@structor-dev/cli 0.1.0 → 0.2.1

package/scripts/lib.mjs

@@ -1,10 +1,22 @@
-import { access, readdir, readFile, stat } from "node:fs/promises";
+import { access, lstat, readdir, readFile, realpath, stat } from "node:fs/promises";
 import { constants as fsConstants } from "node:fs";
 import path from "node:path";
 import { fileURLToPath } from "node:url";
 
 export const repoRoot = path.resolve(path.dirname(fileURLToPath(import.meta.url)), "..");
 
+export const consumerRepoSignals = [
+  ".git",
+  "package.json",
+  "pyproject.toml",
+  "go.mod",
+  "Cargo.toml",
+  "pom.xml",
+  "build.gradle",
+  "Gemfile",
+  "composer.json",
+];
+
 export async function exists(filePath) {
   try {
     await access(filePath, fsConstants.F_OK);
@@ -56,7 +68,200 @@ export function isSameOrInsidePath(candidate, root) {
   return relative === "" || (!relative.startsWith("..") && !path.isAbsolute(relative));
 }
 
-export function assertSafeOutputRoot({
+export function isAbsolutePathString(candidate) {
+  return (
+    path.isAbsolute(candidate) ||
+    candidate.startsWith("/") ||
+    candidate.startsWith("\\") ||
+    /^[A-Za-z]:/.test(candidate)
+  );
+}
+
+export function pathHasTraversal(candidate) {
+  return candidate.split(/[\\/]+/).includes("..");
+}
+
+function pathSegments(candidate) {
+  return candidate.split(/[\\/]+/).filter(Boolean);
+}
+
+async function lstatIfExists(targetPath) {
+  try {
+    return await lstat(targetPath);
+  } catch (error) {
+    if (error?.code === "ENOENT") return null;
+    throw error;
+  }
+}
+
+export function workspaceRootForConfig(configDir, templateRepoRoot = repoRoot) {
+  const resolvedConfigDir = path.resolve(configDir);
+  const resolvedTemplateRepoRoot = path.resolve(templateRepoRoot);
+  return isSameOrInsidePath(resolvedConfigDir, resolvedTemplateRepoRoot)
+    ? path.dirname(resolvedTemplateRepoRoot)
+    : resolvedConfigDir;
+}
+
+export async function canonicalPathForWrite(targetPath) {
+  let currentPath = path.resolve(targetPath);
+  const missingSegments = [];
+
+  while (true) {
+    if (await exists(currentPath)) {
+      return path.join(await realpath(currentPath), ...missingSegments);
+    }
+
+    const parentPath = path.dirname(currentPath);
+    if (parentPath === currentPath) {
+      return path.join(currentPath, ...missingSegments);
+    }
+
+    missingSegments.unshift(path.basename(currentPath));
+    currentPath = parentPath;
+  }
+}
+
+export function assertSafeConsumerPath({
+  consumerName,
+  consumerPath,
+  workspaceRoot,
+  outputRoot = null,
+  repoRoot: templateRepoRoot = repoRoot,
+  allowTemplateRepoConsumer = false,
+}) {
+  const label = `Consumer path for ${consumerName}`;
+  const rejectedPath = path.resolve(workspaceRoot, consumerPath);
+  const segments = pathSegments(consumerPath);
+
+  if (isAbsolutePathString(consumerPath)) {
+    throw new Error(`${label} is unsafe: absolute consumer paths are not allowed.`);
+  }
+  if (pathHasTraversal(consumerPath)) {
+    throw new Error(`${label} is unsafe: relative traversal is not allowed.`);
+  }
+  if (segments.filter((segment) => segment !== ".").length === 0) {
+    throw new Error(`${label} is unsafe: path must name a consumer repository folder, not the workspace root.`);
+  }
+  if (segments.includes(".git") || pathContainsSegment(rejectedPath, ".git")) {
+    throw new Error(`${label} is unsafe: consumer paths must not contain a .git path segment.`);
+  }
+  if (!isSameOrInsidePath(rejectedPath, workspaceRoot)) {
+    throw new Error(`${label} is unsafe: path must stay inside the workspace ${workspaceRoot}.`);
+  }
