      findingsSeed: templates/findings.seed.md
+      reviewSeed: templates/review.seed.md
+  plan:
+    type: script
+    command: scripts/generate-release-package.mjs
+    writes: [coding-agent-harness/governance/releases/**]
+    reads: [coding-agent-harness/planning/tasks/**]
+    audit: true
+  scaffold:
+    type: script
+    command: scripts/generate-release-package.mjs
+    writes: [coding-agent-harness/governance/releases/**]
+    reads: [coding-agent-harness/planning/tasks/**]
+    audit: true
+  check:
+    type: check
+    command: checks/check-release-package.mjs
+    writes: [coding-agent-harness/governance/releases/**]
+    reads: [coding-agent-harness/governance/releases/**, coding-agent-harness/planning/tasks/**]
+    audit: true
+evidence:
+  bundleDir: artifacts/preset
+  files:
+    release:
+      path: release.txt
+      type: text
+      value: inputs.release
+    presetAudit:
+      path: preset-audit.json
+      type: preset-audit
+    presetManifest:
+      path: preset-manifest.json
+      type: preset-manifest
+    writeScope:
+      path: write-scope.json
+      type: write-scope
+audit:
+  manifestRequired: true
+  evidenceFiles: [preset-audit.json, preset-manifest.json, write-scope.json]
+writeScopes:
+  taskDocs:
+    path: coding-agent-harness/planning/tasks/**
+    access: write
+  releasePackage:
+    path: coding-agent-harness/governance/releases/**
+    access: write