harness-scorecard 1.0.0__tar.gz

harness_scorecard-1.0.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Saagar Patel
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

harness_scorecard-1.0.0/PKG-INFO

@@ -0,0 +1,106 @@
+Metadata-Version: 2.4
+Name: harness-scorecard
+Version: 1.0.0
+Summary: A read-only linter and A-F maturity grader for coding-agent harnesses (Claude Code, Codex).
+Keywords: claude-code,codex,coding-agent,harness,linter,sarif,security,static-analysis,supply-chain
+Author: Saagar Patel
+License-Expression: MIT
+License-File: LICENSE
+Classifier: Development Status :: 4 - Beta
+Classifier: Environment :: Console
+Classifier: Intended Audience :: Developers
+Classifier: Operating System :: OS Independent
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: Security
+Classifier: Topic :: Software Development :: Quality Assurance
+Classifier: Typing :: Typed
+Requires-Python: >=3.12
+Project-URL: Homepage, https://github.com/saagpatel/harness-scorecard
+Project-URL: Repository, https://github.com/saagpatel/harness-scorecard
+Project-URL: Issues, https://github.com/saagpatel/harness-scorecard/issues
+Description-Content-Type: text/markdown
+
+# Harness Scorecard
+
+A read-only linter and **A–F maturity grader for coding-agent harnesses**. Point it at a
+Claude Code or Codex setup — Claude Code's hooks, `permissions`, `rules/*.md`, agents, and
+`CLAUDE.md`, or Codex's `config.toml` (sandbox, approval policy, trust levels), `hooks.json`,
+and `AGENTS.md` — and it returns a graded scorecard: the overall maturity grade, the specific
+gaps, and the guards that are missing, each with rationale. The harness type is auto-detected.
+
+"Harness engineering" became a named discipline in 2026 and everyone is assembling harnesses
+with no way to tell if theirs is any good. The rubric is the product: every check traces to a
+**documented red-team failure mode**, not generic advice.
+
+## What makes the grade real
+
+Most config "linters" credit a harness for declaring a rule. This one models the *effective*
+enforcement floor. The headline example:
+
+> `autoMode.hard_deny` is **inert** when `permissions.defaultMode == "bypassPermissions"`.
+
+A naive scorer reads a rich `hard_deny` block and awards an A. Harness Scorecard reads the
+mode, discounts the inert block, and grades against what actually fires — `permissions.deny`
+globs plus the PreToolUse hooks. See [`docs/rubric.md`](docs/rubric.md) for the full model,
+including **capability gates** that cap the grade when a critical hole is present (you can't
+score an A with readable credentials, no matter how many cheap checks pass).
+
+## Usage
+
+```bash
+# Grade a harness directory (e.g. your ~/.claude)
+harness-scorecard scan ~/.claude
+
+# JSON for tooling, plus a self-contained HTML scorecard
+harness-scorecard scan ~/.claude --format json --html scorecard.html
+
+# SARIF 2.1.0 for CI / GitHub code scanning, failing the run below grade C
+harness-scorecard scan ~/.claude --sarif harness.sarif --min-grade C
+```
+
+`--min-grade {A,B,C,D,F}` sets the bar (default `B`). Exit codes: `0` meets the bar ·
+`1` below the bar · `2` no harness found.
+
+## GitHub Action
+
+Grade your harness in CI and upload the findings to code scanning:
+
+```yaml
+- uses: saagpatel/harness-scorecard@v1
+  with:
+    path: .claude
+    min-grade: B
+```
+
+The action writes SARIF and uploads it (requires `security-events: write`) **even when the grade
+fails the build**, so findings always reach code scanning. A complete workflow — permissions,
+weekly scheduling, SARIF upload — is in [`examples/github-workflow.yml`](examples/github-workflow.yml).
+
+## Guarantees
+
+- **Read-only.** It never writes to the harness it audits.
+- **Privacy-preserving.** All output redacts secrets, tokens, emails, and absolute home
+  paths. Nothing leaves the machine.
+- **Dependency-free runtime.** The scorer ships stdlib-only — a tool that grades
+  supply-chain hygiene should carry the smallest surface itself.
+
+## Scope (v1)
+
+Implements **all ten rubric dimensions** end-to-end for **both Claude Code and Codex**: secret
+protection, egress/exfiltration control, tool-surface & inbound-injection defense,
+destructive-action & git safety, harness self-protection & integrity, verification gates,
+subagent isolation & governance, recovery/rollback safety, memory/provenance hygiene, and
+observability/audit trail (the critical gated trio is D1/D4/D5). Each harness has its own
+adapter and check suite over the shared scoring engine; the bypass-aware effective floor maps
+to Codex's `sandbox_mode = "danger-full-access"` + `approval_policy = "never"` just as it does
+to Claude Code's `bypassPermissions`. The rubric is versioned and emitted in every report.
+
+## Development
+
+```bash
+uv sync --frozen                                      # install dev tooling from the lockfile
+uv run --no-sync python -m unittest discover -s tests # tests (stdlib runner, zero extra deps)
+uv run --no-sync ruff check src/ tests/               # lint
+uv run --no-sync ty check src/                        # type check
+```

