Project harness for Ruby #335

Merged
THardy98 merged 5 commits into main from feat/ruby-harness
Apr 30, 2026

@THardy98 THardy98 commented Apr 21, 2026

What was changed

Adds ruby/harness/ package, effectively a port of the same Python harness (python/harness).

ruby/harness is a standalone Ruby package that supports the same harness semantics, structure, and API as the existing Python harness. The test suite (ruby/harness/tests) similarly mimics the existing Python harness test suite.

Notably, a significant portion of the change comes from making the harness a standalone Ruby package with linting support (RBS, Steepfile, etc.).

Why?

  • load testing ergonomics / DX
  • Language parity

@THardy98 THardy98 force-pushed the feat/ruby-harness branch 2 times, most recently from 5e85d8c to 950b040 Compare April 22, 2026 22:24

socket-security Bot commented Apr 27, 2026

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action: Warn
Severity: High
Alert: Potentially malicious package (AI signal): golang github.com/temporalio/features is 74.0% likely malicious

Notes: This snippet is highly suspicious from a supply-chain and runtime-capability standpoint. It uses a Function-constructor pattern to access process/mainModule, dynamically loads additional packages, and injects those capabilities into globalThis at module evaluation time. Even though the referenced packages look legitimate (Temporal SDK), the mechanism is consistent with evasive capability loading and potential global hooking/interception by other code. No direct network/file/exfiltration behavior is visible in this snippet alone, but the capability escalation and global injection warrant thorough review of the full package and how these globals are used.

Confidence: 0.74

Severity: 0.78

From: go.mod (golang/github.com/temporalio/features@v0.0.0-20260427223549-86e4c0deedd7)

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Given the AI system's identification of this package as malware, extreme caution is advised. It is recommended to avoid downloading or installing this package until the threat is confirmed or flagged as a false positive.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore golang/github.com/temporalio/features@v0.0.0-20260427223549-86e4c0deedd7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

@THardy98 THardy98 force-pushed the feat/ruby-harness branch from c039ebd to 2f1c131 Compare April 27, 2026 23:24
@THardy98 THardy98 changed the title from "Ruby harness" to "Project harness for Ruby" Apr 27, 2026
@THardy98 THardy98 marked this pull request as ready for review April 27, 2026 23:28
@THardy98 THardy98 requested review from a team as code owners April 27, 2026 23:28
@THardy98 THardy98 force-pushed the feat/ruby-harness branch from c0e0031 to 051d0ae Compare April 30, 2026 23:15
@THardy98 THardy98 merged commit dcf8392 into main Apr 30, 2026
34 checks passed
@THardy98 THardy98 deleted the feat/ruby-harness branch April 30, 2026 23:51