supipowers 2.1.0 → 2.2.0

package/src/context/startup-check.ts

@@ -1,5 +1,5 @@
 import type { ParsedSkill, PromptSection } from "./analyzer.js";
-import { parseManagedRule } from "./rule-renderer.js";
+import { MANAGED_COMMAND_HEADER, parseManagedCommand, parseManagedExtension, parseManagedRule } from "./rule-renderer.js";
 import {
   hashOptimizationSource,
   type ManualOptimizationAction,
@@ -16,9 +16,32 @@ export interface StartupOptimizerManifestRule {
   slug: string;
   sourceBytes: number;
   condition?: string;
+  triggers?: string;
+  scope?: string;
   description?: string;
 }
 
+export interface StartupOptimizerManifestCommand {
+  path: string;
+  sourceId: string;
+  sourceName: string;
+  sourceHash: string;
+  slug: string;
+  commandName: string;
+  sourceBytes: number;
+  description?: string;
+}
+
+export interface StartupOptimizerManifestExtension {
+  path: string;
+  sourceId: string;
+  sourceName: string;
+  sourceHash: string;
+  slug: string;
+  extensionName: string;
+  sourceBytes: number;
+}
+
 export interface StartupOptimizerManifest {
   version: 1;
   targetBytes: number;
@@ -27,6 +50,8 @@ export interface StartupOptimizerManifest {
   estimatedAfterBytes: number;
   estimatedSavedBytes: number;
   rules: StartupOptimizerManifestRule[];
+  commands: StartupOptimizerManifestCommand[];
+  extensions: StartupOptimizerManifestExtension[];
   tokenignore: {
     path: string;
     entries: string[];
@@ -46,6 +71,16 @@ export type StartupCheckReason =
   | "rule-drift"
   | "rule-body-drift"
   | "tokenignore-drift"
+  | "missing-command"
+  | "unmanaged-command"
+  | "malformed-command"
+  | "command-drift"
+  | "command-body-drift"
+  | "missing-extension"
+  | "unmanaged-extension"
+  | "malformed-extension"
+  | "extension-drift"
+  | "extension-body-drift"
   | "still-loaded-source"
   | "unresolved-manual-action"
   | "prompt-over-target"
@@ -64,6 +99,8 @@ export interface StartupCheckInput {
   manifestPath: string;
   manifestText: string | null | undefined;
   ruleFiles: Record<string, string | null | undefined>;
+  commandFiles?: Record<string, string | null | undefined>;
+  extensionFiles?: Record<string, string | null | undefined>;
   tokenignorePath: string;
   tokenignoreText: string | null | undefined;
   currentPrompt: string | null | undefined;
@@ -153,7 +190,9 @@ export function runStartupCheck(input: StartupCheckInput): StartupCheckReport {
 
     const metadata = parsed.metadata;
     const frontmatterDrift = rule.mode === "ttsr"
-      ? parsed.frontmatter.condition !== rule.condition
+      ? parsed.frontmatter.condition !== rule.condition ||
+        (typeof rule.triggers === "string" && parsed.frontmatter.triggers !== rule.triggers) ||
+        parsed.frontmatter.scope !== (rule.scope ?? "text")
       : (typeof rule.description === "string" && parsed.frontmatter.description !== rule.description);
 
     if (
@@ -187,6 +226,133 @@ export function runStartupCheck(input: StartupCheckInput): StartupCheckReport {
     }
   }
 
