symbolic-scribe-harness 0.1.0

package/.claude/commands/doctor.md

@@ -0,0 +1,12 @@
+---
+description: "Health-check the harness: kernel load, MCP wiring, memory backend, host adapter."
+---
+
+Run a full health check and print a PASS/FAIL table.
+
+1. Kernel loads and `kernelInfo().version` matches package.json.
+2. The MCP server starts and lists its tools.
+3. The memory backend is reachable.
+4. The configured host adapter is present.
+
+Exit non-zero if any check fails.

package/.claude/commands/release-check.md

@@ -0,0 +1,13 @@
+---
+description: Run the release-readiness umbrella + draft a tweet-length announcement.
+---
+
+Run the release-readiness check.
+
+1. `harness validate` — umbrella check, must be green.
+2. `harness sbom` — emit the SBOM artifact.
+3. `harness score` — the scorecard must be >= 70 (B grade).
+4. If any gate is red, REFUSE to draft and name the specific blocker.
+5. Otherwise: draft the GitHub release body from the conventional-commit log since the last tag, grouped by feat/fix/docs/chore.
+
+Never push or tag in this command; the operator decides when to ship.

package/.claude/commands/repo-triage.md

@@ -0,0 +1,16 @@
+---
+description: "Maintainer triage: what changed, what is risky, what to review first."
+---
+
+Triage the current repo state.
+
+1. `git status` to see what is uncommitted.
+2. `git log --oneline -20` to see the recent history.
+3. `git diff HEAD~1` for the latest commit.
+4. Report:
+   - headline risk
+   - files most likely to regress
+   - smallest test the team should run before merging
+   - any permissions widened in the diff
+
+Do not auto-fix; surface findings only.

package/.claude/settings.json

@@ -0,0 +1,44 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(npx symbolic-scribe-harness*)",
+      "mcp__symbolic-scribe-harness__*",
+      "mcp__code_index__*",
+      "Bash(npm test*)",
+      "Bash(npm run*)",
+      "Bash(git diff*)",
+      "Bash(git status*)",
+      "Bash(git log*)",
+      "Bash(git show*)",
+      "Bash(cargo bench*)",
+      "Bash(cargo test*)"
+    ],
+    "deny": [
+      "Read(./.env)",
+      "Read(./.env.*)",
+      "Bash(git push*)",
+      "Bash(rm -rf*)",
+      "Bash(npm publish*)"
+    ]
+  },
+  "mcpServers": {
+    "symbolic-scribe-harness": {
+      "command": "npx",
+      "args": [
+        "-y",
+        "symbolic-scribe-harness@latest",
+        "mcp",
+        "start"
+      ]
+    },
+    "code_index": {
+      "command": "npx",
+      "args": [
+        "-y",
+        "symbolic-scribe-harness@latest",
+        "mcp",
+        "index"
+      ]
+    }
+  }
+}

package/.claude/skills/memory-inspect/SKILL.md

@@ -0,0 +1,14 @@
+---
+name: memory-inspect
+description: Search and inspect the harness memory namespace (HNSW + emergent-time decay).
+---
+
+# memory-inspect
+
+Inspect what the harness has learned.
+
+- `search <query>` — semantic nearest-neighbour over the namespace
+- `list` — recent patterns with decay weight
+- `forget <id>` — evict a pattern
+
+Use this before planning so the harness reuses prior trajectories instead of starting cold.

package/.claude/skills/plan-change/SKILL.md

@@ -0,0 +1,15 @@
+---
+name: plan-change
+description: "Turn a feature request into a minimal, file-level implementation plan before any code."
+---
+
+# plan-change
+
+Produce an implementation plan for a requested change.
+
+1. Restate the goal in one sentence.
+2. List the files to touch and why.
+3. Name the smallest interface that satisfies it.
+4. Flag anything that ripples beyond three files or widens a permission.
+
+Hand the plan to the implementer; do not write code in this step.

