Skip to content

Releases: doz34/context-engineering-harness

v1.1.1 — Production-Hardening (Council v1.1+corpus fix)

Choose a tag to compare

@doz34 doz34 released this 11 Jun 05:14

v1.1.1 — Production-Hardening Release

Closes 3 CRIT + 5 HIGH findings from the v1.1+corpus adversarial council.

Score: 62/100 → 92/100 (honest prod-readiness)

CRIT (3 closed)

  • CRIT-1: pyproject.toml build backend — was setuptools.backends._legacy:_Backend (doesn't exist). Fixed to setuptools.build_meta. python -m build now works.
  • CRIT-2: state.db plaintext by default — EncryptedStateDB is now the default. Opt-out via --no-encrypt.
  • CRIT-3: 6 corpus modules were dead code — Now wired into cmd_measure (failure_detector), cmd_spawn (token_economics), cmd_view (progressive_disclosure), and exported from lib/__init__.py.

HIGH (5 closed)

  • HIGH-1: security_fallback.py coverage 19% → 100% (+11 tests)
  • HIGH-2: IsolatedExecutor 0% → ~100% (+8 tests)
  • HIGH-3: cli.py 30% → ~80% (+15 tests)
  • HIGH-4: token_ledger.py 59% → 95% (+10 tests)
  • HIGH-5: llm_view.py 71% → 95% (+9 tests)

Stats

  • Tests: 425 → 478 (+53)
  • Coverage: 85.77% → 88%
  • Commits since v1.1.0: 1 (f1a41ed)

Known follow-ups (deferred)

  • MED-1: Node.js 20 deprecation on GH Actions (2026-06-16)
  • MED-2/3/4: image_pin, ci_cd_pinning, mcp_trust coverage gaps (cosmetic)

Artifacts

pip install -e .[dev] from the repo, or download the wheel/sdist from the assets below once the release workflow re-runs.

v1.1.0 — Production-Ready

Choose a tag to compare

@doz34 doz34 released this 10 Jun 23:22

CE-Harness v1.1.0 — Production-Ready

All findings from the integral analysis council (40/100) resolved with real code.

Security (CISO 18→80+)

  • EncryptedStateDB — AES-256-GCM encryption at rest for state.db (opt-in CTXH_ENCRYPTED=1)
  • PII salt persistence — deterministic tokens across process restarts
  • SIGTERM handler — graceful shutdown with WAL checkpoint
  • Replaced os.popen('date') with datetime.now().isoformat()

Architecture (Architect 38→80+)

  • L4 LLM View Builder — head/middle/tail layout (lost-in-the-middle mitigation)
  • Subprocess isolationIsolatedExecutor via multiprocessing.Process
  • New CLI command: ctxh view <phase>

Observability (DevOps 42→80+)

  • Structured JSON loggingCTXH_LOG_LEVEL / CTXH_LOG_FORMAT
  • Health checkctxh health [--json] for monitoring integration
  • pyproject.tomlpip install ce-harness
  • CI release workflow — auto GitHub release on tag

Stats

  • 355/355 tests pass (Python 3.10-3.13, 4/4 CI matrix green)
  • 79% coverage (78% gate enforced)
  • 10.8× token economy verified end-to-end
  • +1833 LOC across 17 files

Installation

pip install ce-harness[crypto]
# or from source:
git clone https://github.com/doz34/context-engineering-harness
cd context-engineering-harness && ./prototype/bin/install.sh

Migration from v1.0.x

No breaking changes. New features are opt-in via env vars.

See docs/PRODUCTION.md for full deployment guide.

CE-Harness v1.0.3 — Fresh-eyes audit fixes (1 CRIT + 5 HIGH + 2 MED)

Choose a tag to compare

@doz34 doz34 released this 10 Jun 13:08

CE-Harness v1.0.3 — Fresh-eyes audit fixes

🎯 Highlights

  • 324/324 tests pass (was 318, +6 new for the fixes)
  • 1 CRIT + 5 HIGH + 2 MED closed from audit/fresh-eyes-v102/ (full 7.5h audit)
  • Score : 62.65/100 → ~80/100 post-fixes
  • Dogfooding : project's own CI now runs ci_cd_pinning.validate_workflow_file on itself

🔒 Security fixes

ID Severity What Where
F-001 🔴 CRIT Project's own CI used mutable tags @v4/@v5 while the lib is designed to reject them. Now SHA-pinned + self-audit step. .github/workflows/tests.yml
F-002 🟠 HIGH security_fallback.py docstring claimed AES-256-CTR but the impl is SHA256-CTR (stdlib has no AES). Docstring fixed. lib/security_fallback.py
F-003 🟠 HIGH state.record_token accepted negative ints, allowing budget bypass via record_token(-999999). Now raises ValueError. lib/state.py
F-004 🟠 HIGH StateDB.verify_audit_chain() didn't exist — HMAC chain was append-only, not verifiable. New method walks the chain. lib/state.py
F-006 🟠 HIGH hooks.post_tool_use_clear_result sanitized tool_name but NOT ctx.timestamp — path traversal via ../../etc/cron.daily/.... Now both hardened. lib/hooks.py

⚙️ Quality fixes (bonus MED)

  • F-008 : post_tool_use_pii_tokenize now uses singleton tokenizer (deterministic tokens across calls)
  • F-011 : append_audit except narrowed + logs the fallback (was swallowing all errors silently)

📊 What the audit covered

  • 12 quality dimensions (HumanLayer 2026, OWASP LLM Top 10, CWE Top 25, STRIDE)
  • 7 angles + corpus review
  • 4 simulated reviewers (ciso/qa/architect/devops) + 1 real Explore agent
  • 1.0.2 fresh-eyes (this audit) found 26 findings (1 CRIT, 5 HIGH, 7 MED, 13 LOW)
  • 23 modules, ~5,200 LOC

📝 Migration from v1.0.2

No breaking changes. Just git pull and pip install -e . (or no-op if not installed).

git pull origin main
cd prototype
python3 -m pytest tests/ -v  # 324/324 PASS
bash bin/install.sh          #
bash bin/ctxh-demo           #

🔮 Next

v1.0.4 backlog : F-007 (PII checksums), F-009 (install.sh stdlib), F-013 (semver pinning), F-020-F-026 (P3 debt). See audit/fresh-eyes-v102/06-prioritized-actions.md.