+  if (path.resolve(rejectedPath) === path.resolve(workspaceRoot)) {
+    throw new Error(`${label} is unsafe: path must not equal the workspace root ${workspaceRoot}.`);
+  }
+  if (!allowTemplateRepoConsumer && isSameOrInsidePath(rejectedPath, templateRepoRoot)) {
+    throw new Error(`${label} is unsafe: path must not equal or be inside the Structor template repo ${templateRepoRoot}.`);
+  }
+  if (outputRoot && isSameOrInsidePath(rejectedPath, outputRoot)) {
+    throw new Error(`${label} is unsafe: path must not equal or be inside the generated harness output ${outputRoot}.`);
+  }
+
+  return rejectedPath;
+}
+
+export async function hasConsumerRepositorySignal(consumerRoot) {
+  for (const signal of consumerRepoSignals) {
+    if (await exists(path.join(consumerRoot, signal))) return true;
+  }
+  return false;
+}
+
+export async function assertConfirmedConsumerRepository({
+  consumerName,
+  consumerRoot,
+  workspaceRoot,
+  outputRoot = null,
+  repoRoot: templateRepoRoot = repoRoot,
+  allowTemplateRepoConsumer = false,
+}) {
+  const label = `Consumer path for ${consumerName}`;
+  const info = await lstatIfExists(consumerRoot);
+  if (info === null) {
+    throw new Error(`Consumer repo path for ${consumerName} does not exist: ${consumerRoot}`);
+  }
+  if (info.isSymbolicLink()) {
+    throw new Error(`${label} is unsafe: symlinked consumer paths are not allowed: ${consumerRoot}.`);
+  }
+  if (!info.isDirectory()) {
+    throw new Error(`${label} is not a directory: ${consumerRoot}.`);
+  }
+
+  const canonicalWorkspaceRoot = await canonicalPathForWrite(workspaceRoot);
+  const canonicalConsumerRoot = await canonicalPathForWrite(consumerRoot);
+  if (!isSameOrInsidePath(canonicalConsumerRoot, canonicalWorkspaceRoot)) {
+    throw new Error(
+      `${label} is unsafe: resolved path escapes workspace ${canonicalWorkspaceRoot}: ${canonicalConsumerRoot}.`,
+    );
+  }
+
+  const canonicalTemplateRepoRoot = await canonicalPathForWrite(templateRepoRoot);
+  if (!allowTemplateRepoConsumer && isSameOrInsidePath(canonicalConsumerRoot, canonicalTemplateRepoRoot)) {
+    throw new Error(
+      `${label} is unsafe: resolved path must not equal or be inside the Structor template repo ${canonicalTemplateRepoRoot}.`,
+    );
+  }
+
+  if (outputRoot) {
+    const canonicalOutputRoot = await canonicalPathForWrite(outputRoot);
+    if (isSameOrInsidePath(canonicalConsumerRoot, canonicalOutputRoot)) {
+      throw new Error(
+        `${label} is unsafe: resolved path must not equal or be inside the generated harness output ${canonicalOutputRoot}.`,
+      );
+    }
+  }
+
+  if (!(await hasConsumerRepositorySignal(canonicalConsumerRoot))) {
+    throw new Error(
+      `${label} is not a confirmed consumer repository: ${consumerRoot} (expected one of ${consumerRepoSignals.join(", ")}).`,
+    );
+  }
+
+  return canonicalConsumerRoot;
+}
+
+async function firstSymlinkUnderRoot(targetPath, rootPath) {
+  const resolvedTarget = path.resolve(targetPath);
+  const resolvedRoot = path.resolve(rootPath);
+  if (!isSameOrInsidePath(resolvedTarget, resolvedRoot)) return null;
+
+  const relative = path.relative(resolvedRoot, resolvedTarget);
+  if (relative === "") return null;
+
+  let currentPath = resolvedRoot;
+  for (const segment of relative.split(path.sep)) {
+    currentPath = path.join(currentPath, segment);
+    const info = await lstatIfExists(currentPath);
+    if (info === null) return null;
+    if (info.isSymbolicLink()) return currentPath;
+  }
+
+  return null;
+}
+
+export async function assertSafeWriteTarget({ targetPath, rootPath, label = "Write target" }) {
