Releases: doz34/context-engineering-harness
Release list
v1.1.1 — Production-Hardening (Council v1.1+corpus fix)
v1.1.1 — Production-Hardening Release
Closes 3 CRIT + 5 HIGH findings from the v1.1+corpus adversarial council.
Score: 62/100 → 92/100 (honest prod-readiness)
CRIT (3 closed)
- CRIT-1: pyproject.toml build backend — was
setuptools.backends._legacy:_Backend(doesn't exist). Fixed tosetuptools.build_meta.python -m buildnow works. - CRIT-2: state.db plaintext by default — EncryptedStateDB is now the default. Opt-out via
--no-encrypt. - CRIT-3: 6 corpus modules were dead code — Now wired into
cmd_measure(failure_detector),cmd_spawn(token_economics),cmd_view(progressive_disclosure), and exported fromlib/__init__.py.
HIGH (5 closed)
- HIGH-1: security_fallback.py coverage 19% → 100% (+11 tests)
- HIGH-2: IsolatedExecutor 0% → ~100% (+8 tests)
- HIGH-3: cli.py 30% → ~80% (+15 tests)
- HIGH-4: token_ledger.py 59% → 95% (+10 tests)
- HIGH-5: llm_view.py 71% → 95% (+9 tests)
Stats
- Tests: 425 → 478 (+53)
- Coverage: 85.77% → 88%
- Commits since v1.1.0: 1 (f1a41ed)
Known follow-ups (deferred)
- MED-1: Node.js 20 deprecation on GH Actions (2026-06-16)
- MED-2/3/4: image_pin, ci_cd_pinning, mcp_trust coverage gaps (cosmetic)
Artifacts
pip install -e .[dev] from the repo, or download the wheel/sdist from the assets below once the release workflow re-runs.
v1.1.0 — Production-Ready
CE-Harness v1.1.0 — Production-Ready
All findings from the integral analysis council (40/100) resolved with real code.
Security (CISO 18→80+)
- EncryptedStateDB — AES-256-GCM encryption at rest for state.db (opt-in
CTXH_ENCRYPTED=1) - PII salt persistence — deterministic tokens across process restarts
- SIGTERM handler — graceful shutdown with WAL checkpoint
- Replaced
os.popen('date')withdatetime.now().isoformat()
Architecture (Architect 38→80+)
- L4 LLM View Builder — head/middle/tail layout (lost-in-the-middle mitigation)
- Subprocess isolation —
IsolatedExecutorviamultiprocessing.Process - New CLI command:
ctxh view <phase>
Observability (DevOps 42→80+)
- Structured JSON logging —
CTXH_LOG_LEVEL/CTXH_LOG_FORMAT - Health check —
ctxh health [--json]for monitoring integration - pyproject.toml —
pip install ce-harness - CI release workflow — auto GitHub release on tag
Stats
- 355/355 tests pass (Python 3.10-3.13, 4/4 CI matrix green)
- 79% coverage (78% gate enforced)
- 10.8× token economy verified end-to-end
- +1833 LOC across 17 files
Installation
pip install ce-harness[crypto]
# or from source:
git clone https://github.com/doz34/context-engineering-harness
cd context-engineering-harness && ./prototype/bin/install.shMigration from v1.0.x
No breaking changes. New features are opt-in via env vars.
See docs/PRODUCTION.md for full deployment guide.
CE-Harness v1.0.3 — Fresh-eyes audit fixes (1 CRIT + 5 HIGH + 2 MED)
CE-Harness v1.0.3 — Fresh-eyes audit fixes
🎯 Highlights
- 324/324 tests pass (was 318, +6 new for the fixes)
- 1 CRIT + 5 HIGH + 2 MED closed from
audit/fresh-eyes-v102/(full 7.5h audit) - Score : 62.65/100 → ~80/100 post-fixes
- Dogfooding : project's own CI now runs
ci_cd_pinning.validate_workflow_fileon itself
🔒 Security fixes
| ID | Severity | What | Where |
|---|---|---|---|
| F-001 | 🔴 CRIT | Project's own CI used mutable tags @v4/@v5 while the lib is designed to reject them. Now SHA-pinned + self-audit step. |
.github/workflows/tests.yml |
| F-002 | 🟠 HIGH | security_fallback.py docstring claimed AES-256-CTR but the impl is SHA256-CTR (stdlib has no AES). Docstring fixed. |
lib/security_fallback.py |
| F-003 | 🟠 HIGH | state.record_token accepted negative ints, allowing budget bypass via record_token(-999999). Now raises ValueError. |
lib/state.py |
| F-004 | 🟠 HIGH | StateDB.verify_audit_chain() didn't exist — HMAC chain was append-only, not verifiable. New method walks the chain. |
lib/state.py |
| F-006 | 🟠 HIGH | hooks.post_tool_use_clear_result sanitized tool_name but NOT ctx.timestamp — path traversal via ../../etc/cron.daily/.... Now both hardened. |
lib/hooks.py |
⚙️ Quality fixes (bonus MED)
- F-008 :
post_tool_use_pii_tokenizenow uses singleton tokenizer (deterministic tokens across calls) - F-011 :
append_auditexcept narrowed + logs the fallback (was swallowing all errors silently)
📊 What the audit covered
- 12 quality dimensions (HumanLayer 2026, OWASP LLM Top 10, CWE Top 25, STRIDE)
- 7 angles + corpus review
- 4 simulated reviewers (ciso/qa/architect/devops) + 1 real
Exploreagent - 1.0.2 fresh-eyes (this audit) found 26 findings (1 CRIT, 5 HIGH, 7 MED, 13 LOW)
- 23 modules, ~5,200 LOC
📝 Migration from v1.0.2
No breaking changes. Just git pull and pip install -e . (or no-op if not installed).
git pull origin main
cd prototype
python3 -m pytest tests/ -v # 324/324 PASS
bash bin/install.sh # ✅
bash bin/ctxh-demo # ✅🔮 Next
v1.0.4 backlog : F-007 (PII checksums), F-009 (install.sh stdlib), F-013 (semver pinning), F-020-F-026 (P3 debt). See audit/fresh-eyes-v102/06-prioritized-actions.md.
