feat(harness-audit): add GitHub + deploy-target categories, big-phase Stop hook

Extends the deterministic /harness-audit engine with:
- GitHub Integration category (always-on): workflows, PR template, issue
  templates, CODEOWNERS, Dependabot/Renovate.
- Per-provider Integration categories (conditional via detector map):
  vercel, netlify, cloudflare, fly. Only scored when a provider marker
  is present (e.g. vercel.json, netlify.toml, wrangler.toml, fly.toml).
- Dynamic max_score (replaces hardcoded 70).
- New JSON output fields: applicable_categories[], category_count,
  rubric_version: "2026-05-19".
- Registers big-phase-nudge.js Stop hook in hooks/hooks.json: prints
  one nudge line when >=5 files OR >=200 non-lockfile lines OR a
  dependency-manifest change is detected. Aggregates metrics only,
  honors CLAUDE_QUIET=1 and ECC_PHASE_NUDGE_OFF=1.

Mirror docs updated. Rubric version bumped 2026-03-30 -> 2026-05-19.

scripts/harness-audit.js

@@ -11,8 +11,51 @@ const CATEGORIES = [
   'Eval Coverage',
   'Security Guardrails',
   'Cost Efficiency',
+  'GitHub Integration',
+  'Vercel Integration',
+  'Netlify Integration',
+  'Cloudflare Integration',
+  'Fly Integration',
 ];
 
+const PROVIDERS = {
+  Vercel: {
+    detect: (rootDir) =>
+      fileExists(rootDir, 'vercel.json') ||
+      fileExists(rootDir, '.vercel/project.json') ||
+      fileExists(rootDir, '.vercel'),
+    keyPattern: /vercel/i,
+    buildPattern: /vercel/i,
+    workflowPattern: /(vercel-action|vercel\s+(deploy|--prod))/i,
+  },
+  Netlify: {
+    detect: (rootDir) =>
+      fileExists(rootDir, 'netlify.toml') || fileExists(rootDir, '.netlify'),
+    keyPattern: /netlify/i,
+    buildPattern: /netlify/i,
+    workflowPattern: /(netlify\/actions|netlify\s+deploy)/i,
+  },
+  Cloudflare: {
+    detect: (rootDir) =>
+      fileExists(rootDir, 'wrangler.toml') || fileExists(rootDir, 'wrangler.jsonc'),
+    keyPattern: /\b(cloudflare|wrangler)\b/i,
+    buildPattern: /(wrangler|cloudflare)/i,
+    workflowPattern: /(cloudflare\/wrangler-action|wrangler\s+(deploy|publish))/i,
+  },
+  Fly: {
+    detect: (rootDir) => fileExists(rootDir, 'fly.toml'),
+    keyPattern: /fly[_-]?(api|io)/i,
+    buildPattern: /fly\s+(deploy|launch)/i,
+    workflowPattern: /(superfly\/flyctl-actions|flyctl\s+deploy|fly\s+deploy)/i,
+  },
+};
+
+function getApplicableProviders(rootDir) {
+  return Object.entries(PROVIDERS)
+    .filter(([_, spec]) => spec.detect(rootDir))
+    .map(([name]) => name);
+}
+
 function normalizeScope(scope) {
   const value = (scope || 'repo').toLowerCase();
   if (!['repo', 'hooks', 'skills', 'commands', 'agents'].includes(value)) {
@@ -465,6 +508,153 @@ function getRepoChecks(rootDir) {
       pass: fileExists(rootDir, 'commands/model-route.md'),
       fix: 'Add commands/model-route.md and route policies for cheap-default execution.',
     },
+    ...buildGithubChecks(rootDir),
+  ];
+}
+
+// All GitHub Integration checks are scoped to ['repo']: when a scoped audit
+// (--scope hooks|skills|commands|agents) runs, these checks correctly drop out.
+// Tests that assert the scope filter (e.g. "every check.path includes 'hooks'")
+// rely on this invariant — if you add a GitHub check with a broader scope,
+// audit the scope-filter test in tests/scripts/harness-audit.test.js too.
+function buildGithubChecks(rootDir) {
+  return [
+    {
+      id: 'github-workflows',
+      category: 'GitHub Integration',
+      points: 3,
+      scopes: ['repo'],
+      path: '.github/workflows/',
+      description: 'GitHub Actions workflows are checked in',
+      pass: hasFileWithExtension(rootDir, '.github/workflows', ['.yml', '.yaml']),
+      fix: 'Add at least one workflow under .github/workflows/ so CI runs on every PR.',
+    },
+    {
+      id: 'github-pr-template',
+      category: 'GitHub Integration',
+      points: 2,
+      scopes: ['repo'],
+      path: '.github/PULL_REQUEST_TEMPLATE.md',
+      description: 'A pull request template is configured',
+      pass:
+        fileExists(rootDir, '.github/PULL_REQUEST_TEMPLATE.md') ||
+        fileExists(rootDir, '.github/pull_request_template.md'),
+      fix: 'Add .github/PULL_REQUEST_TEMPLATE.md so PR descriptions follow a consistent shape.',
+    },
+    {
+      id: 'github-issue-templates',
+      category: 'GitHub Integration',
+      points: 2,
+      scopes: ['repo'],
+      path: '.github/ISSUE_TEMPLATE/',
+      description: 'Issue templates are configured',
+      pass: hasFileWithExtension(rootDir, '.github/ISSUE_TEMPLATE', ['.md', '.yml', '.yaml']),
+      fix: 'Add at least one issue template under .github/ISSUE_TEMPLATE/.',
+    },
+    {
+      id: 'github-codeowners',
+      category: 'GitHub Integration',
+      points: 1,
+      scopes: ['repo'],
+      path: '.github/CODEOWNERS',
+      description: 'A CODEOWNERS file routes reviews',
+      pass:
+        fileExists(rootDir, 'CODEOWNERS') ||
+        fileExists(rootDir, '.github/CODEOWNERS') ||
+        fileExists(rootDir, 'docs/CODEOWNERS'),
+      fix: 'Add a CODEOWNERS file so PRs auto-request the right reviewers.',
+    },
+    {
+      id: 'github-dep-updates',
+      category: 'GitHub Integration',
+      points: 2,
+      scopes: ['repo'],
+      path: '.github/dependabot.yml',
+      description: 'Automated dependency updates are configured',
+      pass:
+        fileExists(rootDir, '.github/dependabot.yml') ||
+        fileExists(rootDir, '.github/dependabot.yaml') ||
+        fileExists(rootDir, 'renovate.json') ||
+        fileExists(rootDir, '.github/renovate.json') ||
+        fileExists(rootDir, '.renovaterc'),
+      fix: 'Add a Dependabot or Renovate config so dependency updates land automatically.',
+    },
+  ];
+}
+
+function readAllWorkflowsText(rootDir) {
+  const dir = path.join(rootDir, '.github/workflows');
+  if (!fs.existsSync(dir)) {
+    return '';
+  }
+  let combined = '';
+  const stack = [dir];
+  while (stack.length > 0) {
+    const current = stack.pop();
+    const entries = fs.readdirSync(current, { withFileTypes: true });
+    for (const entry of entries) {
+      const nextPath = path.join(current, entry.name);
+      if (entry.isDirectory()) {
+        stack.push(nextPath);
+      } else if (entry.name.endsWith('.yml') || entry.name.endsWith('.yaml')) {
+        try {
+          combined += fs.readFileSync(nextPath, 'utf8') + '\n';
+        } catch (_error) {
+          // skip
+        }
+      }
+    }
+  }
+  return combined;
+}
+
+function buildProviderChecks(rootDir, provider, sharedContext) {
+  const spec = PROVIDERS[provider];
+  const { packageJson, envExample, workflowsText } = sharedContext;
+  const scriptsText = Object.values(packageJson.scripts || {}).join('\n');
+  const category = `${provider} Integration`;
+
+  return [
+    {
+      id: `${provider.toLowerCase()}-config`,
+      category,
+      points: 3,
+      scopes: ['repo'],
+      path: `${provider} config`,
+      description: `${provider} deployment config is checked in`,
+      pass: spec.detect(rootDir),
+      fix: `Commit ${provider} configuration so deploys are reproducible from source.`,
+    },
+    {
+      id: `${provider.toLowerCase()}-build-script`,
+      category,
+      points: 2,
+      scopes: ['repo'],
+      path: 'package.json scripts',
+      description: `package.json scripts reference ${provider}`,
+      pass: spec.buildPattern.test(scriptsText),
+      fix: `Add a build or deploy script in package.json that runs ${provider}.`,
+    },
+    {
+      id: `${provider.toLowerCase()}-env-doc`,
+      category,
+      points: 2,
+      scopes: ['repo'],
+      path: '.env.example',
+      description: `${provider} env keys are documented in .env.example`,
+      pass: spec.keyPattern.test(envExample),
+      fix: `Document ${provider} environment variables in .env.example.`,
+    },
+    {
+      id: `${provider.toLowerCase()}-workflow-uses`,
+      category,
+      points: 3,
+      scopes: ['repo'],
+      path: '.github/workflows/',
+      description: `A GitHub workflow uses the ${provider} action or CLI`,
+      pass: spec.workflowPattern.test(workflowsText),
+      fix: `Reference the ${provider} action or CLI from a workflow under .github/workflows/.`,
+    },
   ];
 }
 
