shield-harness 1.0.0

package/.claude/rules/implementation-context.md

@@ -0,0 +1,112 @@
+# Shield Harness Implementation Context
+
+> Shield Harness = Claude Code の `.claude/` ディレクトリ構造によるセキュリティハーネス（hooks + rules + skills + settings.json）
+
+## Design Documents（実装時に必ず参照）
+
+| #   | ドキュメント       | 層        | パス                                         | 用途                                     |
+| --- | ------------------ | --------- | -------------------------------------------- | ---------------------------------------- |
+| ①   | REQUIREMENTS.md    | Why       | docs/REQUIREMENTS.md                         | 機能要件・受入基準                       |
+| ②   | THREAT_MODEL.md    | Why→What  | docs/THREAT_MODEL.md                         | 脅威 ID・攻撃ベクトル                    |
+| ③   | ARCHITECTURE.md    | What      | docs/ARCHITECTURE.md                         | 22 フック一覧・ディレクトリ構造          |
+| ④   | CLAUDE_MD_SPEC.md  | What      | docs/CLAUDE_MD_SPEC.md                       | 28 ルール仕様・トレーサビリティ          |
+| ⑤   | DETAILED_DESIGN.md | How       | docs/DETAILED_DESIGN.md                      | 各フックの入出力・正規表現・分岐ロジック |
+| ADR | ADR 設計提案       | Reference | .reference/CLAWLESS_ADR_REDESIGN_PROPOSAL.md | 35 ADR の設計判断根拠                    |
+
+## Implementation Order（依存関係グラフに基づく）
+
+```
+Phase A（基盤 — 最初に実装）:
+  ADR-033: backlog.yaml スキーマ + sync-project-views.ps1
+  ↓ 他 ADR の前提
+
+Phase B（パイプライン）:
+  ADR-031: sh-pipeline.sh（STG ゲート駆動）
+  ADR-032: 承認レスモード（approval_free） ← 並列可
+  ADR-035: バイリンガル README + sync-readme.ps1 ← 並列可
+  ↓
+
+Phase C（自律ループ）:
+  ADR-034: auto-pickup + チャンネル連携 + ブロック通知
+```
+
+## Technical Constraints
+
+- **Hook language**: pure bash + jq（ミリ秒応答必須）。複雑ロジックのみ Node.js CommonJS
+- **Hook protocol**: exit 0 = allow, exit 2 = deny（stdout に JSON）。deny() は sh-utils.sh 経由
+- **Target**: 22 hook scripts + lib/sh-utils.sh + injection-patterns.json
+- **External deps**: yq (Go), jq 1.6+, node (NFKC), pwsh (sync scripts, bash fallback あり), gh (optional)
+- **OS**: Windows ネイティブファースト（Git Bash 環境）。WSL2/Linux 互換
+- **Trusted Operation**: pipeline の git 操作は bash 子プロセスとして直接実行（フックエンジン非経由）
+- **fail-close**: 安全条件を確認できない場合は exit 2 で停止
+
+## Directory Structure（生成対象の全量）
+
+```
+.claude/
+├─ settings.json
+├─ settings.local.json
+├─ hooks/
+│   ├─ sh-permission.sh
+│   ├─ sh-permission-learn.sh
+│   ├─ sh-gate.sh
+│   ├─ sh-injection-guard.sh
+│   ├─ sh-user-prompt.sh
+│   ├─ sh-evidence.sh
+│   ├─ sh-output-control.sh
+│   ├─ sh-quiet-inject.sh
+│   ├─ sh-circuit-breaker.sh
+│   ├─ sh-task-gate.sh
+│   ├─ sh-precompact.sh
+│   ├─ sh-postcompact.sh
+│   ├─ sh-instructions.sh
+│   ├─ sh-session-start.sh
+│   ├─ sh-session-end.sh
+│   ├─ sh-config-guard.sh
+│   ├─ sh-subagent.sh
+│   ├─ sh-dependency-guard.sh
+│   ├─ sh-elicitation.sh
+│   ├─ sh-worktree.sh
+│   ├─ sh-data-boundary.sh
+│   ├─ sh-pipeline.sh
+│   └─ lib/
+│       └─ sh-utils.sh
+├─ patterns/
+│   └─ injection-patterns.json
+├─ rules/
+│   ├─ security.md
+│   ├─ coding-principles.md
+│   └─ channel-security.md
+└─ logs/
+    ├─ evidence-ledger.jsonl
+    └─ instructions-hashes.json
+
+.shield-harness/
+├─ session.json
+├─ config/
+│   └─ pipeline-config.json
+└─ logs/
+
+tasks/
+└─ backlog.yaml
+
+docs/project/
+├─ ROADMAP.md
+├─ WBS.md
+├─ GANTT.md
+└─ MILESTONES.md
+
+scripts/
+├─ sync-project-views.ps1
+└─ sync-readme.ps1
+```
+
+## Coding Rules for Hook Scripts
+
+- **DETAILED_DESIGN.md が唯一の実装仕様書** — 各フックの §番号を参照して実装すること
+- deny() は stdout に JSON を出力 + exit 2（stderr ではない）
+- NFKC 正規化: Node.js 不在時は fail-close（deny）
+- Hash chain: flock ベースロック（Windows Git Bash では mkdir フォールバック）
+- READONLY_PATTERNS から sed を除外（sed -i は書込操作）
+- permissions.allow: standard プロファイルで 40 操作
+- Circuit breaker: stop_hook_active フラグは allow 後にリセット

