Harness hardening: guards, upgrade protocol, and reproducible secret scan #69
Merged
joyzoursky merged 10 commits into main on Apr 17, 2026
Parses verify output and prints VERIFY_FAILURE block naming the failing checker (e.g. quality:check-hotspots) so agents cannot misattribute a failure to the wrong subsystem. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Adds a soft-warning band at 95% of the maxLines cap (855/900 default) that compares each file's line count to origin/main and warns when a PR adds lines to a file already in the band. Upgrade to hard failure via --strict-creep flag or STRICT_HOTSPOT_CREEP=1. Defaults stay warning-only so local dev is not blocked. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Parses package-lock.json and asserts minimum versions for packages with known advisories (js-yaml >= 4.1.1, @modelcontextprotocol/sdk >= 1.26.0) at every node_modules path, including nested transitive copies. Wired into verify after audit. Catches regressions that audit-ci's advisory allowlist would otherwise mask. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
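The lockfile floor check described in the commit message above, as an added example (not the repository's script). It assumes a lockfile v2/v3 `packages` map; the names `findFloorViolations`, `packageNameFromPath` and `compareCore` and the sample lockfile are hypothetical, and prerelease tags are ignored when comparing versions.

```javascript
// Added illustration, not the repository's script. Floors are the two named in the commit message.
const FLOORS = { 'js-yaml': '4.1.1', '@modelcontextprotocol/sdk': '1.26.0' };

// Compare numeric major.minor.patch only; prerelease/build suffixes are ignored (simplification).
function compareCore(a, b) {
  const parse = (v) => v.split(/[-+]/)[0].split('.').map((n) => parseInt(n, 10) || 0);
  const x = parse(a);
  const y = parse(b);
  for (let i = 0; i < 3; i++) {
    const d = (x[i] || 0) - (y[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// In lockfile v2/v3 the "packages" keys are install paths. The package name is whatever
// follows the LAST "node_modules/", so nested transitive copies resolve to the same name.
function packageNameFromPath(path) {
  const marker = 'node_modules/';
  const idx = path.lastIndexOf(marker);
  return idx === -1 ? null : path.slice(idx + marker.length);
}

// One record per installed copy below its floor. A matching entry with no version
// field is reported as well (fail closed).
function findFloorViolations(lock, floors = FLOORS) {
  const violations = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(path);
    if (name === null || !Object.hasOwn(floors, name)) continue;
    if (!entry.version || compareCore(entry.version, floors[name]) < 0) {
      violations.push({ path, name, found: entry.version || null, floor: floors[name] });
    }
  }
  return violations;
}

// Constructed sample lockfile: the top-level js-yaml is patched, a nested copy is not.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo' },
    'node_modules/js-yaml': { version: '4.1.1' },
    'node_modules/old-tool/node_modules/js-yaml': { version: '3.14.1' },
    'node_modules/@modelcontextprotocol/sdk': { version: '1.26.0' },
    'node_modules/js-yaml-loader': { version: '1.0.0' },
  },
};
console.log(findFloorViolations(sampleLock));
```

Only the nested `js-yaml` copy is reported; `js-yaml-loader` is a different package and is not matched by name prefix.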
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Compares the overrides blocks in root and apps/web package.json. Fails on value mismatches or on keys present in only one location (unless allowlisted). Shared keys must agree; workspace-only or root-only keys need explicit allowlist entries. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Documents reproducer-first npm override workflow, preferred override shapes, and the lockfile CVE floor verification path. Codifies anti-patterns from recent incidents (shotgun override editing, lockfile surgery, verify failure dismissal). Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Seven rules covering verify attribution, hotspot awareness, override workflow, commit hygiene on broken base, force-push protocol, destructive git operations, and minimal-diff completion. Each rule cites the incident that created it. Linked from CLAUDE.md; Codex should load this file before tasks. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Adds task-routing rows for dependency security regressions and verify failure attribution, lists agent-session-rules.md and dependency-upgrade-protocol.md under Docs To Read First, and documents verify:explain in Commands. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
…o verify
- Add .gitleaks.toml excluding node_modules/build artifacts so local scans match CI (12min → ~1s on full checkout).
- Pin gitleaks version in .gitleaks-version, read by both CI and Makefile.
- Add `make scan-secrets` (+ `scan-secrets-ensure`) using the same flags as CI; fold into `make verify` and `make bootstrap`.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- check-hotspot-loc: auto-fetch origin/main when absent (handles CI fetch-depth:1); warn loudly and stop creep detection if still missing. Also flag birth-creep for new files born in the creep band.
- check-overrides-drift: fail on stale allowlist entries (webOnly / rootOnly / valueDriftAllowed keys that no longer correspond to an override) so the allowlist doesn't rot silently.
- explain-verify-failure: raise spawnSync maxBuffer to 50MB so full tsc dumps don't truncate the last script header and break attribution; derive KNOWN_CHECKERS from apps/web/package.json scripts.verify so new checkers can't be forgotten; fall through to the raw script name when no friendly label is registered.
- Makefile scan-secrets-ensure: download the .gitleaks-version tarball (verified against the release checksum) and refuse to run when the installed gitleaks doesn't match the pin, so local scans no longer drift from CI via an unpinned brew install.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
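The overrides drift check from the two commit messages above (the comparison of root and apps/web `overrides`, and the later stale-allowlist rule), as an added example that is not the repository's check-overrides-drift script. The allowlist field names come from the commit message; treating each as an array of override keys, the function name `checkOverridesDrift`, the rule for what counts as stale, and the sample data are assumptions.

```javascript
// Added illustration, not the repository's script.
// Staleness rule assumed here: a rootOnly entry must exist in the root block, a webOnly
// entry in the web block, and a valueDriftAllowed entry in both.
function checkOverridesDrift(rootOverrides, webOverrides, allow = {}) {
  const { webOnly = [], rootOnly = [], valueDriftAllowed = [] } = allow;
  const errors = [];
  const inRoot = (k) => Object.hasOwn(rootOverrides, k);
  const inWeb = (k) => Object.hasOwn(webOverrides, k);
  // Override values may be nested objects; this comparison is key-order sensitive.
  const same = (a, b) => JSON.stringify(a) === JSON.stringify(b);

  const keys = new Set([...Object.keys(rootOverrides), ...Object.keys(webOverrides)]);
  for (const key of [...keys].sort()) {
    if (inRoot(key) && inWeb(key)) {
      if (!same(rootOverrides[key], webOverrides[key]) && !valueDriftAllowed.includes(key)) {
        errors.push(`value mismatch: ${key}`);
      }
    } else if (inRoot(key) && !rootOnly.includes(key)) {
      errors.push(`root-only key not allowlisted: ${key}`);
    } else if (inWeb(key) && !webOnly.includes(key)) {
      errors.push(`web-only key not allowlisted: ${key}`);
    }
  }

  // An allowlist entry that matches no override is itself a failure, so exceptions
  // cannot outlive the override they were granted for.
  for (const key of rootOnly) {
    if (!inRoot(key)) errors.push(`stale rootOnly allowlist entry: ${key}`);
  }
  for (const key of webOnly) {
    if (!inWeb(key)) errors.push(`stale webOnly allowlist entry: ${key}`);
  }
  for (const key of valueDriftAllowed) {
    if (!(inRoot(key) && inWeb(key))) errors.push(`stale valueDriftAllowed allowlist entry: ${key}`);
  }
  return errors;
}

// Constructed sample data: one drifted value, one unlisted web-only key, one stale entry.
const sampleRoot = { 'js-yaml': '^4.1.1', 'left-pad': '1.3.0', 'root-tool': '2.0.0' };
const sampleWeb = { 'js-yaml': '^4.1.0', 'left-pad': '1.3.0', 'web-tool': '1.0.0' };
const sampleAllow = { rootOnly: ['root-tool'], webOnly: ['gone-pkg'], valueDriftAllowed: [] };
console.log(checkOverridesDrift(sampleRoot, sampleWeb, sampleAllow));
```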
Summary
- apps/web, and a `verify:explain` failure attribution helper.
- `CLAUDE.md`.
- `.gitleaks.toml` excludes `node_modules`/build artifacts (local scan: ~12 min → ~1 s), `.gitleaks-version` pins the version for CI + Makefile, and `make scan-secrets` is wired into `make verify` and `make bootstrap`.
- `sk-valid12345`) with an inline `// gitleaks:allow`.

Test plan
- `Secret Scan` job passes on this branch.
- `npm run verify` and `make verify` both pass locally.
- `make bootstrap` on a clean machine installs gitleaks (brew path).
- `make scan-secrets` exits 0 with the new `.gitleaks.toml`.

🤖 Generated with Claude Code