harness-mcp-v2 0.9.6 → 2.9.7

package/README.md

@@ -1,6 +1,6 @@
 ## Harness MCP Server 2.0
 
-An MCP (Model Context Protocol) server that gives AI agents full access to the Harness.io platform through 11 consolidated tools and 163 resource types.
+An MCP (Model Context Protocol) server that gives AI agents full access to the Harness.io platform through 11 consolidated tools and 167 resource types.
 
 ## Why Use This MCP Server
 
@@ -8,10 +8,10 @@ Most MCP servers map one tool per API endpoint. For a platform as broad as Harne
 
 This server is built differently:
 
-- **11 tools, 163 resource types.** A registry-based dispatch system routes `harness_list`, `harness_get`, `harness_create`, etc. to any Harness resource — pipelines, services, environments, orgs, projects, feature flags, cost data, and more. The LLM picks from 11 tools instead of hundreds.
-- **Full platform coverage.** 31 toolsets spanning CI/CD, GitOps, Feature Flags, Cloud Cost Management, Security Testing, Chaos Engineering, Internal Developer Portal, Software Supply Chain, Governance, Service Overrides, Visualizations, and more. Not just pipelines — the entire Harness platform.
+- **11 tools, 167 resource types.** A registry-based dispatch system routes `harness_list`, `harness_get`, `harness_create`, etc. to any Harness resource — pipelines, services, environments, orgs, projects, feature flags, cost data, and more. The LLM picks from 11 tools instead of hundreds.
+- **Full platform coverage.** 31 toolsets spanning CI/CD, GitOps, Feature Flags, Cloud Cost Management, Security Testing, Chaos Engineering, Database DevOps, Internal Developer Portal, Software Supply Chain, Governance, Service Overrides, Visualizations, and more. Not just pipelines — the entire Harness platform.
 - **Multi-project workflows out of the box.** Agents discover organizations and projects dynamically — no hardcoded env vars needed. Ask "show failed executions across all projects" and the agent can navigate the full account hierarchy.
-- **27 prompt templates.** Pre-built prompts for common workflows: build & deploy apps end-to-end, debug failed pipelines, review DORA metrics, triage vulnerabilities, optimize cloud costs, audit access control, plan feature flag rollouts, review pull requests, approve pending pipelines, and more.
+- **30 prompt templates.** Pre-built prompts for common workflows: build & deploy apps end-to-end, debug failed pipelines, review DORA metrics, triage vulnerabilities, optimize cloud costs, audit access control, plan feature flag rollouts, review pull requests, approve pending pipelines, and more.
 - **Works everywhere.** Stdio transport for local clients (Claude Desktop, Cursor, Windsurf), HTTP transport for remote/shared deployments, Docker and Kubernetes ready.
 - **Zero-config start.** Just provide a Harness API key. Account ID is auto-extracted from PAT tokens, org/project defaults are optional, and toolset filtering lets you expose only what you need.
 - **Extensible by design.** Adding a new Harness resource means adding a declarative data file — no new tool registration, no schema changes, no prompt updates.
@@ -72,7 +72,7 @@ For development or customization:
 
 ```bash
 git clone https://github.com/harness/mcp-server.git
-cd harness-mcp-v2
+cd mcp-server
 pnpm install
 pnpm build
 
@@ -84,7 +84,7 @@ pnpm inspect            # Test with MCP Inspector
 
 ### Anthropic MCP Directory bundle
 
-The MCPB bundle manifest lives in [`mcp-directory/`](mcp-directory/), and the bundle icon is tracked at [`icon.png`](icon.png) in the repository root. Copy `mcp-directory/manifest.json` to the bundle root after `pnpm build` so the generated archive contains root-level `manifest.json`, `icon.png`, `build/`, `package.json`, and production `node_modules/`.
+The MCPB bundle manifest lives in `[mcp-directory/](mcp-directory/)`, and the bundle icon is tracked at `[icon.png](icon.png)` in the repository root. Copy `mcp-directory/manifest.json` to the bundle root after `pnpm build` so the generated archive contains root-level `manifest.json`, `icon.png`, `build/`, `package.json`, and production `node_modules/`.
 
 To keep the archive small, build MCPB packages from a staging directory:
 
@@ -162,6 +162,8 @@ curl -X DELETE http://localhost:3000/mcp \
 Harness also supports a hosted MCP endpoint for accounts that have the managed service enabled. This is useful when you want a shared remote MCP endpoint instead of running `npx harness-mcp-v2` or self-hosting the HTTP transport yourself.
 
 > **Important:** Hosted MCP authentication uses **Harness Platform OAuth**. It does **not** use `HARNESS_API_KEY` in the client config. Hosted MCP availability is configured per Harness account, so you will need to work with **Harness Support** to enable/configure the setting before using it.
+>
+> The hosted endpoint `https://mcp.harness.io/mcp` is a managed service. Client-side MCP config in Claude, Cursor, or Cowork cannot override which Harness environment it routes to. For Harness0 or another private Harness SaaS environment, ask Harness Support to enable/configure hosted MCP for that environment, or run the local/self-hosted server and set `HARNESS_BASE_URL` to the target Harness host.
 
 **Hosted MCP example:**
 
@@ -243,8 +245,6 @@ npx (zero install)
 }
 ```
 
-
-
 node (local install)
 
 ```bash
@@ -264,8 +264,6 @@ npm install -g harness-mcp-v2
 }
 ```
 
