coding-agent-harness 1.0.7 → 1.0.8

package/CHANGELOG.md

@@ -1,5 +1,28 @@
 # Changelog
 
+## 1.0.8
+
+- Preserve the executable bit for the packaged `dist/harness.mjs` npm bin
+  entry during dist builds and prepack.
+- Extend release observation checks to fail if the packed or installed
+  `harness` bin is not executable.
+- Add `migrate-structure --plan` to the dist and installed-package command
+  smoke matrix.
+
+## 1.0.7
+
+- Generate `harness init --add-npm-scripts` commands with
+  `npx --yes coding-agent-harness ...` so target projects can run Harness
+  scripts without adding a project dependency or relying on a global install.
+- Isolate the dist observation command matrix from local ignored docs by using
+  the minimal target-project fixture for target-facing commands.
+- Preserve the executable bit on the committed `dist/harness.mjs` CLI entry.
+
+## 1.0.6
+
+- Bump the npm package version after the 1.0.5 publication so the TypeScript
+  runtime-source migration can be published again.
+
 ## 1.0.5
 
 - Relicense the public package from MIT to AGPL-3.0-or-later.

package/CONTRIBUTING.md

@@ -4,7 +4,7 @@ Thanks for helping improve Coding Agent Harness. This repository contains the pu
 
 ## Before You Start
 
-- Use Node.js 18 or newer. CI currently runs on Node.js 20.
+- Use Node.js 24 or newer. CI should run on the minimum supported line.
 - Install root dependencies with `npm install` from the repository root.
 - If you change `harness-gui`, also run `npm ci` inside `harness-gui/`.
 - Keep pull requests focused. Separate documentation, CLI/runtime, template, preset, and GUI work when the changes are independent.

package/dist/build-dist.mjs

@@ -43,6 +43,10 @@ export function buildRuntimeDist({ projectRoot = repoRoot, configPath = path.joi
         syncDirectory(buildOutDir, absoluteOutDir);
         fs.rmSync(buildOutDir, { recursive: true, force: true });
     }
+    restoreExecutableEntrypoints({
+        outDir: absoluteOutDir,
+        binRelativePaths: ["harness.mjs"],
+    });
     const files = collectFiles(absoluteOutDir).filter((file) => file.endsWith(".mjs")).sort();
     const relativeFiles = files.map((file) => toPosix(path.relative(absoluteOutDir, file)));
     const requiredFiles = [
@@ -126,6 +130,15 @@ function syncDirectory(sourceDir, targetDir) {
         fs.rmSync(path.join(targetDir, entry), { recursive: true, force: true });
     }
 }
+function restoreExecutableEntrypoints({ outDir, binRelativePaths }) {
+    for (const relativePath of binRelativePaths) {
+        const file = path.join(outDir, relativePath);
+        if (!fs.existsSync(file))
+            continue;
+        const stat = fs.statSync(file);
+        fs.chmodSync(file, stat.mode | 0o755);
+    }
+}
 function toPosix(value) {
     return value.split(path.sep).join("/");
 }

package/dist/check-dist-observation.mjs

@@ -48,7 +48,10 @@ export function checkDistObservation({ projectRoot = defaultProjectRoot, runPack
             failures.push({ code: "pack-dry-run-failed", message: `npm pack dry-run failed\nSTDOUT:\n${pack.stdout}\nSTDERR:\n${pack.stderr}` });
         }
         else {
-            const packed = JSON.parse(pack.stdout)[0].files.map((file) => file.path).sort();
+            const packedEntries = JSON.parse(pack.stdout)[0].files;
+            const packed = packedEntries.map((file) => file.path).sort();
+            const packedModeByPath = new Map(packedEntries.map((file) => [file.path, file.mode]));
+            const distHarnessMode = packedModeByPath.get("dist/harness.mjs");
             observations.package = {
                 entryCount: packed.length,
                 hasDistHarness: packed.includes("dist/harness.mjs"),
@@ -57,11 +60,16 @@ export function checkDistObservation({ projectRoot = defaultProjectRoot, runPack
                 hasScriptsHarness: packed.includes("scripts/harness.mjs"),
                 hasScripts: packed.some((file) => file.startsWith("scripts/")),
                 hasTests: packed.some((file) => file.startsWith("tests/")),
+                distHarnessMode,
+                distHarnessExecutable: typeof distHarnessMode === "number" && Boolean(distHarnessMode & 0o111),
             };
             for (const required of ["dist/harness.mjs", "dist/postinstall.mjs", "dist/check-dist-observation.mjs"]) {
                 if (!packed.includes(required))
                     failures.push({ code: "packed-file-missing", file: required, message: `package missing ${required}` });
             }
+            if (!observations.package.distHarnessExecutable) {
+                failures.push({ code: "packed-bin-not-executable", file: "dist/harness.mjs", mode: distHarnessMode, message: "package bin dist/harness.mjs must be executable" });
+            }
             if (observations.package.hasScripts)
                 failures.push({ code: "package-includes-scripts", message: "package must not include scripts/** after historical shim deletion" });
             if (observations.package.hasTests)
@@ -133,6 +141,7 @@ function runMatrix(root, failures, commandMatrix) {
         { id: "source-check", args: ["check", "--profile", "source-package", "."] },
         { id: "target-check", args: ["check", "--profile", "target-project", "examples/minimal-project"] },
         { id: "migrate-plan", args: ["migrate-plan", "--json", "--limit", "20", "examples/minimal-project"] },
+        { id: "migrate-structure-plan", args: ["migrate-structure", "--plan", "--json", "examples/minimal-project"] },
         { id: "dashboard", args: ["dashboard", "--out-dir", path.join("tmp", `pr-27-observation-dashboard-${process.pid}`), "examples/minimal-project"] },
     ];
     for (const entry of matrix) {
@@ -211,11 +220,15 @@ function runInstalledPackageSmoke(root, failures, observations) {
     if (!pkg)
         return;
     const binTarget = fs.existsSync(bin) ? fs.readlinkSync(bin) : "";
+    const installedBinFile = path.join(packageRoot, "dist/harness.mjs");
+    const installedBinMode = fs.existsSync(installedBinFile) ? fs.statSync(installedBinFile).mode : undefined;
     observations.installSmoke = {
         nodeVersion,
         tempRoot,
         binTarget,
         bin: pkg.bin?.harness,
+        binMode: installedBinMode,
+        binExecutable: typeof installedBinMode === "number" && Boolean(installedBinMode & 0o111),
         postinstall: pkg.scripts?.postinstall,
         observeDist: pkg.scripts?.["observe:dist"],
         hasTests: fs.existsSync(path.join(packageRoot, "tests")),
@@ -229,6 +242,9 @@ function runInstalledPackageSmoke(root, failures, observations) {
     if (!binTarget.includes("dist/harness.mjs")) {
         failures.push({ code: "installed-bin-link-not-dist", message: `installed bin link does not target dist/harness.mjs: ${binTarget}` });
     }
+    if (!observations.installSmoke.binExecutable) {
+        failures.push({ code: "installed-bin-not-executable", file: "dist/harness.mjs", mode: installedBinMode, message: "installed package bin dist/harness.mjs must be executable" });
+    }
     for (const relative of ["dist/harness.mjs", "dist/postinstall.mjs", "dist/check-dist-observation.mjs"]) {
         if (!fs.existsSync(path.join(packageRoot, relative)))
             failures.push({ code: "installed-file-missing", file: relative, message: `installed package missing ${relative}` });
@@ -278,6 +294,7 @@ function runInstalledMatrix(root, runtimeEnv, failures, steps) {
         { id: "installed-source-check", cwd: root, args: ["check", "--profile", "source-package", "."] },
         { id: "installed-target-check", cwd: root, args: ["check", "--profile", "target-project", "examples/minimal-project"] },
         { id: "installed-migrate-plan", cwd: root, args: ["migrate-plan", "--json", "--limit", "20", "examples/minimal-project"] },
+        { id: "installed-migrate-structure-plan", cwd: root, args: ["migrate-structure", "--plan", "--json", "examples/minimal-project"] },
         { id: "installed-dashboard", cwd: root, args: ["dashboard", "--out-dir", path.join("tmp", `pr-27-installed-observation-dashboard-${process.pid}`), "examples/minimal-project"] },
     ];
     for (const entry of matrix) {