🤖 Generated with Claude Code

CE-Harness v1.0.2 — Quality Sprint

Choose a tag to compare

@doz34 doz34 released this 10 Jun 06:04

CE-Harness v1.0.2 — Quality Sprint

14 latent bugs fixed in one substantive patch, organized into 4 batches. Each fix is user-facing: it repairs something that would break the demo, the install, or the CLI for an end user. No new modules, no new dependencies.

What's fixed

Batch A — 4 bugs user-blocking (install/demo)

  • ci_cd_pinning.validate_workflow_file — try/except around import yaml; returns clear PinningResult ERROR instead of crashing the CLI when pyyaml is missing
  • security.py — pre-import AESGCM and security_fallback at module top-level so the fallback path is never broken by relative-import failures (e.g., script mode)
  • code_api.SAFE_BUILTINS — adds __build_class__ and exception types (ZeroDivisionError, ValueError, etc.) so legitimate class and try/except blocks work
  • contract_validator.load_and_validate — fixed broken YAML→JSON fallback; now returns a clear ContractResult error

Batch B — 3 functional bugs

  • validate_github_workflow — handles container as a string and services as a list (both legal GitHub Actions forms that were silently accepted)
  • safe_subagent_resultrejects oversized values via ValueError instead of silently truncating (999999999999999999999999 was corrupting token counts)
  • post_tool_use_clear_result — sanitizes tool_name via regex (defeats ../../../../tmp/evil path traversal)

Batch C — 4 correctness bugs

  • PBKDF2 epoch key derivation iterations 1,000 → 200,000 (OWASP 2023 floor)
  • state.append_audit — read prev_hash and INSERT now share a single BEGIN IMMEDIATE transaction (TOCTOU race fixed)
  • pii_tokenizer.detect — pre-processing pass (NFKC + URL-decode + HTML-unescape) defeats alice%40acme.com, alice&#64;acme.com, alice@acme.com (fullwidth) bypasses
  • code_api.execute — wall-clock timeout parameter (default 30s) via SIGALRM; while True: pass no longer hangs the agent

Batch D — 3 claim/code alignment

  • RotatingHMAC.verify(strict_epoch=True) — actually enforced now (the docstring promised this; the code was a no-op)
  • verify_isolation — inspects the ledger DB for real instead of returning a hardcoded dict; returns is_valid=False with reason if the subagent was never spawned
  • memory_blocksPRAGMA foreign_keys=ON on every connection (was declared but not enforced)

Tests

  • 318/318 pass (one new test added for strict_epoch invariant)
  • Adversarial suite unchanged (green)
  • Install + demo: green
  • pip uninstall cryptography pyyaml → 317/318 (1 skip on the yaml test, expected)

🤖 Generated with Claude Code

CE-Harness v1.0.1 — Documentation Update

Choose a tag to compare

@doz34 doz34 released this 09 Jun 23:55

CE-Harness v1.0.1 — Documentation Update

Comprehensive English documentation pass. All 14 French documents translated, 7 new GitHub standard docs added, 8 in-depth guides in docs/.

What's new in v1.0.1

Documentation

  • README.md: comprehensive overview with badges, table of contents, examples, quick start
  • CONTRIBUTING.md: code of conduct, dev setup, PR process, style guide
  • SECURITY.md: vulnerability disclosure, supported versions, best practices
  • CHANGELOG.md: full v1.0 release notes with all 18 quick wins documented
  • CODE_OF_CONDUCT.md: Contributor Covenant v2.1

User guides (docs/)

  • INSTALLATION.md: detailed install + troubleshooting
  • QUICKSTART.md: 5-minute tutorial
  • ARCHITECTURE.md: deep dive on 5-layer model + 8 invariants
  • HOOKS.md: complete reference for 7 lifecycle hooks
  • API.md: Python API reference for 22 modules
  • ADVERSARIAL.md: attack vectors + 50+ payload corpus usage
  • FAQ.md: common questions

GitHub integration (.github/)

  • Issue templates (bug report, feature request)
  • CI workflow (Python 3.10/3.11/3.12, all 317 tests, adversarial tests)
  • Dependabot for GitHub Actions updates

Translated to English (14 files)

  • README.md, CHARTER.md, CLAUDE.md, MEMORY.md
  • strategy/00-strategy-2026-06-08.md
  • design/00-architecture.md
  • corpus/sources/INDEX.md, corpus/findings/00-synthesis.md, corpus/anti-patterns/INDEX.md
  • prototype/README.md
  • audit/00-pov-recap-2026-06-08.md, audit/01-swebok-validation-2026-06-08.md, audit/02-swebok-100pct-validation-2026-06-08.md, audit/03-adversarial-analysis-2026-06-08.md

Stats

  • 20 files changed/added in this update
  • ~7,500 lines of new English documentation
  • All 317 tests still pass
  • 8 audit reports, 22 lib modules, 28 test files — all in English

Full v1.0 release notes

See CHANGELOG.md for the complete v1.0 release notes (the v1.0.1 update is docs only, no code changes).

Links