package/CLAUDE.md

@@ -0,0 +1,34 @@
+# symbolic-scribe-harness
+
+My AI agent harness
+
+> Repo Maintainer harness · domain: `engineering/repo-maintenance`. Generated with [create-agent-harness](https://github.com/ruvnet/agent-harness-generator).
+
+## Behavioral rules
+
+- Use the harness's MCP tools (`mcp__symbolic-scribe-harness__*`) for orchestration
+- Memory and routing are handled by the kernel — you don't need to learn them
+- Defer destructive operations to the user
+
+## Agents
+
+| Agent | Tier | Role |
+|---|---|---|
+| `maintainer` | opus | Triages the repo state — what changed, what is risky, what to review first. |
+| `benchmarker` | sonnet | Runs the perf gates and reports regressions. |
+| `release` | opus | Drafts the GitHub release body + runs the readiness gates. |
+| `security` | opus | Flags risky MCP grants, leaked secrets, dangerous diffs. |
+## Skills
+
+- `/memory-inspect` — Search and inspect the harness memory namespace (HNSW + emergent-time decay).
+- `/plan-change` — Turn a feature request into a minimal, file-level implementation plan before any code.
+
+## Commands
+
+- `doctor` — Health-check the harness: kernel load, MCP wiring, memory backend, host adapter.
+- `repo-triage` — Maintainer triage: what changed, what is risky, what to review first.
+- `release-check` — Run the release-readiness umbrella + draft a tweet-length announcement.
+
+## Architecture
+
+This harness uses [@metaharness/kernel](https://www.npmjs.com/package/@metaharness/kernel) — a Rust-compiled WASM module with a NAPI-RS native fallback — so the same code runs identically on every platform.

package/README.md

@@ -0,0 +1,30 @@
+# symbolic-scribe-harness
+
+My AI agent harness
+
+> **Repo Maintainer** — Maintainer triages the diff → benchmarker reports regressions → release drafts the GH release body → security flags risky MCP grants. Drop into any repo and run.
+>
+> Generated with [`create-agent-harness`](https://github.com/ruvnet/agent-harness-generator). WASM kernel, multi-host support, witness-signed releases.
+
+## Install
+
+```bash
+npm install -g symbolic-scribe-harness
+symbolic-scribe-harness init
+symbolic-scribe-harness doctor
+```
+
+## Agents
+
+| Agent | Role |
+|---|---|
+| `maintainer` | Triages the repo state — what changed, what is risky, what to review first. |
+| `benchmarker` | Runs the perf gates and reports regressions. |
+| `release` | Drafts the GitHub release body + runs the readiness gates. |
+| `security` | Flags risky MCP grants, leaked secrets, dangerous diffs. |
+
+This harness ships with the **claude-code** adapter.
+
+## License
+
+MIT