package/dist/check-no-ts-nocheck.mjs

@@ -0,0 +1,88 @@
+#!/usr/bin/env node
+import fs from "node:fs";
+import path from "node:path";
+import { fileURLToPath } from "node:url";
+const defaultRepoRoot = path.resolve(path.dirname(fileURLToPath(import.meta.url)), "..");
+const sourceRoots = ["scripts", "tests"];
+const tsNocheckPattern = /^\s*\/\/\s*@ts-nocheck\b/;
+export function checkNoTsNocheck({ repoRoot = defaultRepoRoot, allowlistPath = path.join(repoRoot, "scripts/ts-nocheck-allowlist.json"), } = {}) {
+    const files = collectMtsFiles(repoRoot);
+    const allowlist = readAllowlist(allowlistPath);
+    const violations = [];
+    const observed = new Set();
+    for (const file of files) {
+        const absolutePath = path.join(repoRoot, file);
+        const lines = fs.readFileSync(absolutePath, "utf8").split(/\r?\n/);
+        const lineIndex = lines.findIndex((line) => tsNocheckPattern.test(line));
+        if (lineIndex === -1)
+            continue;
+        observed.add(file);
+        if (!allowlist.has(file)) {
+            violations.push({
+                code: "unlisted-ts-nocheck",
+                file,
+                line: lineIndex + 1,
+                message: `${file}:${lineIndex + 1} has @ts-nocheck but is not in scripts/ts-nocheck-allowlist.json`,
+            });
+        }
+    }
+    for (const file of allowlist) {
+        if (!observed.has(file)) {
+            violations.push({
+                code: "stale-ts-nocheck-allowlist",
+                file,
+                message: `${file} is listed in scripts/ts-nocheck-allowlist.json but no longer has @ts-nocheck`,
+            });
+        }
+    }
+    return { ok: violations.length === 0, violations };
+}
+function collectMtsFiles(repoRoot) {
+    const files = [];
+    for (const root of sourceRoots) {
+        const absoluteRoot = path.join(repoRoot, root);
+        if (!fs.existsSync(absoluteRoot))
+            continue;
+        walk(absoluteRoot, files, repoRoot);
+    }
+    return files.sort();
+}
+function walk(current, files, repoRoot) {
+    const stat = fs.lstatSync(current);
+    if (stat.isSymbolicLink())
+        return;
+    if (stat.isDirectory()) {
+        const name = path.basename(current);
+        if (name === "node_modules" || name === ".worktrees" || name === "tmp")
+            return;
+        for (const entry of fs.readdirSync(current))
+            walk(path.join(current, entry), files, repoRoot);
+        return;
+    }
+    if (stat.isFile() && current.endsWith(".mts")) {
+        files.push(path.relative(repoRoot, current).split(path.sep).join("/"));
+    }
+}
+function readAllowlist(allowlistPath) {
+    if (!allowlistPath || !fs.existsSync(allowlistPath))
+        return new Set();
+    const parsed = JSON.parse(fs.readFileSync(allowlistPath, "utf8"));
+    const files = normalizeAllowlistFiles(parsed);
+    return new Set(files);
+}
+function normalizeAllowlistFiles(parsed) {
+    if (Array.isArray(parsed))
+        return parsed.filter((value) => typeof value === "string");
+    if (typeof parsed !== "object" || parsed === null)
+        return [];
+    const files = parsed.files;
+    return Array.isArray(files) ? files.filter((value) => typeof value === "string") : [];
+}
+if (process.argv[1] === fileURLToPath(import.meta.url)) {
+    const result = checkNoTsNocheck();
+    if (!result.ok) {
+        console.error(result.violations.map((violation) => violation.message).join("\n"));
+        process.exit(1);
+    }
+    console.log("No @ts-nocheck gate passed");
+}

package/dist/check-type-boundaries.mjs

@@ -6,24 +6,27 @@ import { fileURLToPath } from "node:url";
 const defaultRepoRoot = path.resolve(path.dirname(fileURLToPath(import.meta.url)), "..");
 const sourceRoots = ["scripts", "tests"];
 const importPattern = /\b(import|export)\s+(type\s+)?(?:[^'"]*?\s+from\s+)?["']([^"']+)["']|\bimport\s*\(\s*["']([^"']+)["']\s*\)/g;
-const tsEscapePattern = /@(ts-ignore|ts-expect-error)\b|(?:^|[^A-Za-z0-9_$])(?:as\s+any|:\s*any\b)/;
-export function checkTypeBoundaries({ repoRoot = defaultRepoRoot } = {}) {
+const tsEscapePattern = /@(ts-ignore|ts-expect-error)\b|\bas\s+unknown\s+as\b|\bRecord\s*<\s*string\s*,\s*any\s*>|(?:^|[^A-Za-z0-9_$])(?:as\s+any|:\s*any\b)/;
+export function checkTypeBoundaries({ repoRoot = defaultRepoRoot, escapeAllowlistPath = path.join(repoRoot, "scripts/type-escape-allowlist.json"), } = {}) {
     const files = collectSourceFiles(repoRoot);
     const violations = [];
+    const escapeAllowlist = readEscapeAllowlist(escapeAllowlistPath);
     for (const file of files) {
         const absolutePath = path.join(repoRoot, file);
         const content = fs.readFileSync(absolutePath, "utf8");
         const imports = parseImports(content);
-        if (file.endsWith(".ts")) {
+        if (file.endsWith(".ts") || file.endsWith(".mts")) {
             const lines = content.split(/\r?\n/);
             for (const [index, line] of lines.entries()) {
                 if (tsEscapePattern.test(line)) {
-                    violations.push({
+                    const violation = {
                         code: "ts-escape-hatch",
                         file,
                         line: index + 1,
                         message: `${file}:${index + 1} uses a TypeScript escape hatch that requires review`,
-                    });
+                    };
+                    if (!isEscapeAllowed(escapeAllowlist, violation))
+                        violations.push(violation);
                 }
             }
         }
@@ -127,7 +130,21 @@ function hasTypeScriptSourceExtension(filePath) {
     return typeof filePath === "string" && /\.(mts|ts)$/.test(filePath);
 }
 function isTypeOnlyTypeScriptImport(file, imported) {
-    return file.endsWith(".ts") && imported.kind === "import" && imported.typeOnly;
+    return (file.endsWith(".ts") || file.endsWith(".mts")) && imported.kind === "import" && imported.typeOnly;
+}
+function readEscapeAllowlist(allowlistPath) {
+    if (!allowlistPath || !fs.existsSync(allowlistPath))
+        return new Set();
+    const parsed = JSON.parse(fs.readFileSync(allowlistPath, "utf8"));
+    const entries = Array.isArray(parsed) ? parsed : parsed.escapes || [];
+    return new Set(entries.map((entry) => {
+        if (typeof entry === "string")
+            return entry;
+        return `${entry.file}:${entry.line}:${entry.code || "ts-escape-hatch"}`;
+    }));
+}
+function isEscapeAllowed(allowlist, violation) {
+    return allowlist.has(`${violation.file}:${violation.line}:${violation.code}`) || allowlist.has(`${violation.file}:${violation.line}`);
 }
 if (process.argv[1] === fileURLToPath(import.meta.url)) {
     const result = checkTypeBoundaries();