package/.claude/rules/language.md

@@ -0,0 +1,26 @@
+# Language Rules
+
+## Thinking and Reasoning
+
+- **Always think and reason in English**
+- Internal analysis, planning, and problem-solving should be in English
+- Code comments, variable names, function names, and docstrings should be in English
+
+## User Communication
+
+- **Always respond to users in Japanese**
+- Explanations, questions, and status updates should be in Japanese
+- Error messages shown to users should be in Japanese
+
+## Code
+
+- All code should be written in English:
+  - Variable names: `user_count`, not `ユーザー数`
+  - Function names: `calculate_total()`, not `合計計算()`
+  - Comments: `# Check if valid`, not `# 有効かチェック`
+  - Docstrings: English descriptions
+
+## Documentation
+
+- Technical documentation: English
+- User-facing documentation (README, etc.): Japanese is acceptable

package/.claude/rules/security.md

@@ -0,0 +1,109 @@
+# Security Rules
+
+Security checklist to always verify when writing code.
+
+## Secrets Management
+
+### Never Do
+
+- Hardcode API keys or passwords
+- Log sensitive information
+- Commit `.env` files
+
+### Required
+
+```python
+# Good: Get from environment variables
+import os
+API_KEY = os.environ["API_KEY"]
+
+# Good: With existence check
+API_KEY = os.environ.get("API_KEY")
+if not API_KEY:
+    raise ValueError("API_KEY environment variable is required")
+```
+
+## Input Validation
+
+Always validate external input:
+
+```python
+from pydantic import BaseModel, EmailStr, Field
+
+class UserInput(BaseModel):
+    email: EmailStr
+    age: int = Field(ge=0, le=150)
+    name: str = Field(min_length=1, max_length=100)
+```
+
+## SQL Injection Prevention
+
+```python
+# Bad: String concatenation
+cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")
+
+# Good: Parameterized query
+cursor.execute("SELECT * FROM users WHERE id = ?", (user_id,))
+```
+
+## XSS Prevention
+
+- Escape user input before embedding in HTML
+- Enable template engine auto-escaping
+
+## Error Messages
+
+```python
+# Bad: Too detailed (gives attackers information)
+raise Exception(f"Database connection failed: {connection_string}")
+
+# Good: Minimal information
+raise Exception("Database connection failed")
+# Details go to logs (logs are private)
+logger.error(f"Database connection failed: {connection_string}")
+```
+
+## Dependencies
+
+- Regular vulnerability checks: `pip-audit`, `safety`
+- Remove unused dependencies
+- Pin versions (`==` over `>=`)
+
+## Code Review Checklist
+
+- [ ] No hardcoded secrets
+- [ ] External input is validated
+- [ ] SQL queries are parameterized
+- [ ] Error messages are not too detailed
+- [ ] Logs don't contain sensitive information
+
+## Git Operations Safety
+
+git rm --cached is a prohibited operation.
+Locally it appears to only remove files from the index,
+but after committing, it propagates as physical deletion
+when others pull/merge from the remote.
+
+Prohibited commands:
+
+- git rm --cached (single files or directories)
+- git rm -r --cached (recursive untrack)
+
+When managing files that should not be tracked via .gitignore,
+the principle is to never commit them in the first place.
+Simply adding an already-committed file to .gitignore does not
+remove it from tracking, which tempts the use of git rm --cached,
+but it is prohibited for the reasons stated above.
+
+Alternative: When you need to remove already-committed files from tracking,
+consult the human (project owner) and determine the approach
+after confirming the impact scope.
+
+## Line Ending Management
+
+Line ending normalization is managed by `.gitattributes` only.
+Do not set `core.autocrlf=true` in this repository.
+
+When restoring files from old commits (`git checkout <commit> -- <path>`),
+always run `git add --renormalize .` afterward to re-apply `.gitattributes` rules.
+Otherwise, phantom diffs will appear in `git status` due to EOL mismatch.