@@ -589,9 +779,24 @@ function getConsumerChecks(rootDir) {
       pass: projectHooks.includes('PreToolUse') || projectHooks.includes('beforeSubmitPrompt') || fileExists(rootDir, '.claude/hooks.json'),
       fix: 'Add project-local hook settings or hook definitions for prompt/tool guardrails.',
     },
+    ...buildGithubChecks(rootDir),
+    ...collectProviderChecks(rootDir, packageJson),
   ];
 }
 
+function collectProviderChecks(rootDir, packageJson) {
+  const providers = getApplicableProviders(rootDir);
+  if (providers.length === 0) {
+    return [];
+  }
+  const sharedContext = {
+    packageJson: packageJson || {},
+    envExample: safeRead(rootDir, '.env.example') + safeRead(rootDir, '.env.sample'),
+    workflowsText: readAllWorkflowsText(rootDir),
+  };
+  return providers.flatMap(provider => buildProviderChecks(rootDir, provider, sharedContext));
+}
+
 function summarizeCategoryScores(checks) {
   const scores = {};
   for (const category of CATEGORIES) {
@@ -634,15 +839,19 @@ function buildReport(scope, options = {}) {
       points: check.points,
     }));
 
+  const applicableCategories = CATEGORIES.filter(name => categoryScores[name] && categoryScores[name].max > 0);
+
   return {
     scope,
     root_dir: rootDir,
     target_mode: targetMode,
     deterministic: true,
-    rubric_version: '2026-03-30',
+    rubric_version: '2026-05-19',
     overall_score: overallScore,
     max_score: maxScore,
     categories: categoryScores,
+    applicable_categories: applicableCategories,
+    category_count: applicableCategories.length,
     checks: checks.map(check => ({
       id: check.id,
       category: check.category,