+  const resolvedTarget = path.resolve(targetPath);
+  const resolvedRoot = path.resolve(rootPath);
+  if (!isSameOrInsidePath(resolvedTarget, resolvedRoot)) {
+    throw new Error(`${label} is unsafe: target ${resolvedTarget} must stay inside ${resolvedRoot}.`);
+  }
+
+  const symlinkPath = await firstSymlinkUnderRoot(resolvedTarget, resolvedRoot);
+  if (symlinkPath !== null) {
+    throw new Error(`${label} is unsafe: symlinked write targets are not allowed (${symlinkPath}).`);
+  }
+
+  const canonicalRoot = await canonicalPathForWrite(resolvedRoot);
+  const canonicalTarget = await canonicalPathForWrite(resolvedTarget);
+  if (!isSameOrInsidePath(canonicalTarget, canonicalRoot)) {
+    throw new Error(`${label} is unsafe: resolved target escapes ${canonicalRoot}: ${canonicalTarget}.`);
+  }
+
+  return canonicalTarget;
+}
+
+export async function assertSafeOutputRoot({
   outputPath,
   outputRoot,
   repoRoot: templateRepoRoot,
@@ -68,22 +273,190 @@ export function assertSafeOutputRoot({
   if (path.isAbsolute(outputPath) && !allowAbsoluteOutput) {
     throw new Error(`Unsafe output path ${rejectedPath}: absolute output paths require --allow-absolute-output.`);
   }
-  if (isSameOrInsidePath(outputRoot, templateRepoRoot)) {
-    throw new Error(`Unsafe output path ${rejectedPath}: output must not equal or be inside the template repo ${templateRepoRoot}.`);
+  if (pathContainsSegment(rejectedPath, ".git")) {
+    throw new Error(`Unsafe output path ${rejectedPath}: output path must not contain a .git path segment.`);
   }
-  if (path.resolve(outputRoot) === path.resolve(workspaceRoot)) {
-    throw new Error(`Unsafe output path ${rejectedPath}: output must not equal the workspace root ${workspaceRoot}.`);
+
+  const symlinkPath = await firstSymlinkUnderRoot(outputRoot, workspaceRoot);
+  if (symlinkPath !== null) {
+    throw new Error(`Unsafe output path ${rejectedPath}: output path must not use symlinked output directories (${symlinkPath}).`);
+  }
+
+  const outputInfo = await lstatIfExists(outputRoot);
+  if (outputInfo?.isSymbolicLink()) {
+    throw new Error(`Unsafe output path ${rejectedPath}: output path must not use symlinked output directories (${rejectedPath}).`);
+  }
+
+  const canonicalOutputRoot = await canonicalPathForWrite(outputRoot);
+  const canonicalTemplateRepoRoot = await canonicalPathForWrite(templateRepoRoot);
+  const canonicalWorkspaceRoot = await canonicalPathForWrite(workspaceRoot);
+
+  if (!path.isAbsolute(outputPath) && !isSameOrInsidePath(canonicalOutputRoot, canonicalWorkspaceRoot)) {
+    throw new Error(
+      `Unsafe output path ${rejectedPath}: relative output paths must remain inside the workspace boundary ${canonicalWorkspaceRoot}.`,
+    );
+  }
+  if (isSameOrInsidePath(canonicalOutputRoot, canonicalTemplateRepoRoot)) {
+    throw new Error(`Unsafe output path ${rejectedPath}: output must not equal or be inside the template repo ${canonicalTemplateRepoRoot}.`);
+  }
+  if (canonicalOutputRoot === canonicalWorkspaceRoot) {
+    throw new Error(`Unsafe output path ${rejectedPath}: output must not equal the workspace root ${canonicalWorkspaceRoot}.`);
   }
   for (const consumerRoot of consumerRepos) {
-    if (isSameOrInsidePath(outputRoot, consumerRoot)) {
+    const canonicalConsumerRoot = await canonicalPathForWrite(consumerRoot);
+    if (isSameOrInsidePath(canonicalOutputRoot, canonicalConsumerRoot)) {
       throw new Error(
-        `Unsafe output path ${rejectedPath}: output must not equal or be inside configured consumer repo ${consumerRoot}.`,