package/.claude/rules/testing.md

@@ -0,0 +1,43 @@
+# Testing Rules
+
+## Principles (Language-Agnostic)
+
+- **TDD when possible**: Write tests before implementation (Red-Green-Refactor)
+- **AAA Pattern**: Arrange / Act / Assert
+- **Naming**: `test_{subject}_{condition}_{expected_result}`
+- **Coverage target**: 80%+ for source code
+
+## Test Categories
+
+1. **Happy path**: Normal input, expected output
+2. **Boundary values**: Min, max, empty, zero
+3. **Error cases**: Invalid input, error conditions
+4. **Edge cases**: Null, empty string, special characters
+
+## PowerShell Testing (Pester)
+
+When Pester is available:
+
+```powershell
+# Run tests
+Invoke-Pester -Verbose
+
+# Run with coverage
+Invoke-Pester -CodeCoverage ./scripts/*.ps1
+
+# Test file naming: {Module}.Tests.ps1
+# Test structure: Describe / Context / It
+```
+
+## Current Testing Approach
+
+Until a formal test framework is adopted:
+
+- **Git guard**: Pre-commit hooks catch secrets and sensitive data
+- **Manual verification**: Review output before committing
+
+## Mocking
+
+- Isolate external dependencies (file I/O, network, CLI tools)
+- Use `unittest.mock` (Python hooks) or Pester `Mock` (PowerShell)
+- Test fixtures in dedicated `tests/` directory when available

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 sora
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.ja.md