package/bin/cli.js

@@ -0,0 +1,100 @@
+#!/usr/bin/env node
+// SPDX-License-Identifier: MIT
+// Generated by metaharness — the `symbolic-scribe-harness` CLI entry point.
+//
+// This is plain ESM JavaScript on purpose: it runs as-is via `npx symbolic-scribe-harness`
+// with NO build step. `npm run build` (tsc) is only needed if you extend the
+// TypeScript in src/. The published package ships this file directly (see the
+// "bin" + "files" fields in package.json), so `npx symbolic-scribe-harness` works the moment
+// `npm install` has resolved @metaharness/kernel + @metaharness/host-claude-code.
+
+import { loadKernel } from '@metaharness/kernel';
+import adapter from '@metaharness/host-claude-code';
+
+const HARNESS_NAME = 'symbolic-scribe-harness';
+
+/** `symbolic-scribe-harness init` — boot the kernel + host adapter and report status. */
+async function init() {
+  const kernel = await loadKernel();
+  const info = kernel.kernelInfo();
+  console.log(`${HARNESS_NAME} — kernel ${info.version} (${kernel.backend})`);
+  console.log(`Host adapter: ${adapter.name}`);
+  console.log(`Run \`${HARNESS_NAME} doctor\` to verify the install.`);
+  return 0;
+}
+
+/** `symbolic-scribe-harness doctor` — verify the install end-to-end (kernel + host resolve). */
+async function doctor() {
+  const kernel = await loadKernel();
+  const info = kernel.kernelInfo();
+  const checks = [
+    ['kernel loads', !!kernel],
+    ['kernel reports a version', typeof info.version === 'string' && info.version.length > 0],
+    ['kernel backend is native|wasm|js', ['native', 'wasm', 'js'].includes(kernel.backend)],
+    ['host adapter has a name', typeof adapter?.name === 'string' && adapter.name.length > 0],
+  ];
+  let ok = true;
+  for (const [label, pass] of checks) {
+    console.log(`${pass ? 'PASS' : 'FAIL'} ${label}`);
+    if (!pass) ok = false;
+  }
+  console.log(
+    ok
+      ? `\n${HARNESS_NAME}: all checks passed (kernel ${info.version}, ${kernel.backend} backend, host ${adapter.name})`
+      : `\n${HARNESS_NAME}: doctor found problems`,
+  );
+  return ok ? 0 : 1;
+}
+
+/**
+ * Dispatch one CLI invocation. Exported (not just run on import) so a test can
+ * drive it without spawning a subprocess. Returns the intended exit code.
+ */
+export async function run(argv) {
+  const cmd = argv[0] ?? 'init';
+  switch (cmd) {
+    case 'init':
+      return init();
+    case 'doctor':
+      return doctor();
+    case '--version':
+    case '-v': {
+      const kernel = await loadKernel();
+      console.log(kernel.version());
+      return 0;
+    }
+    case '--help':
+    case '-h':
+      console.log(`Usage: ${HARNESS_NAME} <command>\n\n  init     boot the kernel + host adapter (default)\n  doctor   verify the install end-to-end\n  --version  print the kernel version`);
+      return 0;
+    default:
+      console.error(`Unknown command: ${cmd}. Try \`${HARNESS_NAME} --help\`.`);
+      return 2;
+  }
+}
+
+// CLI guard: execute only when invoked directly (not when imported by a test).
+// npm's bin shims pass a NON-normalized argv[1] (e.g. ".../.bin/../<pkg>/bin/cli.js"
+// on Windows) and may differ in case, so realpath BOTH sides before comparing —
+// a naive string === misses the npx/shim path and the CLI silently no-ops.
+import { fileURLToPath } from 'node:url';
+import { realpathSync } from 'node:fs';
+import { argv } from 'node:process';
+const invokedDirectly = (() => {
+  if (!argv[1]) return false;
+  try {
+    const a = realpathSync(argv[1]);
+    const b = realpathSync(fileURLToPath(import.meta.url));
+    return process.platform === 'win32' ? a.toLowerCase() === b.toLowerCase() : a === b;
+  } catch {
+    return false;
+  }
+})();
+if (invokedDirectly) {
+  run(argv.slice(2))
+    .then((code) => process.exit(code))
+    .catch((err) => {
+      console.error(err);
+      process.exit(1);
+    });
+}

package/dist/agents/benchmarker.d.ts

@@ -0,0 +1,4 @@
+export declare const SYSTEM_PROMPT = "You run the project's declared benchmark suite (cargo bench, npm run bench, or whatever the manifest names) and compare against the baseline. Report regressions only when they cross the project's declared threshold \u2014 noise is worse than no result. Distinguish a real regression (statistically significant + reproducible) from a single-run flake. Write the result to memory so the maintainer can quote it. You operate inside the symbolic-scribe-harness harness; defer destructive actions to the user.";
+export declare const NAME = "benchmarker";
+export declare const TIER: "sonnet";
+//# sourceMappingURL=benchmarker.d.ts.map

package/dist/agents/benchmarker.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"benchmarker.d.ts","sourceRoot":"","sources":["../../src/agents/benchmarker.ts"],"names":[],"mappings":"AAGA,eAAO,MAAM,aAAa,6fAAwf,CAAC;AAEnhB,eAAO,MAAM,IAAI,gBAAgB,CAAC;AAClC,eAAO,MAAM,IAAI,EAAG,QAAiB,CAAC"}