-
-
 #### Claude Code (via `claude mcp add`)
 
 npx (zero install)
@@ -274,8 +272,6 @@ npx (zero install)
 claude mcp add harness -- npx harness-mcp-v2
 ```
 
-
-
 node (local install)
 
 ```bash
@@ -283,8 +279,6 @@ npm install -g harness-mcp-v2
 claude mcp add harness -- harness-mcp-v2
 ```
 
-
-
 Then set `HARNESS_API_KEY` in your environment or `.env` file.
 
 #### Cursor (`.cursor/mcp.json`)
@@ -305,8 +299,6 @@ npx (zero install)
 }
 ```
 
-
-
 node (local install)
 
 ```bash
@@ -326,8 +318,6 @@ npm install -g harness-mcp-v2
 }
 ```
 
-
-
 #### Windsurf (`~/.windsurf/mcp.json`)
 
 npx (zero install)
@@ -346,8 +336,6 @@ npx (zero install)
 }
 ```
 
-
-
 node (local install)
 
 ```bash
@@ -367,8 +355,6 @@ npm install -g harness-mcp-v2
 }
 ```
 
-
-
 Using a local build from source?
 
 Replace the command with the path to your built `index.js`:
@@ -380,8 +366,6 @@ Replace the command with the path to your built `index.js`:
 }
 ```
 
-
-
 ### MCP Gateway
 
 The Harness MCP server is fully compatible with MCP Gateways — reverse proxies that provide centralized authentication, governance, tool routing, and observability across multiple MCP servers. Since the server implements the standard MCP protocol with both stdio and HTTP transports, it works behind any MCP-compliant gateway with no code changes.
@@ -507,25 +491,28 @@ The deployment runs 2 replicas with readiness/liveness probes, resource limits,
 
 The server automatically loads environment variables from a `.env` file in the project root if one exists. Copy `.env.example` to `.env` and fill in your values. Environment variables can also be set via your shell or MCP client config.
 
