Corgea · juangaitanv · May 27, 2026 · May 27, 2026 · May 27, 2026 · Jun 3, 2026
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -17,10 +17,17 @@ jobs:
 
       - name: Setup Rust
         uses: dtolnay/rust-toolchain@stable
+        with:
+          components: llvm-tools-preview
+
+      - name: Install cargo-llvm-cov
+        uses: taiki-e/install-action@cargo-llvm-cov
+
+      - name: Install cargo-deny
+        uses: taiki-e/install-action@cargo-deny
 
       - name: Cache cargo
         uses: Swatinem/rust-cache@v2
 
-
-      - name: Run unit tests
-        run: cargo test
+      - name: CI gate
+        run: ./harness ci
diff --git a/.gitignore b/.gitignore
@@ -3,5 +3,9 @@
 .DS_Store
 .dccache
 *.zip
+*.profraw
 node_modules/
 /packages/*/vendor/
+
+.claude/
+CLAUDE.md
diff --git a/AGENTS.md b/AGENTS.md
@@ -0,0 +1,24 @@
+# AGENTS.md
+
+This subproject is the Corgea developer CLI (Rust → npm + pip via maturin).
+
+## Commands
+
+- After edits: `./harness check` — clippy fix, format, tests, suppression report
+- Pre-commit: `./harness pre-commit` — staged Rust files only (auto via git hook)
+- CI: `./harness ci` — strict clippy (`-D warnings`), format check, dep policy (`cargo deny`: advisories + licenses + sources + bans), tests + coverage gate (min 13%)
+- Deny: `./harness deny` — `cargo deny --locked check` (vulns, licenses, sources, bans) per `deny.toml`
+- Coverage: `./harness coverage [--min=N]` — cargo-llvm-cov; HTML report under `target/llvm-cov/`; fails if line coverage < N (default 13)
+- Lint: `./harness lint` — clippy + format check, no fixes
+- Test: `./harness test` — `cargo test`
+- Fix: `./harness fix` — clippy fix + format
+- Setup: `./harness setup-hooks` — install `.git/hooks/pre-commit`
+- Auto-format: `./harness post-edit` — runs `cargo fmt` on changed Rust files (wire into your editor/agent's post-edit hook)
+
+Add `--verbose` to stream raw command output instead of the quiet summary.
+
+Coverage needs LLVM's `llvm-cov`/`llvm-profdata`. On a rustup toolchain, run
+`rustup component add llvm-tools-preview`. On a non-rustup toolchain (e.g.
+Homebrew Rust) those are missing, so point cargo-llvm-cov at a system LLVM:
+`LLVM_COV="$(brew --prefix llvm)/bin/llvm-cov" LLVM_PROFDATA="$(brew --prefix llvm)/bin/llvm-profdata" ./harness coverage`.
+CI uses its own toolchain and is unaffected.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -2,6 +2,10 @@
 name = "corgea"
 version = "1.8.8"
 edition = "2021"
+# Distributed via maturin → npm + pip, never `cargo publish`ed to crates.io.
+# Marks the crate private so `cargo deny` skips license checks on our own
+# LGPL-2.1 source (see deny.toml `[licenses] private = { ignore = true }`).
+publish = false
 
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
@@ -17,6 +21,8 @@ reqwest = { version = "0.12.23", default-features = false, features = [
     "system-proxy",
 ] }
 toml = "0.8.8"
+log = "0.4"
+env_logger = "0.11"
 serde = { version = "1.0.195", features = ["derive"] }
 serde_json = "1.0.111"
 serde_derive = "1.0.195"

diff --git a/deny.toml b/deny.toml
@@ -0,0 +1,43 @@
+# cargo-deny policy for the corgea CLI.
+# Run: ./harness deny   (CI runs it strict via ./harness ci)
+
+[advisories]
+version = 2
+# RustSec DB: fail on vulnerable/unmaintained/unsound/yanked crates.
+yanked = "deny"
+# ignore = []  # add "RUSTSEC-YYYY-NNNN" with a justification comment if ever needed
+
+[licenses]
+version = 2
+# SPDX ids allowed to ship in the distributed binary. All permissive.
+# Copyleft exceptions must stay crate-scoped below.
+allow = [
+    "MIT",
+    "Apache-2.0",
+    "Apache-2.0 WITH LLVM-exception",
+    "BSD-3-Clause",
+    "Unicode-3.0",
+    "Unlicense",
+    "0BSD",
+    "CC0-1.0",
+    "MIT-0",
+    "Zlib",
+    "BSL-1.0",
+]
+# option-ext is file-level MPL-2.0 and comes transitively via `dirs`.
+exceptions = [{ crate = "option-ext", allow = ["MPL-2.0"] }]
+# The `corgea` crate's own LICENSE file is LGPL-2.1; it ships only as a binary
+# (never `cargo publish`ed) so it's marked `publish = false` in Cargo.toml,
+# which makes it "private" and exempt from these dep-license rules.
+private = { ignore = true }
+confidence-threshold = 0.9
+
+[bans]
+# Duplicate versions are common & low-risk in a 310-crate tree → warn, don't fail.
+multiple-versions = "warn"
+wildcards = "warn"
+
+[sources]
+# Lock the supply chain to crates.io. Any git / alt-registry dep fails the gate.
+unknown-registry = "deny"
+unknown-git = "deny"