@structor-dev/cli 0.1.0 → 0.2.1

package/scripts/check-config.mjs

@@ -3,13 +3,12 @@
 import path from "node:path";
 import { readFile } from "node:fs/promises";
 import {
-  assertSafeOutputRoot,
   collectFiles,
-  exists,
+  ConfigResolutionError,
   failIfErrors,
   readJson,
   repoRoot,
-  validateConfigShape,
+  resolveHarnessConfig,
 } from "./lib.mjs";
 
 const errors = [];
@@ -22,49 +21,39 @@ const configFiles = checkingExamples
   ? ["harness.config.example.json", ...(await collectFiles("examples", (file) => file.endsWith("harness.config.json")))]
   : [path.resolve(args[configArgIndex + 1])];
 
+function resolutionErrors(error) {
+  if (error instanceof ConfigResolutionError) return error.errors;
+  const message = error instanceof Error ? error.message : String(error);
+  return message.split("\n").filter(Boolean);
+}
+
 for (const configPath of configFiles) {
   const label = checkingExamples ? configPath : path.relative(process.cwd(), configPath);
   const config = checkingExamples
     ? await readJson(configPath)
     : JSON.parse(await readFile(configPath, "utf8"));
-  errors.push(...(await validateConfigShape(config, label)));
 
   if (checkingExamples && path.isAbsolute(config.output?.path ?? "")) {
     errors.push(`${label}: output.path must be relative for examples.`);
   }
-  if (!checkingExamples) {
-    const configDir = path.dirname(configPath);
-    const outputPath = config.output.path;
-    const outputRoot = path.resolve(configDir, outputPath);
-    const consumerRepos = Array.isArray(config.consumers)
-      ? config.consumers.map((consumer) => path.resolve(configDir, consumer.path))
-      : [];
-    try {
-      assertSafeOutputRoot({
-        outputPath,
-        outputRoot,
-        repoRoot,
-        workspaceRoot: configDir,
-        consumerRepos,
-        allowAbsoluteOutput,
-      });
-    } catch (error) {
-      errors.push(`${label}: ${error instanceof Error ? error.message : String(error)}`);
-    }
+
+  try {
+    await resolveHarnessConfig(config, {
+      label,
+      configPath: checkingExamples ? path.join(repoRoot, configPath) : configPath,
+      allowAbsoluteOutput,
+      requireExistingConsumers,
+    });
+  } catch (error) {
+    errors.push(...resolutionErrors(error));
   }
 
-  if (Array.isArray(config.consumers)) {
+  if (checkingExamples && Array.isArray(config.consumers)) {
     for (const consumer of config.consumers) {
+      if (typeof consumer?.path !== "string") continue;
       if (checkingExamples && path.isAbsolute(consumer.path)) {
         errors.push(`${label}: consumer path for ${consumer.name} must be relative in checked-in examples.`);
       }
-      if (requireExistingConsumers) {
-        const configDir = checkingExamples ? path.dirname(path.join(repoRoot, configPath)) : path.dirname(configPath);
-        const consumerPath = path.resolve(configDir, consumer.path);
-        if (!(await exists(consumerPath))) {
-          errors.push(`${label}: consumer path for ${consumer.name} does not exist: ${consumerPath}`);
-        }
-      }
     }
   }
 }

