The execution event is the canonical input contract for starting any harness action — from UI, n8n, external system, or document watcher. Every component that wants to invoke an agent or tool must produce an event that conforms to this schema. The event is persisted to theDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/joseluis-dev/harness-ai/llms.txt
Use this file to discover all available pages before exploring further.
executions table before any processing begins, making it the immutable record of intent that the rest of the pipeline reacts to.
JSON Schema
Fields
source
Origin of the event. Allowed values:
astro— Harness Core UI (Telegram traffic routed through Harness Core also maps toastro).n8n— signed webhook from an n8n automation workflow.external_system— municipal system calling the harness directly.watcher— document-detection pipeline that monitors for new or changed files.
Identifier for the originating source — a URL, webhook ID, or watcher node identifier. Used for correlation and audit trail linkage.
actor
The kind of principal driving the execution.
user— a physical person with a resolved institutional identity.system— an automated process running without a human principal.
Institutional ID of the actor. Resolved via
mcp-identity-connector.get_user_context() before the event is created. For Telegram users, resolution maps telegram_user_id to the institutional identity.Top-level fields
Semantic description of the desired action (e.g.
"query_sql_view", "generate_report"). The policy engine uses this field to determine which restrictions and approval flows apply. Intent strings should be short verb-phrases and are validated against the tool registry.Arbitrary, intent-specific data for the execution. The shape is free-form but is validated with Pydantic v2 (runtime) or Zod (BFF) against the schema registered for the given
intent. Callers must not embed PII beyond what the intent schema permits.constraints
When
false (the default), the harness will only route to local or self-hosted providers. Setting this to true is accepted only if the originating agent has an explicit policy entry (policy.cloud_allowed=true) and risk_level is low. Any true value without that policy results in POLICY_DENIED.When
true (the default), the execution must generate audit_events rows throughout its lifecycle. Disabling audit requires an explicit policy exception; the default should not be overridden in production.Determines the approval and audit posture for this execution. Allowed values:
low, medium, high.low— standard flow; no human approval required.medium— elevated audit; no automatic human approval, but tooling may apply additional checks.high— activates the human approval flow viaapproval_requestsbefore the execution proceeds.
Default Constraints and What They Mean
The default constraint envelope —allow_cloud: false, require_audit: true, risk_level: "low" — directly encodes two non-negotiable architectural principles:
- Local-first: all processing happens on institutional infrastructure unless a policy exception explicitly permits a cloud provider.
- Full audit: every execution produces a traceable log of state transitions, tool calls, and actor decisions — no silent side effects.
constraints object receive these defaults automatically. Overriding any default requires a deliberate decision and is subject to policy engine evaluation at runtime.
Immutability and Persistence Rules
An execution event is immutable once created. If the intent or payload needs to change, a new event must be created with a new
execution_id. Any downstream correction is recorded as a new event linked to the original execution.Usage Rules Summary
- Every component that invokes an agent or tool must produce an event conforming to this schema — there is no alternative entry point.
- The event is persisted to the
executionstable before processing begins; the row exists even if a broker outage prevents immediate queueing. constraints.allow_cloud=trueis accepted only when the originating agent haspolicy.cloud_allowed=trueandrisk_levelislow.risk_level=highactivates theapproval_requestsflow; execution does not proceed until a human approves.- The
payloadfield never contains stack traces, internal paths, container IDs, environment variable names, or raw SQL table names.