+
+  for (const command of manifest.commands) {
+    const text = input.commandFiles?.[command.path];
+    if (text == null) {
+      issues.push(issue("missing-command", {
+        path: command.path,
+        sourceId: command.sourceId,
+        message: `Managed command file is missing for ${command.sourceId}.`,
+        remediation: "Rerun /supi:optimize-context --apply to regenerate managed commands.",
+      }));
+      continue;
+    }
+
+    const parsed = parseManagedCommand(text);
+    if (parsed.status === "unmanaged") {
+      issues.push(issue("unmanaged-command", {
+        path: command.path,
+        sourceId: command.sourceId,
+        message: `Command file ${command.path} is not managed by supipowers.`,
+        remediation: "Move the user-authored command aside or choose a different command name before applying again.",
+      }));
+      continue;
+    }
+
+    if (parsed.status === "malformed") {
+      issues.push(issue("malformed-command", {
+        path: command.path,
+        sourceId: command.sourceId,
+        message: `Managed command ${command.path} is malformed: ${parsed.error}.`,
+        remediation: "Rerun /supi:optimize-context --apply to rewrite the managed command.",
+      }));
+      continue;
+    }
+
+    // Legacy managed commands stored supipowers metadata before command
+    // frontmatter. OMP sends that prefix as prompt text, so force a refresh.
+    const commandDrift =
+      text.startsWith(MANAGED_COMMAND_HEADER) ||
+      parsed.metadata.sourceId !== command.sourceId ||
+      parsed.metadata.sourceHash !== command.sourceHash ||
+      parsed.metadata.slug !== command.slug ||
+      parsed.metadata.commandName !== command.commandName ||
+      parsed.metadata.sourceBytes !== command.sourceBytes ||
+      (typeof command.description === "string" && parsed.frontmatter.description !== command.description);
+    if (commandDrift) {
+      issues.push(issue("command-drift", {
+        path: command.path,
+        sourceId: command.sourceId,
+        message: `Managed command ${command.path} no longer matches the startup optimizer manifest.`,
+        remediation: "Rerun /supi:optimize-context --apply to refresh managed command artifacts.",
+      }));
+      continue;
+    }
+
+    const actualBodyHash = hashOptimizationSource(parsed.body);
+    const actualBodyBytes = byteLength(parsed.body);
+    if (actualBodyHash !== command.sourceHash || actualBodyBytes !== command.sourceBytes) {
+      issues.push(issue("command-body-drift", {
+        path: command.path,
+        sourceId: command.sourceId,
+        message: `Managed command ${command.path} body has been modified (hash/size no longer matches the manifest).`,
+        remediation: "Rerun /supi:optimize-context --apply to rewrite the managed command from the current prompt source.",
+      }));
+    }
+  }
+
+  for (const extension of manifest.extensions) {
+    const text = input.extensionFiles?.[extension.path];
+    if (text == null) {
+      issues.push(issue("missing-extension", {
+        path: extension.path,
+        sourceId: extension.sourceId,
+        message: `Managed extension file is missing for ${extension.sourceId}.`,
+        remediation: "Rerun /supi:optimize-context --apply to regenerate managed extensions.",
+      }));
+      continue;
+    }
+
+    const parsed = parseManagedExtension(text);
+    if (parsed.status === "unmanaged") {
+      issues.push(issue("unmanaged-extension", {
+        path: extension.path,
+        sourceId: extension.sourceId,
+        message: `Extension file ${extension.path} is not managed by supipowers.`,
+        remediation: "Move the user-authored extension aside or choose a different extension name before applying again.",
+      }));
+      continue;
+    }
+
+    if (parsed.status === "malformed") {
+      issues.push(issue("malformed-extension", {
+        path: extension.path,
+        sourceId: extension.sourceId,
+        message: `Managed extension ${extension.path} is malformed: ${parsed.error}.`,
+        remediation: "Rerun /supi:optimize-context --apply to rewrite the managed extension.",
+      }));
+      continue;
+    }
+
+    const extensionDrift =
+      parsed.metadata.sourceId !== extension.sourceId ||
+      parsed.metadata.sourceHash !== extension.sourceHash ||
+      parsed.metadata.slug !== extension.slug ||
+      parsed.metadata.extensionName !== extension.extensionName ||
+      parsed.metadata.sourceBytes !== extension.sourceBytes;
+    if (extensionDrift) {
+      issues.push(issue("extension-drift", {
+        path: extension.path,
+        sourceId: extension.sourceId,
+        message: `Managed extension ${extension.path} no longer matches the startup optimizer manifest.`,
+        remediation: "Rerun /supi:optimize-context --apply to refresh managed extension artifacts.",
+      }));
+      continue;
+    }
+
+    const actualBodyHash = hashOptimizationSource(parsed.body);
+    const actualBodyBytes = byteLength(parsed.body);
+    if (actualBodyHash !== extension.sourceHash || actualBodyBytes !== extension.sourceBytes) {
+      issues.push(issue("extension-body-drift", {
+        path: extension.path,
+        sourceId: extension.sourceId,
+        message: `Managed extension ${extension.path} body has been modified (hash/size no longer matches the manifest).`,
+        remediation: "Rerun /supi:optimize-context --apply to rewrite the managed extension from the current optimizer template.",
+      }));
+    }
+  }
+
   const tokenignore = parseManagedTokenignore(input.tokenignoreText);
   if (
     tokenignore.status !== "managed" ||
@@ -213,6 +379,10 @@ export function runStartupCheck(input: StartupCheckInput): StartupCheckReport {
     if (rule.sourceId.startsWith("skill:")) skillSourceIdsToVerify.add(rule.sourceId);
     else if (rule.sourceId.startsWith("section:")) sectionSourceIdsToVerify.add(rule.sourceId);
   }
+  for (const command of manifest.commands) {
+    if (command.sourceId.startsWith("skill:")) skillSourceIdsToVerify.add(command.sourceId);
+    else if (command.sourceId.startsWith("section:")) sectionSourceIdsToVerify.add(command.sourceId);
+  }
   for (const action of manifest.manualActions) {
     if (action.kind !== "manual-disable") continue;
     if (action.sourceId.startsWith("skill:")) skillSourceIdsToVerify.add(action.sourceId);
@@ -310,6 +480,29 @@ export function parseStartupOptimizerManifest(
     rules.push(candidate as unknown as StartupOptimizerManifestRule);
   }
 