package/dist/commands/preset-command.mjs

@@ -1,5 +1,5 @@
 // @ts-nocheck
-import { checkPresetPackage, inspectPresetPackage, installPresetPackage, listPresetPackages, seedBundledPresets, uninstallPresetPackage, } from "../lib/harness-core.mjs";
+import { checkPresetPackage, inspectPresetPackage, installPresetPackage, listPresetPackages, seedBundledPresets, runPresetEntrypoint, uninstallPresetPackage, } from "../lib/harness-core.mjs";
 export function runPresetCommand({ args, takeFlag, targetArg }) {
     const subcommand = args.shift() || "list";
     const json = takeFlag("--json");
@@ -80,6 +80,20 @@ export function runPresetCommand({ args, takeFlag, targetArg }) {
             else
                 console.log(`${result.removed ? "Removed" : "Preset not installed"}: ${result.id}`);
         }
+        else if (subcommand === "run") {
+            const taskRef = takeOptionFromArgs(args, "--task", "");
+            const id = args.shift();
+            const entrypoint = args.shift();
+            if (!id)
+                throw new Error("Missing preset id");
+            if (!entrypoint)
+                throw new Error("Missing preset entrypoint");
+            const result = runPresetEntrypoint(id, entrypoint, { taskRef, targetInput: targetArg(), json });
+            if (json)
+                console.log(JSON.stringify(result, null, 2));
+            else
+                console.log(`Preset run ${result.status}: ${result.preset}.${result.entrypoint} (${result.materialized.length} writes)`);
+        }
         else {
             throw new Error(`Unknown preset subcommand: ${subcommand}`);
         }
@@ -89,3 +103,11 @@ export function runPresetCommand({ args, takeFlag, targetArg }) {
         process.exit(1);
     }
 }
+function takeOptionFromArgs(args, name, fallback = "") {
+    const index = args.indexOf(name);
+    if (index < 0)
+        return fallback;
+    const value = args[index + 1] || fallback;
+    args.splice(index, 2);
+    return value;
+}

package/dist/commands/task-command.mjs

@@ -128,7 +128,8 @@ export function runTaskCommand(command, { args, takeFlag, takeOption, targetArg
         const lesson = takeOption("--lesson", "");
         const search = takeOption("--search", "");
         const missingMaterials = takeFlag("--missing-materials");
-        const result = listLifecycleTasks(targetArg(), { state, moduleKey, queue, preset, review, lesson, search, missingMaterials });
+        const includeArchived = takeFlag("--include-archived");
+        const result = listLifecycleTasks(targetArg(), { state, moduleKey, queue, preset, review, lesson, search, missingMaterials, includeArchived });
         if (json) {
             console.log(JSON.stringify(result, null, 2));
         }

package/dist/harness.mjs

@@ -90,6 +90,7 @@ Usage:
   harness preset install <folder|zip|builtin-id> [--project] [--force] [--json] [target]
   harness preset seed [--project] [--force] [--dry-run] [--json] [target]
   harness preset uninstall <id> [--project] [--json] [target]
+  harness preset run <id> <plan|scaffold|check> --task <task-id> [--json] [target]
   harness new-task [task-id] [--module key] [--budget simple|standard|complex] [--preset id] [--from-session session.json] [--long-running] [--title title] [--locale zh-CN|en-US] [--dry-run] [target]
   harness task-start <task-id> [--message text] [target]
   harness task-phase <task-id> <phase-id> [--state done] [--completion 100] [--evidence present] [target]
@@ -100,7 +101,7 @@ Usage:
   harness lesson-promote <task-id> <candidate-id> [--dry-run|--apply] [target]
   harness lesson-sediment <task-id> <candidate-id> [--dry-run] [--title title] [target]
   harness task-complete <task-id> [--message text] [target]
-  harness task-list [--json] [--state state] [--module key] [--queue queue] [--preset id] [--review status] [--lesson status] [--missing-materials] [--search text] [target]
+  harness task-list [--json] [--state state] [--module key] [--queue queue] [--preset id] [--review status] [--lesson status] [--missing-materials] [--include-archived] [--search text] [target]
   harness task-index [--json] [target]
   harness task-supersede <old-task-id> --by <new-task-id> [--reason text] [target]
   harness task-delete <task-id> --soft [--reason text] [target]

package/dist/lib/harness-core.mjs

@@ -10,6 +10,7 @@ export * from "./dashboard-workbench.mjs";
 export * from "./migration-planner.mjs";
 export * from "./structure-migration.mjs";
 export * from "./preset-registry.mjs";
+export * from "./preset-runner.mjs";
 export * from "./governance-index-generator.mjs";
 export * from "./task-lifecycle.mjs";
 export * from "./task-lesson-sedimentation.mjs";

package/dist/lib/preset-engine.mjs

@@ -94,6 +94,7 @@ export function buildPresetContext(preset, { target, taskDir, taskId, taskTitle,
         taskId,
         targetRoot: target.projectRoot,
         entrypoint: "newTask",
+        resolvedInputs,
     });
     const context = {
         kind: evaluatedValues.kind || preset.task?.kind || "general",

package/dist/lib/preset-registry.mjs

@@ -258,6 +258,9 @@ export function validatePresetPackage(preset) {
             if (!preset.writeScopes.some((scope) => scope.path === writeScope)) {
                 failures.push(`${name} writes undeclared scope: ${writeScope}`);
             }
+            if (name === "newTask" && !newTaskWriteScopeAllowed(writeScope)) {
+                failures.push("newTask entrypoint writes must stay under coding-agent-harness/planning/**");
+            }
         }
         if (["script", "check"].includes(entrypoint.type)) {
             const entryPath = path.join(preset.directory, entrypoint.command || "");
@@ -282,7 +285,7 @@ export function validatePresetPackage(preset) {
     }
     return { failures, warnings };
 }
-export function buildPresetAudit(preset, { taskId = "", targetRoot = "", entrypoint = "newTask", writeScopes = [] } = {}) {
+export function buildPresetAudit(preset, { taskId = "", targetRoot = "", entrypoint = "newTask", writeScopes = [], resolvedInputs = {} } = {}) {
     const entrypoints = {
         [entrypoint]: preset.entrypoints[entrypoint],
     };
@@ -294,6 +297,7 @@ export function buildPresetAudit(preset, { taskId = "", targetRoot = "", entrypo
         manifestSha256: preset.manifestSha256,
         entrypoints,
         writeScopes: scopes,
+        resolvedInputs,
         taskId,
         targetRoot,
         generatedAt: new Date().toISOString(),
@@ -526,6 +530,14 @@ function validateAuditEvidenceFiles(preset, failures) {
         }
     }
 }
+function newTaskWriteScopeAllowed(writeScope) {
+    const normalized = toPosix(path.normalize(String(writeScope || "")));
+    const legacyPlanningScope = ["docs", "09-PLANNING"].join("/");
+    return (normalized === "coding-agent-harness/planning/**" ||
+        normalized.startsWith("coding-agent-harness/planning/") ||
+        normalized === `${legacyPlanningScope}/**` ||
+        normalized.startsWith(`${legacyPlanningScope}/`));
+}
 function validatePresetPackageFile(preset, relativePath, label, failures) {
     const filePath = path.join(preset.directory, relativePath || "");
     if (!isInside(preset.directory, filePath)) {

