Menu
Composite Phase-2 audit worker (ADR-150). Bundles harness oia-manifest + threat-model + mcp-scan into one timestamped audit record stored in the `metaharness-audit` memory namespace. Designed for cron-scheduled drift detection.
One-command drift detection. Composes audit-list + oia-audit + audit-trend into a single primitive — finds the most recent audit in `metaharness-audit` namespace, runs a fresh audit against the current repo, diffs them via ADR-152 §3.1 similarity, and alerts when structural distance crosses `--threshold`. Iter 53 of ADR-150 deep integration.
ADR-152 — weighted similarity between two harness fingerprints (genome + score JSON). Returns overall score in [0,1] plus per-component breakdown (cosine over 9 numerics, categorical agreement over 4 enums, jaccard over agent_topology). Unblocks ADR-151 §3.2 Recommender, §3.3 Drift Detection, §3.5 Plugin Compat. Pure-TS, no `@metaharness/*` dep — preserves ADR-150's four architectural constraints.
7-section repo readiness report from `metaharness genome <path>`. Returns repo_type / agent_topology / risk_score / mcp_surface / test_confidence / publish_readiness. Pure-read; degrades gracefully (ADR-150).
Static security scan of a harness's declared MCP surface via `harness mcp-scan <path>`. Reads `.mcp/servers.json` + `.harness/claims.json`. Pure-read, no dispatch. Exits 1 on findings at or above `--fail-on` severity.
Scaffold a custom AI agent harness via `metaharness new <name> --template <id> --host <id>`. Defaults to DRY-RUN (no writes) unless --confirm is passed. Refuses to write to the calling repo root or anywhere inside it. Honors ADR-150 architectural constraint + ruflo's "destructive-action confirmation" pattern.
5-dimension harness readiness scorecard from `metaharness score <path>`. Returns harnessFit / compileConfidence / taskCoverage / toolSafety / memoryUsefulness + estCostPerRunUsd + scaffoldReady. Pure-read; subprocess invocation; degrades gracefully when MetaHarness is absent (ADR-150 architectural constraint).
| name | harness-oia-audit |
| description | Composite Phase-2 audit worker (ADR-150). Bundles harness oia-manifest + threat-model + mcp-scan into one timestamped audit record stored in the `metaharness-audit` memory namespace. Designed for cron-scheduled drift detection. |
| argument-hint | [--path .] [--dry-run] [--alert-on-worst clean|low|medium|high] [--format table|json] |
| allowed-tools | Bash |
The 13th worker (ADR-150 Phase 2) — runs three MetaHarness static surfaces in one shot, computes a composite worst-severity signal, and persists the audit record to memory so drift over time is visible.
Implementation: scripts/oia-audit.mjs.
harness oia-manifest <path> — Open Infrastructure Architecture
layer alignment (L1-L9).harness threat-model <path> — categorized MCP-surface threat
report with worst: clean|low|medium|high.harness mcp-scan <path> — per-server/tool policy + permissions
max(threatModel.worst, max(mcpScan.findings.severity)).metaharness-audit with key
audit-<iso-timestamp> (unless --dry-run).--alert-on-worst <severity>: exit 1 if composite worst ≥ threshold.When ALL three components report metaharness-not-available, the script
emits the standard degraded payload and exits 0. When only some are
degraded, each individual component carries its own degraded: true
flag in the audit record — the audit still runs and persists what it
could gather.
Designed for weekly cron in .github/workflows/:
on:
schedule:
- cron: '17 4 * * 0' # Sundays at 04:17 UTC
jobs:
oia-audit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
- run: node plugins/ruflo-metaharness/scripts/oia-audit.mjs --alert-on-worst high
--alert-on-worst high fails the job on any HIGH-severity finding;
drift below HIGH is logged but doesn't block.
Each audit run stores under metaharness-audit:audit-<iso-ts>. To list
recent audits:
npx @claude-flow/cli@latest memory list --namespace metaharness-audit --limit 10
To diff two audits (drift detection):
A=$(npx ... memory retrieve --key audit-2026-06-01... --namespace metaharness-audit)
B=$(npx ... memory retrieve --key audit-2026-06-15... --namespace metaharness-audit)
# Compare composite.worst, components.threatModel.worst, etc.
A future ADR can wire this into a dedicated cost-diff-style diff
viewer specifically for audit drift.
harness-threat-model — the underlying threat-model componentharness-mcp-scan — the underlying MCP-scan componentharness-score + harness-genome — readiness metrics (orthogonal to audit)