package/scripts/check-examples.mjs

@@ -0,0 +1,146 @@
+#!/usr/bin/env node
+
+import { readFile, writeFile } from "node:fs/promises";
+import path from "node:path";
+import {
+  artifactTargetPath,
+  consumerEntrypointsForSettings,
+  enabledGeneratedArtifacts,
+  normalizeHarnessSettings,
+  workspaceEntrypointsForSettings,
+} from "./generated-harness-contract.mjs";
+import {
+  collectFiles,
+  failIfErrors,
+  readJson,
+  repoRoot,
+} from "./lib.mjs";
+
+const artifactPath = "examples/generated-harness-tree.md";
+const writeMode = process.argv.includes("--write");
+const exampleConfigs = await collectFiles("examples", (relativePath) => relativePath.endsWith("harness.config.json"));
+const expectedVariants = new Map([
+  ["openai-only", (config) => config.models.openai && !config.models.anthropic],
+  ["anthropic-only", (config) => !config.models.openai && config.models.anthropic],
+  ["openai-and-anthropic", (config) => config.models.openai && config.models.anthropic],
+]);
+const genericNamePattern = /^example-(frontend|api|worker|platform)$/;
+const errors = [];
+const configs = [];
+
+for (const configPath of exampleConfigs) {
+  const config = await readJson(configPath);
+  configs.push({ configPath, config });
+  assertGenericConfig(configPath, config);
+}
+
+for (const [variant, predicate] of expectedVariants) {
+  if (!configs.some(({ config }) => predicate(config))) {
+    errors.push(`examples must include an ${variant} harness.config.json variant.`);
+  }
+}
+
+const artifact = renderArtifact(configs);
+const artifactAbsolutePath = path.join(repoRoot, artifactPath);
+
+if (writeMode) {
+  await writeFile(artifactAbsolutePath, artifact);
+} else {
+  const current = await readFile(artifactAbsolutePath, "utf8").catch(() => "");
+  if (current !== artifact) {
+    errors.push(`${artifactPath} is stale. Run node scripts/check-examples.mjs --write.`);
+  }
+}
+
+failIfErrors("Examples check", errors);
+
+function assertGenericConfig(configPath, config) {
+  const names = [
+    config.project?.slug,
+    config.project?.harnessRepoName?.replace(/-structor$/, ""),
+    ...(config.consumers ?? []).flatMap((consumer) => [consumer.name, consumer.path?.replace(/^\.\//, "")]),
+  ].filter(Boolean);
+
+  for (const name of names) {
+    if (!genericNamePattern.test(name)) {
+      errors.push(`${configPath}: ${name} must use a generic example-* name.`);
+    }
+  }
+}
+
+function renderArtifact(items) {
+  const sections = items
+    .slice()
+    .sort(compareConfigs)
+    .map(({ configPath, config }) => renderSection(configPath, config));
+
+  return [
+    "# Generated Harness Tree Artifact",
+    "",
+    "This checked-in file is a text artifact for public inspection. It is not a generated harness directory, and no generated harness output is committed here.",
+    "",
+    "The tree below is derived from the checked-in example configs and `scripts/generated-harness-contract.mjs`. `npm run check:ci` verifies that this artifact stays synchronized with the expected generated file, workspace pointer, and consumer pointer surfaces.",
+    "",
+    ...sections,
+    "",
+  ].join("\n");
+}
+
+function compareConfigs(left, right) {
+  return variantRank(left.config) - variantRank(right.config)
+    || left.configPath.localeCompare(right.configPath);
+}
+
+function variantRank(config) {
+  if (config.models.openai && !config.models.anthropic) return 0;
+  if (!config.models.openai && config.models.anthropic) return 1;
+  return 2;
+}
+
+function renderSection(configPath, config) {
+  const settings = normalizeHarnessSettings(config);
+  const harnessRepoName = config.project.harnessRepoName;
+  const generatedFiles = [
+    ".structor/manifest.json",
+    ...enabledGeneratedArtifacts(settings).map(artifactTargetPath),
+  ].sort();
+  const workspaceEntrypoints = workspaceEntrypointsForSettings(settings).sort(compareEntrypoints);
+  const consumerEntrypoints = consumerEntrypointsForSettings(settings).sort(compareEntrypoints);
+  const lines = [
+    `## ${variantLabel(config)}`,
+    "",
+    `Source config: \`${configPath}\``,
+    "",
+    "```text",
+    "workspace/",
+    `  ${harnessRepoName}/`,
+  ];
+
+  for (const file of generatedFiles) {
+    lines.push(`    ${file}`);
+  }
+
+  for (const entrypoint of workspaceEntrypoints) {
+    lines.push(`  ${entrypoint.path}  # workspace pointer to ${harnessRepoName}/${entrypoint.source}`);
+  }
+
+  for (const consumer of config.consumers) {
+    lines.push(`  ${consumer.name}/`);
+    for (const entrypoint of consumerEntrypoints) {
+      lines.push(`    ${entrypoint.path}  # consumer pointer to ${harnessRepoName}/${entrypoint.source}`);
+    }
+  }
+
+  lines.push("```", "");
+  return lines.join("\n");
+}
+
+function compareEntrypoints(left, right) {
+  return left.path.localeCompare(right.path);
+}
+
+function variantLabel(config) {
+  if (config.models.openai && !config.models.anthropic) return "OpenAI-only example";
+  if (!config.models.openai && config.models.anthropic) return "Anthropic-only example";
+  return "OpenAI and Anthropic example";
+}