-| Variable | Required | Default | Description |
-|----------|----------|---------|-------------|
-| `HARNESS_API_KEY` | Yes | -- | Harness personal access token or service account token |
-| `HARNESS_ACCOUNT_ID` | No | *(from PAT)* | Harness account identifier. Auto-extracted from PAT tokens; only needed for non-PAT API keys |
-| `HARNESS_BASE_URL` | No | `https://app.harness.io` | Base URL (override for self-managed Harness) |
-| `HARNESS_ORG` | No | `default` | Organization ID. Used when `org_id` is not specified per tool call. Agents can also discover orgs dynamically via `harness_list(resource_type="organization")` |
-| `HARNESS_PROJECT` | No | -- | Project ID. Used when `project_id` is not specified per tool call. Agents can also discover projects dynamically via `harness_list(resource_type="project")` |
-| `HARNESS_API_TIMEOUT_MS` | No | `30000` | HTTP request timeout in milliseconds |
-| `HARNESS_MAX_RETRIES` | No | `3` | Retry count for transient failures (429, 5xx) |
-| `HARNESS_MAX_BODY_SIZE_MB` | No | `10` | Max HTTP request body size in MB for `http` transport |
-| `HARNESS_RATE_LIMIT_RPS` | No | `10` | Client-side request throttle (requests per second) to Harness APIs |
-| `LOG_LEVEL` | No | `info` | Log verbosity: `debug`, `info`, `warn`, `error` |
-| `HARNESS_TOOLSETS` | No | *(defaults)* | Comma-separated toolset list. Empty loads default toolsets and excludes opt-in toolsets such as `ai-evals`. Supports `+name` to add opt-in toolsets and `-name` to remove defaults (see [Toolset Filtering](#toolset-filtering)) |
-| `HARNESS_READ_ONLY` | No | `false` | Block all mutating operations (create, update, delete, execute). Only list and get are allowed. Useful for shared/demo environments |
-| `HARNESS_SKIP_ELICITATION` | No | `false` | Skip all elicitation confirmation prompts. When `true`, write and delete operations proceed without user approval — enabling fully autonomous agent workflows. See [Elicitation](#elicitation) |
-| `HARNESS_ALLOW_HTTP` | No | `false` | Allow non-HTTPS `HARNESS_BASE_URL`. By default, the server enforces HTTPS for security. Set to `true` only for local development against a non-TLS Harness instance |
-| `HARNESS_PIPELINE_VERSION` | No | `0` | **(Alpha)** Pipeline YAML version. `0` loads the `pipeline` resource type and excludes `pipeline_v1`; `1` loads `pipeline_v1` and excludes `pipeline`. HTTP sessions can override this at initialize time with `x-harness-pipeline-version: 0` or `1` |
-| `HARNESS_MCP_ALLOWED_HOSTS` | No | -- | Comma-separated hostnames allowed by HTTP transport Host-header validation. `mcp.harness.io` is allowed by default for localhost binds; add proxy/custom domains here |
-| `HARNESS_MCP_LOG_FILE` | No | `~/.claude/harness-mcp.log` | File used for stdio disconnect/crash diagnostics when stderr may no longer be available |
+
+| Variable                    | Required | Default                     | Description                                                                                                                                                                                                                                           |
+| --------------------------- | -------- | --------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `HARNESS_API_KEY`           | Yes      | --                          | Harness personal access token or service account token                                                                                                                                                                                                |
+| `HARNESS_ACCOUNT_ID`        | No       | *(from PAT)*                | Harness account identifier. Auto-extracted from PAT tokens; only needed for non-PAT API keys                                                                                                                                                          |
+| `HARNESS_BASE_URL`          | No       | `https://app.harness.io`    | Harness API/UI base URL for local stdio or self-hosted HTTP deployments. Set this to environments such as `https://harness0.harness.io` when running the server yourself. It does not affect the managed `https://mcp.harness.io/mcp` hosted endpoint |
+| `HARNESS_ORG`               | No       | `default`                   | Organization ID. Used when `org_id` is not specified per tool call. Agents can also discover orgs dynamically via `harness_list(resource_type="organization")`                                                                                        |
+| `HARNESS_PROJECT`           | No       | --                          | Project ID. Used when `project_id` is not specified per tool call. Agents can also discover projects dynamically via `harness_list(resource_type="project")`                                                                                          |
+| `HARNESS_API_TIMEOUT_MS`    | No       | `30000`                     | HTTP request timeout in milliseconds                                                                                                                                                                                                                  |
+| `HARNESS_MAX_RETRIES`       | No       | `3`                         | Retry count for transient failures (429, 5xx)                                                                                                                                                                                                         |
+| `HARNESS_MAX_BODY_SIZE_MB`  | No       | `10`                        | Max HTTP request body size in MB for `http` transport                                                                                                                                                                                                 |
+| `HARNESS_RATE_LIMIT_RPS`    | No       | `10`                        | Client-side request throttle (requests per second) to Harness APIs                                                                                                                                                                                    |
+| `LOG_LEVEL`                 | No       | `info`                      | Log verbosity: `debug`, `info`, `warn`, `error`                                                                                                                                                                                                       |
+| `HARNESS_TOOLSETS`          | No       | *(defaults)*                | Comma-separated toolset list. Empty loads default toolsets and excludes opt-in toolsets such as `ai-evals`. Supports `+name` to add opt-in toolsets and `-name` to remove defaults (see [Toolset Filtering](#toolset-filtering))                      |
+| `HARNESS_READ_ONLY`         | No       | `false`                     | Block all mutating operations (create, update, delete, execute). Only list and get are allowed. Useful for shared/demo environments                                                                                                                   |
+| `HARNESS_AUTO_APPROVE_RISK` | No       | `none`                      | Risk-based auto-approve threshold for autonomous workflows. Operations at or below this risk proceed without confirmation. Values: `none`, `low_write`, `medium_write`, `high_write`, `all`. See [Elicitation](#elicitation)                          |
+| `HARNESS_SKIP_ELICITATION`  | No       | `false`                     | **Deprecated** — use `HARNESS_AUTO_APPROVE_RISK=all` instead. Kept for backward compatibility                                                                                                                                                         |
+| `HARNESS_ALLOW_HTTP`        | No       | `false`                     | Allow non-HTTPS `HARNESS_BASE_URL`. By default, the server enforces HTTPS for security. Set to `true` only for local development against a non-TLS Harness instance                                                                                   |
+| `HARNESS_PIPELINE_VERSION`  | No       | `0`                         | **(Alpha)** Pipeline YAML version. `0` loads the `pipeline` resource type and excludes `pipeline_v1`; `1` loads `pipeline_v1` and excludes `pipeline`. HTTP sessions can override this at initialize time with `x-harness-pipeline-version: 0` or `1` |
+| `HARNESS_MCP_ALLOWED_HOSTS` | No       | --                          | Comma-separated hostnames allowed by HTTP transport Host-header validation. `mcp.harness.io` is allowed by default for localhost binds; add proxy/custom domains here                                                                                 |
+| `HARNESS_MCP_LOG_FILE`      | No       | `~/.claude/harness-mcp.log` | File used for stdio disconnect/crash diagnostics when stderr may no longer be available                                                                                                                                                               |
+
 