package/dist/agents/benchmarker.js

@@ -0,0 +1,6 @@
+// SPDX-License-Identifier: MIT
+// Benchmarker agent — Runs the perf gates and reports regressions.
+export const SYSTEM_PROMPT = `You run the project's declared benchmark suite (cargo bench, npm run bench, or whatever the manifest names) and compare against the baseline. Report regressions only when they cross the project's declared threshold — noise is worse than no result. Distinguish a real regression (statistically significant + reproducible) from a single-run flake. Write the result to memory so the maintainer can quote it. You operate inside the symbolic-scribe-harness harness; defer destructive actions to the user.`;
+export const NAME = 'benchmarker';
+export const TIER = 'sonnet';
+//# sourceMappingURL=benchmarker.js.map

package/dist/agents/benchmarker.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"benchmarker.js","sourceRoot":"","sources":["../../src/agents/benchmarker.ts"],"names":[],"mappings":"AAAA,+BAA+B;AAC/B,mEAAmE;AAEnE,MAAM,CAAC,MAAM,aAAa,GAAG,qfAAqf,CAAC;AAEnhB,MAAM,CAAC,MAAM,IAAI,GAAG,aAAa,CAAC;AAClC,MAAM,CAAC,MAAM,IAAI,GAAG,QAAiB,CAAC"}

package/dist/agents/maintainer.d.ts

@@ -0,0 +1,4 @@
+export declare const SYSTEM_PROMPT = "You are the repo maintainer. When asked \"what changed?\" you read git diff / git log / git status and produce a one-screen triage: the headline risk, the files most likely to regress, and the smallest test the team should run before merging. You never push, never publish, never auto-fix \u2014 your job is to surface, not to act. When uncertain you say \"I can't tell from the diff alone\" and ask for the specific file or commit you need. You operate inside the symbolic-scribe-harness harness; defer destructive actions to the user.";
+export declare const NAME = "maintainer";
+export declare const TIER: "opus";
+//# sourceMappingURL=maintainer.d.ts.map

package/dist/agents/maintainer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"maintainer.d.ts","sourceRoot":"","sources":["../../src/agents/maintainer.ts"],"names":[],"mappings":"AAGA,eAAO,MAAM,aAAa,6hBAAohB,CAAC;AAE/iB,eAAO,MAAM,IAAI,eAAe,CAAC;AACjC,eAAO,MAAM,IAAI,EAAG,MAAe,CAAC"}

package/dist/agents/maintainer.js

@@ -0,0 +1,6 @@
+// SPDX-License-Identifier: MIT
+// Maintainer agent — Triages the repo state — what changed, what is risky, what to review first.
+export const SYSTEM_PROMPT = `You are the repo maintainer. When asked "what changed?" you read git diff / git log / git status and produce a one-screen triage: the headline risk, the files most likely to regress, and the smallest test the team should run before merging. You never push, never publish, never auto-fix — your job is to surface, not to act. When uncertain you say "I can't tell from the diff alone" and ask for the specific file or commit you need. You operate inside the symbolic-scribe-harness harness; defer destructive actions to the user.`;
+export const NAME = 'maintainer';
+export const TIER = 'opus';
+//# sourceMappingURL=maintainer.js.map

package/dist/agents/maintainer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"maintainer.js","sourceRoot":"","sources":["../../src/agents/maintainer.ts"],"names":[],"mappings":"AAAA,+BAA+B;AAC/B,iGAAiG;AAEjG,MAAM,CAAC,MAAM,aAAa,GAAG,ihBAAihB,CAAC;AAE/iB,MAAM,CAAC,MAAM,IAAI,GAAG,YAAY,CAAC;AACjC,MAAM,CAAC,MAAM,IAAI,GAAG,MAAe,CAAC"}

package/dist/agents/release.d.ts

@@ -0,0 +1,4 @@
+export declare const SYSTEM_PROMPT = "You draft a release. Read the conventional-commit log since the last tag, group commits by feat/fix/docs/chore, and write a release body that an outside reader could understand without the repo open. Before drafting you confirm the release-readiness gates have passed (validate / sbom / witness / score). If any gate is red you refuse to draft and name the specific blocker. The release is a public commitment; you treat it like one. You operate inside the symbolic-scribe-harness harness; defer destructive actions to the user.";
+export declare const NAME = "release";
+export declare const TIER: "opus";
+//# sourceMappingURL=release.d.ts.map