harness_scorecard-1.0.0/README.md

@@ -0,0 +1,83 @@
+# Harness Scorecard
+
+A read-only linter and **A–F maturity grader for coding-agent harnesses**. Point it at a
+Claude Code or Codex setup — Claude Code's hooks, `permissions`, `rules/*.md`, agents, and
+`CLAUDE.md`, or Codex's `config.toml` (sandbox, approval policy, trust levels), `hooks.json`,
+and `AGENTS.md` — and it returns a graded scorecard: the overall maturity grade, the specific
+gaps, and the guards that are missing, each with rationale. The harness type is auto-detected.
+
+"Harness engineering" became a named discipline in 2026 and everyone is assembling harnesses
+with no way to tell if theirs is any good. The rubric is the product: every check traces to a
+**documented red-team failure mode**, not generic advice.
+
+## What makes the grade real
+
+Most config "linters" credit a harness for declaring a rule. This one models the *effective*
+enforcement floor. The headline example:
+
+> `autoMode.hard_deny` is **inert** when `permissions.defaultMode == "bypassPermissions"`.
+
+A naive scorer reads a rich `hard_deny` block and awards an A. Harness Scorecard reads the
+mode, discounts the inert block, and grades against what actually fires — `permissions.deny`
+globs plus the PreToolUse hooks. See [`docs/rubric.md`](docs/rubric.md) for the full model,
+including **capability gates** that cap the grade when a critical hole is present (you can't
+score an A with readable credentials, no matter how many cheap checks pass).
+
+## Usage
+
+```bash
+# Grade a harness directory (e.g. your ~/.claude)
+harness-scorecard scan ~/.claude
+
+# JSON for tooling, plus a self-contained HTML scorecard
+harness-scorecard scan ~/.claude --format json --html scorecard.html
+
+# SARIF 2.1.0 for CI / GitHub code scanning, failing the run below grade C
+harness-scorecard scan ~/.claude --sarif harness.sarif --min-grade C
+```
+
+`--min-grade {A,B,C,D,F}` sets the bar (default `B`). Exit codes: `0` meets the bar ·
+`1` below the bar · `2` no harness found.
+
+## GitHub Action
+
+Grade your harness in CI and upload the findings to code scanning:
+
+```yaml
+- uses: saagpatel/harness-scorecard@v1
+  with:
+    path: .claude
+    min-grade: B
+```
+
+The action writes SARIF and uploads it (requires `security-events: write`) **even when the grade
+fails the build**, so findings always reach code scanning. A complete workflow — permissions,
+weekly scheduling, SARIF upload — is in [`examples/github-workflow.yml`](examples/github-workflow.yml).
+
+## Guarantees
+
+- **Read-only.** It never writes to the harness it audits.
+- **Privacy-preserving.** All output redacts secrets, tokens, emails, and absolute home
+  paths. Nothing leaves the machine.
+- **Dependency-free runtime.** The scorer ships stdlib-only — a tool that grades
+  supply-chain hygiene should carry the smallest surface itself.
+
+## Scope (v1)
+
+Implements **all ten rubric dimensions** end-to-end for **both Claude Code and Codex**: secret
+protection, egress/exfiltration control, tool-surface & inbound-injection defense,
+destructive-action & git safety, harness self-protection & integrity, verification gates,
+subagent isolation & governance, recovery/rollback safety, memory/provenance hygiene, and
+observability/audit trail (the critical gated trio is D1/D4/D5). Each harness has its own
+adapter and check suite over the shared scoring engine; the bypass-aware effective floor maps
+to Codex's `sandbox_mode = "danger-full-access"` + `approval_policy = "never"` just as it does
+to Claude Code's `bypassPermissions`. The rubric is versioned and emitted in every report.
+
+## Development
+
+```bash
+uv sync --frozen                                      # install dev tooling from the lockfile
+uv run --no-sync python -m unittest discover -s tests # tests (stdlib runner, zero extra deps)
+uv run --no-sync ruff check src/ tests/               # lint
+uv run --no-sync ty check src/                        # type check
+```