 ### HTTPS Enforcement
 
@@ -680,6 +667,49 @@ The server exposes 11 MCP tools. Most API tools accept `org_id` and `project_id`
 { "org_id": "default", "project_id": "my-project", "limit": 5 }
 ```
 
+**List database schemas filtered by migration type:**
+
+```json
+{ "resource_type": "database_schema", "migration_type": "Liquibase" }
+```
+
+**List database instances for a schema:**
+
+```json
+{ "resource_type": "database_instance", "dbschema_id": "my_schema" }
+```
+
+**Get the resolved LLM authoring pipeline for a schema and instance:**
+
+```json
+{ "resource_type": "database_llm_authoring_pipeline", "resource_id": "my_schema", "dbinstance_id": "prod_db" }
+```
+
+**List snapshot object names (e.g. tables) for a schema instance:**
+
+```json
+{
+  "resource_type": "database_snapshot_object",
+  "dbschema_id": "my_schema",
+  "dbinstance_id": "prod_db",
+  "object_type": "Table"
+}
+```
+
+**Get full snapshot metadata for specific named objects:**
+
+```json
+{
+  "resource_type": "database_snapshot_object",
+  "resource_id": "prod_db",
+  "params": {
+    "dbschema_id": "my_schema",
+    "object_type": "Table",
+    "object_names": ["users", "orders"]
+  }
+}
+```
+
 ### Pipeline Run Workflow (Recommended)
 
 Use this sequence to reduce execution-time input errors:
@@ -924,7 +954,7 @@ Harness pipelines can be stored in three ways:
 
 ## Resource Types
 
-163 resource types organized across 31 toolsets. Each resource type supports a subset of CRUD operations and optional execute actions.
+167 resource types organized across 31 toolsets. Each resource type supports a subset of CRUD operations and optional execute actions.
 
 ### Platform
 
@@ -1069,6 +1099,17 @@ Only one pipeline YAML resource type is loaded at startup. By default `HARNESS_P
 | `dashboard_data` |      | x   |        |        |        |                 |
 
 
+### Database DevOps
+
+
+| Resource Type                     | List | Get | Create | Update | Delete | Execute Actions |
+| --------------------------------- | ---- | --- | ------ | ------ | ------ | --------------- |
+| `database_schema`                 | x    | x   |        |        |        |                 |
+| `database_instance`               | x    | x   |        |        |        |                 |
+| `database_snapshot_object`        | x    | x   |        |        |        |                 |
+| `database_llm_authoring_pipeline` |      | x   |        |        |        |                 |
+
+
 ### Internal Developer Portal (IDP)
 
 
@@ -1359,7 +1400,7 @@ Inline PNG chart visualizations rendered from Harness data. These are metadata-o
 
 ## Toolset Filtering
 
-By default, 30 of 31 toolsets are enabled. One toolset (`ai-evals`) is opt-in — excluded by default to avoid polluting the resource list for users who don't need it.
+By default, 31 of 32 toolsets are enabled. One toolset (`ai-evals`) is opt-in — excluded by default to avoid polluting the resource list for users who don't need it.
 
 ### Enabling opt-in toolsets
 
@@ -1397,40 +1438,43 @@ HARNESS_TOOLSETS=pipelines,services,connectors
 
 Available toolset names:
 
-| Toolset | Resource Types |
-|---------|---------------|
-| `platform` | organization, project |
-| `pipelines` | pipeline, pipeline_v1, execution, trigger, pipeline_summary, input_set, approval_instance |
-| `agents` | agent, agent_run |
-| `services` | service |
-| `environments` | environment |
-| `connectors` | connector, connector_catalogue |
-| `infrastructure` | infrastructure |
-| `secrets` | secret |
-| `logs` | execution_log |
-| `audit` | audit_event |
-| `delegates` | delegate, delegate_token |
-| `repositories` | repository, branch, commit, file_content, tag, repo_rule, space_rule |
-| `registries` | registry, artifact, artifact_version, artifact_file |
-| `templates` | template |
-| `dashboards` | dashboard, dashboard_data |
-| `idp` | idp_entity, scorecard, scorecard_check, scorecard_stats, scorecard_check_stats, idp_score, idp_workflow, idp_tech_doc |
-| `pull-requests` | pull_request, pr_reviewer, pr_comment, pr_check, pr_activity |
-| `feature-flags` | fme_workspace, fme_environment, fme_feature_flag, fme_feature_flag_definition, fme_rollout_status, fme_rule_based_segment, fme_rule_based_segment_definition, feature_flag |
-| `gitops` | gitops_agent, gitops_application, gitops_cluster, gitops_repository, gitops_applicationset, gitops_repo_credential, gitops_app_event, gitops_pod_log, gitops_managed_resource, gitops_resource_action, gitops_dashboard, gitops_app_resource_tree |
-| `chaos` | chaos_experiment, chaos_probe, chaos_experiment_template, chaos_infrastructure, chaos_experiment_variable, chaos_experiment_run, chaos_loadtest, chaos_k8s_infrastructure, chaos_hub, chaos_fault, chaos_network_map, chaos_guard_condition, chaos_guard_rule, chaos_recommendation, chaos_risk |
-| `ccm` | cost_perspective, cost_breakdown, cost_timeseries, cost_summary, cost_recommendation, cost_anomaly, cost_anomaly_summary, cost_category, cost_account_overview, cost_filter_value, cost_recommendation_stats, cost_recommendation_detail, cost_commitment |
-| `sei` | sei_metric, sei_productivity_metric, sei_dora_metric, sei_team, sei_team_detail, sei_org_tree, sei_org_tree_detail, sei_business_alignment, sei_ai_usage, sei_ai_adoption, sei_ai_impact, sei_ai_raw_metric |
-| `scs` | scs_artifact_source, artifact_security, scs_artifact_component, scs_artifact_remediation, scs_chain_of_custody, scs_compliance_result, code_repo_security, scs_sbom |
-| `sto` | security_issue, security_issue_filter, security_exemption |
-| `access_control` | user, user_group, service_account, role, role_assignment, resource_group, permission |
-| `governance` | policy, policy_set, policy_evaluation |
-| `freeze` | freeze_window, global_freeze |
-| `overrides` | service_override |
-| `settings` | setting |
-| `visualizations` | visual_timeline, visual_stage_flow, visual_health_dashboard, visual_pie_chart, visual_bar_chart, visual_timeseries, visual_architecture |
+
+| Toolset                 | Resource Types                                                                                                                                                                                                                                                                                  |
+| ----------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `platform`              | organization, project                                                                                                                                                                                                                                                                           |
+| `pipelines`             | pipeline, pipeline_v1, execution, trigger, pipeline_summary, input_set, approval_instance                                                                                                                                                                                                       |
+| `agents`                | agent, agent_run                                                                                                                                                                                                                                                                                |
+| `services`              | service                                                                                                                                                                                                                                                                                         |
+| `environments`          | environment                                                                                                                                                                                                                                                                                     |
+| `connectors`            | connector, connector_catalogue                                                                                                                                                                                                                                                                  |