@@ -0,0 +1,107 @@
+<div align="center">
+
+# Shield Harness
+
+**Claude Code のセキュリティハーネス — 苦労なし、フック駆動の防御**
+
+> くろうレス — 苦労レス — 苦労しない
+
+[![English](https://img.shields.io/badge/lang-English-blue?style=flat-square)](README.md)
+[![日本語](https://img.shields.io/badge/lang-日本語-red?style=flat-square)](#)
+
+</div>
+
+## Shield Harness とは
+
+Claude Code が安全・再現可能に開発を進めるためのハーネス。
+`.claude/` ディレクトリに展開される hooks + rules + permissions + settings の多層防御でエージェントを統制します。
+
+## クイックスタート
+
+```bash
+npx shield-harness init [--profile minimal|standard|strict]
+```
+
+## なぜ Shield Harness なのか
+
+- **フック駆動の防御**: 22 のセキュリティフックが Claude Code の全操作を監視
+- **承認レスモード**: hooks に全セキュリティ判定を委譲し、人間の承認ダイアログを排除
+- **fail-close 原則**: 安全条件を確認できない場合は自動的に停止
+- **証跡記録**: SHA-256 ハッシュチェーンで全 allow/deny 決定を改ざん不能な形で記録
+
+## アーキテクチャ概要
+
+3 層防御モデル:
+
+| 層      | 防御           | 実装                                 |
+| ------- | -------------- | ------------------------------------ |
+| Layer 1 | 権限制御       | `settings.json` の deny/allow ルール |
+| Layer 2 | フック防御     | 22 の Node.js フックスクリプト       |
+| Layer 3 | サンドボックス | OS レベルのプロセス隔離              |
+
+## プロファイル
+
+| プロファイル | 説明     | 承認レス | 用途                         |
+| ------------ | -------- | -------- | ---------------------------- |
+| **minimal**  | 最小構成 | 有効     | 低リスクタスク               |
+| **standard** | 推奨構成 | 有効     | 通常の開発                   |
+| **strict**   | 厳格構成 | 無効     | セキュリティ監査が必要な場合 |
+
+## フックカタログ
+
+| #   | フック           | イベント              | 責務                                          |
+| --- | ---------------- | --------------------- | --------------------------------------------- |
+| 1   | permission       | PreToolUse            | ツール使用の 4 カテゴリ分類                   |
+| 2   | gate             | PreToolUse            | Bash コマンドの 7 攻撃ベクトル検査            |
+| 3   | injection-guard  | PreToolUse            | 9 カテゴリ 50+ パターンのインジェクション検出 |
+| 4   | data-boundary    | PreToolUse            | 本番データ境界 + 管轄追跡                     |
+| 5   | quiet-inject     | PreToolUse            | quiet フラグ自動注入                          |
+| 6   | evidence         | PostToolUse           | SHA-256 ハッシュチェーン証跡                  |
+| 7   | output-control   | PostToolUse           | 出力トランケーション + トークン予算           |
+| 8   | dep-audit        | PostToolUse           | パッケージインストール検出                    |
+| 9   | lint-on-save     | PostToolUse           | 自動 lint 実行                                |
+| 10  | session-start    | SessionStart          | セッション初期化 + 整合性ベースライン         |
+| 11  | session-end      | SessionEnd            | クリーンアップ + 統計                         |
+| 12  | circuit-breaker  | Stop                  | リトライ上限 (3 回)                           |
+| 13  | config-guard     | ConfigChange          | 設定変更の監視                                |
+| 14  | user-prompt      | UserPromptSubmit      | ユーザー入力のインジェクション検査            |
+| 15  | permission-learn | PermissionRequest     | 権限学習ガード                                |
+| 16  | elicitation      | Elicitation           | フィッシング + スコープガード                 |
+| 17  | subagent         | SubagentStart         | サブエージェント予算制約 (25%)                |
+| 18  | instructions     | InstructionsLoaded    | ルールファイル整合性監視                      |
+| 19  | precompact       | PreCompact            | コンパクション前バックアップ                  |
+| 20  | postcompact      | PostCompact           | コンパクション後復元 + 検証                   |
+| 21  | worktree         | WorktreeCreate/Remove | セキュリティ伝播 + 証跡マージ                 |
+| 22  | task-gate        | TaskCompleted         | テストゲート                                  |
+
+## パイプライン
+
+STG ゲート駆動の自動化パイプライン:
+
+```
+STG0 → STG1 → STG2 → STG3 → STG4 → STG5 → STG6
+要件    設計    実装    検証    CI     コミット  PR/マージ
+```
+
+## チャンネル連携
+
+Claude Code Channels (Telegram/Discord) との連携をサポート。
+チャンネル経由のメッセージには自動的に severity boost が適用されます。
+
+## システム要件
+
+| ツール       | バージョン   | 用途                     | 必須/任意      |
+| ------------ | ------------ | ------------------------ | -------------- |
+| Git          | 2.x          | バージョン管理           | 必須           |
+| Git Bash     | (Git 同梱)   | フックスクリプト実行環境 | 必須 (Windows) |
+| Node.js      | 18+          | フック実行 + NFKC 正規化 | 必須           |
+| jq           | 1.6+         | フック内 JSON 処理       | 必須           |
+| yq           | v4+ (Go版)   | backlog.yaml 操作        | 必須           |
+| PowerShell 7 | 7.x (`pwsh`) | sync スクリプト          | 推奨           |
+| GitHub CLI   | 2.x (`gh`)   | PR 作成・マージ自動化    | 任意           |
+
+OS: Windows ネイティブファースト（Git Bash 環境）、WSL2/Linux 互換。
+
+## ライセンス
+
+MIT

