What is harness.json?
harness.json is the per-target manifest. It is the source of truth for
which packs a repo (or, for -g installs, a machine) has installed and
pinned. It lives at the repo root, next to package.json, in the same
spot npm keeps its lockfile.
One exact version, never a range
harness.json records one exact version for each pack. That can be an
exact registry version like 1.2.0, or an exact git branch, tag, or
commit. It never records a range like "1.2.0 or newer". This means everyone who installs from the
same file gets exactly the same content, today or in a year. Nothing updates silently. Recording
an exact version this way is called a pin.
Receipts
Alongside the pins, the manifest records an install receipt: a sha256 per vendored file, per managed-region body, and per delivered capability artifact. That receipt is what drift detection compares against what's actually on disk.
The manifest's shape is fixed and checked on every write. A malformed
harness.json is rejected, and the error names the exact field that's
wrong. It is never silently accepted.
Example
{
"version": 1,
"target": { "kind": "repo", "id": "wrkflw" },
"packs": { "@acme/security-review": "1.0.0" }
}
The pin "1.0.0" means this repo always installs that exact registry version, never a newer one, until someone bumps it.