+  const commands: StartupOptimizerManifestCommand[] = [];
+  const rawCommands = Array.isArray((parsed as any).commands) ? (parsed as any).commands : [];
+  for (const candidate of rawCommands) {
+    if (!isRecord(candidate)) return "Startup optimizer manifest has invalid command entry.";
+    for (const key of ["path", "sourceId", "sourceName", "sourceHash", "slug", "commandName"] as const) {
+      if (typeof candidate[key] !== "string") return `Startup optimizer manifest command is missing ${key}.`;
+    }
+    if (!isFiniteNumber(candidate.sourceBytes)) return "Startup optimizer manifest command is missing sourceBytes.";
+    commands.push(candidate as unknown as StartupOptimizerManifestCommand);
+  }
+
+  const extensions: StartupOptimizerManifestExtension[] = [];
+  const rawExtensions = Array.isArray((parsed as any).extensions) ? (parsed as any).extensions : [];
+  for (const candidate of rawExtensions) {
+    if (!isRecord(candidate)) return "Startup optimizer manifest has invalid extension entry.";
+    for (const key of ["path", "sourceId", "sourceName", "sourceHash", "slug", "extensionName"] as const) {
+      if (typeof candidate[key] !== "string") return `Startup optimizer manifest extension is missing ${key}.`;
+    }
+    if (!isFiniteNumber(candidate.sourceBytes)) return "Startup optimizer manifest extension is missing sourceBytes.";
+    extensions.push(candidate as unknown as StartupOptimizerManifestExtension);
+  }
+
+
   if (typeof parsed.tokenignore.path !== "string") return "Startup optimizer manifest tokenignore is missing path.";
   if (!Array.isArray(parsed.tokenignore.entries) || !parsed.tokenignore.entries.every((entry) => typeof entry === "string")) {
     return "Startup optimizer manifest tokenignore has invalid entries.";
@@ -324,6 +517,8 @@ export function parseStartupOptimizerManifest(
     estimatedAfterBytes: parsed.estimatedAfterBytes,
     estimatedSavedBytes: parsed.estimatedSavedBytes,
     rules,
+    commands,
+    extensions,
     tokenignore: {
       path: parsed.tokenignore.path,
       entries: parsed.tokenignore.entries,

package/src/context/startup-optimizer.ts

@@ -1,5 +1,6 @@
 import { createHash } from "node:crypto";
 import type { ParsedSkill, PromptSection } from "./analyzer.js";
+import { RUNBOOK_EXTENSION_NAME, RUNBOOK_EXTENSION_PATH, RUNBOOK_EXTENSION_SOURCE } from "./runbook-extension-template.js";
 import type { TechStack } from "./optimizer.js";
 