package/scripts/check-placeholders.mjs

@@ -7,6 +7,8 @@ import { collectFiles, failIfErrors, repoRoot } from "./lib.mjs";
 const errors = [];
 const activeFiles = await collectFiles(".", (file) => {
   if (file.startsWith(".git/")) return false;
+  if (file.startsWith(".claude/worktrees/")) return false;
+  if (file.startsWith(".codex/worktrees/")) return false;
   if (file.startsWith("template/")) return false;
   return [".md", ".json", ".mjs"].some((suffix) => file.endsWith(suffix));
 });

package/scripts/check-public-hygiene.mjs

@@ -0,0 +1,249 @@
+#!/usr/bin/env node
+
+import { readdir, readFile, stat } from "node:fs/promises";
+import path from "node:path";
+import { exists, failIfErrors, repoRoot } from "./lib.mjs";
+
+const errors = [];
+
+const skippedDirectories = new Set([
+  ".git",
+  ".cache",
+  ".next",
+  ".turbo",
+  "coverage",
+  "dist",
+  "node_modules",
+  "tmp",
+  "temp",
+]);
+
+// Hygiene scanning is deny-list based: every publishable file is scanned for
+// secrets unless its extension is known-binary. An allow-list of extensions
+// silently skipped extensionless files (e.g. `prod-private-key`) that npm pack
+// would still publish, so we invert the check.
+const binaryExtensions = new Set([
+  ".png",
+  ".jpg",
+  ".jpeg",
+  ".gif",
+  ".webp",
+  ".ico",
+  ".bmp",
+  ".tiff",
+  ".pdf",
+  ".woff",
+  ".woff2",
+  ".ttf",
+  ".otf",
+  ".eot",
+  ".zip",
+  ".gz",
+  ".tgz",
+  ".tar",
+  ".bz2",
+  ".xz",
+  ".7z",
+  ".rar",
+  ".jar",
+  ".mp3",
+  ".mp4",
+  ".mov",
+  ".avi",
+  ".wav",
+  ".webm",
+  ".wasm",
+  ".node",
+  ".bin",
+  ".exe",
+  ".dll",
+  ".so",
+  ".dylib",
+  ".class",
+]);
+
+// Patterns for high-confidence secret material that must never be published.
+const secretPatterns = [
+  {
+    pattern: /-----BEGIN (?:RSA |EC |DSA |OPENSSH |PGP |ENCRYPTED )?PRIVATE KEY-----/,
+    description: "a private key block",
+  },
+  { pattern: /\bsk_live_[A-Za-z0-9]{16,}/, description: "a Stripe live secret key" },
+  { pattern: /\brk_live_[A-Za-z0-9]{16,}/, description: "a Stripe live restricted key" },
+  { pattern: /\bAKIA[0-9A-Z]{16}\b/, description: "an AWS access key id" },
+  { pattern: /\bghp_[A-Za-z0-9]{36}\b/, description: "a GitHub personal access token" },
+  { pattern: /\bgithub_pat_[A-Za-z0-9_]{40,}/, description: "a GitHub fine-grained token" },
+  { pattern: /\bxox[baprs]-[A-Za-z0-9-]{10,}/, description: "a Slack token" },
+  { pattern: /\bAIza[0-9A-Za-z_-]{35}\b/, description: "a Google API key" },
+  { pattern: /\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}/, description: "a JWT" },
+];
+
+const allowedRepositoryUrls = new Set([
+  "https://github.com/nicolaycamacho/structor",
+  "https://github.com/nicolaycamacho/structor.git",
+  "git+https://github.com/nicolaycamacho/structor.git",
+]);
+
+const forbiddenProjectTermsEnvVar = "HARNESS_FORBIDDEN_PROJECT_TERMS";
+const configuredForbiddenProjectTerms = (process.env[forbiddenProjectTermsEnvVar] ?? "")
+  .split(",")
+  .map((term) => term.trim())
+  .filter(Boolean);
+
+const forbiddenProjectTermPatterns = [...new Set(configuredForbiddenProjectTerms)]
+  .map((term) => new RegExp(`\\b${escapeRegExp(term)}\\b`, "i"));
+
+await checkCommittedGeneratedOutput();
+
+const activeFiles = await collectPublishableFiles();
+for (const relativePath of activeFiles) {
+  const content = await readFile(path.join(repoRoot, relativePath), "utf8");
+  checkContent(relativePath, content);
+}
+
+failIfErrors("Public hygiene check", errors);
+
+async function checkCommittedGeneratedOutput() {
+  const generatedRoot = path.join(repoRoot, "generated");
+  if (await exists(generatedRoot)) {
+    errors.push("generated/ exists; generated harness output must not be committed.");
+  }
+
+  const entries = await readdir(repoRoot, { withFileTypes: true });
+  for (const entry of entries) {
+    if (!entry.isDirectory()) continue;
+    if (skippedDirectories.has(entry.name)) continue;
+
+    const manifestPath = path.join(repoRoot, entry.name, ".structor", "manifest.json");
+    if (await exists(manifestPath)) {
+      errors.push(`${entry.name}/ looks like generated harness output and must not be committed.`);
+    }
+  }
+}
+
+function shouldScanFile(relativePath) {