package/dist/lib/preset-runner.mjs

@@ -0,0 +1,294 @@
+// @ts-nocheck
+// Generic preset entrypoint runner. Domain logic belongs in preset packages.
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
+import crypto from "node:crypto";
+import { spawnSync } from "node:child_process";
+import { normalizeTarget, readFileSafe, readJsonSafe, sanitizeDeep, toPosix, walkFiles, } from "./core-shared.mjs";
+import { beginGovernanceSync, commitGovernanceSync, releaseGovernanceSync } from "./governance-sync.mjs";
+import { parseTaskMetadata } from "./task-metadata.mjs";
+import { taskIdForDirectory } from "./task-scanner.mjs";
+import { resolveTaskDirectory } from "./task-lifecycle.mjs";
+import { evaluateTemplateValues, assertPresetWriteScope } from "./preset-engine.mjs";
+import { buildPresetAudit, readPresetPackage } from "./preset-registry.mjs";
+const materializationSchemaVersion = "preset-materialization/v1";
+const maxMaterializedFileBytes = 10 * 1024 * 1024;
+const maxMaterializedWrites = 500;
+export function runPresetEntrypoint(presetId, entrypointName, { taskRef = "", targetInput = ".", json = false } = {}) {
+    const target = normalizeTarget(targetInput);
+    const preset = readPresetPackage(presetId, { targetInput });
+    const entrypoint = preset.entrypoints?.[entrypointName];
+    if (!entrypoint)
+        throw new Error(`Preset ${preset.id} does not declare entrypoint: ${entrypointName}`);
+    if (!["script", "check"].includes(entrypoint.type))
+        throw new Error(`Preset entrypoint ${entrypointName} is not runnable by preset run`);
+    if (!taskRef)
+        throw new Error("preset run requires --task <task-id>");
+    const taskDir = resolveTaskDirectory(target, taskRef);
+    const taskPlan = readFileSafe(path.join(taskDir, "task_plan.md"));
+    const metadata = parseTaskMetadata(taskPlan);
+    if (metadata.preset !== preset.id)
+        throw new Error(`Task ${taskRef} was created by preset ${metadata.preset || "none"}, not ${preset.id}`);
+    const taskId = taskIdForDirectory(target, taskDir);
+    const resolvedInputs = readResolvedInputs(target, metadata);
+    const values = evaluateTemplateValues(preset, resolvedInputs, { taskId, taskTitle: taskId, moduleKey: "" });
+    const outputRoot = fs.mkdtempSync(path.join(os.tmpdir(), `harness-preset-${preset.id}-${entrypointName}-`));
+    const manifestPath = path.join(outputRoot, "materialization-manifest.json");
+    const contextPath = path.join(outputRoot, "preset-context.json");
+    const beforeSnapshot = targetSnapshot(target.projectRoot);
+    try {
+        const context = {
+            schemaVersion: "preset-run-context/v1",
+            preset: { id: preset.id, version: preset.version, source: preset.source },
+            entrypoint: entrypointName,
+            task: {
+                id: taskId,
+                ref: taskRef,
+                dir: toPosix(path.relative(target.projectRoot, taskDir)),
+                taskPlanPath: toPosix(path.relative(target.projectRoot, path.join(taskDir, "task_plan.md"))),
+            },
+            targetRoot: target.projectRoot,
+            targetRootPolicy: "read-only; direct target mutation before manifest materialization is a hard failure",
+            outputRoot,
+            materializationManifestPath: manifestPath,
+            inputs: sanitizeDeep(resolvedInputs),
+            values: sanitizeDeep(values),
+            audit: buildPresetAudit(preset, {
+                taskId,
+                targetRoot: target.projectRoot,
+                entrypoint: entrypointName,
+                writeScopes: entrypoint.writes,
+                resolvedInputs,
+            }),
+        };
+        fs.writeFileSync(contextPath, `${JSON.stringify(context, null, 2)}\n`);
+        const commandPath = path.join(preset.directory, entrypoint.command || "");
+        const script = spawnSync(process.execPath, [commandPath], {
+            cwd: outputRoot,
+            encoding: "utf8",
+            env: {
+                ...process.env,
+                HARNESS_PRESET_CONTEXT: contextPath,
+            },
+            timeout: 120000,
+            maxBuffer: 10 * 1024 * 1024,
+        });
+        if (script.error)
+            throw script.error;
+        if (script.status !== 0) {
+            throw new Error(`Preset entrypoint ${preset.id}.${entrypointName} failed with ${script.status}\n${script.stderr || script.stdout || ""}`.trim());
+        }
+        const afterScriptSnapshot = targetSnapshot(target.projectRoot);
+        assertSnapshotsEqual(beforeSnapshot, afterScriptSnapshot, "Preset script mutated target before materialization");
+        const manifest = readMaterializationManifest(manifestPath);
+        const materialization = validateMaterializationManifest(preset, entrypoint, manifest, { outputRoot, targetRoot: target.projectRoot });
+        const governanceContext = beginGovernanceSync(target, {
+            operation: `preset-run ${preset.id}.${entrypointName}`,
+            allowDirtyWorktree: true,
+            allowedRelativePaths: materialization.map((item) => item.destination),
+        });
+        try {
+            materializeWrites(target.projectRoot, materialization);
+            const commit = commitGovernanceSync(governanceContext, materialization.map((item) => item.destination), {
+                message: `chore(harness): run preset ${preset.id} ${entrypointName}`,
+            });
+            return {
+                preset: preset.id,
+                entrypoint: entrypointName,
+                taskId,
+                status: manifest.status || (entrypoint.type === "check" ? "pass" : "ok"),
+                materialized: materialization.map((item) => ({
+                    source: item.source,
+                    destination: item.destination,
+                    type: item.type,
+                    sha256: item.sha256,
+                })),
+                governance: { commit },
+            };
+        }
+        finally {
+            releaseGovernanceSync(governanceContext);
+        }
+    }
+    finally {
+        fs.rmSync(outputRoot, { recursive: true, force: true });
+    }
+}
+function readResolvedInputs(target, metadata) {
+    const evidenceBundle = String(metadata.evidenceBundle || "").replace(/^TARGET:/, "").replace(/^\/+/, "");
+    if (!evidenceBundle)
+        return {};
+    const auditPath = path.join(target.projectRoot, evidenceBundle, "preset-audit.json");
+    const audit = readJsonSafe(auditPath, {});
+    return audit.resolvedInputs || {};
+}
+function readMaterializationManifest(manifestPath) {
+    if (!fs.existsSync(manifestPath))
+        throw new Error("Preset entrypoint did not emit materialization manifest");
+    const manifest = readJsonSafe(manifestPath, null);
+    if (!manifest || typeof manifest !== "object" || Array.isArray(manifest))
+        throw new Error("Invalid preset materialization manifest");
+    if (manifest.schemaVersion !== materializationSchemaVersion)
+        throw new Error(`Invalid preset materialization schema: ${manifest.schemaVersion || "(missing)"}`);
+    if (!Array.isArray(manifest.writes))
+        throw new Error("Preset materialization manifest writes must be an array");
+    if (manifest.writes.length > maxMaterializedWrites)
+        throw new Error(`Preset materialization manifest has too many writes: ${manifest.writes.length}`);
+    return manifest;
+}
+function validateMaterializationManifest(preset, entrypoint, manifest, { outputRoot, targetRoot }) {
+    const seenDestinations = new Set();
+    const writes = manifest.writes.map((write, index) => {
+        const source = normalizeManifestRelativePath(write.source, "Manifest source");
+        const destination = normalizeManifestRelativePath(write.destination, "Manifest destination");
+        if (seenDestinations.has(destination))
+            throw new Error(`Duplicate materialization destination: ${destination}`);
+        seenDestinations.add(destination);
+        assertEntrypointWriteScope(preset, entrypoint, destination);
+        const sourcePath = path.join(outputRoot, source);
+        assertOutputSource(outputRoot, sourcePath, source);
+        const stat = fs.lstatSync(sourcePath);
+        if (stat.size > maxMaterializedFileBytes)
+            throw new Error(`Manifest source exceeds size limit: ${source}`);
+        assertDestinationParent(targetRoot, destination);
+        return {
+            source,
+            sourcePath,
+            destination,
+            destinationPath: path.join(targetRoot, destination),
+            type: String(write.type || "text"),
+            visibility: String(write.visibility || ""),
+            sha256: sha256File(sourcePath),
+        };
+    });
+    enforcePublicRedaction(manifest, writes, { outputRoot });
+    return writes;
+}
+function normalizeManifestRelativePath(value, label) {
+    const raw = String(value || "").trim();
+    const normalized = toPosix(path.normalize(raw));
+    if (!raw || path.isAbsolute(raw) || normalized === "." || normalized === ".." || normalized.startsWith("../") || normalized.includes("/../")) {
+        throw new Error(`${label} escapes preset output root: ${raw || "(missing)"}`);
+    }
+    return normalized;
+}
+function assertOutputSource(outputRoot, sourcePath, source) {
+    if (!fs.existsSync(sourcePath))
+        throw new Error(`Manifest source missing: ${source}`);
+    const stat = fs.lstatSync(sourcePath);
+    if (stat.isSymbolicLink())
+        throw new Error(`Manifest source must not be a symlink: ${source}`);
+    if (!stat.isFile())
+        throw new Error(`Manifest source must be a file: ${source}`);
+    const realRoot = fs.realpathSync(outputRoot);
+    const realSource = fs.realpathSync(sourcePath);
+    if (!isInside(realRoot, realSource))
+        throw new Error(`Manifest source escapes preset output root: ${source}`);
+}
+function assertDestinationParent(targetRoot, destination) {
+    let parent = path.dirname(path.join(targetRoot, destination));
+    const realTarget = fs.realpathSync(targetRoot);
+    while (!fs.existsSync(parent) && parent !== targetRoot && parent !== path.dirname(parent))
+        parent = path.dirname(parent);
+    if (fs.existsSync(parent)) {
+        const stat = fs.lstatSync(parent);
+        if (stat.isSymbolicLink())
+            throw new Error(`Manifest destination parent must not be a symlink: ${destination}`);
+        const realParent = fs.realpathSync(parent);
+        if (!isInside(realTarget, realParent))
+            throw new Error(`Manifest destination parent escapes target root: ${destination}`);
+    }
+}
+function assertEntrypointWriteScope(preset, entrypoint, destination) {
+    assertPresetWriteScope(preset, destination);
+    if (!entrypoint.writes.some((scope) => matchesScope(scope, destination))) {
+        throw new Error(`Preset write scope violation for ${destination}`);
+    }
+}
+function matchesScope(scope, relativePath) {
+    const normalizedScope = toPosix(path.normalize(String(scope || "")));
+    if (normalizedScope.endsWith("/**")) {
+        const prefix = normalizedScope.slice(0, -3);
+        return relativePath === prefix || relativePath.startsWith(`${prefix}/`);
+    }
+    return relativePath === normalizedScope;
+}
+function enforcePublicRedaction(manifest, writes, { outputRoot }) {
+    const publicWrites = writes.filter((write) => write.visibility === "public" || write.destination.startsWith("docs-release/"));
+    if (publicWrites.length === 0)
+        return;
+    const reportSource = normalizeManifestRelativePath(manifest.publicRedactionReport?.source || "", "Public redaction report source");
+    const reportPath = path.join(outputRoot, reportSource);
+    assertOutputSource(outputRoot, reportPath, reportSource);
+    const report = readJsonSafe(reportPath, null);
+    if (!report || report.status !== "pass")
+        throw new Error("Public materialization requires a passing public redaction report");
+}
+function materializeWrites(targetRoot, writes) {
+    const backups = [];
+    try {
+        for (const write of writes) {
+            const destinationPath = write.destinationPath;
+            fs.mkdirSync(path.dirname(destinationPath), { recursive: true });
+            const existed = fs.existsSync(destinationPath);
+            const backupPath = existed ? `${destinationPath}.backup-${process.pid}-${crypto.randomBytes(4).toString("hex")}` : "";
+            if (existed) {
+                fs.copyFileSync(destinationPath, backupPath);
+                backups.push({ destinationPath, backupPath, existed });
+            }
+            else {
+                backups.push({ destinationPath, backupPath: "", existed });
+            }
+            const tempPath = `${destinationPath}.tmp-${process.pid}-${crypto.randomBytes(4).toString("hex")}`;
+            fs.copyFileSync(write.sourcePath, tempPath);
+            fs.renameSync(tempPath, destinationPath);
+        }
+        for (const backup of backups) {
+            if (backup.backupPath)
+                fs.rmSync(backup.backupPath, { force: true });
+        }
+    }
+    catch (error) {
+        for (const backup of backups.reverse()) {
+            try {
+                if (backup.existed && backup.backupPath && fs.existsSync(backup.backupPath))
+                    fs.renameSync(backup.backupPath, backup.destinationPath);
+                else if (!backup.existed)
+                    fs.rmSync(backup.destinationPath, { force: true });
+            }
+            catch {
+                // Preserve the original materialization failure.
+            }
+        }
+        throw error;
+    }
+}
+function targetSnapshot(root) {
+    const entries = new Map();
+    for (const filePath of walkFiles(root)) {
+        const relative = toPosix(path.relative(root, filePath));
+        if (relative.startsWith(".harness/locks/"))
+            continue;
+        const stat = fs.lstatSync(filePath);
+        entries.set(relative, `${stat.size}:${sha256File(filePath)}`);
+    }
+    return entries;
+}
+function assertSnapshotsEqual(before, after, message) {
+    const changed = [];
+    const paths = new Set([...before.keys(), ...after.keys()]);
+    for (const item of paths) {
+        if (before.get(item) !== after.get(item))
+            changed.push(item);
+    }
+    if (changed.length)
+        throw new Error(`${message}: ${changed.slice(0, 12).join(", ")}`);
+}
+function sha256File(filePath) {
+    return crypto.createHash("sha256").update(fs.readFileSync(filePath)).digest("hex");
+}
+function isInside(root, candidate) {
+    const relative = path.relative(root, candidate);
+    return relative === "" || (!relative.startsWith("..") && !path.isAbsolute(relative));
+}

