validate-harness
validate-harness is a Codex skill that runs five sequential release-readiness checks on a scaffolded harness: file structure validation, witness signature verification, hardcoded filesystem path scanning, MCP server configuration validation, and GCP Secret Manager credential verification. Use it before release to catch common deployment blockers in one command, with the option to skip GCP checks or specify custom secret names.
git clone --depth 1 https://github.com/ruvnet/agent-harness-generator /tmp/validate-harness && cp -r /tmp/validate-harness/.claude-plugin/skills/validate-harness ~/.claude/skills/validate-harnessSKILL.md
# validate-harness > Codex skill that runs the 5 release-readiness gates from `harness validate`. ## What it checks | # | Check | What it does | |---|-------|--------------| | 1 | `doctor` | File shape + manifest sha256 + at-least-one host artifact | | 2 | `verify` | Witness manifest signature (Ed25519) — skipped if no witness yet | | 3 | `path-guard` | Scans your TS/JS/Rust files for hardcoded `/tmp/`, `C:\`, `/Users/`, `/home/` — the original Windows `/tmp` bug regression class | | 4 | `mcp` | `.mcp/servers.json` entries have `name` + `command` | | 5 | `secrets` | `gcloud auth list` + project + `NPM_TOKEN` exist in GCP Secret Manager | Each check reports `PASS` / `FAIL` / `WARN` with a one-line detail. Exits 1 if any FAIL. ## Usage from Codex ``` /validate-harness /validate-harness path=./my-harness /validate-harness path=./my-harness skip_gcp=true /validate-harness secret=NPM_TOKEN_DEV ``` ## Equivalent CLI ```bash harness validate ./my-harness --skip-gcp --secret=NPM_TOKEN_DEV ``` ## Why this exists Before iter 20, you needed to remember to run `harness doctor`, `harness verify`, `harness secrets check`, and `node scripts/path-guard.mjs` separately. This is the single release-readiness gate.
Diff two scaffolded harnesses (ADR-031). Reports manifest meta drift + host list + per-file fingerprint changes (added/removed/changed). Exits 0 IDENTICAL, 1 DRIFT, 2 missing manifest. Use --bundle for the ADR-031 schema-1 JSON envelope.
Scaffold your own focused AI agent harness — pick host (Claude Code, Codex, pi.dev, Hermes), template, agents, skills, and ship a npm-publishable harness with its own npx CLI. Use when a user asks to "create my own agent harness", "scaffold a harness", "make a custom Claude Code plugin like ruflo", or "build a vertical AI assistant for X".
Kernel-version skew check (ADR-027). Reports manifest surface + manifest kernel + installed kernel + verdict (match/patch-diff/minor-diff/major-diff). Exits 1 on minor/major skew with a copy-pasteable `npm install @metaharness/kernel@X.Y.Z` next step. Exits 2 if no .harness/manifest.json at path.
Scaffold a ready-made AI agent harness in one command from the 19 published @metaharness/* example packages — 9 host integrations (Claude Code, Codex, Hermes, pi.dev, OpenClaw, RVM, Copilot, OpenCode, GitHub Actions) + 10 vertical pods (devops, research, trading, support, legal, coding, education, sales, gaming, repo-maintainer).
GCP Secret Manager integration: validate setup, fetch values, or confirm an NPM_TOKEN is non-revoked via `npm whoami`. Used for publish-time token rotation without long-lived keys in CI.
List the available harness templates and what each one ships with. Use when the user asks "what templates are available", "what verticals does the harness generator support", or "show me what I can scaffold".
Emit .harness/oia-manifest.json declaring layer alignment with the OIA v0.1 9-layer reference architecture. Self-describes the harness's MCP wiring, witness signing, audit log, identity posture (always 'none' at v0.1). --check verifies an existing manifest, --dry-run prints without writing, --json emits to stdout.
Publish a generated harness to npm — runs the smoke test, signs the witness manifest, and dispatches `npm publish --provenance` from your tagged release.