+        `Unsafe output path ${rejectedPath}: output must not equal or be inside configured consumer repo ${canonicalConsumerRoot}.`,
       );
     }
   }
-  if (pathContainsSegment(outputRoot, ".git")) {
+  if (pathContainsSegment(canonicalOutputRoot, ".git")) {
     throw new Error(`Unsafe output path ${rejectedPath}: output path must not contain a .git path segment.`);
   }
+
+  return canonicalOutputRoot;
+}
+
+export class ConfigResolutionError extends Error {
+  constructor(errors) {
+    super(errors.join("\n"));
+    this.name = "ConfigResolutionError";
+    this.errors = errors;
+  }
+}
+
+export function resolveClientSupport(config) {
+  return {
+    codexHooks: config.models.openai && (config.clientSupport?.codex?.hooks ?? true),
+    claudeRules: config.models.anthropic && (config.clientSupport?.claude?.rules ?? true),
+    claudeHooks: config.models.anthropic && (config.clientSupport?.claude?.hooks ?? false),
+    claudeSkills: config.models.anthropic && (config.clientSupport?.claude?.skills ?? false),
+  };
+}
+
+function configResolutionMessage(label, error) {
+  const message = error instanceof Error ? error.message : String(error);
+  return `${label}: ${message}`;
+}
+
+export async function resolveHarnessConfig(config, {
+  label = "harness config",
+  configPath = null,
+  configDir = configPath ? path.dirname(path.resolve(configPath)) : process.cwd(),
+  outputPath = config?.output?.path,
+  repoRoot: templateRepoRoot = repoRoot,
+  allowAbsoluteOutput = false,
+  requireExistingConsumers = false,
+  allowTemplateRepoConsumer = false,
+} = {}) {
+  const errors = await validateConfigShape(config, label);
+  if (errors.length > 0) {
+    throw new ConfigResolutionError(errors);
+  }
+
+  const resolvedConfigDir = path.resolve(configDir);
+  const workspaceRoot = workspaceRootForConfig(resolvedConfigDir, templateRepoRoot);
+  const requestedOutputRoot = path.resolve(resolvedConfigDir, outputPath);
+  const consumerRoots = [];
+
+  for (const consumer of config.consumers) {
+    try {
+      consumerRoots.push(assertSafeConsumerPath({
+        consumerName: consumer.name,
+        consumerPath: consumer.path,
+        workspaceRoot,
+        repoRoot: templateRepoRoot,
+        allowTemplateRepoConsumer,
+      }));
+    } catch (error) {
+      errors.push(configResolutionMessage(label, error));
+    }
+  }
+
+  let outputRoot = requestedOutputRoot;
+  try {
+    outputRoot = await assertSafeOutputRoot({
+      outputPath,
+      outputRoot: requestedOutputRoot,
+      repoRoot: templateRepoRoot,
+      workspaceRoot,
+      consumerRepos: consumerRoots,
+      allowAbsoluteOutput,
+    });
+  } catch (error) {
+    errors.push(configResolutionMessage(label, error));
+  }
+
+  if (errors.length > 0) {
+    throw new ConfigResolutionError(errors);
+  }
+
+  const canonicalWorkspaceRoot = await canonicalPathForWrite(workspaceRoot);
+  const canonicalTemplateRepoRoot = await canonicalPathForWrite(templateRepoRoot);
+  const consumers = [];
+  for (const consumer of config.consumers) {
+    try {
+      const consumerRoot = assertSafeConsumerPath({
+        consumerName: consumer.name,
+        consumerPath: consumer.path,
+        workspaceRoot,
+        outputRoot,
+        repoRoot: templateRepoRoot,
+        allowTemplateRepoConsumer,
+      });
+      const confirmedRoot = requireExistingConsumers
+        ? await assertConfirmedConsumerRepository({
+          consumerName: consumer.name,
+          consumerRoot,
+          workspaceRoot,
+          outputRoot,
+          repoRoot: templateRepoRoot,
+          allowTemplateRepoConsumer,
+        })
+        : null;