package/dist/lib/task-index.mjs

@@ -56,6 +56,7 @@ export function buildTaskIndex(targetInput) {
             supersedes: task.supersedes || [],
             supersededBy: task.supersededBy || "",
             deletionState: task.deletionState || "active",
+            archiveMetadata: task.archiveMetadata || {},
             hiddenByDefault: task.hiddenByDefault === true,
             repairPrompt: task.repairPrompt || "",
             repairActions: repairActions(task),

package/dist/lib/task-lifecycle.mjs

@@ -570,9 +570,11 @@ export function updateModuleStep(targetInput, moduleKey, stepId, { state = "" }
         releaseGovernanceSync(governanceContext);
     }
 }
-export function listLifecycleTasks(targetInput, { state = "", moduleKey = "", queue = "", preset = "", review = "", lesson = "", search = "", missingMaterials = false } = {}) {
+export function listLifecycleTasks(targetInput, { state = "", moduleKey = "", queue = "", preset = "", review = "", lesson = "", search = "", missingMaterials = false, includeArchived = false } = {}) {
     const target = normalizeTarget(targetInput);
     let tasks = collectTasks(target);
+    if (!includeArchived)
+        tasks = tasks.filter((task) => task.deletionState === "active" && task.hiddenByDefault !== true);
     if (state)
         tasks = tasks.filter((task) => task.state === String(state).toLowerCase().replaceAll("-", "_"));
     if (moduleKey)

package/dist/lib/task-review-model.mjs

@@ -58,6 +58,7 @@ export function parseTaskTombstone(taskPlanContent) {
             supersededBy: "",
             supersedes: topLevelSupersedes,
             deleteReason: "",
+            archiveMetadata: {},
             hiddenByDefault: false,
             reopenEligible: false,
             archiveEligible: false,
@@ -71,6 +72,7 @@ export function parseTaskTombstone(taskPlanContent) {
         supersededBy: fields.get("superseded by") || fields.get("替代任务") || "",
         supersedes: [...new Set([...topLevelSupersedes, ...splitList(fields.get("supersedes") || fields.get("合并自") || "")])],
         deleteReason: fields.get("reason") || fields.get("原因") || "",
+        archiveMetadata: Object.fromEntries([...fields.entries()].filter(([key]) => !["state", "状态", "superseded by", "替代任务", "supersedes", "合并自", "reason", "原因", "reopen eligible", "可重新打开", "archive eligible", "可归档"].includes(key))),
         hiddenByDefault: true,
         reopenEligible: parseTombstoneBooleanLike(fields.get("reopen eligible") || fields.get("可重新打开")),
         archiveEligible: parseTombstoneBooleanLike(fields.get("archive eligible") || fields.get("可归档")),

package/dist/lib/task-scanner.mjs

@@ -344,6 +344,7 @@ export function collectTasks(target, { requireGeneratedScaffoldProvenance = fals
             supersededBy: tombstone.supersededBy,
             supersedes: tombstone.supersedes,
             deleteReason: tombstone.deleteReason,
+            archiveMetadata: tombstone.archiveMetadata || {},
             hiddenByDefault: tombstone.hiddenByDefault,
             reopenEligible: tombstone.reopenEligible,
             archiveEligible: tombstone.archiveEligible,