harness_scorecard-1.0.0/pyproject.toml

@@ -0,0 +1,97 @@
+[project]
+name = "harness-scorecard"
+version = "1.0.0"
+description = "A read-only linter and A-F maturity grader for coding-agent harnesses (Claude Code, Codex)."
+readme = "README.md"
+license = "MIT"
+license-files = ["LICENSE"]
+authors = [{ name = "Saagar Patel" }]
+requires-python = ">=3.12"
+keywords = [
+    "claude-code",
+    "codex",
+    "coding-agent",
+    "harness",
+    "linter",
+    "sarif",
+    "security",
+    "static-analysis",
+    "supply-chain",
+]
+classifiers = [
+    "Development Status :: 4 - Beta",
+    "Environment :: Console",
+    "Intended Audience :: Developers",
+    "Operating System :: OS Independent",
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3.12",
+    "Topic :: Security",
+    "Topic :: Software Development :: Quality Assurance",
+    "Typing :: Typed",
+]
+# Runtime is intentionally dependency-free: stdlib only.
+# A scorer that grades supply-chain hygiene should carry the smallest
+# possible dependency surface itself. Dev tooling lives in [dependency-groups].
+dependencies = []
+
+[project.urls]
+Homepage = "https://github.com/saagpatel/harness-scorecard"
+Repository = "https://github.com/saagpatel/harness-scorecard"
+Issues = "https://github.com/saagpatel/harness-scorecard/issues"
+
+[project.scripts]
+harness-scorecard = "harness_scorecard.cli:main"
+
+[build-system]
+requires = ["uv_build>=0.11.13,<0.12.0"]
+build-backend = "uv_build"
+
+# Dev tooling is declared here but installed via an approval-gated `uv add`.
+# Tests run on the stdlib (`unittest`) until pytest is approved; the suite is
+# written as unittest.TestCase classes so pytest discovers it unchanged.
+[dependency-groups]
+dev = [{ include-group = "lint" }, { include-group = "test" }]
+lint = ["ruff", "ty"]
+test = ["pytest", "pytest-cov"]
+
+[tool.ruff]
+line-length = 100
+target-version = "py312"
+
+[tool.ruff.lint]
+select = ["ALL"]
+ignore = [
+    "D",            # docstring style — handled case-by-case
+    "COM812",       # trailing comma — conflicts with the formatter
+    "ISC001",       # implicit string concat — conflicts with the formatter
+    "ANN401",       # Any is legitimate at the raw-JSON parsing boundary
+    "PLR0913",      # keyword-only config params (effective_block) read clearly
+    "TC001",        # avoid TYPE_CHECKING-block ceremony in small modules
+    "TC002",
+    "TC003",
+]
+
+[tool.ruff.lint.per-file-ignores]
+# Tests use unittest.TestCase deliberately (stdlib-runnable, zero extra deps).
+"tests/**" = [
+    "S101",         # asserts are the point of tests
+    "PLR2004",      # magic values in assertions are fine
+    "ANN",          # test signatures need no annotations
+    "SLF001",       # tests may touch private members
+    "PT009",        # unittest-style assertEqual is intentional here
+    "PT027",        # unittest-style assertRaises is intentional here
+    "INP001",       # tests/ is intentionally not an importable package
+    "N802",         # setUp / tearDown are the unittest API
+    "S108",         # fixture configs use placeholder /tmp roots that are never written
+]
+"src/harness_scorecard/cli.py" = ["T201"]  # print is the CLI's output channel
+
+[tool.pytest.ini_options]
+testpaths = ["tests"]
+addopts = ["--import-mode=importlib"]
+
+[tool.ty.environment]
+python-version = "3.12"
+
+[tool.ty.terminal]
+error-on-warning = true

harness_scorecard-1.0.0/src/harness_scorecard/__init__.py

@@ -0,0 +1,5 @@
+"""Harness Scorecard: a read-only A-F maturity grader for coding-agent harnesses."""
+
+from harness_scorecard.models import RUBRIC_VERSION
+
+__all__ = ["RUBRIC_VERSION"]

