agentic-harness 0.2.0__py3-none-any.whl

agent_harness/__init__.py

@@ -0,0 +1,6 @@
+# src/agent_harness/__init__.py
+from pathlib import Path
+
+__version__ = "0.2.0"
+
+POLICIES_DIR = Path(__file__).resolve().parent / "policies"

agent_harness/cli.py

@@ -0,0 +1,179 @@
+# src/agent_harness/cli.py
+import click
+from pathlib import Path
+
+
+@click.group()
+@click.version_option()
+def cli():
+    """AI Harness — deterministic controls for AI agents."""
+
+
+@cli.command()
+def detect():
+    """Detect project stacks and subprojects."""
+    from agent_harness.detect import detect_all
+
+    cwd = Path.cwd()
+    results = detect_all(cwd)
+    if not results:
+        click.echo("no stacks detected")
+        return
+    for path, stacks in sorted(results.items()):
+        rel = "." if path == cwd else str(path.relative_to(cwd))
+        stacks_str = ", ".join(sorted(stacks))
+        has_harness = (path / ".agent-harness.yml").exists()
+        suffix = "" if has_harness else "  (no .agent-harness.yml)"
+        click.echo(f"{rel:<30} {stacks_str}{suffix}")
+
+
+def print_results(results) -> int:
+    """Print lint results and return exit code."""
+    failed = [r for r in results if not r.passed]
+    passed = [r for r in results if r.passed]
+    total_ms = sum(r.duration_ms for r in results)
+
+    for r in results:
+        icon = "PASS" if r.passed else "FAIL"
+        click.echo(f"  {icon}  {r.name} ({r.duration_ms}ms)")
+        if not r.passed:
+            detail = r.error or r.output
+            if detail:
+                for line in detail.strip().splitlines():
+                    click.echo(f"       {line}")
+
+    click.echo(f"\n{len(passed)} passed, {len(failed)} failed ({total_ms}ms)")
+    return 1 if failed else 0
+
+
+@cli.command()
+def lint():
+    """Run all harness checks (auto-discovers subprojects)."""
+    from agent_harness.lint import run_lint_all
+
+    cwd = Path.cwd()
+    all_results = run_lint_all(cwd)
+    total_exit = 0
+    for path, results in sorted(all_results.items()):
+        rel = "." if path == cwd else str(path.relative_to(cwd))
+        if len(all_results) > 1:
+            click.echo(f"\n=== {rel} ===")
+        exit_code = print_results(results)
+        if exit_code:
+            total_exit = 1
+    raise SystemExit(total_exit)
+
+
+@cli.command()
+def fix():
+    """Auto-fix what's fixable, then lint (auto-discovers subprojects)."""
+    from agent_harness.fix import run_fix_all
+    from agent_harness.lint import run_lint_all
+
+    cwd = Path.cwd()
+
+    click.echo("Fixing...")
+    fix_results = run_fix_all(cwd)
+    for path, actions in sorted(fix_results.items()):
+        rel = "." if path == cwd else str(path.relative_to(cwd))
+        for a in actions:
+            click.echo(f"  {rel}: {a}")
+
+    click.echo("\nLinting...")
+    lint_results = run_lint_all(cwd)
+    total_exit = 0
+    for path, results in sorted(lint_results.items()):
+        rel = "." if path == cwd else str(path.relative_to(cwd))
+        if len(lint_results) > 1:
+            click.echo(f"\n=== {rel} ===")
+        exit_code = print_results(results)
+        if exit_code:
+            total_exit = 1
+    raise SystemExit(total_exit)
+
+
+@cli.command()
+@click.option("--apply", is_flag=True, help="Apply fixes and create missing files")
+def init(apply):
+    """Diagnose harness setup: check tools, config quality, missing files.
+
+    Without --apply: report mode (shows issues, suggests fixes).
+    With --apply: applies auto-fixes and creates missing config files.
+
+    Setup checks diagnose configuration quality (thresholds, flags,
+    coverage settings) and offer fixes. Lint checks run separately
+    via 'agent-harness lint' for fast pass/fail enforcement.
+
+    Examples:
+      agent-harness init            # diagnose only
+      agent-harness init --apply    # diagnose and fix
+    """
+    from agent_harness.init.scaffold import scaffold_all
+
+    all_results = scaffold_all(Path.cwd(), apply=apply)
+    any_actions = False
+    for path, actions in sorted(all_results.items()):
+        for action in actions:
+            click.echo(f"  {action}")
+        if actions:
+            any_actions = True
+    if any_actions:
+        click.echo("\n  Done. Run: make lint")
+
+
+def _run_audit(base_branch: str | None, full_history: bool) -> None:
+    """Shared logic for security audit commands."""
+    from agent_harness.config import load_config
+    from agent_harness.security.audit import run_security_audit
+    from agent_harness.security.display import format_report
+
+    cwd = Path.cwd()
+    config = load_config(cwd)
+
+    if base_branch:
+        config.setdefault("security", {})["base_branch"] = base_branch
+
+    stacks = config.get("stacks", set())
+    mode = "full history" if full_history else "working directory"
+    click.echo(f"Running security audit ({mode})...")
+
+    report = run_security_audit(
+        cwd, stacks=stacks, config=config, full_history=full_history
+    )
+
+    for line in format_report(report):
+        click.echo(line)
+
+    if report.has_failures:
+        raise SystemExit(1)
+
+
+@cli.command("security-audit")
+@click.option(
+    "--base-branch",
+    default=None,
+    help="Base branch for dep diff (default: from config or origin/main)",
+)
+def security_audit(base_branch):
+    """Scan working directory for vulnerabilities and leaked secrets.
+
+    Checks deps for known CVEs (blocks new deps with High/Critical + fix).
+    Scans working directory for secrets. Fast, safe for every commit.
+    """
+    _run_audit(base_branch, full_history=False)
+
+
+@cli.command("security-audit-history")
+@click.option(
+    "--base-branch",
+    default=None,
+    help="Base branch for dep diff (default: from config or origin/main)",
+)
+def security_audit_history(base_branch):
+    """Deep scan full git history for leaked secrets.
+
+    Same as security-audit but also scans all past commits for secrets
+    that were committed and later deleted. Slower (10-60s). Run once
+    during setup or periodically in CI.
+    """
+    _run_audit(base_branch, full_history=True)