+  if (relativePath === "scripts/check-public-hygiene.mjs") {
+    return false;
+  }
+  if (relativePath === "package-lock.json") {
+    return false;
+  }
+  return !binaryExtensions.has(path.extname(relativePath).toLowerCase());
+}
+
+// Scan exactly the set of files npm would publish (the package.json `files`
+// allow-list plus the always-included package.json), so extensionless secret
+// files inside published directories are caught while local-only files such as
+// `.git` or `*.local.json` are not falsely flagged.
+async function collectPublishableFiles() {
+  const pkg = JSON.parse(await readFile(path.join(repoRoot, "package.json"), "utf8"));
+  const entries = new Set(["package.json", ...(Array.isArray(pkg.files) ? pkg.files : [])]);
+  const files = new Set();
+
+  async function walk(currentRelativePath) {
+    const dirEntries = await readdir(path.join(repoRoot, currentRelativePath), { withFileTypes: true });
+    for (const entry of dirEntries) {
+      const relativePath = path.posix.join(currentRelativePath, entry.name);
+      if (entry.isDirectory()) {
+        if (!skippedDirectories.has(entry.name)) await walk(relativePath);
+      } else if (entry.isFile() && shouldScanFile(relativePath)) {
+        files.add(relativePath);
+      }
+    }
+  }
+
+  for (const entry of entries) {
+    const normalized = entry.replace(/\/+$/, "");
+    const absolute = path.join(repoRoot, normalized);
+    if (!(await exists(absolute))) continue;
+    const stats = await stat(absolute);
+    if (stats.isDirectory()) {
+      await walk(normalized);
+    } else if (shouldScanFile(normalized)) {
+      files.add(normalized);
+    }
+  }
+
+  return [...files].sort();
+}
+
+function checkContent(relativePath, content) {
+  const hasPersonalPath =
+    /\/Users\/[^/\s]+/.test(content) ||
+    /\/home\/[^/\s]+/.test(content) ||
+    /[A-Za-z]:\\Users\\[^\\\s]+/.test(content);
+  if (hasPersonalPath) {
+    errors.push(`${relativePath} contains an obvious local personal path.`);
+  }
+
+  if (/[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/i.test(content)) {
+    errors.push(`${relativePath} contains an email address.`);
+  }
+
+  for (const { pattern, description } of secretPatterns) {
+    if (pattern.test(content)) {
+      errors.push(`${relativePath} contains ${description}.`);
+    }
+  }
+
+  for (const repoUrl of findRepositoryUrls(content)) {
+    if (allowedRepositoryUrls.has(repoUrl)) continue;
+    if (isPrivateLookingRepositoryUrl(repoUrl)) {
+      errors.push(`${relativePath} contains a private-looking repository URL: ${repoUrl}`);
+    }
+  }
+
+  for (const pattern of forbiddenProjectTermPatterns) {
+    if (pattern.test(content)) {
+      errors.push(`${relativePath} contains a configured forbidden project term.`);
+      break;
+    }
+  }
+}
+
+function findRepositoryUrls(content) {
+  const urls = new Set();
+  const patterns = [
+    /\b(?:git\+)?https:\/\/(?:github|gitlab|bitbucket)\.[^\s`'")<>]+\/[^\s`'")<>]+\/[^\s`'")<>]+/gi,
+    /\bgit@(?:github|gitlab|bitbucket)\.[^:\s]+:[^\s`'")<>]+\/[^\s`'")<>]+/gi,
+    /\bssh:\/\/git@(?:github|gitlab|bitbucket)\.[^\s`'")<>]+\/[^\s`'")<>]+\/[^\s`'")<>]+/gi,
+  ];
+
+  for (const pattern of patterns) {
+    for (const match of content.matchAll(pattern)) {
+      urls.add(match[0].replace(/[.,;:]+$/, ""));
+    }
+  }
+
+  return urls;
+}
+
+function isPrivateLookingRepositoryUrl(repoUrl) {
+  if (/^git@/i.test(repoUrl) || /^ssh:\/\//i.test(repoUrl)) return true;
+  if (/\b(internal|private|proprietary|confidential)\b/i.test(repoUrl)) return true;
+  if (!isAllowedPublicRepositoryUrl(repoUrl)) {
+    return true;
+  }
+  return false;
+}
+
+function isAllowedPublicRepositoryUrl(repoUrl) {
+  const normalizedRepoUrl = repoUrl.replace(/^git\+/i, "");
+  let url;
+  try {
+    url = new URL(normalizedRepoUrl);
+  } catch {
+    return false;
+  }
+
+  if (url.protocol !== "https:" || url.hostname !== "github.com") return false;
+
+  const segments = url.pathname.split("/").filter(Boolean);
+  const [owner, repo] = segments;
+  const normalizedRepo = repo?.replace(/\.git$/i, "");
+  return owner === "nicolaycamacho" && normalizedRepo === "structor";
+}
+
+function escapeRegExp(value) {
+  return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}

