ManintheCrowds
diff --git a/‎.cursor/skills/agent-native-architecture/references/dynamic-context-injection.md‎
Lines changed: 4 additions & 0 deletions b/‎.cursor/skills/agent-native-architecture/references/dynamic-context-injection.md‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎.cursor/state/daily/2026-03-22.md‎
Lines changed: 0 additions & 7 deletions b/‎.cursor/state/daily/2026-03-22.md‎
Lines changed: 0 additions & 7 deletions
diff --git a/‎.cursor/state/decision-log.md‎
Lines changed: 0 additions & 17 deletions b/‎.cursor/state/decision-log.md‎
Lines changed: 0 additions & 17 deletions
diff --git a/‎.cursor/state/handoff_latest.md‎
Lines changed: 0 additions & 47 deletions b/‎.cursor/state/handoff_latest.md‎
Lines changed: 0 additions & 47 deletions
diff --git a/‎.cursor/state/scope_brain_map_gap_closure.md‎
Lines changed: 0 additions & 31 deletions b/‎.cursor/state/scope_brain_map_gap_closure.md‎
Lines changed: 0 additions & 31 deletions
diff --git a/‎.github/workflows/ci.yml‎
Lines changed: 30 additions & 0 deletions b/‎.github/workflows/ci.yml‎
Lines changed: 30 additions & 0 deletions
diff --git a/‎.gitignore‎
Lines changed: 19 additions & 0 deletions b/‎.gitignore‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎.pre-commit-config.yaml‎
Lines changed: 8 additions & 0 deletions b/‎.pre-commit-config.yaml‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 5 additions & 3 deletions b/‎README.md‎
Lines changed: 5 additions & 3 deletions
diff --git a/‎capabilities.harness.yaml‎
Lines changed: 2 additions & 0 deletions b/‎capabilities.harness.yaml‎
Lines changed: 2 additions & 0 deletions
@@ -336,3 +336,7 @@ When adding new features:
 - [ ] New capabilities are documented in system prompt
 - [ ] User vocabulary for the feature is mapped
 </checklist>
+
+## OpenHarness (portable bundle)
+
+The checklist above targets product apps with a live runtime. For the **OpenHarness** repo (markdown + `state/` + manifest), map checklist bullets to concrete files and scripts: see [`docs/OPENHARNESS_CONTEXT_MAP.md`](../../../../docs/OPENHARNESS_CONTEXT_MAP.md).
@@ -0,0 +1,30 @@
+# Lightweight checks for docs/scripts parity (no SCP package required for contract hash step).
+name: CI
+
+on:
+  push:
+    branches: [main, master]
+  pull_request:
+
+jobs:
+  verify:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Install PyYAML
+        run: pip install PyYAML
+
+      - name: Script index parity (CHEATSHEET + YAML + disk)
+        run: python scripts/verify_script_index.py
+
+      - name: Skills README vs SKILL.md descriptions
+        run: python scripts/verify_skills_readme.py
+
+      - name: SCP contract fingerprint
+        run: python scripts/verify_contract_hash.py
@@ -1,2 +1,21 @@
 # Local PDF extraction working copies (large; not for version control)
 docs/research/_extract*.txt
+
+# Secrets and environment (do not commit)
+.env
+.env.*
+!.env.example
+
+# Keys and certificates (common filenames)
+*.pem
+*.key
+*.p12
+id_rsa
+id_rsa.pub
+*.pfx
+
+# Local MCP config (secrets); do not commit. See docs/MCP_TRANSPARENCY.md, docs/MCP_PRIVATE_HOST.md
+.cursor/mcp.json
+
+# Private session state at repo root (use root state/ for public schema + synthetic examples)
+.cursor/state/
@@ -38,3 +38,11 @@ repos:
         files: ^(\.cursor/skills/README\.md|\.cursor/skills/.*/SKILL\.md)$
         pass_filenames: false
         stages: [pre-commit]
+
+      - id: verify-contract-hash
+        name: SCP contract SHA-256 fingerprint
+        entry: python scripts/verify_contract_hash.py
+        language: system
+        files: ^docs/contracts/scp_mcp_v1\.(md|sha256)$
+        pass_filenames: false
+        stages: [pre-commit]
@@ -63,7 +63,7 @@ See [docs/CANONICAL_AGENT_BUNDLE.md](docs/CANONICAL_AGENT_BUNDLE.md) and [docs/V
 