package/dist/lib/task-tombstone-commands.mjs

@@ -40,6 +40,7 @@ export function softDeleteTask(targetInput, taskRef, { reason = "" } = {}) {
 export function archiveTask(targetInput, taskRef, { reason = "" } = {}) {
     const target = normalizeTarget(targetInput);
     const task = resolveTask(target, taskRef);
+    assertArchiveEligible(task);
     return writeDeletionState(target, task, "archived", reason || "archive", "task-archive");
 }
 export function reopenTask(targetInput, taskRef, { reason = "" } = {}) {
@@ -100,6 +101,17 @@ function resolveTask(target, ref) {
         throw new Error(`Ambiguous task reference: ${ref}`);
     throw new Error(`Task not found: ${ref}`);
 }
+function assertArchiveEligible(task) {
+    if (task.state === "blocked" || (task.taskQueues || []).includes("blocked")) {
+        throw new Error("blocked tasks cannot be archived without an explicit human waiver");
+    }
+    const blockingRisks = (task.risks || []).filter((risk) => risk.open !== "no" && (risk.blocksRelease === "yes" || ["P0", "P1", "P2"].includes(risk.severity)));
+    if (blockingRisks.length)
+        throw new Error("tasks with open blocking review findings cannot be archived without an explicit human waiver");
+    if (task.materialsReady === false && task.reviewStatus !== "confirmed") {
+        throw new Error("tasks with incomplete closeout materials cannot be archived without an explicit human waiver");
+    }
+}
 function writeTombstone(target, task, fields) {
     const taskPlanPath = path.join(target.projectRoot, task.taskPlanPath.replace(/^TARGET:/, ""));
     const content = readFileSafe(taskPlanPath).replace(/\n##\s*(?:Task Tombstone|任务墓碑)\s*$[\s\S]*?(?=^##\s+|(?![\s\S]))/im, "");

package/docs-release/README.md

@@ -71,7 +71,7 @@ Not every document is written for the same reader.
 - `guides/migration-playbook.md` / `guides/migration-playbook.en-US.md` — smooth migration guide for existing legacy harness projects. 旧 Harness 项目的平滑迁移指南。
 - `guides/legacy-migration-agent-prompt.md` / `guides/legacy-migration-agent-prompt.zh-CN.md` — prompt contract for agents running baseline or full legacy migration. 给迁移 Agent 使用的执行合同。
 - `guides/full-legacy-migration-subagent-strategy.md` / `guides/full-legacy-migration-subagent-strategy.zh-CN.md` — full readable cutover strategy with subagent roles, adversarial review, and dashboard/CLI proof gates. 完整可读迁移的 subagent 分工、对抗审查和 Dashboard/CLI 证据门禁。
-- `guides/typescript-runtime-migration-closeout.md` — public closeout for the TypeScript runtime source-twin migration and the remaining `.mjs` shim policy. TypeScript runtime source twin 迁移收口和剩余 `.mjs` shim 策略。
+- `guides/typescript-runtime-migration-closeout.md` — public closeout for the TypeScript runtime source-twin migration and the documented preset/dashboard JavaScript exceptions. TypeScript runtime source twin 迁移收口和已记录的 preset/dashboard JavaScript 例外。
 
 ## Repository Operating Models / 仓库运行模式
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "coding-agent-harness",
-  "version": "1.0.7",
+  "version": "1.0.8",
   "description": "Document governance kernel for long-running coding agents.",
   "type": "module",
   "keywords": [
@@ -31,7 +31,8 @@
     "build:runtime": "node scripts/build-dist.mts",
     "prepack": "node scripts/build-dist.mts --quiet",
     "typecheck": "npm exec --yes --package typescript@5.9.3 -- tsc -p tsconfig.json",
-    "typecheck:guards": "node dist/check-type-boundaries.mjs",
+    "typecheck:guards": "node dist/check-type-boundaries.mjs && node dist/check-no-ts-nocheck.mjs",
+    "check:nocheck": "node dist/check-no-ts-nocheck.mjs",
     "status": "node dist/harness.mjs status --json .",
     "dashboard": "node dist/harness.mjs dashboard --out tmp/harness-dashboard.html examples/minimal-project",
     "dashboard:folder": "node dist/harness.mjs dashboard --out-dir tmp/harness-dashboard examples/minimal-project",
@@ -62,6 +63,9 @@
     "docs-release/",
     "examples/"
   ],
+  "devDependencies": {
+    "@types/node": "24"
+  },
   "engines": {
     "node": ">=24"
   },

package/presets/release-closeout/checks/check-release-package.mjs

@@ -0,0 +1,24 @@
+#!/usr/bin/env node
+
+import fs from "node:fs";
+import path from "node:path";
+
+const context = JSON.parse(fs.readFileSync(process.env.HARNESS_PRESET_CONTEXT, "utf8"));
+const release = String(context.inputs.release || "").trim();
+const releaseRoot = path.join(context.targetRoot, "coding-agent-harness/governance/releases", release);
+const required = ["INDEX.md", "task-aggregate.json", "task-archive-plan.md", "public-summary.md", "public-redaction-report.json"];
+const missing = required.filter((file) => !fs.existsSync(path.join(releaseRoot, file)));
+if (missing.length) {
+  console.error(`release package missing files: ${missing.join(", ")}`);
+  process.exit(2);
+}
+const redaction = JSON.parse(fs.readFileSync(path.join(releaseRoot, "public-redaction-report.json"), "utf8"));
+if (redaction.status !== "pass") {
+  console.error("release public redaction report is not passing");
+  process.exit(3);
+}
+fs.writeFileSync(context.materializationManifestPath, `${JSON.stringify({
+  schemaVersion: "preset-materialization/v1",
+  status: "pass",
+  writes: [],
+}, null, 2)}\n`);

package/presets/release-closeout/preset.yaml

@@ -0,0 +1,100 @@
+id: release-closeout
+version: 1
+purpose: Create and run a release closeout task that aggregates version tasks into an auditable release package
+compatibleBudgets: [complex]
+localeSupport: [en-US, zh-CN]
+task:
+  kind: release-closeout
+  defaultTaskId: release-closeout
+  defaultOutcome: Produce a release closeout task whose runner entrypoints generate the version package, archive plan, and public summary.
+  projectLevelOnly: true
+inputs:
+  release:
+    type: text
+    flag: --release
+    required: true
+  previousRelease:
+    type: text
+    flag: --previous-release
+    required: false
+  nextRelease:
+    type: text
+    flag: --next-release
+    required: false
+  taskQuery:
+    type: text
+    flag: --task-query
+    required: false
+  taskList:
+    type: json-file
+    flag: --task-list
+    required: false
+  publicSummary:
+    type: flag
+    flag: --public-summary
+    required: false
+templateValues:
+  release:
+    from: inputs.release
+  previousRelease:
+    from: inputs.previousRelease
+  nextRelease:
+    from: inputs.nextRelease
+  taskQuery:
+    from: inputs.taskQuery
+  taskId:
+    from: task.id
+entrypoints:
+  newTask:
+    type: template
+    writes: [coding-agent-harness/planning/tasks/**]
+    audit: true
+    templates:
+      taskPlanAppend: templates/task_plan.append.md
+      executionStrategyAppend: templates/execution_strategy.append.md
+      findingsSeed: templates/findings.seed.md
+      reviewSeed: templates/review.seed.md
+  plan:
+    type: script
+    command: scripts/generate-release-package.mjs
+    writes: [coding-agent-harness/governance/releases/**]
+    reads: [coding-agent-harness/planning/tasks/**]
+    audit: true
+  scaffold:
+    type: script
+    command: scripts/generate-release-package.mjs
+    writes: [coding-agent-harness/governance/releases/**]
+    reads: [coding-agent-harness/planning/tasks/**]
+    audit: true
+  check:
+    type: check
+    command: checks/check-release-package.mjs
+    writes: [coding-agent-harness/governance/releases/**]
+    reads: [coding-agent-harness/governance/releases/**, coding-agent-harness/planning/tasks/**]
+    audit: true
+evidence:
+  bundleDir: artifacts/preset
+  files:
+    release:
+      path: release.txt
+      type: text
+      value: inputs.release
+    presetAudit:
+      path: preset-audit.json
+      type: preset-audit
+    presetManifest:
+      path: preset-manifest.json
+      type: preset-manifest
+    writeScope:
+      path: write-scope.json
+      type: write-scope
+audit:
+  manifestRequired: true
+  evidenceFiles: [preset-audit.json, preset-manifest.json, write-scope.json]
+writeScopes:
+  taskDocs:
+    path: coding-agent-harness/planning/tasks/**
+    access: write
+  releasePackage:
+    path: coding-agent-harness/governance/releases/**
+    access: write