 export const STARTUP_OPTIMIZER_MANIFEST_VERSION = 1;
@@ -33,6 +34,35 @@ export interface WriteRuleAction {
   sourceContent: string;
   condition?: string;
   description?: string;
+  triggers?: string;
+  scope?: string;
+}
+
+export interface WriteCommandAction {
+  kind: "write-command";
+  sourceId: string;
+  sourceName: string;
+  sourceHash: string;
+  slug: string;
+  commandName: string;
+  targetPath: string;
+  sourceBytes: number;
+  estimatedSavedBytes: number;
+  sourceContent: string;
+  description?: string;
+}
+
+export interface WriteExtensionAction {
+  kind: "write-extension";
+  sourceId: string;
+  sourceName: string;
+  sourceHash: string;
+  slug: string;
+  extensionName: string;
+  targetPath: string;
+  sourceBytes: number;
+  estimatedSavedBytes: number;
+  sourceContent: string;
 }
 
 export type ManualDisableReason = "source-still-loaded" | "tech-stack-irrelevant";
@@ -58,7 +88,7 @@ export interface ManualAgentsSplitAction {
 }
 
 export type ManualOptimizationAction = ManualDisableAction | ManualAgentsSplitAction;
-export type OptimizationAction = WriteRuleAction | ManualOptimizationAction;
+export type OptimizationAction = WriteRuleAction | WriteCommandAction | WriteExtensionAction | ManualOptimizationAction;
 
 export interface OptimizationWarning {
   code: string;
@@ -91,27 +121,44 @@ export interface BuildOptimizationPlanInput {
   techStack: TechStack;
 }
 
+interface TtsrRuleOptions {
+  condition: string;
+  triggers?: string;
+  scope?: string;
+}
+
+
 interface BehaviorSkillSpec {
   mode: "ttsr";
   condition: string;
+  triggers: string;
+  scope: string;
 }
 
 const BEHAVIOR_SKILLS: Record<string, BehaviorSkillSpec> = {
   debugging: {
     mode: "ttsr",
     condition: String.raw`\b(?:debug(?:ging)?|root\s+cause|investigate|repro(?:duce|duction)?|failing\s+test)\b`,
+    triggers: "debugging, root cause, investigate, reproduce, failing test",
+    scope: "text",
   },
   tdd: {
     mode: "ttsr",
     condition: String.raw`\b(?:tdd|test\s+first|failing\s+test\s+first|red[-\s]+green[-\s]+refactor)\b`,
+    triggers: "TDD, test first, failing test first, red-green-refactor",
+    scope: "text",
   },
   verification: {
     mode: "ttsr",
     condition: String.raw`\b(?:verify|verification|evidence|prove|proof|run\s+(?:the\s+)?(?:focused\s+)?tests?)\b`,
+    triggers: "verify, verification, evidence, proof, run focused tests",
+    scope: "text",
   },
   "receiving-code-review": {
     mode: "ttsr",
     condition: String.raw`\b(?:pr\s+feedback|code\s+review\s+comments?|reviewer\s+feedback|review\s+comments?)\b`,
+    triggers: "PR feedback, code review comments, reviewer feedback",
+    scope: "text",
   },
 };
 
@@ -130,10 +177,40 @@ const TECH_STACK_SKILLS: Record<string, { anyOf: Array<keyof TechStack>; values:
   },
 };
 
+const WORKFLOW_COMMAND_SKILLS = new Set([
+  "rewrite-page-copy",
+  "e2e-test-orchestrator",
+  "design-refiner",
+  "workflow-extractor",
+  "engaging-writing",
+  "brand-namer",
+  "brand-forge",
+  "product-linear-issues",
+  "skill-auditor",
+  "caveman",
+  "caveman-compress",
+  "security-threat-model",
+  "brand-migrate",
+  "audit",
+  "setup-tyndale",
+  "setup-tyndale-local",
+  "writing-commands",
+  "playwright",
+  "ui-design",
+  "quick-setup",
+  "planning",
+  "fix-pr",
+  "create-readme",
+  "translate-book",
+]);
+
+
 const ACTION_KIND_ORDER: Record<OptimizationAction["kind"], number> = {
   "write-rule": 0,
-  "manual-disable": 1,
-  "manual-agents-split": 2,
+  "write-command": 1,
+  "write-extension": 2,
+  "manual-disable": 3,
+  "manual-agents-split": 4,
 };
 