 ## Private wellbeing / survival corpora
 
-Do **not** commit purchased PDFs or full extracted text to this harness. Use a private path; run **SCP on extracted text** before any RAG or handoff. Canonical playbook: `local-proto` repo `docs/HUMAN_WELLBEING_CORPUS.md` and `docs/SURVIVAL_MEDICAL_RAG_DISCLAIMER.md` (sibling layout under the same workspace root). Decision: `.cursor/state/decision-log.md` (2026-03-20).
+Do **not** commit purchased PDFs or full extracted text to this harness. Use a private path; run **SCP on extracted text** before any RAG or handoff. Canonical playbook: `local-proto` repo `docs/HUMAN_WELLBEING_CORPUS.md` and `docs/SURVIVAL_MEDICAL_RAG_DISCLAIMER.md` (sibling layout under the same workspace root). For decision history in this repo, prefer root [`state/decision-log.md`](state/decision-log.md); use a private `.cursor/state/` checkout for material that must not ship publicly.
 
 ## Pre-commit
 
@@ -91,7 +91,9 @@ When extending harness or adding components, use [docs/DELINEATION.md](docs/DELI
 
 ## Public vs private
 
-This repo is a **public** reference: use **synthetic** handoff examples ([docs/examples/HANDOFF_EXAMPLE_SYNTHETIC.md](docs/examples/HANDOFF_EXAMPLE_SYNTHETIC.md)), not real session state. Keep real handoffs and experimental work in a **private** workspace; see [docs/PUBLIC_AND_PRIVATE_HARNESS.md](docs/PUBLIC_AND_PRIVATE_HARNESS.md).
+This repo is a **public** reference: use **synthetic** handoff examples ([docs/examples/HANDOFF_EXAMPLE_SYNTHETIC.md](docs/examples/HANDOFF_EXAMPLE_SYNTHETIC.md)), not real session state. Root [`state/`](state/) holds **schema + synthetic placeholders** suitable for cloning; keep real handoffs, `daily/`, archives, and decision logs with identifying detail in a **private** workspace or fork. **`.cursor/state/`** is gitignored here so local session files are not committed by mistake; see [docs/PUBLIC_AND_PRIVATE_HARNESS.md](docs/PUBLIC_AND_PRIVATE_HARNESS.md).
+
+**Secrets:** `.gitignore` excludes `.env*`, common key filenames, and `.cursor/mcp.json`. Do not commit credentials; use env vars or a private config path per [docs/MCP_PRIVATE_HOST.md](docs/MCP_PRIVATE_HOST.md).
 
 ## OpenAtlas (related app, not in this repo)
 
@@ -108,7 +110,7 @@ This repo is a **public** reference: use **synthetic** handoff examples ([docs/e
 - [INTENT_ENGINEERING.md](docs/INTENT_ENGINEERING.md)
 - [HANDOFF_FLOW.md](docs/HANDOFF_FLOW.md) (includes **Definition of done** for P1 verification + dual gates)
 - [PUBLIC_AND_PRIVATE_HARNESS.md](docs/PUBLIC_AND_PRIVATE_HARNESS.md)
-- [CANONICAL_AGENT_BUNDLE.md](docs/CANONICAL_AGENT_BUNDLE.md), [VERIFY_NOT_TRUST.md](docs/VERIFY_NOT_TRUST.md), [MCP_TRANSPARENCY.md](docs/MCP_TRANSPARENCY.md)
+- [CANONICAL_AGENT_BUNDLE.md](docs/CANONICAL_AGENT_BUNDLE.md), [VERIFY_NOT_TRUST.md](docs/VERIFY_NOT_TRUST.md), [MCP_TRANSPARENCY.md](docs/MCP_TRANSPARENCY.md), [GOVERNANCE.md](docs/GOVERNANCE.md)
 - [contracts/scp_mcp_v1.md](docs/contracts/scp_mcp_v1.md), [SCP_ENV_AND_TRUST.md](docs/SCP_ENV_AND_TRUST.md)
 - [AUTHORITY_MODEL.md](docs/AUTHORITY_MODEL.md)
 - [state/README.md](state/README.md)
 
@@ -44,6 +44,8 @@ harness_capability:
     - verify_canonical_bundle.ps1
     - update_canonical_bundle_hashes.ps1
     - check_docs_portfolio_links.py
+    - list_capabilities.py
+    - verify_contract_hash.py
     - verify_script_index.py
     - verify_skills_readme.py