verify-witness
GitHub验证脚手架 harness 的 Ed25519 witness 签名,快速确认发布者身份。专用于 CI、联邦握手及多签流程,比完整校验更轻量。支持严格模式与非严格模式,返回 VALID/INVALID 结果。
触发场景
安装
npx skills add ruvnet/metaharness --skill verify-witness -g -y
SKILL.md
Frontmatter
{
"name": "verify-witness",
"description": "Verify the Ed25519 witness manifest of a scaffolded harness. Fast yes\/no signature check that proves the publisher signed this exact file set — separate from the full release-readiness umbrella in validate-harness."
}
verify-witness
Codex skill: Ed25519 witness manifest verification for a scaffolded harness.
What it does
Reads .harness/witness.json, validates the Ed25519 signature against the embedded public key, and reports VALID / INVALID with a one-line reason.
Distinct from validate-harness:
validate-harnessis the umbrella — doctor + verify + path-guard + mcp + secretsverify-witnessis only the signature check — fast yes/no for CI / federation handshakes / multi-signer workflows
Usage from Codex
/verify-witness
/verify-witness path=./my-harness
/verify-witness path=./my-harness strict=false
Equivalent CLI
harness verify ./my-harness
Why it's separate from validate-harness
When two harnesses federate (iter 9), they need to confirm each other's witness signatures BEFORE doing the full release-readiness check. Splitting this surface lets federation peers run a fast signature handshake without paying for the full validate sweep.
Also: CI workflows that only care about signature integrity (e.g. mirroring a published harness to a private registry) can call this skill instead of the heavier umbrella.
What's checked
| Check | Detail |
|---|---|
| File present | .harness/witness.json exists |
| Manifest shape | All required fields (harness, version, entries, public_key, signature) |
| Signature | Ed25519 verify against the embedded public key |
| Strict mode | If strict=true and no witness, exit non-zero. If false, soft-skip with PASS |
Exit 0 = signature VALID. Exit 1 = INVALID / missing (strict mode).
版本历史
- 6e1902b 当前 2026-07-05 11:04