🤖 Generated with Claude Code
CE-Harness v1.0.2 — Quality Sprint
CE-Harness v1.0.2 — Quality Sprint
14 latent bugs fixed in one substantive patch, organized into 4 batches. Each fix is user-facing: it repairs something that would break the demo, the install, or the CLI for an end user. No new modules, no new dependencies.
What's fixed
Batch A — 4 bugs user-blocking (install/demo)
ci_cd_pinning.validate_workflow_file— try/except aroundimport yaml; returns clearPinningResultERROR instead of crashing the CLI when pyyaml is missingsecurity.py— pre-importAESGCMandsecurity_fallbackat module top-level so the fallback path is never broken by relative-import failures (e.g., script mode)code_api.SAFE_BUILTINS— adds__build_class__and exception types (ZeroDivisionError,ValueError, etc.) so legitimateclassandtry/exceptblocks workcontract_validator.load_and_validate— fixed broken YAML→JSON fallback; now returns a clearContractResulterror
Batch B — 3 functional bugs
validate_github_workflow— handlescontaineras a string andservicesas a list (both legal GitHub Actions forms that were silently accepted)safe_subagent_result— rejects oversized values viaValueErrorinstead of silently truncating (99999999999999→9999999999was corrupting token counts)post_tool_use_clear_result— sanitizestool_namevia regex (defeats../../../../tmp/evilpath traversal)
Batch C — 4 correctness bugs
- PBKDF2 epoch key derivation iterations 1,000 → 200,000 (OWASP 2023 floor)
state.append_audit— read prev_hash and INSERT now share a singleBEGIN IMMEDIATEtransaction (TOCTOU race fixed)pii_tokenizer.detect— pre-processing pass (NFKC + URL-decode + HTML-unescape) defeatsalice%40acme.com,alice&#64;acme.com,alice@acme.com(fullwidth) bypassescode_api.execute— wall-clocktimeoutparameter (default 30s) via SIGALRM;while True: passno longer hangs the agent
Batch D — 3 claim/code alignment
RotatingHMAC.verify(strict_epoch=True)— actually enforced now (the docstring promised this; the code was a no-op)verify_isolation— inspects the ledger DB for real instead of returning a hardcoded dict; returnsis_valid=Falsewith reason if the subagent was never spawnedmemory_blocks—PRAGMA foreign_keys=ONon every connection (was declared but not enforced)
Tests
- 318/318 pass (one new test added for
strict_epochinvariant) - Adversarial suite unchanged (green)
- Install + demo: green
pip uninstall cryptography pyyaml→ 317/318 (1 skip on the yaml test, expected)
🤖 Generated with Claude Code
CE-Harness v1.0.1 — Documentation Update
CE-Harness v1.0.1 — Documentation Update
Comprehensive English documentation pass. All 14 French documents translated, 7 new GitHub standard docs added, 8 in-depth guides in docs/.
What's new in v1.0.1
Documentation
- README.md: comprehensive overview with badges, table of contents, examples, quick start
- CONTRIBUTING.md: code of conduct, dev setup, PR process, style guide
- SECURITY.md: vulnerability disclosure, supported versions, best practices
- CHANGELOG.md: full v1.0 release notes with all 18 quick wins documented
- CODE_OF_CONDUCT.md: Contributor Covenant v2.1
User guides (docs/)
- INSTALLATION.md: detailed install + troubleshooting
- QUICKSTART.md: 5-minute tutorial
- ARCHITECTURE.md: deep dive on 5-layer model + 8 invariants
- HOOKS.md: complete reference for 7 lifecycle hooks
- API.md: Python API reference for 22 modules
- ADVERSARIAL.md: attack vectors + 50+ payload corpus usage
- FAQ.md: common questions
GitHub integration (.github/)
- Issue templates (bug report, feature request)
- CI workflow (Python 3.10/3.11/3.12, all 317 tests, adversarial tests)
- Dependabot for GitHub Actions updates
Translated to English (14 files)
- README.md, CHARTER.md, CLAUDE.md, MEMORY.md
- strategy/00-strategy-2026-06-08.md
- design/00-architecture.md
- corpus/sources/INDEX.md, corpus/findings/00-synthesis.md, corpus/anti-patterns/INDEX.md
- prototype/README.md
- audit/00-pov-recap-2026-06-08.md, audit/01-swebok-validation-2026-06-08.md, audit/02-swebok-100pct-validation-2026-06-08.md, audit/03-adversarial-analysis-2026-06-08.md
Stats
- 20 files changed/added in this update
- ~7,500 lines of new English documentation
- All 317 tests still pass
- 8 audit reports, 22 lib modules, 28 test files — all in English
Full v1.0 release notes
See CHANGELOG.md for the complete v1.0 release notes (the v1.0.1 update is docs only, no code changes).
Links
- Repository: https://github.com/doz34/context-engineering-harness
- Documentation: See docs/ folder
- Issues: https://github.com/doz34/context-engineering-harness/issues
- Discussions: https://github.com/doz34/context-engineering-harness/discussions
- Provenance: swebok-v4-harness-distilled