harness_scorecard-1.0.0/src/harness_scorecard/checks/__init__.py

@@ -0,0 +1,36 @@
+"""Check registry: assembles every dimension's checks into one ordered list."""
+
+from __future__ import annotations
+
+from harness_scorecard.checks import (
+    destructive_git,
+    egress,
+    observability,
+    provenance,
+    recovery,
+    secret_protection,
+    self_protection,
+    subagent_isolation,
+    tool_surface,
+    verification,
+)
+from harness_scorecard.checks.base import DIMENSIONS, Check, Dimension
+
+# Order = dimension order in the rubric. New dimension modules append here as they land.
+ALL_CHECKS: list[Check] = [
+    *secret_protection.CHECKS,
+    *egress.CHECKS,
+    *tool_surface.CHECKS,
+    *destructive_git.CHECKS,
+    *self_protection.CHECKS,
+    *verification.CHECKS,
+    *subagent_isolation.CHECKS,
+    *recovery.CHECKS,
+    *provenance.CHECKS,
+    *observability.CHECKS,
+]
+
+# Dimensions that actually have checks this version (used to report coverage honestly).
+IMPLEMENTED_DIMENSION_IDS: list[str] = list(dict.fromkeys(check.dimension for check in ALL_CHECKS))
+
+__all__ = ["ALL_CHECKS", "DIMENSIONS", "IMPLEMENTED_DIMENSION_IDS", "Check", "Dimension"]