agent_harness/config.py

@@ -0,0 +1,57 @@
+"""Config loading — dict-based, each preset reads its own section."""
+
+from __future__ import annotations
+
+import subprocess
+from pathlib import Path
+
+import yaml
+
+
+def _resolve_git_root(project_dir: Path) -> Path | None:
+    """Find the git repository root for project_dir, or None if not in a repo."""
+    result = subprocess.run(
+        ["git", "rev-parse", "--show-toplevel"],
+        capture_output=True,
+        text=True,
+        cwd=str(project_dir),
+    )
+    if result.returncode != 0:
+        return None
+    return Path(result.stdout.strip())
+
+
+def load_config(project_dir: Path) -> dict:
+    """Load .agent-harness.yml. Returns dict."""
+    config: dict = {"stacks": set(), "exclude": []}
+    config["git_root"] = _resolve_git_root(project_dir)
+    cfg_path = project_dir / ".agent-harness.yml"
+
+    if cfg_path.exists():
+        try:
+            raw = yaml.safe_load(cfg_path.read_text()) or {}
+        except yaml.YAMLError as e:
+            import click
+
+            click.echo(
+                f"  WARNING: {cfg_path} is malformed, using defaults\n  {e}", err=True
+            )
+            raw = {}
+
+        if "stacks" in raw:
+            config["stacks"] = set(raw["stacks"])
+        if "exclude" in raw:
+            config["exclude"] = list(raw["exclude"])
+
+        # Pass through all other sections for presets to read
+        for key, value in raw.items():
+            if key not in ("stacks", "exclude"):
+                config[key] = value
+
+    # Auto-detect if no stacks specified
+    if not config["stacks"]:
+        from agent_harness.registry import PRESETS
+
+        config["stacks"] = {p.name for p in PRESETS if p.detect(project_dir)}
+
+    return config