package/README.md

@@ -0,0 +1,105 @@
+<div align="center">
+
+# Shield Harness
+
+**Security harness for Claude Code — zero-hassle, hooks-driven defense**
+
+[![English](https://img.shields.io/badge/lang-English-blue?style=flat-square)](#)
+[![日本語](https://img.shields.io/badge/lang-日本語-red?style=flat-square)](README.ja.md)
+
+</div>
+
+## What is Shield Harness
+
+A security harness that governs Claude Code through multi-layered defense:
+hooks + rules + permissions + settings deployed in the `.claude/` directory.
+
+## Quick Start
+
+```bash
+npx shield-harness init [--profile minimal|standard|strict]
+```
+
+## Why Shield Harness
+
+- **Hooks-driven defense**: 22 security hooks monitor every Claude Code operation
+- **Approval-free mode**: Delegate all security decisions to hooks, eliminating human approval dialogs
+- **fail-close principle**: Automatically stops when safety conditions cannot be verified
+- **Evidence recording**: Tamper-proof SHA-256 hash chain records all allow/deny decisions
+
+## Architecture Overview
+
+3-layer defense model:
+
+| Layer   | Defense            | Implementation                   |
+| ------- | ------------------ | -------------------------------- |
+| Layer 1 | Permission control | `settings.json` deny/allow rules |
+| Layer 2 | Hook defense       | 22 Node.js hook scripts          |
+| Layer 3 | Sandbox            | OS-level process isolation       |
+
+## Profiles
+
+| Profile      | Description    | Approval-free | Use case                                    |
+| ------------ | -------------- | ------------- | ------------------------------------------- |
+| **minimal**  | Minimal config | Enabled       | Low-risk tasks                              |
+| **standard** | Recommended    | Enabled       | Normal development                          |
+| **strict**   | Strict config  | Disabled      | When security audit requires human approval |
+
+## Hook Catalog
+
+| #   | Hook             | Event                 | Responsibility                                   |
+| --- | ---------------- | --------------------- | ------------------------------------------------ |
+| 1   | permission       | PreToolUse            | 4-category tool usage classification             |
+| 2   | gate             | PreToolUse            | 7 attack vector inspection for Bash commands     |
+| 3   | injection-guard  | PreToolUse            | 9-category 50+ pattern injection detection       |
+| 4   | data-boundary    | PreToolUse            | Production data boundary + jurisdiction tracking |
+| 5   | quiet-inject     | PreToolUse            | Auto-inject quiet flags                          |
+| 6   | evidence         | PostToolUse           | SHA-256 hash chain evidence                      |
+| 7   | output-control   | PostToolUse           | Output truncation + token budget                 |
+| 8   | dep-audit        | PostToolUse           | Package install detection                        |
+| 9   | lint-on-save     | PostToolUse           | Auto lint execution                              |
+| 10  | session-start    | SessionStart          | Session init + integrity baseline                |
+| 11  | session-end      | SessionEnd            | Cleanup + statistics                             |
+| 12  | circuit-breaker  | Stop                  | Retry limit (3 attempts)                         |
+| 13  | config-guard     | ConfigChange          | Settings change monitoring                       |
+| 14  | user-prompt      | UserPromptSubmit      | User input injection scanning                    |
+| 15  | permission-learn | PermissionRequest     | Permission learning guard                        |
+| 16  | elicitation      | Elicitation           | Phishing + scope guard                           |
+| 17  | subagent         | SubagentStart         | Subagent budget constraint (25%)                 |
+| 18  | instructions     | InstructionsLoaded    | Rule file integrity monitoring                   |
+| 19  | precompact       | PreCompact            | Pre-compaction backup                            |
+| 20  | postcompact      | PostCompact           | Post-compaction restore + verify                 |
+| 21  | worktree         | WorktreeCreate/Remove | Security propagation + evidence merge            |
+| 22  | task-gate        | TaskCompleted         | Test gate                                        |
+
+## Pipeline
+
+STG gate-driven automation pipeline:
+
+```
+STG0 → STG1 → STG2 → STG3 → STG4 → STG5 → STG6
+Reqs    Design  Impl    Verify  CI     Commit   PR/Merge
+```
+
+## Channel Integration
+
+Supports Claude Code Channels (Telegram/Discord).
+Channel-sourced messages automatically receive severity boost for enhanced security.
+
+## System Requirements
+
+| Tool         | Version            | Purpose                             | Required           |
+| ------------ | ------------------ | ----------------------------------- | ------------------ |
+| Git          | 2.x                | Version control                     | Required           |
+| Git Bash     | (bundled with Git) | Hook script runtime                 | Required (Windows) |
+| Node.js      | 18+                | Hook execution + NFKC normalization | Required           |
+| jq           | 1.6+               | JSON processing in hooks            | Required           |
+| yq           | v4+ (Go)           | backlog.yaml operations             | Required           |
+| PowerShell 7 | 7.x (`pwsh`)       | Sync scripts                        | Recommended        |
+| GitHub CLI   | 2.x (`gh`)         | PR creation/merge automation        | Optional           |
+
+OS: Windows-native first (Git Bash), WSL2/Linux compatible.
+
+## License
+
+MIT