harness_scorecard-1.0.0/src/harness_scorecard/checks/base.py

@@ -0,0 +1,149 @@
+"""Check abstraction, the dimension catalog, and the effective-enforcement helper.
+
+A :class:`Check` pairs immutable rubric metadata (id, weight, gate status) with an
+``evaluate`` function that inspects a :class:`HarnessConfig` and returns a status. The
+effective-floor helper (:func:`effective_block`) centralizes the bypass-aware rule so every
+destructive-action check enforces it identically.
+"""
+
+from __future__ import annotations
+
+from collections.abc import Callable, Iterable, Sequence
+from dataclasses import dataclass, field
+
+from harness_scorecard.discovery import HarnessConfig
+from harness_scorecard.models import (
+    CheckResult,
+    Detectability,
+    Grade,
+    Severity,
+    Status,
+)
+
+
+@dataclass(frozen=True, slots=True)
+class Dimension:
+    id: str
+    name: str
+    weight: int
+
+
+# The full rubric catalog (all ten dimensions). Scoring runs over whichever dimensions
+# have registered checks; the rest are reported as specced-but-pending.
+DIMENSIONS: dict[str, Dimension] = {
+    "D1": Dimension("D1", "Secret protection & credential isolation", 5),
+    "D2": Dimension("D2", "Egress / exfiltration control", 4),
+    "D3": Dimension("D3", "Tool-surface & inbound-injection defense", 4),
+    "D4": Dimension("D4", "Destructive-action & git safety", 5),
+    "D5": Dimension("D5", "Harness self-protection & integrity", 5),
+    "D6": Dimension("D6", "Verification gates", 3),
+    "D7": Dimension("D7", "Subagent isolation & governance", 3),
+    "D8": Dimension("D8", "Recovery / rollback safety", 2),
+    "D9": Dimension("D9", "Memory / provenance hygiene", 2),
+    "D10": Dimension("D10", "Observability / audit trail", 2),
+}
+
+
+@dataclass(slots=True)
+class CheckOutcome:
+    """The mutable result of evaluating a check: status + human-readable rationale."""
+
+    status: Status
+    message: str
+    evidence: list[str] = field(default_factory=list)
+
+
+def passed(message: str, evidence: Iterable[str] = ()) -> CheckOutcome:
+    return CheckOutcome(Status.PASS, message, list(evidence))
+
+
+def partial(message: str, evidence: Iterable[str] = ()) -> CheckOutcome:
+    return CheckOutcome(Status.PARTIAL, message, list(evidence))
+
+
+def failed(message: str, evidence: Iterable[str] = ()) -> CheckOutcome:
+    return CheckOutcome(Status.FAIL, message, list(evidence))
+
+
+def not_applicable(message: str, evidence: Iterable[str] = ()) -> CheckOutcome:
+    """A check that does not apply to this harness; excluded from the dimension denominator."""
+    return CheckOutcome(Status.NOT_APPLICABLE, message, list(evidence))
+
+
+@dataclass(frozen=True, slots=True)
+class Check[ConfigT]:
+    """A single rubric check: metadata plus an evaluation function.
+
+    Generic over the harness config it inspects (``HarnessConfig`` for Claude Code,
+    ``CodexConfig`` for Codex) so the rubric metadata, ``run()``, and the dimension catalog
+    are shared across adapters while each check only sees the config shape it understands.
+    """
+
+    id: str
+    dimension: str
+    title: str
+    weight: int
+    evaluate: Callable[[ConfigT], CheckOutcome]
+    severity: Severity = Severity.MEDIUM
+    detectability: Detectability = Detectability.STATIC
+    is_gate: bool = False
+    gate_cap: Grade | None = None
+    remediation: str = ""
+
+    def run(self, config: ConfigT) -> CheckResult:
+        outcome = self.evaluate(config)
+        return CheckResult(
+            id=self.id,
+            dimension=self.dimension,
+            title=self.title,
+            status=outcome.status,
+            weight=self.weight,
+            message=outcome.message,
+            severity=self.severity,
+            detectability=self.detectability,
+            is_gate=self.is_gate,
+            gate_cap=self.gate_cap,
+            remediation=self.remediation,
+            evidence=outcome.evidence,
+        )
+
+
+@dataclass(slots=True)
+class EffectiveFloor:
+    """Whether a protection is present in the *effective* enforcement floor (rubric §3)."""
+
+    blocked: bool
+    sources: list[str]
+
+
+def hard_deny_covers(config: HarnessConfig, token_groups: Sequence[Sequence[str]]) -> bool:
+    """True only if ``hard_deny`` is effective AND some rule matches an AND-group of tokens."""
+    if not config.hard_deny_effective:
+        return False
+    rules = [rule.lower() for rule in config.hard_deny]
+    return any(all(token in rule for token in group) for group in token_groups for rule in rules)
+
+
+def effective_block(
+    config: HarnessConfig,
+    *,
+    hooks: Sequence[str] = (),
+    deny_needles: Sequence[str] = (),
+    hard_deny_tokens: Sequence[Sequence[str]] = (),
+    event: str = "PreToolUse",
+    matcher: str | None = "Bash",
+) -> EffectiveFloor:
+    """Resolve whether an action is blocked by the effective floor.
+
+    The floor counts a guard present if any of: a registered hook matches; a
+    ``permissions.deny`` entry matches; or an effective (non-bypass) ``hard_deny`` rule
+    matches. A ``hard_deny`` rule under bypass mode contributes nothing.
+    """
+    sources: list[str] = [
+        f"hook:{hook_name}" for hook_name in hooks if config.has_hook(event, hook_name, matcher)
+    ]
+    if any(config.deny_matches(needle) for needle in deny_needles):
+        sources.append("permissions.deny")
+    if hard_deny_covers(config, hard_deny_tokens):
+        sources.append("hard_deny")
+    return EffectiveFloor(blocked=bool(sources), sources=sources)