+      const canonicalConsumerRoot = confirmedRoot ?? await canonicalPathForWrite(consumerRoot);
+      if (!confirmedRoot) {
+        if (!isSameOrInsidePath(canonicalConsumerRoot, canonicalWorkspaceRoot)) {
+          throw new Error(
+            `Consumer path for ${consumer.name} is unsafe: resolved path escapes workspace ${canonicalWorkspaceRoot}: ${canonicalConsumerRoot}.`,
+          );
+        }
+        if (!allowTemplateRepoConsumer && isSameOrInsidePath(canonicalConsumerRoot, canonicalTemplateRepoRoot)) {
+          throw new Error(
+            `Consumer path for ${consumer.name} is unsafe: resolved path must not equal or be inside the Structor template repo ${canonicalTemplateRepoRoot}.`,
+          );
+        }
+        if (isSameOrInsidePath(canonicalConsumerRoot, outputRoot)) {
+          throw new Error(
+            `Consumer path for ${consumer.name} is unsafe: resolved path must not equal or be inside the generated harness output ${outputRoot}.`,
+          );
+        }
+      }
+      consumers.push({
+        config: consumer,
+        requestedRoot: consumerRoot,
+        root: canonicalConsumerRoot,
+        confirmedRoot,
+      });
+    } catch (error) {
+      errors.push(configResolutionMessage(label, error));
+    }
+  }
+
+  if (errors.length > 0) {
+    throw new ConfigResolutionError(errors);
+  }
+
+  return {
+    config,
+    configDir: resolvedConfigDir,
+    workspaceRoot,
+    outputPath,
+    requestedOutputRoot,
+    outputRoot,
+    support: resolveClientSupport(config),
+    consumers,
+  };
 }
 
 export function failIfErrors(title, errors) {
@@ -109,7 +482,63 @@ function typeName(value) {
   return typeof value;
 }
 
-function validateJsonSchema(value, schema, label, errors) {
+const SUPPORTED_SCHEMA_KEYWORDS = new Set([
+  "$id",
+  "$schema",
+  "additionalProperties",
+  "const",
+  "description",
+  "enum",
+  "items",
+  "minItems",
+  "minLength",
+  "pattern",
+  "properties",
+  "required",
+  "title",
+  "type",
+]);
+
+function collectUnsupportedSchemaKeywords(schema, label, errors) {
+  if (!isPlainObject(schema)) return;
+
+  for (const key of Object.keys(schema)) {
+    if (!SUPPORTED_SCHEMA_KEYWORDS.has(key)) {
+      errors.push(`${label} schema uses unsupported keyword ${key}.`);
+    }
+  }
+
+  if (Object.hasOwn(schema, "items") && !isPlainObject(schema.items)) {
+    errors.push(`${label}.items must be a schema object; tuple or boolean items are not supported.`);
+  } else if (isPlainObject(schema.items)) {
+    collectUnsupportedSchemaKeywords(schema.items, `${label}[]`, errors);
+  }
+
+  if (
+    Object.hasOwn(schema, "additionalProperties") &&
+    typeof schema.additionalProperties !== "boolean"
+  ) {
+    errors.push(`${label}.additionalProperties must be a boolean; schema-valued additionalProperties is not supported.`);
+  }
+
+  if (Object.hasOwn(schema, "properties") && !isPlainObject(schema.properties)) {
+    errors.push(`${label}.properties must be an object of schema objects.`);
+  } else if (isPlainObject(schema.properties)) {
+    for (const [key, propertySchema] of Object.entries(schema.properties)) {
+      if (!isPlainObject(propertySchema)) {
+        errors.push(`${label}.${key} schema must be an object.`);
+        continue;
+      }
+      collectUnsupportedSchemaKeywords(propertySchema, `${label}.${key}`, errors);
+    }
+  }
+}
+
+function jsonSchemaValueEquals(actual, expected) {
+  return Object.is(actual, expected);
+}
+
+function validateJsonSchemaValue(value, schema, label, errors) {
   const expectedType = schema.type;
   if (expectedType) {
     const validType =
