Note on Terminology: An Agent Framework (e.g., LangChain, Google ADK) provides the library of primitives—the "lego blocks" for defining tools and loops. An Agent Harness is the product-specific engine built using those frameworks; it is the industrial machinery that enforces security, handles retries, and ensures task completion. You use a Framework to build a Harness.

Definition

An agent harness is the execution system surrounding a language model that converts model inference into reliable task completion through orchestration, tool control, context management, execution boundaries, verification, and operational feedback loops.

The harness is the operational substrate of the agent.

The model produces tokens. The harness produces work.

A harness includes:

  1. agent loop
  2. tool dispatch
  3. context and memory management
  4. execution sandboxing
  5. permission boundaries
  6. verification logic
  7. retry and repair loops
  8. multi-agent coordination
  9. evaluation systems
  10. tracing and observability
  11. prompt routing
  12. model routing
  13. completion criteria

The model is one component inside the harness. It is not the harness.

Formal Execution Model

A production agent executes through:

input
→ context construction
→ reasoning
→ tool selection
→ tool execution
→ verification
→ repair or completion
→ trace persistence

The model participates in reasoning. The harness controls the rest.

Agent = Model + Harness

For production systems:

Harness >> Model integration complexity

This matches the architecture of Cursor, Anthropic Claude Code, Factory Droid, and Replit Agent.

Model Layer vs Harness Layer

Model layer

Provides:

  1. reasoning
  2. generation
  3. summarization
  4. classification
  5. planning proposals
  6. tool selection proposals

Examples: OpenAI GPT-5 family, Anthropic Claude models, Google Gemini models.

The model is replaceable.

Harness layer

Provides:

  1. execution authority
  2. workflow enforcement
  3. tool permissions
  4. validation
  5. state persistence
  6. observability
  7. reliability guarantees

The harness is product-specific. It is not commoditized.

Evidence: Harness Quality Beats Model Substitution

In February 2026, the LangChain team reported that their open-source coding agent deepagents-cli improved from 52.8% to 66.5% on Terminal-Bench 2.0 while using the same underlying model (GPT-5.2-Codex). The model did not change. The harness changed.

+13.7 points
outside Top 30 → Top 5

Orchestration quality can exceed model substitution in practical performance.

Harness Planes

A production harness is composed of operational planes. A plane is a bounded subsystem responsible for one reliability domain.

The seven common planes:

Agent loop plane

Defines how the model repeatedly reasons and acts until termination.

Common patterns:

  1. ReAct (Reason + Act)
  2. plan-execute
  3. generate-test-repair
  4. planner-executor
  5. verifier-repair loop
  6. supervisor-worker
reason
→ choose tool
→ execute
→ inspect result
→ continue or terminate

Implementations: LangGraph (1.2.10), XState (1.2.9), or custom orchestration.

Tool plane

Defines how external capabilities are exposed to the model.

A tool entry has:

  1. name
  2. input schema
  3. execution boundary
  4. permission rules
  5. timeout policy
  6. retry policy
  7. audit trace

Examples: filesystem access, deployment systems, CRM operations, GitHub actions, MCP tools, shell execution.

Tool design optimises for LLM reliability, not human ergonomics. Replit reported function-calling reliability ceilings around argument complexity and moved parts of execution toward constrained-interpreter patterns rather than unrestricted argument-heavy function calling.

Context plane

Controls what information is visible to the model during reasoning.

Includes:

  1. retrieval
  2. summarisation
  3. memory
  4. progressive disclosure
  5. context compression
  6. scratchpads
  7. state snapshots

The objective is bounded relevance, not maximum context. Large context windows do not remove the requirement for retrieval architecture.

Sandbox plane

Isolates execution and prevents unsafe side effects.

Controls:

  1. filesystem boundaries
  2. network restrictions
  3. secret isolation
  4. temporary environments
  5. execution quotas
  6. destructive action controls

Implementations: Docker containers, devcontainers, isolated VMs, Kubernetes namespaces, ephemeral workspaces.

This is mandatory for production agents with write authority.

Permission plane

Determines whether a proposed action may execute.

LLM proposes
system validates
tool executes

Validation:

  1. role checks
  2. approval thresholds
  3. policy enforcement
  4. tenant boundaries
  5. least privilege
  6. audit requirements

For the deeper treatment of the LLM-event-boundary pattern, tool authority, and approval gates, see 1.1.1 State machines in agentic systems.

Evaluation plane

Measures whether the system is improving or regressing.

  1. offline evals
  2. regression testing
  3. online evals
  4. benchmark tracking
  5. hallucination detection
  6. failure replay
  7. task completion measurement

Without evaluation, harness improvement is unmeasurable.

Implementations: LangSmith, Braintrust, Arize Phoenix, custom TypeScript runners.