agent_harness/conftest.py

@@ -0,0 +1,51 @@
+"""Shared conftest runner for Rego policy checks."""
+
+from __future__ import annotations
+
+import json
+import os
+import tempfile
+from pathlib import Path
+
+from agent_harness import POLICIES_DIR
+from agent_harness.runner import CheckResult, run_check
+
+
+def run_conftest(
+    name: str,
+    project_dir: Path,
+    target_file: str,
+    policy_subdir: str,
+    data: dict | None = None,
+) -> CheckResult:
+    """Run conftest test on a target file with bundled policies."""
+    target = project_dir / target_file
+    if not target.exists():
+        return CheckResult(
+            name=name, passed=True, output=f"Skipping {name}: {target_file} not found"
+        )
+
+    policy_path = POLICIES_DIR / policy_subdir
+    cmd = [
+        "conftest",
+        "test",
+        str(target),
+        "--policy",
+        str(policy_path),
+        "--no-color",
+        "--all-namespaces",
+    ]
+
+    data_path = None
+    if data:
+        tmp = tempfile.NamedTemporaryFile(mode="w", suffix=".json", delete=False)
+        json.dump(data, tmp)
+        tmp.close()
+        data_path = tmp.name
+        cmd.extend(["--data", data_path])
+
+    try:
+        return run_check(name, cmd, cwd=str(project_dir))
+    finally:
+        if data_path:
+            os.unlink(data_path)

agent_harness/detect.py

@@ -0,0 +1,54 @@
+"""Stack detection orchestrator — delegates to preset detect methods."""
+
+from __future__ import annotations
+
+from pathlib import Path
+
+from agent_harness.git_files import find_files
+from agent_harness.registry import PRESETS
+
+# Dependency manifests that define a real project (not just a build target)
+_PROJECT_MANIFESTS = [
+    "pyproject.toml",
+    "package.json",
+    "go.mod",
+    "Cargo.toml",
+    "Gemfile",
+    "composer.json",
+    "pom.xml",
+    "build.gradle",
+]
+
+
+def detect_stacks(project_dir: Path) -> set[str]:
+    """Detect which stacks a project uses based on file presence."""
+    return {p.name for p in PRESETS if p.detect(project_dir)}
+
+
+def detect_all(project_dir: Path) -> dict[Path, set[str]]:
+    """Detect stacks in root and subdirectories.
+
+    A directory is a project only if it has a dependency manifest
+    (pyproject.toml, package.json, etc.) or is the root directory.
+    Docker-only directories are build targets, not projects.
+    """
+    all_patterns = [f"**/{m}" for m in _PROJECT_MANIFESTS] + [
+        m for m in _PROJECT_MANIFESTS
+    ]
+    manifest_files = find_files(project_dir, all_patterns)
+
+    project_dirs: set[Path] = set()
+    for f in manifest_files:
+        project_dirs.add(f.parent)
+
+    root_stacks = detect_stacks(project_dir)
+    if root_stacks:
+        project_dirs.add(project_dir)
+
+    results: dict[Path, set[str]] = {}
+    for d in sorted(project_dirs):
+        stacks = detect_stacks(d)
+        if stacks:
+            results[d] = stacks
+
+    return results