package/scripts/check-schemas.mjs

@@ -0,0 +1,42 @@
+#!/usr/bin/env node
+
+import { readdir, readFile } from "node:fs/promises";
+import path from "node:path";
+import { failIfErrors, repoRoot } from "./lib.mjs";
+
+const schemasDirectory = "schemas";
+const activeSchemas = new Set([
+  "contract-manifest.schema.json",
+  "harness-config.schema.json",
+]);
+
+const entries = await readdir(path.join(repoRoot, schemasDirectory), { withFileTypes: true });
+const errors = [];
+
+for (const entry of entries) {
+  if (!entry.isFile() || !entry.name.endsWith(".schema.json")) continue;
+
+  const relativePath = `${schemasDirectory}/${entry.name}`;
+  if (!activeSchemas.has(entry.name)) {
+    errors.push(`${relativePath} is not an active Structor schema contract.`);
+  }
+
+  const content = await readFile(path.join(repoRoot, relativePath), "utf8");
+  if (content.includes("example.com")) {
+    errors.push(`${relativePath} must not use placeholder example.com identifiers.`);
+  }
+
+  try {
+    JSON.parse(content);
+  } catch {
+    errors.push(`${relativePath} must be valid JSON.`);
+  }
+}
+
+for (const schemaName of activeSchemas) {
+  if (!entries.some((entry) => entry.isFile() && entry.name === schemaName)) {
+    errors.push(`${schemasDirectory}/${schemaName} is missing.`);
+  }
+}
+
+failIfErrors("Schema check", errors);