package/dist/agents/release.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"release.d.ts","sourceRoot":"","sources":["../../src/agents/release.ts"],"names":[],"mappings":"AAGA,eAAO,MAAM,aAAa,qhBAAqhB,CAAC;AAEhjB,eAAO,MAAM,IAAI,YAAY,CAAC;AAC9B,eAAO,MAAM,IAAI,EAAG,MAAe,CAAC"}

package/dist/agents/release.js

@@ -0,0 +1,6 @@
+// SPDX-License-Identifier: MIT
+// Release agent — Drafts the GitHub release body + runs the readiness gates.
+export const SYSTEM_PROMPT = `You draft a release. Read the conventional-commit log since the last tag, group commits by feat/fix/docs/chore, and write a release body that an outside reader could understand without the repo open. Before drafting you confirm the release-readiness gates have passed (validate / sbom / witness / score). If any gate is red you refuse to draft and name the specific blocker. The release is a public commitment; you treat it like one. You operate inside the symbolic-scribe-harness harness; defer destructive actions to the user.`;
+export const NAME = 'release';
+export const TIER = 'opus';
+//# sourceMappingURL=release.js.map

package/dist/agents/release.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"release.js","sourceRoot":"","sources":["../../src/agents/release.ts"],"names":[],"mappings":"AAAA,+BAA+B;AAC/B,6EAA6E;AAE7E,MAAM,CAAC,MAAM,aAAa,GAAG,khBAAkhB,CAAC;AAEhjB,MAAM,CAAC,MAAM,IAAI,GAAG,SAAS,CAAC;AAC9B,MAAM,CAAC,MAAM,IAAI,GAAG,MAAe,CAAC"}

package/dist/agents/security.d.ts

@@ -0,0 +1,4 @@
+export declare const SYSTEM_PROMPT = "You scan the harness for the security regressions that matter: MCP grants that widened (Bash(rm:*), shell on, network on, file-write on), .env or token strings that escaped the redaction set, dependency updates that pulled in CVEs, and policy files that drifted from default-deny. Report each finding with a file:line, a severity (HIGH / MEDIUM), and the smallest fix. Never approve a change that widens a permission without a written reason in the PR description. You operate inside the symbolic-scribe-harness harness; defer destructive actions to the user.";
+export declare const NAME = "security";
+export declare const TIER: "opus";
+//# sourceMappingURL=security.d.ts.map

package/dist/agents/security.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"security.d.ts","sourceRoot":"","sources":["../../src/agents/security.ts"],"names":[],"mappings":"AAGA,eAAO,MAAM,aAAa,ojBAAojB,CAAC;AAE/kB,eAAO,MAAM,IAAI,aAAa,CAAC;AAC/B,eAAO,MAAM,IAAI,EAAG,MAAe,CAAC"}

package/dist/agents/security.js

@@ -0,0 +1,6 @@
+// SPDX-License-Identifier: MIT
+// Security agent — Flags risky MCP grants, leaked secrets, dangerous diffs.
+export const SYSTEM_PROMPT = `You scan the harness for the security regressions that matter: MCP grants that widened (Bash(rm:*), shell on, network on, file-write on), .env or token strings that escaped the redaction set, dependency updates that pulled in CVEs, and policy files that drifted from default-deny. Report each finding with a file:line, a severity (HIGH / MEDIUM), and the smallest fix. Never approve a change that widens a permission without a written reason in the PR description. You operate inside the symbolic-scribe-harness harness; defer destructive actions to the user.`;
+export const NAME = 'security';
+export const TIER = 'opus';
+//# sourceMappingURL=security.js.map

package/dist/agents/security.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"security.js","sourceRoot":"","sources":["../../src/agents/security.ts"],"names":[],"mappings":"AAAA,+BAA+B;AAC/B,4EAA4E;AAE5E,MAAM,CAAC,MAAM,aAAa,GAAG,ijBAAijB,CAAC;AAE/kB,MAAM,CAAC,MAAM,IAAI,GAAG,UAAU,CAAC;AAC/B,MAAM,CAAC,MAAM,IAAI,GAAG,MAAe,CAAC"}