 export function hashOptimizationSource(content: string): string {
@@ -162,12 +239,24 @@ export function buildOptimizationPlan(input: BuildOptimizationPlanInput): Optimi
   const actions: OptimizationAction[] = [];
   const warnings: OptimizationWarning[] = [];
 
+  actions.push(buildRunbookExtensionAction());
+
   for (const source of sources) {
     if (source.sourceType === "skill") {
       const canonicalName = source.sourceName.toLowerCase();
       const behavior = BEHAVIOR_SKILLS[canonicalName];
       if (behavior) {
-        actions.push(buildWriteRuleAction(source, behavior.mode, behavior.condition));
+        actions.push(buildWriteRuleAction(source, behavior.mode, {
+          condition: behavior.condition,
+          triggers: behavior.triggers,
+          scope: behavior.scope,
+        }));
+        actions.push(buildManualDisableAction(source, "source-still-loaded"));
+        continue;
+      }
+
+      if (WORKFLOW_COMMAND_SKILLS.has(canonicalName)) {
+        actions.push(buildWriteCommandAction(source));
         actions.push(buildManualDisableAction(source, "source-still-loaded"));
         continue;
       }
@@ -202,12 +291,12 @@ export function buildOptimizationPlan(input: BuildOptimizationPlanInput): Optimi
   const beforeBytes = byteLength(input.prompt);
 
   // Sources whose content the user is expected to actually remove from the
-  // startup prompt: write-rule companions and tech-stack manual-disable
-  // actions. Deduplicated by sourceId because a write-rule action is paired
-  // with a `source-still-loaded` manual-disable for the same source.
+  // startup prompt: write-rule companions, write-command companions, and
+  // manual-disable actions. Deduplicated by sourceId because generated artifacts
+  // are paired with `source-still-loaded` manual-disable records.
   const removedSourceIds = new Set<string>();
   for (const action of actions) {
-    if (action.kind === "write-rule" || action.kind === "manual-disable") {
+    if (action.kind === "write-rule" || action.kind === "write-command" || action.kind === "manual-disable") {
       removedSourceIds.add(action.sourceId);
     }
   }
@@ -289,7 +378,7 @@ function canonicalSourceContent(content: string): string {
 function buildWriteRuleAction(
   source: OptimizationSource,
   mode: RuleMode,
-  condition?: string,
+  ttsr?: TtsrRuleOptions,
 ): WriteRuleAction {
   return {
     kind: "write-rule",
@@ -302,7 +391,41 @@ function buildWriteRuleAction(
     sourceBytes: source.bytes,
     estimatedSavedBytes: source.bytes,
     sourceContent: source.content,
-    ...(condition ? { condition } : {}),
+    ...(ttsr ? { condition: ttsr.condition, triggers: ttsr.triggers, scope: ttsr.scope } : {}),
+  };
+}
+
+function buildWriteCommandAction(source: OptimizationSource): WriteCommandAction {
+  const commandName = slugifyOptimizationSource(source.sourceName);
+  return {
+    kind: "write-command",
+    sourceId: source.sourceId,
+    sourceName: source.sourceName,
+    sourceHash: source.sourceHash,
+    slug: source.slug,
+    commandName,
+    targetPath: `.omp/commands/${commandName}.md`,
+    sourceBytes: source.bytes,
+    estimatedSavedBytes: source.bytes,
+    sourceContent: source.content,
+    description: `Run the ${source.sourceName} workflow on demand.`,
+  };
+}
+
+function buildRunbookExtensionAction(): WriteExtensionAction {
+  const sourceContent = canonicalSourceContent(RUNBOOK_EXTENSION_SOURCE);
+  const sourceBytes = byteLength(sourceContent);
+  return {
+    kind: "write-extension",
+    sourceId: "extension:runbook",
+    sourceName: RUNBOOK_EXTENSION_NAME,
+    sourceHash: hashOptimizationSource(sourceContent),
+    slug: "extension-runbook",
+    extensionName: RUNBOOK_EXTENSION_NAME,
+    targetPath: RUNBOOK_EXTENSION_PATH,
+    sourceBytes,
+    estimatedSavedBytes: 0,
+    sourceContent,
   };
 }
 