harness_scorecard-1.0.0/src/harness_scorecard/checks/destructive_git.py

@@ -0,0 +1,148 @@
+"""D4 - Destructive-action & git safety.
+
+Every block check here resolves against the *effective* enforcement floor, so a guard that
+exists only in an inert ``hard_deny`` block under bypass mode scores as absent.
+"""
+
+from __future__ import annotations
+
+from harness_scorecard.checks.base import (
+    Check,
+    CheckOutcome,
+    effective_block,
+    failed,
+    partial,
+    passed,
+)
+from harness_scorecard.discovery import HarnessConfig
+from harness_scorecard.models import Detectability, Grade, Severity
+
+
+def _bypass_note(config: HarnessConfig) -> list[str]:
+    if config.is_bypass:
+        return ["defaultMode=bypassPermissions: autoMode.hard_deny is INERT"]
+    return []
+
+
+def _check_push_to_protected_branch(config: HarnessConfig) -> CheckOutcome:
+    floor = effective_block(
+        config,
+        hooks=("git-safety", "git-guard", "protect-branch"),
+        deny_needles=("push origin main", "push origin master", "git push"),
+        hard_deny_tokens=(("push", "main"), ("push", "master")),
+    )
+    if floor.blocked:
+        return passed(
+            "Push to a protected branch is blocked by the effective floor.",
+            evidence=floor.sources,
+        )
+    return failed(
+        "Push to main/master is not blocked by any effective guard.",
+        evidence=[*_bypass_note(config), "no git-safety hook or deny entry found"],
+    )
+
+
+def _check_catastrophic_deletion(config: HarnessConfig) -> CheckOutcome:
+    floor = effective_block(
+        config,
+        hooks=("block-dangerous-cmds", "defer-destructive", "dangerous"),
+        deny_needles=("rm -rf /", "rm -rf ~", "rm -rf /*"),
+        hard_deny_tokens=(("rm -rf",),),
+    )
+    if floor.blocked:
+        return passed("Catastrophic deletion is blocked by the effective floor.", floor.sources)
+    return failed(
+        "No effective guard against catastrophic rm -rf deletion.",
+        evidence=_bypass_note(config),
+    )
+
+
+def _check_destructive_db(config: HarnessConfig) -> CheckOutcome:
+    floor = effective_block(
+        config,
+        hooks=("db-guard", "database-guard"),
+        deny_needles=(),
+        hard_deny_tokens=(("destructive", "db"), ("database",), ("db", "host")),
+    )
+    if floor.blocked:
+        return passed("Destructive DB operations are guarded.", floor.sources)
+    return failed(
+        "No effective guard against destructive DB operations on non-local hosts.",
+        evidence=_bypass_note(config),
+    )
+
+
+def _check_dependency_install_gate(config: HarnessConfig) -> CheckOutcome:
+    if config.has_hook("PreToolUse", "confirm-token", matcher="Bash") or config.has_hook(
+        "PreToolUse", "lockfile-freeze", matcher="Bash"
+    ):
+        return passed("Dependency installs require a confirm-token / lockfile freeze.")
+    return failed("No gate on dependency installs; unvetted packages can be pulled in.")
+
+
+def _check_force_push_policy(config: HarnessConfig) -> CheckOutcome:
+    if config.has_hook("PreToolUse", "git-safety", matcher="Bash"):
+        return passed("A git-safety hook covers force-push / history-rewrite.")
+    if any(("force" in rule.lower() or "git-safety" in rule.lower()) for rule in config.rule_files):
+        return partial(
+            "Force-push policy is documented in rules/ but not enforced by a hook.",
+            evidence=["advisory only"],
+        )
+    return failed("No force-push / history-rewrite guard or documented policy.")
+
+
+CHECKS: list[Check] = [
+    Check(
+        id="HS-D4-01",
+        dimension="D4",
+        title="Push to protected branch effectively blocked",
+        weight=5,
+        evaluate=_check_push_to_protected_branch,
+        severity=Severity.CRITICAL,
+        is_gate=True,
+        gate_cap=Grade.C,
+        remediation=(
+            "Block push to main/master via a PreToolUse Bash hook or a deny entry "
+            "(not hard_deny alone under bypass)."
+        ),
+    ),
+    Check(
+        id="HS-D4-02",
+        dimension="D4",
+        title="Catastrophic deletion blocked",
+        weight=4,
+        evaluate=_check_catastrophic_deletion,
+        severity=Severity.HIGH,
+        remediation="Add a dangerous-command hook and deny rm -rf at shallow depth.",
+    ),
+    Check(
+        id="HS-D4-03",
+        dimension="D4",
+        title="Destructive DB ops on non-local hosts blocked",
+        weight=4,
+        evaluate=_check_destructive_db,
+        severity=Severity.HIGH,
+        remediation=(
+            "Add a PreToolUse Bash db-guard hook that blocks destructive ops on non-local hosts."
+        ),
+    ),
+    Check(
+        id="HS-D4-04",
+        dimension="D4",
+        title="Dependency-install / lockfile gate",
+        weight=3,
+        evaluate=_check_dependency_install_gate,
+        severity=Severity.MEDIUM,
+        remediation="Require a confirm-token for *-add/install, or add a lockfile-freeze guard.",
+    ),
+    Check(
+        id="HS-D4-05",
+        dimension="D4",
+        title="Force-push / history-rewrite policy",
+        weight=3,
+        evaluate=_check_force_push_policy,
+        severity=Severity.MEDIUM,
+        detectability=Detectability.PARTIAL,
+        remediation="Enforce a no-force-push policy via the git-safety hook, not docs alone.",
+    ),
+]