+| `infrastructure`        | infrastructure                                                                                                                                                                                                                                                                                  |
+| `secrets`               | secret                                                                                                                                                                                                                                                                                          |
+| `logs`                  | execution_log                                                                                                                                                                                                                                                                                   |
+| `audit`                 | audit_event                                                                                                                                                                                                                                                                                     |
+| `delegates`             | delegate, delegate_token                                                                                                                                                                                                                                                                        |
+| `repositories`          | repository, branch, commit, file_content, tag, repo_rule, space_rule                                                                                                                                                                                                                            |
+| `registries`            | registry, artifact, artifact_version, artifact_file                                                                                                                                                                                                                                             |
+| `templates`             | template                                                                                                                                                                                                                                                                                        |
+| `dashboards`            | dashboard, dashboard_data                                                                                                                                                                                                                                                                       |
+| `idp`                   | idp_entity, scorecard, scorecard_check, scorecard_stats, scorecard_check_stats, idp_score, idp_workflow, idp_tech_doc                                                                                                                                                                           |
+| `pull-requests`         | pull_request, pr_reviewer, pr_comment, pr_check, pr_activity                                                                                                                                                                                                                                    |
+| `feature-flags`         | fme_workspace, fme_environment, fme_feature_flag, fme_feature_flag_definition, fme_rollout_status, fme_rule_based_segment, fme_rule_based_segment_definition, feature_flag                                                                                                                      |
+| `gitops`                | gitops_agent, gitops_application, gitops_cluster, gitops_repository, gitops_applicationset, gitops_repo_credential, gitops_app_event, gitops_pod_log, gitops_managed_resource, gitops_resource_action, gitops_dashboard, gitops_app_resource_tree                                               |
+| `chaos`                 | chaos_experiment, chaos_probe, chaos_experiment_template, chaos_infrastructure, chaos_experiment_variable, chaos_experiment_run, chaos_loadtest, chaos_k8s_infrastructure, chaos_hub, chaos_fault, chaos_network_map, chaos_guard_condition, chaos_guard_rule, chaos_recommendation, chaos_risk |
+| `ccm`                   | cost_perspective, cost_breakdown, cost_timeseries, cost_summary, cost_recommendation, cost_anomaly, cost_anomaly_summary, cost_category, cost_account_overview, cost_filter_value, cost_recommendation_stats, cost_recommendation_detail, cost_commitment                                       |
+| `sei`                   | sei_metric, sei_productivity_metric, sei_dora_metric, sei_team, sei_team_detail, sei_org_tree, sei_org_tree_detail, sei_business_alignment, sei_ai_usage, sei_ai_adoption, sei_ai_impact, sei_ai_raw_metric                                                                                     |
+| `scs`                   | scs_artifact_source, artifact_security, scs_artifact_component, scs_artifact_remediation, scs_chain_of_custody, scs_compliance_result, code_repo_security, scs_sbom                                                                                                                             |
+| `sto`                   | security_issue, security_issue_filter, security_exemption                                                                                                                                                                                                                                       |
+| `dbops`                 | database_schema, database_instance, database_snapshot_object, database_llm_authoring_pipeline                                                                                                                                                                                                   |
+| `access_control`        | user, user_group, service_account, role, role_assignment, resource_group, permission                                                                                                                                                                                                            |
+| `governance`            | policy, policy_set, policy_evaluation                                                                                                                                                                                                                                                           |
+| `freeze`                | freeze_window, global_freeze                                                                                                                                                                                                                                                                    |
+| `overrides`             | service_override                                                                                                                                                                                                                                                                                |
+| `settings`              | setting                                                                                                                                                                                                                                                                                         |
+| `visualizations`        | visual_timeline, visual_stage_flow, visual_health_dashboard, visual_pie_chart, visual_bar_chart, visual_timeseries, visual_architecture                                                                                                                                                         |
 | `ai-evals` **(opt-in)** | eval_dataset, eval_dataset_item, evaluation, eval_run, eval_run_item, eval_run_by_eval, eval_metric, eval_metric_set, eval_metric_set_entry, eval_suite, eval_suite_evaluation, eval_suite_run, eval_target, eval_model, eval_annotation, eval_analytics, eval_git_settings, eval_registry_item |
 
+
 ## Architecture
 