@@ -126,6 +555,10 @@ function validateJsonSchema(value, schema, label, errors) {
     errors.push(`${label} must be ${JSON.stringify(schema.const)}.`);
   }
 
+  if (Array.isArray(schema.enum) && !schema.enum.some((allowed) => jsonSchemaValueEquals(value, allowed))) {
+    errors.push(`${label} must be one of ${schema.enum.map((allowed) => JSON.stringify(allowed)).join(", ")}.`);
+  }
+
   if (typeof value === "string") {
     if (schema.minLength !== undefined && value.length < schema.minLength) {
       errors.push(`${label} must be at least ${schema.minLength} character(s).`);
@@ -141,7 +574,7 @@ function validateJsonSchema(value, schema, label, errors) {
     }
     if (schema.items) {
       for (const [index, item] of value.entries()) {
-        validateJsonSchema(item, schema.items, `${label}[${index}]`, errors);
+        validateJsonSchemaValue(item, schema.items, `${label}[${index}]`, errors);
       }
     }
   }
@@ -162,12 +595,17 @@ function validateJsonSchema(value, schema, label, errors) {
     }
     for (const [key, propertySchema] of Object.entries(properties)) {
       if (Object.hasOwn(value, key)) {
-        validateJsonSchema(value[key], propertySchema, `${label}.${key}`, errors);
+        validateJsonSchemaValue(value[key], propertySchema, `${label}.${key}`, errors);
       }
     }
   }
 }
 
+export function validateJsonSchema(value, schema, label, errors) {
+  collectUnsupportedSchemaKeywords(schema, label, errors);
+  validateJsonSchemaValue(value, schema, label, errors);
+}
+
 export async function validateConfigShape(config, label) {
   const errors = [];
   const schema = await readJson("schemas/harness-config.schema.json");
@@ -180,9 +618,21 @@ export async function validateConfigShape(config, label) {
   const names = new Set();
   if (Array.isArray(config.consumers)) {
     for (const [index, consumer] of config.consumers.entries()) {
+      if (!isPlainObject(consumer)) continue;
       const prefix = `${label}.consumers[${index}]`;
       if (names.has(consumer.name)) errors.push(`${prefix}.name is duplicated.`);
       names.add(consumer.name);
+      if (typeof consumer.path === "string") {
+        if (isAbsolutePathString(consumer.path)) {
+          errors.push(`${prefix}.path must be relative to the workspace; absolute paths are not allowed.`);
+        }
+        if (pathHasTraversal(consumer.path)) {
+          errors.push(`${prefix}.path must not contain relative traversal segments.`);
+        }
+        if (pathSegments(consumer.path).filter((segment) => segment !== ".").length === 0) {
+          errors.push(`${prefix}.path must name a consumer repository folder, not the workspace root.`);
+        }
+      }
     }
   }
 

package/scripts/rendered-config.mjs

@@ -0,0 +1,109 @@
+import path from "node:path";
+
+const rawSlugPattern = /^[a-z0-9][a-z0-9-]*$/;
+
+export function markdownText(value) {
+  const normalized = String(value).replace(/\s+/g, " ").trim();
+  const escaped = normalized.replace(/[\\`*_{}\[\]<>()#+!|>~]/g, "\\$&");
+  return escaped.replace(/^([-+]) /, "\\$1 ").replace(/^(\d+)([.)]) /, "$1\\$2 ");
+}
+
+export function markdownCodeSpan(value) {
+  const text = String(value)
+    .replace(/\r/g, "\\r")
+    .replace(/\n/g, "\\n")
+    .replace(/\t/g, "\\t");
+  const longestBacktickRun = Math.max(0, ...Array.from(text.matchAll(/`+/g), (match) => match[0].length));
+  const delimiter = "`".repeat(longestBacktickRun + 1);
+  const padding = text.startsWith("`") || text.endsWith("`") || text.startsWith(" ") || text.endsWith(" ") ? " " : "";
+  return `${delimiter}${padding}${text}${padding}${delimiter}`;
