Harness AI is organized as a multi-service Docker stack in which every component has a single, bounded responsibility. The system is designed so that external systems — human users, n8n automations, expediente workflows, ERP integrations — always enter through a single public entrypoint (Documentation Index
Fetch the complete documentation index at: https://mintlify.com/joseluis-dev/harness-ai/llms.txt
Use this file to discover all available pages before exploring further.
harness-core), and all downstream services operate exclusively on a private Docker network. This separation is not a preference: it is enforced by the compose topology, and deviating from it is a deployment constraint violation.
Service inventory
The full target stack consists of seven services. Phase 0 brings up the first four; subsequent phases add the remaining services as additive layers.| Service | Technology | Role | Host port |
|---|---|---|---|
harness-core | Astro SSR + @astrojs/node (Node 20+) | BFF — public entrypoint, policy enforcement, execution API, UI | :4321 |
runtime-python | FastAPI 0.115 + Pydantic v2 + SQLAlchemy async + RQ worker | Execution engine, job queue consumer, audit writer, RAG, tool resolution | None (internal) |
model-gateway | FastAPI | Local-first model routing (mock → vLLM → cloud under policy) | None (internal) |
mcp-auth-service | OAuth 2.1 Client Credentials, JWKS, introspection | Central token authority for all tools, MCPs, CLI wrappers, and webhooks | None (internal) |
postgres | PostgreSQL 16 | harness_db — business data: executions, audit_events, tool_registry, policy_library, embeddings | None (internal) |
postgres-auth | PostgreSQL 16 | harness_auth_db — auth plane: oauth_clients, oauth_scopes, oauth_tokens, oauth_policies, audit_auth_events | None (internal) |
redis | Redis 7 | RQ broker and operational cache | None (internal) |
Phase 0 starts four services:
postgres, redis, runtime-python, and harness-core. model-gateway is added in Phase 2. mcp-auth-service and postgres-auth seams are present in the compose file from Phase 0.b onward but are not active until Phase 0.b PR-2 wires them in.Network topology
Harness AI uses a single private Docker bridge network (harness-net) for inter-service communication. Only harness-core additionally publishes a port to the host.
harness-net bridge is the only network defined in the compose files. No service other than harness-core has a ports: mapping. This means runtime-python, model-gateway, mcp-auth-service, postgres, postgres-auth, and redis are unreachable from the host by design. Health for internal services is observed through Docker’s own healthcheck: directives and through the BFF’s aggregate /api/healthz endpoint.
Request flow
A typical execution request travels through the following path from the external caller to the first tool invocation:harness-core) is a thin façade: it never writes to harness_db directly. Every database write — executions, audit_events — is performed by runtime-python. This separation is a design invariant enforced across all phases.
Dual database isolation
The two PostgreSQL instances serve fundamentally different planes and must never share a server:harness_db (business and audit plane)
Managed by runtime-python via SQLAlchemy async. Contains:
executions— lifecycle records for every agentic jobaudit_events— immutable event trail written on every state transitiontool_registry— dynamic registry of all MCP servers, CLI tools, HTTP adapters, and webhookspolicy_library— governance rules evaluated before each executionmodel_prompts— versioned prompt templates- pgvector embeddings and RAG indexes
harness_auth_db (auth and permissions plane)
Managed exclusively by mcp-auth-service. Contains:
oauth_clients— registered technical clients (harness-core, runtime, admin panel, n8n, etc.)oauth_scopes— available scopes and their risk classificationsoauth_tokens— active and revoked Bearer tokensoauth_policies— per-client token issuance policiesaudit_auth_events— auth-plane audit trail (separate from business audit)
Separation of concerns
The architecture enforces explicit boundaries on what each component is and is not allowed to do:| Component | Must NOT do |
|---|---|
harness-core (BFF) | Enumerate MCPs, CLIs, or APIs in code; write directly to harness_db; authenticate external clients by itself |
mcp-auth-service | Know or apply business logic; issue tokens to clients in state != active |
| MCP servers / CLI wrappers | Implement their own OAuth; receive raw database connection strings from agents |
tool_registry | Contain authorization logic; it resolves tools by name but does not authorize their use |
| Admin panel (Astro) | Expose secrets to the browser; use static-only output for dynamically mutating internal views |
harness-core: the integration is registered as a new row in tool_registry, and the runtime resolves it by name at execution time.
Deeper dives
System Purpose
The full governance mandate: why Harness AI exists, what institutional problems it solves, and the design invariants that flow from the municipal context.
Auth Model
OAuth 2.1 Client Credentials flow, the
mcp-auth-service contract, auth-sdk usage in MCP servers and CLI wrappers, and the harness_auth_db schema.Tool Registry
How tools are registered, resolved by name, versioned, and activated/deactivated without modifying
harness-core. Covers MCP, CLI, HTTP, and webhook tool types.Harness Core
Implementation detail for the BFF: Astro SSR route structure, the execution API contract, identity resolution, constraint enforcement, and the UI execution pages.