package/scripts/check-template-files.mjs

@@ -1,110 +1,27 @@
 #!/usr/bin/env node
 
 import path from "node:path";
-import { exists, failIfErrors, repoRoot } from "./lib.mjs";
+import { collectFiles, exists, failIfErrors, repoRoot } from "./lib.mjs";
+import {
+  generatedHarnessContractErrors,
+  generatedHarnessTemplatePaths,
+} from "./generated-harness-contract.mjs";
 
-const requiredFiles = [
-  "template/AGENTS.md.tpl",
-  "template/CLAUDE.md.tpl",
-  "template/.claude/CLAUDE.md.tpl",
-  "template/.claude/rules/harness-client-surfaces.md.tpl",
-  "template/.claude/settings.json.tpl",
-  "template/.codex/hooks.json.tpl",
-  "template/README.md.tpl",
-  "template/ai/AGENTS.md.tpl",
-  "template/ai/HUB.md.tpl",
-  "template/ai/context.md.tpl",
-  "template/ai/HARNESS.md.tpl",
-  "template/ai/HARNESS-ENGINEERING.md.tpl",
-  "template/ai/READINESS.md.tpl",
-  "template/ai/QUALITY.md.tpl",
-  "template/ai/DECISIONS.md.tpl",
-  "template/ai/PRODUCT-SUMMARY.md.tpl",
-  "template/ai/PRODUCT.md.tpl",
-  "template/ai/ARCHITECTURE.md.tpl",
-  "template/ai/DESIGN.md.tpl",
-  "template/ai/WORKFLOW.md.tpl",
-  "template/ai/VERSIONING.md.tpl",
-  "template/ai/CODEX-HOOKS.md.tpl",
-  "template/ai/RUNNER-SAFETY.md.tpl",
-  "template/ai/RUNNER-READINESS.md.tpl",
-  "template/ai/AGENT-GARBAGE-COLLECTION.md.tpl",
-  "template/ai/knowledge-manifest.json.tpl",
-  "template/ai/workspace/REPOS.md.tpl",
-  "template/ai/workspace/SYSTEM-MAP.md.tpl",
-  "template/ai/workspace/SESSION-BOOTSTRAP.md.tpl",
-  "template/ai/workspace/LOCAL-STACK.md.tpl",
-  "template/ai/workspace/TEST-STRATEGY.md.tpl",
-  "template/ai/model-overlays/openai/AGENTS.md.tpl",
-  "template/ai/model-overlays/anthropic/CLAUDE.md.tpl",
-  "template/consumer/AGENTS.md.tpl",
-  "template/consumer/CLAUDE.md.tpl",
-  "template/consumer/.claude/CLAUDE.md.tpl",
-  "template/workspace/AGENTS.md.tpl",
-  "template/workspace/CLAUDE.md.tpl",
-  "template/workspace/.claude/CLAUDE.md.tpl",
-  "template/workspace/.claude/rules/harness-client-surfaces.md.tpl",
-  "template/workspace/.claude/settings.json.tpl",
-  "template/ai/contracts/README.md.tpl",
-  "template/ai/contracts/repo-boundaries.md.tpl",
-  "template/ai/contracts/app-legibility.md.tpl",
-  "template/ai/contracts/api-boundary.md.tpl",
-  "template/ai/contracts/security-boundary.md.tpl",
-  "template/ai/contracts/repo-boundaries.contract.json.tpl",
-  "template/ai/contracts/app-legibility.contract.json.tpl",
-  "template/ai/contracts/api-boundary.contract.json.tpl",
-  "template/ai/contracts/security-boundary.contract.json.tpl",
-  "template/ai/contracts/codex-hooks.md.tpl",
-  "template/ai/contracts/codex-hooks.contract.json.tpl",
-  "template/ai/contracts/release-flow.md.tpl",
-  "template/ai/contracts/release-flow.contract.json.tpl",
