Add harness app: agent orchestrator with cluster deployment

- Next.js app for orchestrating coding agent benchmarks (Claude Code, Codex, OpenCode)
- Dockerfile installs git, gh CLI, and agent CLIs for headless execution
- K8s deployment with workspace volume, sealed credentials for Claude + OpenCode
- Traefik IngressRoute at harness.coreworlds.io with internal-only middleware + TLS
- CI pipeline path filter for harness builds
- Fix OpenCode runtime flags (subcommand-based headless mode)

infra/kubernetes/platform/traefik/certificate-internal.yaml

@@ -36,3 +36,16 @@ spec:
     kind: ClusterIssuer
   dnsNames:
     - longhorn.coreworlds.io
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: harness-tls
+  namespace: platform
+spec:
+  secretName: harness-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  dnsNames:
+    - harness.coreworlds.io

infra/kubernetes/platform/traefik/ingressroute-harness.yaml

@@ -0,0 +1,22 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: harness
+  namespace: platform
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-production
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`harness.coreworlds.io`)
+      kind: Rule
+      middlewares:
+        - name: internal-only
+          namespace: platform
+      services:
+        - name: harness
+          namespace: apps
+          port: 80
+  tls:
+    secretName: harness-tls

infra/kubernetes/platform/traefik/kustomization.yaml

@@ -7,5 +7,6 @@ resources:
   - ingressroute-argocd.yaml
   - ingressroute-grafana.yaml
   - ingressroute-longhorn.yaml
+  - ingressroute-harness.yaml
   - certificate-internal.yaml
   - servicemonitor.yaml