package/src/harness/command.ts

@@ -39,6 +39,7 @@ import {
   loadHarnessSession,
   loadHarnessValidateReport,
   readSlopQueue,
+  saveHarnessDesignSpecJson,
   saveHarnessSession,
 } from "./storage.js";
 import { computeScore } from "./anti_slop/score.js";
@@ -55,6 +56,8 @@ import { buildBackendAdapter } from "./anti_slop/backend-factory.js";
 import { getWorkingTreeStatus } from "../git/status.js";
 import { DEFAULT_HARNESS_CONFIG } from "./hooks/register.js";
 import { handlePrComment } from "./pr-comment/handler.js";
+import { runGitVerificationQa } from "./git-verify-qa.js";
+import { getHarnessSessionDir } from "./project-paths.js";
 import type { HarnessDesignSpec, HarnessGateMode, HarnessSession, HarnessStage } from "../types.js";
 
 modelRegistry.register({
@@ -223,12 +226,13 @@ async function runPipelineWithProgress(
   gates: HarnessGateMode,
   stageInputs: BuildRunnerInput,
   startStage?: HarnessStage,
+  forceStages?: ReadonlySet<HarnessStage>,
 ): Promise<PipelineRunOutcome> {
   const harnessProgress = createHarnessProgress(ctx);
   const modelConfig = loadModelConfig(platform.paths, ctx.cwd);
   const outcome = await pipelineDriver({
     platform, paths: platform.paths, cwd: ctx.cwd, sessionId,
-    modelConfig, gates, stageInputs, startStage,
+    modelConfig, gates, stageInputs, startStage, forceStages,
     onProgress: harnessProgress.onProgress,
   });
   // Single consolidated notification.
@@ -558,12 +562,12 @@ async function runDesignQa(
 
     if (choice === "Accept all suggestions") {
       applyDesignAnalysis(base, analysis);
-      await askCiAndTooling(ctx, base);
+      await askCiAndTooling(platform, ctx, base);
       return base;
     }
 
     if (choice === "Skip — use bare defaults") {
-      await askCiAndTooling(ctx, base);
+      await askCiAndTooling(platform, ctx, base);
       return base;
     }
   }
@@ -627,7 +631,7 @@ async function runDesignQa(
     }
   }
 
-  await askCiAndTooling(ctx, base);
+  await askCiAndTooling(platform, ctx, base);
   return base;
 }
 
@@ -707,7 +711,7 @@ function localCommandOptions(base: HarnessDesignSpec): string[] {
   ]));
 }
 
-async function askCiAndTooling(ctx: HarnessCommandContext, base: HarnessDesignSpec): Promise<void> {
+async function askCiAndTooling(platform: Platform, ctx: HarnessCommandContext, base: HarnessDesignSpec): Promise<void> {
   if (!ctx.ui.select) return;
 