-  "template/ai/contracts/github-safety.md.tpl",
-  "template/ai/contracts/github-safety.contract.json.tpl",
-  "template/ai/templates/README.md.tpl",
-  "template/ai/templates/task-brief-template.md.tpl",
-  "template/ai/templates/issue-template.md.tpl",
-  "template/ai/templates/fixtures/issues/valid-ready.md.tpl",
-  "template/ai/templates/fixtures/issues/invalid-placeholder.md.tpl",
-  "template/ai/templates/fixtures/issues/invalid-protected-surface.md.tpl",
-  "template/ai/specs/README.md.tpl",
-  "template/ai/skills/README.md.tpl",
-  "template/ai/skills/review-architecture.md.tpl",
-  "template/ai/skills/review-security.md.tpl",
-  "template/ai/skills/review-contract-drift.md.tpl",
-  "template/ai/skills/review-governance-drift.md.tpl",
-  "template/ai/plans/README.md.tpl",
-  "template/ai/plans/tech-debt.md.tpl",
-  "template/scripts/validate-governance.mjs.tpl",
-  "template/scripts/check-template-governance.mjs.tpl",
-  "template/scripts/check-readiness.mjs.tpl",
-  "template/scripts/check-task-template.mjs.tpl",
-  "template/scripts/check-issue-template.mjs.tpl",
-  "template/scripts/check-knowledge-manifest.mjs.tpl",
-  "template/scripts/check-plans.mjs.tpl",
-  "template/scripts/check-review-skills.mjs.tpl",
-  "template/scripts/check-garbage-collection.mjs.tpl",
-  "template/scripts/check-contract-manifests.mjs.tpl",
-  "template/scripts/generate-html-views.mjs.tpl",
-  "template/scripts/check-html-views.mjs.tpl",
-  "template/scripts/check-codex-hooks.mjs.tpl",
-  "template/scripts/check-claude-compatibility.mjs.tpl",
-  "template/scripts/check-overlay-drift.mjs.tpl",
-  "template/scripts/bootstrap-codex-worktree.mjs.tpl",
-  "template/scripts/check-worktrees.mjs.tpl",
-  "template/scripts/check-worktree-bootstrap-fixtures.mjs.tpl",
-  "template/scripts/lib/worktree-bootstrap.mjs.tpl",
-  "template/scripts/fixtures/worktrees/README.md.tpl",
-  "template/scripts/bootstrap-workspace.mjs.tpl",
-  "template/scripts/check-workspace.mjs.tpl",
-  "template/scripts/hooks/codex-hook.mjs.tpl",
-  "template/scripts/hooks/lib/codex-hooks-core.mjs.tpl"
-];
+const requiredFiles = generatedHarnessTemplatePaths();
+const declared = new Set(requiredFiles);
+const actualTemplateFiles = await collectFiles("template", (relativePath) => relativePath.endsWith(".tpl"));
+const errors = generatedHarnessContractErrors();
 
-const errors = [];
 for (const relativePath of requiredFiles) {
   if (!(await exists(path.join(repoRoot, relativePath)))) {
     errors.push(`missing ${relativePath}`);
   }
 }
 
+for (const relativePath of actualTemplateFiles) {
+  if (!declared.has(relativePath)) {
+    errors.push(`${relativePath} is not declared in scripts/generated-harness-contract.mjs`);
+  }
+}
+
 failIfErrors("Template file check", errors);