+}
+
+export function javascriptLiteral(value) {
+  return JSON.stringify(value);
+}
+
+export function jsonLiteral(value) {
+  return JSON.stringify(value, null, 2);
+}
+
+export function javascriptBoolean(value) {
+  return value ? "true" : "false";
+}
+
+export function rawSlug(value, label) {
+  const text = String(value);
+  if (!rawSlugPattern.test(text)) {
+    throw new Error(`${label} must be a safe slug before raw template rendering.`);
+  }
+  return text;
+}
+
+export function markdownPathCodeSpan(value) {
+  return markdownCodeSpan(String(value).replaceAll(path.sep, "/"));
+}
+
+function consumerList(consumers) {
+  return consumers.map((consumer) => `- ${markdownCodeSpan(consumer.name)}: ${markdownText(consumer.purpose)}`).join("\n");
+}
+
+function validationList(validation) {
+  const entries = Object.entries(validation ?? {});
+  if (entries.length === 0) return "- No local validation commands documented yet.";
+  return entries.map(([name, command]) => `- ${markdownText(name)}: ${markdownCodeSpan(command)}`).join("\n");
+}
+
+function consumerNames(consumers) {
+  return consumers.map((consumer) => rawSlug(consumer.name, "consumer.name"));
+}
+
+function consumerConfig(resolvedConsumers, outputRoot) {
+  const generatedWorkspaceRoot = path.dirname(outputRoot);
+  return resolvedConsumers.map(({ config: consumer, root: consumerRoot }) => {
+    return {
+      ...consumer,
+      name: rawSlug(consumer.name, "consumer.name"),
+      workspacePath: path.relative(generatedWorkspaceRoot, consumerRoot).replaceAll(path.sep, "/") || ".",
+    };
+  });
+}
+
+export function renderedGeneratedScriptHashes(hashes) {
+  return jsonLiteral(hashes);
+}
+
+export function harnessTemplateValues(config, support, resolvedConsumers, outputRoot) {
+  return {
+    PROJECT_NAME: markdownText(config.project.name),
+    PROJECT_NAME_CODE: markdownCodeSpan(config.project.name),
+    PROJECT_NAME_JSON: javascriptLiteral(config.project.name),
+    PROJECT_SLUG: rawSlug(config.project.slug, "project.slug"),
+    HARNESS_REPO_NAME: rawSlug(config.project.harnessRepoName, "project.harnessRepoName"),
+    CONSUMER_REPOS_LIST: consumerList(config.consumers),
+    CONSUMER_REPO_NAMES_JSON: javascriptLiteral(consumerNames(config.consumers)),
+    CONSUMER_CONFIG_JSON: jsonLiteral(consumerConfig(resolvedConsumers, outputRoot)),
+    PRIMARY_CONSUMER_NAME: rawSlug(config.consumers[0].name, "consumer.name"),
+    MODEL_OPENAI_ENABLED: javascriptBoolean(config.models.openai),
+    MODEL_ANTHROPIC_ENABLED: javascriptBoolean(config.models.anthropic),
+    CLIENT_CODEX_HOOKS_ENABLED: javascriptBoolean(support.codexHooks),
+    CLIENT_CLAUDE_RULES_ENABLED: javascriptBoolean(support.claudeRules),
+    CLIENT_CLAUDE_HOOKS_ENABLED: javascriptBoolean(support.claudeHooks),
+    CLIENT_CLAUDE_SKILLS_ENABLED: javascriptBoolean(support.claudeSkills),
+  };
+}
+
+export function consumerEntrypointValues(config, consumer, harnessRelativePath) {
+  const harnessPath = (relativePath) => markdownPathCodeSpan(`${harnessRelativePath}/${relativePath}`);
+
+  return {
+    PROJECT_NAME: markdownText(config.project.name),
+    CONSUMER_NAME: markdownText(consumer.name),
+    CONSUMER_PURPOSE: markdownText(consumer.purpose),
+    CONSUMER_VALIDATION_LIST: validationList(consumer.validation),
+    HARNESS_AGENTS_PATH: harnessPath("AGENTS.md"),
+    HARNESS_CLAUDE_PATH: harnessPath("CLAUDE.md"),
+    HARNESS_AI_AGENTS_PATH: harnessPath("ai/AGENTS.md"),
+    HARNESS_AI_HUB_PATH: harnessPath("ai/HUB.md"),
+    HARNESS_AI_CONTEXT_PATH: harnessPath("ai/context.md"),
+  };
+}