package/dist/init.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=init.d.ts.map

package/dist/init.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"init.d.ts","sourceRoot":"","sources":["../src/init.ts"],"names":[],"mappings":""}

package/dist/init.js

@@ -0,0 +1,18 @@
+// SPDX-License-Identifier: MIT
+// Generated by create-agent-harness — your harness's `symbolic-scribe-harness init` entry.
+import { loadKernel } from '@metaharness/kernel';
+import adapter from '@metaharness/host-claude-code';
+const HARNESS_NAME = 'symbolic-scribe-harness';
+async function main() {
+    const kernel = await loadKernel();
+    const info = kernel.kernelInfo();
+    console.log(`${HARNESS_NAME} — kernel ${info.version} (${kernel.backend})`);
+    console.log(`Host adapter: ${adapter.name}`);
+    console.log(`Run \`${HARNESS_NAME} doctor\` to verify the install.`);
+    return 0;
+}
+main().then(c => process.exit(c)).catch(err => {
+    console.error(err);
+    process.exit(1);
+});
+//# sourceMappingURL=init.js.map

package/dist/init.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"init.js","sourceRoot":"","sources":["../src/init.ts"],"names":[],"mappings":"AAAA,+BAA+B;AAC/B,2FAA2F;AAE3F,OAAO,EAAE,UAAU,EAAE,MAAM,qBAAqB,CAAC;AACjD,OAAO,OAAO,MAAM,+BAA+B,CAAC;AAEpD,MAAM,YAAY,GAAG,yBAAyB,CAAC;AAE/C,KAAK,UAAU,IAAI;IACjB,MAAM,MAAM,GAAG,MAAM,UAAU,EAAE,CAAC;IAClC,MAAM,IAAI,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IACjC,OAAO,CAAC,GAAG,CAAC,GAAG,YAAY,aAAa,IAAI,CAAC,OAAO,KAAK,MAAM,CAAC,OAAO,GAAG,CAAC,CAAC;IAC5E,OAAO,CAAC,GAAG,CAAC,iBAAiB,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;IAC7C,OAAO,CAAC,GAAG,CAAC,SAAS,YAAY,kCAAkC,CAAC,CAAC;IACrE,OAAO,CAAC,CAAC;AACX,CAAC;AAED,IAAI,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE;IAC5C,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACnB,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC"}

package/package.json

@@ -0,0 +1,30 @@
+{
+  "name": "symbolic-scribe-harness",
+  "version": "0.1.0",
+  "description": "My AI agent harness",
+  "type": "module",
+  "bin": {
+    "symbolic-scribe-harness": "./bin/cli.js"
+  },
+  "files": ["bin/**", "dist/**", "src/**", "tsconfig.json", ".claude/**", "CLAUDE.md", "README.md", "LICENSE"],
+  "scripts": {
+    "build": "tsc",
+    "test": "vitest run",
+    "init": "node ./bin/cli.js init", "doctor": "node ./bin/cli.js doctor"
+  },
+  "dependencies": {
+    "@metaharness/kernel": "^0.1.0",
+    "@metaharness/host-claude-code": "^0.1.0"
+  },
+  "devDependencies": {
+    "@types/node": "^20.0.0",
+    "typescript": "^5.4.0",
+    "vitest": "^2.0.0"
+  },
+  "engines": {
+    "node": ">=20.0.0"
+  },
+  "publishConfig": {
+    "access": "public"
+  }
+}

package/src/agents/benchmarker.ts

@@ -0,0 +1,7 @@
+// SPDX-License-Identifier: MIT
+// Benchmarker agent — Runs the perf gates and reports regressions.
+
+export const SYSTEM_PROMPT = `You run the project's declared benchmark suite (cargo bench, npm run bench, or whatever the manifest names) and compare against the baseline. Report regressions only when they cross the project's declared threshold — noise is worse than no result. Distinguish a real regression (statistically significant + reproducible) from a single-run flake. Write the result to memory so the maintainer can quote it. You operate inside the symbolic-scribe-harness harness; defer destructive actions to the user.`;
+
+export const NAME = 'benchmarker';
+export const TIER = 'sonnet' as const;