package/bin/shield-harness.js

@@ -0,0 +1,141 @@
+#!/usr/bin/env node
+"use strict";
+
+const fs = require("fs");
+const path = require("path");
+
+const PROFILES = ["minimal", "standard", "strict"];
+const DEFAULT_PROFILE = "standard";
+
+// Source directories within the npm package
+const PKG_ROOT = path.resolve(__dirname, "..");
+const HOOK_SRC = path.join(PKG_ROOT, ".claude", "hooks");
+const PATTERN_SRC = path.join(PKG_ROOT, ".claude", "patterns");
+const RULES_SRC = path.join(PKG_ROOT, ".claude", "rules");
+
+/**
+ * Recursively copy a directory.
+ * @param {string} src
+ * @param {string} dest
+ */
+function copyDir(src, dest) {
+  if (!fs.existsSync(src)) return;
+  fs.mkdirSync(dest, { recursive: true });
+
+  for (const entry of fs.readdirSync(src, { withFileTypes: true })) {
+    const srcPath = path.join(src, entry.name);
+    const destPath = path.join(dest, entry.name);
+
+    if (entry.isDirectory()) {
+      copyDir(srcPath, destPath);
+    } else {
+      fs.copyFileSync(srcPath, destPath);
+    }
+  }
+}
+
+/**
+ * Main init command.
+ * @param {string} profile
+ */
+function init(profile) {
+  const targetDir = process.cwd();
+  const claudeDir = path.join(targetDir, ".claude");
+  const shieldHarnessDir = path.join(targetDir, ".shield-harness");
+
+  // Check if already initialized
+  if (fs.existsSync(path.join(claudeDir, "hooks", "sh-gate.js"))) {
+    console.error("Shield Harness is already initialized in this directory.");
+    console.error("To re-initialize, remove .claude/hooks/sh-*.js first.");
+    process.exit(1);
+  }
+
+  console.log(`Initializing Shield Harness (profile: ${profile})...`);
+
+  // Copy hooks
+  copyDir(HOOK_SRC, path.join(claudeDir, "hooks"));
+  console.log("  [OK] hooks/");
+
+  // Copy patterns
+  copyDir(PATTERN_SRC, path.join(claudeDir, "patterns"));
+  console.log("  [OK] patterns/");
+
+  // Copy rules
+  copyDir(RULES_SRC, path.join(claudeDir, "rules"));
+  console.log("  [OK] rules/");
+
+  // Create .shield-harness runtime directories
+  fs.mkdirSync(path.join(shieldHarnessDir, "config"), { recursive: true });
+  fs.mkdirSync(path.join(shieldHarnessDir, "logs"), { recursive: true });
+  fs.mkdirSync(path.join(shieldHarnessDir, "state"), { recursive: true });
+  console.log("  [OK] .shield-harness/");
+
+  // Create default pipeline config
+  const pipelineConfig = {
+    auto_commit: false,
+    auto_push: false,
+    auto_pr: false,
+    auto_merge: false,
+    auto_branch_cleanup: false,
+    commit_message_format: "[{task_id}] STG{gate}: {intent}",
+    pr_template: ".github/pull_request_template.md",
+    protected_branches: ["main", "master"],
+    approval_free: profile !== "strict",
+    sync_views_on_commit: true,
+    sync_views_on_session_start: true,
+    auto_tag: false,
+    version_bump: "patch",
+    auto_pickup_next_task: false,
+    auto_skip_blocked: false,
+    blocked_notification_channel: null,
+  };
+
+  const configPath = path.join(
+    shieldHarnessDir,
+    "config",
+    "pipeline-config.json",
+  );
+  if (!fs.existsSync(configPath)) {
+    fs.writeFileSync(
+      configPath,
+      JSON.stringify(pipelineConfig, null, 2) + "\n",
+    );
+    console.log("  [OK] pipeline-config.json");
+  }
+
+  console.log("");
+  console.log(`Shield Harness initialized successfully (profile: ${profile}).`);
+  console.log("Run 'claude' to start a secured session.");
+}
+
+// ---------------------------------------------------------------------------
+// CLI
+// ---------------------------------------------------------------------------
+
+const args = process.argv.slice(2);
+const command = args[0];
+
+if (command === "init") {
+  let profile = DEFAULT_PROFILE;
+  const profileIdx = args.indexOf("--profile");
+  if (profileIdx !== -1 && args[profileIdx + 1]) {
+    profile = args[profileIdx + 1];
+    if (!PROFILES.includes(profile)) {
+      console.error(`Unknown profile: ${profile}`);
+      console.error(`Available profiles: ${PROFILES.join(", ")}`);
+      process.exit(1);
+    }
+  }
+  init(profile);
+} else {
+  const pkg = require("../package.json");
+  console.log(`Shield Harness v${pkg.version}`);
+  console.log("");
+  console.log("Usage:");
+  console.log("  npx shield-harness init [--profile minimal|standard|strict]");
+  console.log("");
+  console.log("Profiles:");
+  console.log("  minimal   — Minimal config, approval-free");
+  console.log("  standard  — Recommended (default), approval-free");
+  console.log("  strict    — Strict config, requires human approval");
+}