   const triggerChoice = await ctx.ui.select(
@@ -741,6 +745,84 @@ async function askCiAndTooling(ctx: HarnessCommandContext, base: HarnessDesignSp
   } else if (toolChoice) {
     base.ci.localCommand = toolChoice.replace(/\s+\(.+\)$/, "");
   }
+
+  // After the user picks their CI trigger and local command, offer the optional Git
+  // verification flow. This populates `base.ci.git` so the implement stage renders the
+  // PR-source guardrail and validate confirms the wiring. Skippable; declining leaves
+  // `git` unset and the rest of the pipeline behaves identically to before this feature.
+  await runGitVerificationStep(platform, ctx, base);
+}
+
+/**
+ * Adapter around `runGitVerificationQa` that fits the harness command UI. The QA helper
+ * expects an `ExecFn`-shaped function plus a `select / input / notify` UI trio; we wrap
+ * `platform.exec` and `ctx.ui` so the helper stays independent of the OMP plumbing.
+ *
+ * Persists any returned `HarnessCiGitConfig` onto the in-memory `base` spec; the design
+ * stage runner persists the spec to disk so no extra storage call is needed here. We
+ * also widen `base.ci.trigger.branches` to include both `mainBranch` and `devBranch`
+ * so the rendered workflow runs CI on both PR targets — matching the rule "CI runs on
+ * both the dev branch PR and the main branch".
+ */
+async function runGitVerificationStep(
+  platform: Platform,
+  ctx: HarnessCommandContext,
+  base: HarnessDesignSpec,
+): Promise<void> {
+  if (!ctx.ui.select || !ctx.ui.input) return; // No interactive UI — skip silently.
+
+  const sessionDir = getHarnessSessionDir(platform.paths, ctx.cwd, base.sessionId);
+
+  const result = await runGitVerificationQa({
+    exec: (cmd, args, opts) => platform.exec(cmd, args, opts),
+    cwd: ctx.cwd,
+    sessionDir,
+    ui: {
+      select: (title, options) => ctx.ui.select!(title, options as unknown as string[]),
+      input: (label) => ctx.ui.input!(label),
+      notify: (message) => notifyInfo(ctx, "Git verification", message),
+    },
+  });
+
+  if (!result) return;
+  base.ci.git = result;
+
+  // Ensure the CI trigger includes both branches so the workflow runs on PRs targeting
+  // either. Preserve any user-customized branches the prior step already picked.
+  if (base.ci.trigger.mode === "branches") {
+    const next = new Set(base.ci.trigger.branches);
+    next.add(result.mainBranch);
+    if (result.devBranch) next.add(result.devBranch);
+    base.ci.trigger = { mode: "branches", branches: Array.from(next) };
+  }
+}
+
+/**
+ * Harden-mode entry point for Git verification. Mutates the persisted design spec in
+ * place so the downstream implement stage re-renders the workflow with the new `git`
+ * block. Returns true when a new `ci.git` block was captured and persisted so the
+ * caller can force-re-run the affected stages; false when the user declined or no UI
+ * is available.
+ */
+async function runGitVerificationOnHarden(
+  platform: Platform,
+  ctx: HarnessCommandContext,
+  sessionId: string,
+  spec: HarnessDesignSpec,
+): Promise<boolean> {
+  await runGitVerificationStep(platform, ctx, spec);
+  if (!spec.ci.git) return false; // user declined
+  const persisted = saveHarnessDesignSpecJson(platform.paths, ctx.cwd, sessionId, spec);
+  if (!persisted.ok) {
+    notifyInfo(
+      ctx,
+      "Git verification persisted partially",
+      `In-memory spec updated, but persistence failed: ${persisted.error.message}. ` +
+        `Re-run /supi:harness to retry.`,
+    );
+    return false;
+  }
+  return true;
 }
 
 
@@ -902,7 +984,17 @@ async function handleBareEntry(platform: Platform, ctx: HarnessCommandContext):
     if (layerCount >= 2) {
       await promptDocsTierIfNeeded(platform, ctx, sessionId, layerCount);
     }
-    await runPipelineWithProgress(platform, ctx, sessionId, "auto", {});
+    // Offer the optional Git verification flow on harden when the existing spec has no
+    // `ci.git` block. Keeps the harden path lightweight by skipping silently when the
+    // user previously declined or completed the verification. When the user captures a
+    // new `ci.git` block, force implement + validate to re-run so the workflow file is
+    // re-rendered with the `verify-pr-source` job and the validate cross-check fires.
+    let forceStages: ReadonlySet<HarnessStage> | undefined;
+    if (designSpec.ok && !designSpec.value.ci.git) {
+      const captured = await runGitVerificationOnHarden(platform, ctx, sessionId, designSpec.value);
+      if (captured) forceStages = new Set<HarnessStage>(["implement", "validate"]);
+    }
+    await runPipelineWithProgress(platform, ctx, sessionId, "auto", {}, undefined, forceStages);
   } else {
     // Rebuild: full regeneration with user gates at each stage.
     await runRebuildWithGates(platform, ctx, sessionId);