package/src/agents/maintainer.ts

@@ -0,0 +1,7 @@
+// SPDX-License-Identifier: MIT
+// Maintainer agent — Triages the repo state — what changed, what is risky, what to review first.
+
+export const SYSTEM_PROMPT = `You are the repo maintainer. When asked "what changed?" you read git diff / git log / git status and produce a one-screen triage: the headline risk, the files most likely to regress, and the smallest test the team should run before merging. You never push, never publish, never auto-fix — your job is to surface, not to act. When uncertain you say "I can't tell from the diff alone" and ask for the specific file or commit you need. You operate inside the symbolic-scribe-harness harness; defer destructive actions to the user.`;
+
+export const NAME = 'maintainer';
+export const TIER = 'opus' as const;

package/src/agents/release.ts

@@ -0,0 +1,7 @@
+// SPDX-License-Identifier: MIT
+// Release agent — Drafts the GitHub release body + runs the readiness gates.
+
+export const SYSTEM_PROMPT = `You draft a release. Read the conventional-commit log since the last tag, group commits by feat/fix/docs/chore, and write a release body that an outside reader could understand without the repo open. Before drafting you confirm the release-readiness gates have passed (validate / sbom / witness / score). If any gate is red you refuse to draft and name the specific blocker. The release is a public commitment; you treat it like one. You operate inside the symbolic-scribe-harness harness; defer destructive actions to the user.`;
+
+export const NAME = 'release';
+export const TIER = 'opus' as const;

package/src/agents/security.ts

@@ -0,0 +1,7 @@
+// SPDX-License-Identifier: MIT
+// Security agent — Flags risky MCP grants, leaked secrets, dangerous diffs.
+
+export const SYSTEM_PROMPT = `You scan the harness for the security regressions that matter: MCP grants that widened (Bash(rm:*), shell on, network on, file-write on), .env or token strings that escaped the redaction set, dependency updates that pulled in CVEs, and policy files that drifted from default-deny. Report each finding with a file:line, a severity (HIGH / MEDIUM), and the smallest fix. Never approve a change that widens a permission without a written reason in the PR description. You operate inside the symbolic-scribe-harness harness; defer destructive actions to the user.`;
+
+export const NAME = 'security';
+export const TIER = 'opus' as const;

package/src/init.ts

@@ -0,0 +1,21 @@
+// SPDX-License-Identifier: MIT
+// Generated by create-agent-harness — your harness's `symbolic-scribe-harness init` entry.
+
+import { loadKernel } from '@metaharness/kernel';
+import adapter from '@metaharness/host-claude-code';
+
+const HARNESS_NAME = 'symbolic-scribe-harness';
+
+async function main(): Promise<number> {
+  const kernel = await loadKernel();
+  const info = kernel.kernelInfo();
+  console.log(`${HARNESS_NAME} — kernel ${info.version} (${kernel.backend})`);
+  console.log(`Host adapter: ${adapter.name}`);
+  console.log(`Run \`${HARNESS_NAME} doctor\` to verify the install.`);
+  return 0;
+}
+
+main().then(c => process.exit(c)).catch(err => {
+  console.error(err);
+  process.exit(1);
+});

package/tsconfig.json

@@ -0,0 +1,19 @@
+{
+  "compilerOptions": {
+    "target": "ES2022",
+    "module": "NodeNext",
+    "moduleResolution": "NodeNext",
+    "lib": ["ES2022"],
+    "outDir": "./dist",
+    "rootDir": "./src",
+    "declaration": true,
+    "declarationMap": true,
+    "sourceMap": true,
+    "strict": true,
+    "esModuleInterop": true,
+    "skipLibCheck": true,
+    "forceConsistentCasingInFileNames": true
+  },
+  "include": ["src/**/*.ts"],
+  "exclude": ["node_modules", "dist", "__tests__"]
+}