What is harness.json?

harness.json is the per-target manifest. It is the source of truth for which packs a repo (or, for -g installs, a machine) has installed and pinned. It lives at the repo root, next to package.json, in the same spot npm keeps its lockfile.

One exact version, never a range

harness.json records one exact version for each pack. That can be an exact registry version like 1.2.0, or an exact git branch, tag, or commit. It never records a range like "1.2.0 or newer". This means everyone who installs from the same file gets exactly the same content, today or in a year. Nothing updates silently. Recording an exact version this way is called a pin.

Receipts

Alongside the pins, the manifest records an install receipt: a sha256 per vendored file, per managed-region body, and per delivered capability artifact. That receipt is what drift detection compares against what's actually on disk.

The manifest's shape is fixed and checked on every write. A malformed harness.json is rejected, and the error names the exact field that's wrong. It is never silently accepted.

Example

{
  "version": 1,
  "target": { "kind": "repo", "id": "wrkflw" },
  "packs": { "@acme/security-review": "1.0.0" }
}

The pin "1.0.0" means this repo always installs that exact registry version, never a newer one, until someone bumps it.