 ```
@@ -1446,8 +1490,8 @@ Available toolset names:
                           |
                  +--------v---------+
                 |    Registry       |  <-- Declarative resource definitions
-                |  31 Toolsets      |      (data files, not code)
-                |  163 Resource Types|
+                |  32 Toolsets      |      (data files, not code)
+                |  167 Resource Types|
                  +--------+---------+
                           |
                  +--------v---------+
@@ -1637,20 +1681,29 @@ Write tools (`harness_create`, `harness_update`, `harness_delete`, `harness_exec
 | MCP Inspector     | Yes                 |
 
 
-Elicitation behavior varies by operation severity when client support is missing:
-For clients that don't support elicitation:
+Elicitation behavior varies by operation risk when client support is missing:
+
 
-- `harness_create`, `harness_update`, and `harness_execute` proceed without a dialog (best effort).
-- Destructive operations are blocked if confirmation cannot be obtained (`harness_delete`).
+| Risk Level                                    | Client supports elicitation | Behavior                                          |
+| --------------------------------------------- | --------------------------- | ------------------------------------------------- |
+| `read`, `low_write`                           | any                         | Proceed silently (no confirmation needed)         |
+| `medium_write`, `high_write`, `destructive`   | Yes                         | Prompt user — proceed on accept, block on decline |
+| `medium_write`, `high_write`, `destructive`   | No                          | **BLOCK** (return error)                          |
+| any (at or below `HARNESS_AUTO_APPROVE_RISK`) | any                         | Auto-approve without prompting                    |
 
-If elicitation fails at runtime, the same rules apply: non-destructive writes continue, destructive writes are blocked.
 