agent_harness/exclusions.py

@@ -0,0 +1,64 @@
+"""
+File exclusion system.
+
+WHAT: Provides default and configurable file exclusion patterns for all checks.
+
+WHY: Without exclusions, agent-harness scans lock files, build output, archives,
+and vendored code. This wastes time (yamllint on pnpm-lock.yaml: 1.7s) and
+produces false positives (JSONC parse failures on tsconfig.json in _archive/).
+
+WITHOUT IT: 2.5s lint runs that should be 200ms, false positives on generated
+files, agents fixing issues in files they shouldn't touch.
+
+FIX: Add patterns to `exclude:` in .agent-harness.yml.
+"""
+
+from __future__ import annotations
+
+import fnmatch
+
+DEFAULT_EXCLUSIONS = [
+    # Lock files
+    "*.lock",
+    "*-lock.*",
+    "package-lock.json",
+    # Build output
+    "dist/",
+    ".astro/",
+    ".next/",
+    ".nuxt/",
+    # Dependencies
+    "node_modules/",
+    ".venv/",
+    # Caches
+    "__pycache__/",
+    ".pytest_cache/",
+    ".ruff_cache/",
+    # Archives
+    "_archive/",
+]
+
+
+def get_excluded_patterns(config_exclude: list[str]) -> list[str]:
+    """Merge default exclusions with config-provided ones."""
+    return DEFAULT_EXCLUSIONS + config_exclude
+
+
+def is_excluded(filepath: str, patterns: list[str]) -> bool:
+    """Check if a filepath matches any exclusion pattern."""
+    for pattern in patterns:
+        # Directory prefix match: "dist/" matches "dist/foo/bar.js"
+        if pattern.endswith("/") and filepath.startswith(pattern):
+            return True
+        # Also match if any path segment matches directory pattern
+        if pattern.endswith("/"):
+            dir_name = pattern.rstrip("/")
+            if f"/{dir_name}/" in f"/{filepath}" or filepath.startswith(f"{dir_name}/"):
+                return True
+        # Glob match: "*.lock" matches "poetry.lock"
+        if fnmatch.fnmatch(filepath, pattern):
+            return True
+        # Also match basename: "*-lock.*" matches "path/to/pnpm-lock.yaml"
+        if fnmatch.fnmatch(filepath.split("/")[-1], pattern):
+            return True
+    return False

agent_harness/fix.py

@@ -0,0 +1,36 @@
+from __future__ import annotations
+
+from concurrent.futures import ThreadPoolExecutor, as_completed
+from pathlib import Path
+
+from agent_harness.config import load_config
+from agent_harness.registry import PRESETS, UNIVERSAL
+from agent_harness.workspace import discover_roots
+
+
+def run_fix(project_dir: Path) -> list[str]:
+    """Auto-fix what's fixable, then return actions taken."""
+    config = load_config(project_dir)
+    actions = UNIVERSAL.run_fix(project_dir, config)
+    for preset in PRESETS:
+        if preset.name in config.get("stacks", set()):
+            actions.extend(preset.run_fix(project_dir, config))
+    return actions
+
+
+def run_fix_all(project_dir: Path) -> dict[Path, list[str]]:
+    """Discover all subprojects and run fix in each."""
+    roots = discover_roots(project_dir)
+    if not roots:
+        return {project_dir: run_fix(project_dir)}
+
+    results: dict[Path, list[str]] = {}
+    with ThreadPoolExecutor() as pool:
+        futures = {pool.submit(run_fix, root): root for root in roots}
+        for future in as_completed(futures):
+            root = futures[future]
+            try:
+                results[root] = future.result()
+            except Exception as e:
+                results[root] = [f"error: {e}"]
+    return results