package/presets/release-closeout/scripts/generate-release-package.mjs

@@ -0,0 +1,210 @@
+#!/usr/bin/env node
+
+import fs from "node:fs";
+import path from "node:path";
+
+const context = JSON.parse(fs.readFileSync(process.env.HARNESS_PRESET_CONTEXT, "utf8"));
+const release = safeRelease(context.inputs.release);
+if (!release) {
+  console.error("release-closeout requires inputs.release");
+  process.exit(2);
+}
+
+const tasksRoot = path.join(context.targetRoot, "coding-agent-harness/planning/tasks");
+const releaseRoot = path.join(context.outputRoot, "release");
+fs.mkdirSync(releaseRoot, { recursive: true });
+
+const tasks = collectTasks(tasksRoot)
+  .filter((task) => task.id !== context.task.id && task.preset !== "release-closeout")
+  .sort((a, b) => a.id.localeCompare(b.id));
+const eligibleArchive = tasks.filter((task) => task.state === "done" && task.deletionState !== "superseded");
+const blockedArchive = tasks.filter((task) => task.state === "blocked" || task.queue === "blocked");
+
+const aggregate = {
+  schemaVersion: "release-closeout-aggregate/v1",
+  release,
+  generatedAt: new Date().toISOString(),
+  summary: {
+    totalTasks: tasks.length,
+    doneTasks: tasks.filter((task) => task.state === "done").length,
+    blockedTasks: tasks.filter((task) => task.state === "blocked").length,
+    archiveEligibleTasks: eligibleArchive.length,
+  },
+  tasks: tasks.map((task) => ({
+    id: task.id,
+    title: task.title,
+    state: task.state,
+    preset: task.preset || "none",
+    deletionState: task.deletionState,
+    archiveEligible: eligibleArchive.some((candidate) => candidate.id === task.id),
+    archiveBlockedReason: task.state === "blocked" ? "blocked tasks cannot be archived" : "",
+  })),
+};
+
+const index = `# Release Closeout Package: ${release}
+
+Generated by \`presets/release-closeout\` through the generic preset runner.
+
+| Document | Purpose |
+| --- | --- |
+| \`task-aggregate.json\` | Machine-readable task inventory for this release closeout. |
+| \`task-archive-plan.md\` | Preset-owned archive eligibility plan. |
+| \`public-summary.md\` | Redacted public-facing summary. |
+| \`public-redaction-report.json\` | Redaction evidence for public materialization. |
+
+## Summary
+
+- Total tasks: ${aggregate.summary.totalTasks}
+- Done tasks: ${aggregate.summary.doneTasks}
+- Blocked tasks: ${aggregate.summary.blockedTasks}
+- Archive eligible tasks: ${aggregate.summary.archiveEligibleTasks}
+`;
+
+const archivePlan = `# Release ${release} Task Archive Plan
+
+This plan is generated by the release-closeout preset. It does not archive tasks by itself.
+
+## Eligible Tasks
+
+${eligibleArchive.length ? eligibleArchive.map((task) => `- ${task.id} - ${task.title}`).join("\n") : "- none"}
+
+## Not Eligible
+
+${blockedArchive.length ? blockedArchive.map((task) => `- ${task.id} - blocked tasks cannot be archived`).join("\n") : "- none"}
+`;
+
+const publicSummaryRaw = `# Release ${release} Public Summary
+
+This release closeout aggregates ${aggregate.summary.totalTasks} tasks, including ${aggregate.summary.doneTasks} done tasks and ${aggregate.summary.blockedTasks} blocked tasks.
+
+Recent evidence snippets:
+
+${tasks.slice(0, 20).map((task) => `- ${task.id}: ${task.evidenceSnippet || "no evidence snippet"}`).join("\n")}
+`;
+const publicSummary = redactPublic(publicSummaryRaw);
+const redactionReport = {
+  schemaVersion: "public-redaction-report/v1",
+  status: leaksLocalPath(publicSummary) ? "fail" : "pass",
+  rules: ["local-absolute-paths", "file-urls"],
+  checkedFiles: ["public-summary.md"],
+  findings: leaksLocalPath(publicSummary) ? ["public-summary contains local absolute path"] : [],
+  generatedAt: new Date().toISOString(),
+};
+if (redactionReport.status !== "pass") {
+  console.error("public redaction failed");
+  process.exit(3);
+}
+
+write("INDEX.md", index);
+write("task-archive-plan.md", archivePlan);
+write("task-aggregate.json", `${JSON.stringify(aggregate, null, 2)}\n`);
+write("public-summary.md", publicSummary);
+write("public-redaction-report.json", `${JSON.stringify(redactionReport, null, 2)}\n`);
+
+const destinationRoot = `coding-agent-harness/governance/releases/${release}`;
+fs.writeFileSync(context.materializationManifestPath, `${JSON.stringify({
+  schemaVersion: "preset-materialization/v1",
+  status: "ok",
+  publicRedactionReport: { source: "release/public-redaction-report.json" },
+  writes: [
+    { source: "release/INDEX.md", destination: `${destinationRoot}/INDEX.md`, type: "text" },
+    { source: "release/task-archive-plan.md", destination: `${destinationRoot}/task-archive-plan.md`, type: "text" },
+    { source: "release/task-aggregate.json", destination: `${destinationRoot}/task-aggregate.json`, type: "json" },
+    { source: "release/public-summary.md", destination: `${destinationRoot}/public-summary.md`, type: "text", visibility: "public" },
+    { source: "release/public-redaction-report.json", destination: `${destinationRoot}/public-redaction-report.json`, type: "json" },
+  ],
+}, null, 2)}\n`);
+
+function write(name, content) {
+  fs.writeFileSync(path.join(releaseRoot, name), content.endsWith("\n") ? content : `${content}\n`);
+}
+
+function collectTasks(root) {
+  if (!fs.existsSync(root)) return [];
+  const taskPlans = walk(root).filter((file) => path.basename(file) === "task_plan.md");
+  return taskPlans.map((taskPlanPath) => {
+    const taskDir = path.dirname(taskPlanPath);
+    const taskPlan = read(taskPlanPath);
+    const progress = read(path.join(taskDir, "progress.md"));
+    const tombstone = parseTombstone(taskPlan);
+    return {
+      id: path.basename(taskDir),
+      title: titleFrom(taskPlan, path.basename(taskDir)),
+      preset: metadataLine(taskPlan, ["Task Preset", "Preset"]).toLowerCase(),
+      state: parseState(progress),
+      deletionState: tombstone.state || "active",
+      queue: parseState(progress) === "blocked" ? "blocked" : "active",
+      evidenceSnippet: progress.split(/\r?\n/).find((line) => /\/Users\/|\/Volumes\/|file:\/\//.test(line)) || "",
+      tombstone,
+    };
+  });
+}
+
+function walk(root) {
+  const files = [];
+  for (const entry of fs.readdirSync(root, { withFileTypes: true })) {
+    const full = path.join(root, entry.name);
+    if (entry.isDirectory()) files.push(...walk(full));
+    else if (entry.isFile()) files.push(full);
+  }
+  return files;
+}
+
+function read(filePath) {
+  try {
+    return fs.readFileSync(filePath, "utf8");
+  } catch {
+    return "";
+  }
+}
+
+function titleFrom(content, fallback) {
+  const match = String(content || "").match(/^#\s+(.+)$/m);
+  return match ? match[1].trim() : fallback;
+}
+
+function metadataLine(content, labels) {
+  const escaped = labels.map((label) => label.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")).join("|");
+  const match = String(content || "").match(new RegExp(`^(?:${escaped})\\s*[:：]\\s*([^\\n]+)`, "im"));
+  return match ? match[1].replace(/`/g, "").trim() : "";
+}
+
+function parseState(progress) {
+  const match = String(progress || "").match(/^##\s*(?:Current Status|Status|状态)\s*[:：]?\s*(?:\n\s*)?([^\n]+)/im);
+  const raw = (match ? match[1] : "").trim().toLowerCase().replaceAll("-", "_").replaceAll(" ", "_");
+  return ["not_started", "planned", "in_progress", "review", "blocked", "done"].includes(raw) ? raw : "unknown";
+}
+
+function parseTombstone(content) {
+  const match = String(content || "").match(/^##\s*(?:Task Tombstone|任务墓碑)\s*$([\s\S]*?)(?=^##\s+|(?![\s\S]))/im);
+  if (!match) return { state: "active", fields: {} };
+  const fields = {};
+  for (const line of match[1].split(/\r?\n/)) {
+    const row = line.trim();
+    if (!row.startsWith("|") || /---/.test(row) || /Field\s*\|\s*Value/i.test(row)) continue;
+    const cells = row.slice(1, -1).split("|").map((cell) => cell.trim().toLowerCase());
+    if (cells.length >= 2) fields[cells[0]] = cells.slice(1).join("|").trim();
+  }
+  return { state: fields.state || "soft-deleted", fields };
+}
+
+function safeRelease(value) {
+  const release = String(value || "").trim();
+  return /^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/.test(release) ? release : "";
+}
+
+function redactPublic(value) {
+  return String(value || "")
+    .replace(/file:\/\/\/[^\s)"'`<>\]]+/g, "LOCAL_FILE_URL_REDACTED")
+    .replaceAll("file://", "LOCAL_FILE_URL_REDACTED")
+    .replace(/\/Users\/[^/\s)"'`<>\]]+(?:\/[^\s)"'`<>\]]*)*/g, "LOCAL_PATH_REDACTED")
+    .replace(/\/Volumes\/[^\s)"'`<>\]]+(?:\/[^\s)"'`<>\]]*)*/g, "LOCAL_PATH_REDACTED")
+    .replace(/\/(?:private\/)?tmp\/[^\s)"'`<>\]]+(?:\/[^\s)"'`<>\]]*)*/g, "LOCAL_PATH_REDACTED")
+    .replace(/\/var\/folders\/[^\s)"'`<>\]]+(?:\/[^\s)"'`<>\]]*)*/g, "LOCAL_PATH_REDACTED")
+    .replace(/\/home\/[^/\s)"'`<>\]]+(?:\/[^\s)"'`<>\]]*)*/g, "LOCAL_PATH_REDACTED")
+    .replace(/[A-Za-z]:\\[^\s)"'`<>\]]+(?:\\[^\s)"'`<>\]]*)*/g, "LOCAL_PATH_REDACTED");
+}
+
+function leaksLocalPath(value) {
+  return /(?:^|[\s"'(])(?:\/Users\/|\/Volumes\/|\/tmp\/|\/private\/tmp\/|\/var\/folders\/|\/home\/|[A-Za-z]:\\|file:\/\/)/.test(String(value || ""));
+}