Observability plane

Records runtime behavior for debugging, audit, and optimisation.

Required traces:

  1. prompts
  2. model outputs
  3. tool calls
  4. tool failures
  5. retries
  6. approval events
  7. completion criteria
  8. execution cost
  9. latency
  10. failure classification

Implementations: OpenTelemetry, LangSmith, Helicone, Grafana, Prometheus, Cloud Logging.

Claude Code, Cursor, and enterprise internal systems all depend on harness observability rather than prompt inspection alone.

Verification

Verification determines whether work is complete and correct.

Completion is not model confidence. Completion is external validation.

Examples:

  1. tests pass
  2. deployment health green
  3. file exists
  4. contract parsed correctly
  5. support ticket resolved
  6. expected schema validated

Verification is the most important production boundary. A system without verification is prompt automation, not an agent.

Failure-to-Harness Conversion

Harness improvement is the process of converting repeated failure classes into deterministic system behavior.

failure observed
→ root cause isolated
→ harness rule added
→ future failure prevented

Examples:

  1. add lint rule
  2. add retry policy
  3. add validation schema
  4. add approval checkpoint
  5. add context rule
  6. add specialised sub-agent
  7. add tool wrapper

This is the compounding mechanism of agent systems. Mitchell Hashimoto described this as the practical definition of harness engineering in early 2026.

Why Harnesses Compound

Model improvement

Model improvement is vendor-controlled and externally released.

GPT-5.2 → GPT-5.3

This resets baseline capability. It is not owned by the product team.

Harness improvement

Harness improvement is internally accumulated.

prompt repair
+ tool validation
+ approval logic
+ eval improvements
+ routing optimisation

This persists across model changes. It compounds. It is the primary source of defensibility.

Framework Layer vs Product Harness

Framework

Examples: LangChain, Vercel AI SDK, CrewAI, LangGraph, XState.

Frameworks provide primitives. They do not provide product correctness.

Product harness

Examples: Claude Code, Cursor, Devin, Factory Droid, Sourcegraph Amp, Replit Agent, Vercel v0.

These are opinionated systems built on top of frameworks.

Every serious production system adds a custom harness layer.

Harness and Vendor Lock-In

Harness architecture determines model portability. If orchestration depends on one provider's runtime assumptions, model substitution becomes expensive.

Good:

tool contracts stable
model replaceable
routing abstracted

Bad:

business logic embedded in vendor-specific prompt or runtime behavior

Model abstraction belongs at the harness boundary, not inside prompts.

Reference Architecture

Node / TypeScript

  1. LangGraph or XState
  2. Fastify or NestJS
  3. Postgres
  4. Redis
  5. BullMQ
  6. OpenTelemetry
  7. Zod
  8. Docker
  9. LangSmith or Braintrust

Google Cloud

  1. Cloud Run
  2. Pub/Sub
  3. Firestore
  4. BigQuery
  5. Vertex AI
  6. IAM
  7. Secret Manager
  8. Cloud Logging

On-Prem

  1. Kubernetes
  2. Postgres
  3. Redis
  4. Ollama
  5. vLLM
  6. Prometheus
  7. Grafana
  8. Vault

The harness architecture remains the same. Only infrastructure changes.

Build Decision

Use a stock harness

Use Claude Code, Codex CLI, or Cursor directly when:

  1. prototyping
  2. low operational risk
  3. evaluation maturity is low
  4. workflow economics are unclear

Extend an existing harness

Use hooks, MCP servers, AGENTS.md, sub-agents, and custom tool layers when:

  1. domain constraints exist
  2. permissions matter
  3. evaluation is stable
  4. product behavior must be repeatable

Build a custom harness

Build when:

  1. sustained evaluation gap exceeds operational threshold
  2. token economics dominate margins
  3. audit requirements exceed stock systems
  4. domain-specific tools are core product value
  5. model portability is strategic

The threshold is operational, not ideological.

Final Rule

The model provides intelligence. The harness provides reliability.

The model is replaceable. The harness is the product.

Cross-references

  • 1.1.1 State machines in agentic systems — orchestration patterns and distributed-systems concerns underlying the permission, sandbox, and verification planes.
  • 1.2.10 LangGraph — primary framework for the agent loop plane in JS/TS.
  • 1.2.9 XState — alternative framework for deterministic transition control inside the agent loop plane.
  • Headless agent runtime (this submodule's neighbour) — execution-tier concerns that overlap with the harness's permission, observability, and persistence planes.

References

  1. LangChain deepagents-cli — Terminal-Bench 2.0 result, February 2026
  2. Anthropic Claude Code — claude.com/claude-code
  3. Cursor — cursor.com
  4. LangGraph (JS) — docs.langchain.com/oss/javascript/langgraph/overview
  5. LangSmith — smith.langchain.com
  6. OpenTelemetry — opentelemetry.io