-### Skipping Elicitation for Autonomous Workflows
+If elicitation fails at runtime, operations at `medium_write` or above are blocked.
 
-For fully autonomous agent workflows (CI/CD bots, headless agents, batch automation), elicitation prompts can be disabled entirely:
+### Auto-Approve for Autonomous Workflows
+
+For CI/CD bots, headless agents, or batch automation, use `HARNESS_AUTO_APPROVE_RISK` to auto-approve operations up to a given risk level:
 
 ```bash
-HARNESS_SKIP_ELICITATION=true
+# Auto-approve everything (equivalent to old HARNESS_SKIP_ELICITATION=true)
+HARNESS_AUTO_APPROVE_RISK=all
+
+# Auto-approve only low-risk writes, still prompt for medium+
+HARNESS_AUTO_APPROVE_RISK=low_write
 ```
 
 Or in your MCP client config:
@@ -1663,20 +1716,22 @@ Or in your MCP client config:
       "args": ["harness-mcp-v2"],
       "env": {
         "HARNESS_API_KEY": "pat.xxx.xxx.xxx",
-        "HARNESS_SKIP_ELICITATION": "true"
+        "HARNESS_AUTO_APPROVE_RISK": "all"
       }
     }
   }
 }
 ```
 
-When enabled, **all** write and delete operations proceed without user confirmation — including destructive operations like `harness_delete`. Use with caution and consider pairing with `HARNESS_TOOLSETS` to restrict which resource types are available.
+> **Migration note:** `HARNESS_SKIP_ELICITATION=true` is still supported and maps to `HARNESS_AUTO_APPROVE_RISK=all`. A deprecation warning is logged to stderr. If both are set, `HARNESS_AUTO_APPROVE_RISK` takes precedence.
+
+When set to `all`, **all** write and delete operations proceed without user confirmation — including destructive operations like `harness_delete`. Use with caution and consider pairing with `HARNESS_TOOLSETS` to restrict which resource types are available.
 
 ## Safety
 
 - **Secrets are never exposed.** The `secret` resource type returns metadata only (name, type, scope) — secret values are never included in any response.
 - **Write operations use elicitation when available.** `harness_create`, `harness_update`, `harness_delete`, and `harness_execute` attempt MCP elicitation before proceeding (see [Elicitation](#elicitation)).
-- **Destructive writes fail closed.** If confirmation cannot be obtained, `harness_delete` is blocked instead of executing blindly. Override with `HARNESS_SKIP_ELICITATION=true` for autonomous workflows.
+- **Medium-risk and above fail closed.** If confirmation cannot be obtained for `medium_write`, `high_write`, or `destructive` operations, they are blocked instead of executing blindly. Override with `HARNESS_AUTO_APPROVE_RISK` for autonomous workflows.
 - **CORS restricted to same-origin.** The HTTP transport only allows same-origin requests, preventing CSRF attacks from malicious websites targeting the MCP server on localhost.
 - **HTTP rate limiting.** The HTTP transport enforces 60 requests per minute per IP to prevent request flooding.
 - **API rate limiting.** The Harness API client enforces a 10 requests/second limit to avoid hitting upstream rate limits.

package/build/audit/index.d.ts

@@ -0,0 +1,14 @@
+import type { Config } from "../config.js";
+import { AuditManager } from "./manager.js";
+export { AuditManager } from "./manager.js";
+export type { AuditEvent, AuditContext, AuditSink, ConfirmationMethod } from "./types.js";
+/**
+ * Create an AuditManager with sinks enabled based on configuration.
+ *
+ * - StderrSink is always active
+ * - JsonlFileSink activates when HARNESS_AUDIT_FILE is set
+ * - WebhookSink activates when HARNESS_AUDIT_WEBHOOK_URL is set
+ * - OTelSink activates when @opentelemetry/api is importable + OTEL endpoint is set
+ */
+export declare function createAuditManager(config: Config): AuditManager;
+//# sourceMappingURL=index.d.ts.map

package/build/audit/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/audit/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,cAAc,CAAC;AAC3C,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAO5C,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAC5C,YAAY,EAAE,UAAU,EAAE,YAAY,EAAE,SAAS,EAAE,kBAAkB,EAAE,MAAM,YAAY,CAAC;AAI1F;;;;;;;GAOG;AACH,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,MAAM,GAAG,YAAY,CAoC/D"}

package/build/audit/index.js

@@ -0,0 +1,50 @@
+import { AuditManager } from "./manager.js";
+import { StderrSink } from "./sinks/stderr.js";
+import { JsonlFileSink } from "./sinks/jsonl-file.js";
+import { WebhookSink } from "./sinks/webhook.js";
+import { OTelSink } from "./sinks/otel.js";
+import { createLogger } from "../utils/logger.js";
+export { AuditManager } from "./manager.js";
+const log = createLogger("audit");
+/**
+ * Create an AuditManager with sinks enabled based on configuration.
+ *
+ * - StderrSink is always active
+ * - JsonlFileSink activates when HARNESS_AUDIT_FILE is set
+ * - WebhookSink activates when HARNESS_AUDIT_WEBHOOK_URL is set
+ * - OTelSink activates when @opentelemetry/api is importable + OTEL endpoint is set
+ */
+export function createAuditManager(config) {
+    const manager = new AuditManager();
+    manager.addSink(new StderrSink());
+    const auditFile = config.HARNESS_AUDIT_FILE;
+    if (auditFile) {
+        manager.addSink(new JsonlFileSink(auditFile));
+        log.info("JSONL audit file sink enabled", { path: auditFile });
+    }
+    const webhookUrl = config.HARNESS_AUDIT_WEBHOOK_URL;
+    if (webhookUrl) {
+        const token = config.HARNESS_AUDIT_WEBHOOK_TOKEN;
+        const batchSize = config.HARNESS_AUDIT_WEBHOOK_BATCH_SIZE;
+        const flushMs = config.HARNESS_AUDIT_WEBHOOK_FLUSH_MS;
+        manager.addSink(new WebhookSink({
+            url: webhookUrl,
+            token,
+            batchSize,
+            flushIntervalMs: flushMs,
+        }));
+        try {
+            const origin = new URL(webhookUrl).origin;
+            log.info("Webhook audit sink enabled", { host: origin });
+        }
+        catch {
+            log.info("Webhook audit sink enabled");
+        }
+    }
+    if (process.env.OTEL_EXPORTER_OTLP_ENDPOINT) {
+        manager.addSink(new OTelSink());
+        log.info("OTel audit sink enabled (pending @opentelemetry/api availability)");
+    }
+    return manager;
+}
+//# sourceMappingURL=index.js.map