package/presets/release-closeout/templates/execution_strategy.append.md

@@ -0,0 +1,7 @@
+## Release Closeout Strategy
+
+| Phase ID | Depends On | State | Completion | Output | Required Evidence | Evidence Status | Blocking Risk | Owner / Handoff |
+| --- | --- | --- | ---: | --- | --- | --- | --- | --- |
+| RC-PLAN | none | planned | 0 | Release task inventory and archive eligibility plan | `harness preset run release-closeout plan --task {{taskId}} .` | missing | none | coordinator |
+| RC-SCAFFOLD | RC-PLAN | planned | 0 | Version package materialized under governance releases | `harness preset run release-closeout scaffold --task {{taskId}} .` | missing | none | coordinator |
+| RC-CHECK | RC-SCAFFOLD | planned | 0 | Release package validation report | `harness preset run release-closeout check --task {{taskId}} .` | missing | none | coordinator |

package/presets/release-closeout/templates/findings.seed.md

@@ -0,0 +1,5 @@
+## Release Closeout Findings
+
+| Severity | Finding | Open | Blocks Release | Disposition | Waiver By |
+| --- | --- | --- | --- | --- | --- |
+| P2 | Release package has not been generated yet. | yes | no | pending `release-closeout scaffold` | n/a |

package/presets/release-closeout/templates/review.seed.md

@@ -0,0 +1,3 @@
+## Release Closeout Review
+
+Review the generated release package, archive plan, and public redaction report before marking this task complete.

package/presets/release-closeout/templates/task_plan.append.md

@@ -0,0 +1,24 @@
+## Release Closeout
+
+Release Version: {{release}}
+Previous Release: {{previousRelease}}
+Next Release: {{nextRelease}}
+Task Query: {{taskQuery}}
+
+## Release Package Workflow
+
+Run these preset entrypoints from the target root. The task scaffold only records the release intent; version package files are generated by the generic preset runner.
+
+1. `harness preset run release-closeout plan --task {{taskId}} .`
+2. `harness preset run release-closeout scaffold --task {{taskId}} .`
+3. `harness preset run release-closeout check --task {{taskId}} .`
+
+## Release Package Outputs
+
+| Output | Owner |
+| --- | --- |
+| `coding-agent-harness/governance/releases/{{release}}/INDEX.md` | `presets/release-closeout` |
+| `coding-agent-harness/governance/releases/{{release}}/task-aggregate.json` | `presets/release-closeout` |
+| `coding-agent-harness/governance/releases/{{release}}/task-archive-plan.md` | `presets/release-closeout` |
+| `coding-agent-harness/governance/releases/{{release}}/public-summary.md` | `presets/release-closeout` |
+| `coding-agent-harness/governance/releases/{{release}}/public-redaction-report.json` | `presets/release-closeout` |

package/references/pull-request-standard.md

@@ -25,8 +25,8 @@ The PR body must include:
 
 ## Content Rules
 
-- State the target version explicitly. If `package.json` changes from `1.0.3`
-  to `1.0.4`, say so in Version Impact.
+- State the target version explicitly. If `package.json` changes from one
+  version to another, say so in Version Impact.
 - List changed surfaces by user-visible area or module, not by dumping every
   file path.
 - Verification must name the real commands, browser checks, CI runs, or

package/templates/reference/pull-request-standard.md

@@ -25,8 +25,8 @@ then the localized section follows after the English section.
 
 ## Content Rules
 
-- State the target version explicitly. If `package.json` changes from `1.0.3`
-  to `1.0.4`, say so in Version Impact.
+- State the target version explicitly. If `package.json` changes from one
+  version to another, say so in Version Impact.
 - List changed surfaces by user-visible area or module, not by dumping every
   file path.
 - Verification must name the real commands, browser checks, CI runs, or

package/templates-zh-CN/reference/pull-request-standard.md

@@ -20,7 +20,7 @@ PR body 必须包含：
 
 ## 内容规则
 
-- 必须明确目标版本。如果 `package.json` 从 `1.0.2` 变为 `1.0.3`，就在版本影响里写清楚。
+- 必须明确目标版本。如果 `package.json` 从一个版本变为另一个版本，就在版本影响里写清楚。
 - 改动内容按用户可见面或模块总结，不要只堆文件路径。
 - 验证必须列真实命令、浏览器检查、CI run 或证据产物。没有跑的检查必须说明原因。
 - 审查证据必须说明自查、subagent 审查、人工审查或代码质量审查状态。release-blocking finding 必须在 merge 前关闭或路由。