Behavior

Dependency inference

If no requirements.txt or pyproject.toml exists, Harden infers dependencies from bare imports. The inferred list is saved at:

.harden/state/requirements.inferred.txt

This inference is used for both lock and analyze.

OSV responses are cached at:

.harden/state/osv_cache.json

Default TTL is 24 hours. Override with:

export HARDEN_OSV_CACHE_TTL_SECONDS=0

harden generate --fail-on-critical exits non-zero if critical CVEs are detected. This is intended for CI gating.