package/build/audit/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/audit/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAC5C,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAC/C,OAAO,EAAE,aAAa,EAAE,MAAM,uBAAuB,CAAC;AACtD,OAAO,EAAE,WAAW,EAAE,MAAM,oBAAoB,CAAC;AACjD,OAAO,EAAE,QAAQ,EAAE,MAAM,iBAAiB,CAAC;AAC3C,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAElD,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAG5C,MAAM,GAAG,GAAG,YAAY,CAAC,OAAO,CAAC,CAAC;AAElC;;;;;;;GAOG;AACH,MAAM,UAAU,kBAAkB,CAAC,MAAc;IAC/C,MAAM,OAAO,GAAG,IAAI,YAAY,EAAE,CAAC;IAEnC,OAAO,CAAC,OAAO,CAAC,IAAI,UAAU,EAAE,CAAC,CAAC;IAElC,MAAM,SAAS,GAAI,MAAkC,CAAC,kBAAwC,CAAC;IAC/F,IAAI,SAAS,EAAE,CAAC;QACd,OAAO,CAAC,OAAO,CAAC,IAAI,aAAa,CAAC,SAAS,CAAC,CAAC,CAAC;QAC9C,GAAG,CAAC,IAAI,CAAC,+BAA+B,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,CAAC,CAAC;IACjE,CAAC;IAED,MAAM,UAAU,GAAI,MAAkC,CAAC,yBAA+C,CAAC;IACvG,IAAI,UAAU,EAAE,CAAC;QACf,MAAM,KAAK,GAAI,MAAkC,CAAC,2BAAiD,CAAC;QACpG,MAAM,SAAS,GAAI,MAAkC,CAAC,gCAAsD,CAAC;QAC7G,MAAM,OAAO,GAAI,MAAkC,CAAC,8BAAoD,CAAC;QACzG,OAAO,CAAC,OAAO,CAAC,IAAI,WAAW,CAAC;YAC9B,GAAG,EAAE,UAAU;YACf,KAAK;YACL,SAAS;YACT,eAAe,EAAE,OAAO;SACzB,CAAC,CAAC,CAAC;QACJ,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,CAAC,MAAM,CAAC;YAC1C,GAAG,CAAC,IAAI,CAAC,4BAA4B,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC;QAC3D,CAAC;QAAC,MAAM,CAAC;YACP,GAAG,CAAC,IAAI,CAAC,4BAA4B,CAAC,CAAC;QACzC,CAAC;IACH,CAAC;IAED,IAAI,OAAO,CAAC,GAAG,CAAC,2BAA2B,EAAE,CAAC;QAC5C,OAAO,CAAC,OAAO,CAAC,IAAI,QAAQ,EAAE,CAAC,CAAC;QAChC,GAAG,CAAC,IAAI,CAAC,mEAAmE,CAAC,CAAC;IAChF,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC"}

package/build/audit/manager.d.ts

@@ -0,0 +1,14 @@
+import type { AuditEvent, AuditSink } from "./types.js";
+/**
+ * Fan-out orchestrator for audit events.
+ * Distributes each event to all registered sinks. Sink failures are
+ * logged but never propagate — audit must never break tool execution.
+ */
+export declare class AuditManager {
+    private sinks;
+    addSink(sink: AuditSink): void;
+    emit(event: AuditEvent): void;
+    flush(): Promise<void>;
+    close(): Promise<void>;
+}
+//# sourceMappingURL=manager.d.ts.map

package/build/audit/manager.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"manager.d.ts","sourceRoot":"","sources":["../../src/audit/manager.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,YAAY,CAAC;AAKxD;;;;GAIG;AACH,qBAAa,YAAY;IACvB,OAAO,CAAC,KAAK,CAAmB;IAEhC,OAAO,CAAC,IAAI,EAAE,SAAS,GAAG,IAAI;IAK9B,IAAI,CAAC,KAAK,EAAE,UAAU,GAAG,IAAI;IAevB,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IActB,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;CAc7B"}

package/build/audit/manager.js

@@ -0,0 +1,55 @@
+import { createLogger } from "../utils/logger.js";
+const log = createLogger("audit-manager");
+/**
+ * Fan-out orchestrator for audit events.
+ * Distributes each event to all registered sinks. Sink failures are
+ * logged but never propagate — audit must never break tool execution.
+ */
+export class AuditManager {
+    sinks = [];
+    addSink(sink) {
+        this.sinks.push(sink);
+        log.debug(`Audit sink registered: ${sink.name}`);
+    }
+    emit(event) {
+        for (const sink of this.sinks) {
+            try {
+                const result = sink.emit(event);
+                if (result && typeof result.catch === "function") {
+                    result.catch((err) => {
+                        log.warn(`Audit sink "${sink.name}" async emit failed`, { error: String(err) });
+                    });
+                }
+            }
+            catch (err) {
+                log.warn(`Audit sink "${sink.name}" emit failed`, { error: String(err) });
+            }
+        }
+    }
+    async flush() {
+        await Promise.allSettled(this.sinks
+            .filter((s) => s.flush)
+            .map(async (s) => {
+            try {
+                await s.flush();
+            }
+            catch (err) {
+                log.warn(`Audit sink "${s.name}" flush failed`, { error: String(err) });
+            }
+        }));
+    }
+    async close() {
+        await this.flush();
+        await Promise.allSettled(this.sinks
+            .filter((s) => s.close)
+            .map(async (s) => {
+            try {
+                await s.close();
+            }
+            catch (err) {
+                log.warn(`Audit sink "${s.name}" close failed`, { error: String(err) });
+            }
+        }));
+    }
+}
+//# sourceMappingURL=manager.js.map

package/build/audit/manager.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"manager.js","sourceRoot":"","sources":["../../src/audit/manager.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,MAAM,oBAAoB,CAAC;AAElD,MAAM,GAAG,GAAG,YAAY,CAAC,eAAe,CAAC,CAAC;AAE1C;;;;GAIG;AACH,MAAM,OAAO,YAAY;IACf,KAAK,GAAgB,EAAE,CAAC;IAEhC,OAAO,CAAC,IAAe;QACrB,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACtB,GAAG,CAAC,KAAK,CAAC,0BAA0B,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;IACnD,CAAC;IAED,IAAI,CAAC,KAAiB;QACpB,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;YAC9B,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;gBAChC,IAAI,MAAM,IAAI,OAAQ,MAAwB,CAAC,KAAK,KAAK,UAAU,EAAE,CAAC;oBACnE,MAAwB,CAAC,KAAK,CAAC,CAAC,GAAG,EAAE,EAAE;wBACtC,GAAG,CAAC,IAAI,CAAC,eAAe,IAAI,CAAC,IAAI,qBAAqB,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;oBAClF,CAAC,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,GAAG,CAAC,IAAI,CAAC,eAAe,IAAI,CAAC,IAAI,eAAe,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YAC5E,CAAC;QACH,CAAC;IACH,CAAC;IAED,KAAK,CAAC,KAAK;QACT,MAAM,OAAO,CAAC,UAAU,CACtB,IAAI,CAAC,KAAK;aACP,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC;aACtB,GAAG,CAAC,KAAK,EAAE,CAAC,EAAE,EAAE;YACf,IAAI,CAAC;gBACH,MAAM,CAAC,CAAC,KAAM,EAAE,CAAC;YACnB,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,GAAG,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC,IAAI,gBAAgB,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YAC1E,CAAC;QACH,CAAC,CAAC,CACL,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,KAAK;QACT,MAAM,IAAI,CAAC,KAAK,EAAE,CAAC;QACnB,MAAM,OAAO,CAAC,UAAU,CACtB,IAAI,CAAC,KAAK;aACP,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC;aACtB,GAAG,CAAC,KAAK,EAAE,CAAC,EAAE,EAAE;YACf,IAAI,CAAC;gBACH,MAAM,CAAC,CAAC,KAAM,EAAE,CAAC;YACnB,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,GAAG,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC,IAAI,gBAAgB,EAAE,EAAE,KAAK,EAAE,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YAC1E,CAAC;QACH,CAAC,CAAC,CACL,CAAC;IACJ,CAAC;CACF"}

package/build/audit/sinks/jsonl-file.d.ts

@@ -0,0 +1,13 @@
+import type { AuditEvent, AuditSink } from "../types.js";
+/**
+ * Appends audit events as NDJSON (one JSON object per line) to a file.
+ * Enabled when HARNESS_AUDIT_FILE is set.
+ */
+export declare class JsonlFileSink implements AuditSink {
+    private readonly filePath;
+    readonly name = "jsonl-file";
+    private dirEnsured;
+    constructor(filePath: string);
+    emit(event: AuditEvent): void;
+}
+//# sourceMappingURL=jsonl-file.d.ts.map

package/build/audit/sinks/jsonl-file.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jsonl-file.d.ts","sourceRoot":"","sources":["../../../src/audit/sinks/jsonl-file.ts"],"names":[],"mappings":"AAEA,OAAO,KAAK,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAKzD;;;GAGG;AACH,qBAAa,aAAc,YAAW,SAAS;IAIjC,OAAO,CAAC,QAAQ,CAAC,QAAQ;IAHrC,QAAQ,CAAC,IAAI,gBAAgB;IAC7B,OAAO,CAAC,UAAU,CAAS;gBAEE,QAAQ,EAAE,MAAM;IAE7C,IAAI,CAAC,KAAK,EAAE,UAAU,GAAG,IAAI;CAmB9B"}