plugins/ruflo-metaharness/skills/harness-mcp-scan/SKILL.md
Calls harness mcp-scan to enumerate every declared MCP server + tool
and flag policy / permission / dependency issues. Never executes any
tool; pure static analysis.
Implementation: scripts/mcp-scan.mjs.
npx -p metaharness@latest harness mcp-scan <path> --json

findings[] with { severity, id, server, tool, message }.

--fail-on <severity>: exit 1 when any finding is at or above that level. Default high.

| Severity | Rank |
|---|---|
| low | 1 |
| medium | 2 |
| high | 3 |

--fail-on high (default) only fails on HIGH; --fail-on medium also
fails on MEDIUM; --fail-on low fails on any finding.

```yaml
- name: MCP static scan
  run: node plugins/ruflo-metaharness/scripts/mcp-scan.mjs --fail-on high
```

The exit code is the only thing CI watches; the JSON output goes to artifacts for human review.

When the harness binary is unavailable (no network, blocked registry),
the scan emits a structured { degraded: true, reason: 'metaharness-not-available' }
object and exits 0. Ruflo continues; this is an ADR-150 architectural constraint.
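
The --fail-on threshold and the degraded fallback described above, sketched as an added example (this is not the code in scripts/mcp-scan.mjs). The `gate` helper, the sample reports and the fail-closed handling of unrecognised severities are assumptions made for illustration.

```javascript
// Added example: severity gate over harness mcp-scan JSON output.
// Rank table as documented on this page.
const SEVERITY_RANK = { low: 1, medium: 2, high: 3 };

// Hypothetical helper (not part of mcp-scan.mjs): decide the CI exit code.
function gate(report, failOn = 'high') {
  const threshold = SEVERITY_RANK[failOn];
  if (threshold === undefined) {
    throw new Error(`unknown --fail-on severity: ${failOn}`);
  }
  // Degraded mode: the scanner never ran, so there is nothing to gate on.
  if (report.degraded === true) {
    return { exitCode: 0, degraded: true, reason: report.reason, blocking: [] };
  }
  const findings = Array.isArray(report.findings) ? report.findings : [];
  const blocking = findings.filter((f) => {
    // Assumption: an unrecognised severity is ranked as high (fail closed).
    const rank = SEVERITY_RANK[String(f.severity).toLowerCase()] ?? SEVERITY_RANK.high;
    return rank >= threshold;
  });
  return { exitCode: blocking.length > 0 ? 1 : 0, degraded: false, blocking };
}

// Constructed sample report; ids, servers, tools and messages are invented.
const sampleReport = {
  findings: [
    { severity: 'low', id: 'EXAMPLE-001', server: 'example-fs', tool: 'read_file', message: 'constructed sample' },
    { severity: 'medium', id: 'EXAMPLE-002', server: 'example-shell', tool: 'run', message: 'constructed sample' },
  ],
};
const degradedReport = { degraded: true, reason: 'metaharness-not-available' };

for (const level of ['high', 'medium', 'low']) {
  const r = gate(sampleReport, level);
  console.log(`--fail-on ${level}: exit ${r.exitCode}, blocking=${r.blocking.map((f) => f.id).join(',') || 'none'}`);
}
console.log('degraded:', gate(degradedReport).exitCode, gate(degradedReport).reason);
```

Because a degraded run also exits 0 and CI watches only the exit code, the `degraded` field in the JSON artifact is the only indication that no scan took place.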