agent_harness/git_files.py

@@ -0,0 +1,75 @@
+"""Git-aware file discovery -- respects .gitignore, finds tracked + untracked files."""
+
+from __future__ import annotations
+
+import fnmatch
+import subprocess
+from pathlib import Path
+
+
+def find_files(project_dir: Path, patterns: list[str]) -> list[Path]:
+    """Find files matching glob patterns, respecting .gitignore.
+
+    Uses git ls-files for repos (tracked + untracked, excluding ignored).
+    Falls back to filesystem walk for non-git directories.
+    """
+    files = _git_find(project_dir, patterns)
+    if files is not None:
+        return files
+    return _fs_find(project_dir, patterns)
+
+
+def _git_find(project_dir: Path, patterns: list[str]) -> list[Path] | None:
+    """Use git ls-files to find files. Returns None if not in a git repo."""
+    result = subprocess.run(
+        [
+            "git",
+            "ls-files",
+            "--cached",
+            "--others",
+            "--exclude-standard",
+            *patterns,
+        ],
+        capture_output=True,
+        text=True,
+        cwd=str(project_dir),
+    )
+    if result.returncode != 0:
+        return None
+    paths = []
+    for line in result.stdout.strip().splitlines():
+        if line:
+            paths.append((project_dir / line).resolve())
+    return sorted(set(paths))
+
+
+def _fs_find(project_dir: Path, patterns: list[str]) -> list[Path]:
+    """Fallback: filesystem walk with basic glob matching."""
+    _skip = {
+        ".venv",
+        "venv",
+        "node_modules",
+        ".git",
+        "dist",
+        "build",
+        "__pycache__",
+        ".astro",
+        ".next",
+        ".nuxt",
+        ".worktrees",
+        "_archive",
+        ".pytest_cache",
+        ".ruff_cache",
+    }
+    results: set[Path] = set()
+    for path in project_dir.rglob("*"):
+        if any(part in _skip for part in path.parts):
+            continue
+        if not path.is_file():
+            continue
+        rel = str(path.relative_to(project_dir))
+        if any(
+            fnmatch.fnmatch(rel, p) or fnmatch.fnmatch(path.name, p) for p in patterns
+        ):
+            results.add(path.resolve())
+    return sorted(results)

agent_harness/init/diagnostic.py

@@ -0,0 +1,69 @@
+"""Diagnostic display for init command."""
+
+from __future__ import annotations
+
+from pathlib import Path
+
+import click
+
+from agent_harness.preset import ToolInfo
+from agent_harness.runner import tool_available
+from agent_harness.setup_check import SetupIssue
+
+
+def display_setup_issues(
+    preset_name: str,
+    issues: list[SetupIssue],
+    tools: list[ToolInfo],
+    project_dir: Path,
+) -> tuple[int, int, int]:
+    """Display setup check results. Returns (critical_count, recommendation_count, fixable_count)."""
+    click.echo(f"\n  {preset_name}:")
+
+    critical_count = 0
+    recommendation_count = 0
+    fixable_count = 0
+
+    for issue in issues:
+        if issue.severity == "critical":
+            suffix = " (fixable)" if issue.fixable else ""
+            click.echo(f"    \u2717 {issue.file}: {issue.message}    critical{suffix}")
+            critical_count += 1
+            if issue.fixable:
+                fixable_count += 1
+        else:
+            click.echo(f"    ~ {issue.file}: {issue.message}    recommendation")
+            recommendation_count += 1
+
+    for tool in tools:
+        available = tool_available(tool.binary, project_dir)
+        if available:
+            click.echo(f"    \u2713 {tool.name} installed")
+        else:
+            click.echo(f"    \u2717 {tool.name} not installed    ({tool.install_hint})")
+            critical_count += 1
+
+    return critical_count, recommendation_count, fixable_count
+
+
+def display_summary(
+    critical: int, recommendations: int, fixable: int, missing_files: int
+) -> None:
+    """Display final summary line."""
+    parts = []
+    if critical:
+        fix_note = f" ({fixable} fixable)" if fixable else ""
+        parts.append(f"{critical} critical{fix_note}")
+    if recommendations:
+        parts.append(
+            f"{recommendations} recommendation{'s' if recommendations != 1 else ''}"
+        )
+    if missing_files:
+        parts.append(
+            f"{missing_files} file{'s' if missing_files != 1 else ''} to create"
+        )
+
+    if parts:
+        click.echo(f"\n  {', '.join(parts)}.")
+    else:
+        click.echo("\n  All checks passed.")