Quartz 4

Harness Engineering in AI Coding: From Auto Code Bot to Pull Request

11 min read

Overview

Harness engineering is the discipline of designing, building, and refining the runtime orchestration infrastructure that wraps around an AI model to transform it into an effective autonomous coding agent. The term entered formal industry vocabulary in early 2026 when both OpenAI and Anthropic began using it explicitly.

A harness is not the agent itself. It is the software system that governs how the agent operates: managing tools, memory, retries, human approvals, context engineering, sub-agent coordination, and safety enforcement. As one analysis put it: “SDKs, scaffolding, and frameworks answer the question of how you build an AI agent. A harness answers a different question entirely: how the agent runs” (Cobus Greyling).

MIT Technology Review named generative coding one of its 10 Breakthrough Technologies for 2026. AI now writes ~30% of Microsoft’s and Google’s code. As of Q1 2026, 41% of commits are AI-assisted and 90% of Fortune 100 companies have adopted AI coding tools.

The Central Thesis: The Harness Matters More Than the Model

The most important finding in this space is empirical: the same model produces radically different results in different harnesses.

ExperimentModelPoor ScaffoldGood ScaffoldDelta
SWE-bench LiteGPT-42.7% (RAG)28.3% (CodeR)+25.6 pts
CORE-BenchClaude Opus 4.542% (CORE-Agent)78% (Claude Code)+36 pts
Terminal Bench 2.0LangChain agent52.8%66.5% (Top 5)+13.7 pts
Vercel tool reductionSame model80% (15 tools)100% (2 tools)+20 pts

Sources: OpenAI SWE-bench Verified, Sayash Kapoor CORE-Bench analysis, Adam Baitch

The aggregate: scaffold accounts for ~22-point swing; model swaps account for ~1 point at the frontier. A mid-tier model in a great harness beats a frontier model in a bad one. Model-scaffold coupling is real but non-uniform — different models respond differently to different harnesses, and model developers have a systematic advantage in building scaffolds fine-tuned for their own models.

Historical Evolution

Era 1: Code Completion (2021-2022)

GitHub Copilot launched June 2021 powered by OpenAI Codex (GPT-3 descendant trained on 159GB of Python). It operated as inline autocomplete with no feedback loop — a single inference call per suggestion. Accuracy was modest: 43% correct on first try for Python functions (Wikipedia).

Era 2: Conversational Coding (2022-2023)

ChatGPT (Nov 2022) made conversational interaction mainstream. GitHub Copilot X (Mar 2023) brought chat, PR assistance, and GPT-4 integration. Cursor emerged as the first “AI-native editor.” The critical bottleneck was context — chat was only useful with proper project context.

Era 3: Autonomous Agents (2024-Present)

  • Devin (Cognition Labs, Mar 2024): “World’s first AI software engineer” — LLM + tools + memory in a sandboxed environment with shell, editor, and browser. Fixed 13.86% of SWE-bench issues autonomously (Cognition).
  • SWE-Agent (Princeton, May 2024): Introduced the Agent-Computer Interface (ACI) — custom interfaces designed for LM agents. Achieved 12.5% SWE-bench, 87.7% HumanEvalFix (Yang et al., NeurIPS 2024).
  • Claude Code (Anthropic, 2025): Single-threaded master loop with 14 tools. Deliberately simple: while(tool_use) loop for debuggability (ZenML).
  • OpenHands (ICLR 2025): Modular open-source SDK achieving 72% on SWE-bench Verified (Wang et al.).

The shift: prompts went from ephemeral (cursor position) to durable (CLAUDE.md, AGENTS.md) — more like giving a new teammate an operating manual than predicting the next line.

The Issue-to-PR Pipeline Architecture

The canonical AI coding workflow — receive issue, produce validated PR — exercises every harness subsystem:

Issue Ingestion → Context Gathering → Planning → Code Generation → Testing → PR Submission
       ↑                                                                          |
       └──────────────── Self-correction feedback loop ──────────────────────────┘

Core Architectural Components

1. Agentic Loops — The runtime backbone connecting reasoning, tools, and memory.

Lilian Weng’s foundational formulation: Agent = LLM + Memory + Planning + Tool Use (Weng, June 2023).

PatternHow It WorksBest For
ReActThought → Action → Observation cycleSimple, direct tasks
Plan-and-ExecuteFull plan upfront, then executeComplex multi-step tasks
Ralph LoopFresh session each round, state on diskLong-running iterations
HybridPlan-and-Execute at strategic level, ReAct at tacticalProduction agents

2. Tool Use — What makes agents agentic. Claude Code uses 14 tools (bash, file ops, web access, control flow). SWE-Agent’s key insight: tool design is a first-class engineering problem. CodeAct (ICML 2024) unified actions into executable Python, achieving 20% higher success with 30% fewer steps (Wang et al.).

3. Context Engineering — The most critical subsystem. Tobi Lutke (Shopify CEO) popularized the term: “the art of providing all the context for the task to be plausibly solvable by the LLM” (Simon Willison). Key strategies include progressive compaction (Claude Code triggers at ~92% context), scratchpads/progress files, structured context ordering, and minimum viable context.

4. Sandboxing — Claude Code uses macOS sandbox-exec + Linux bubblewrap; OpenAI Codex uses containers with network disabled by default; Devin runs in fully sandboxed cloud environments. Dual isolation (filesystem + network) reduces exploitable attack surface from prompt injection by 95% (Anthropic).

5. Verification Loops — The differentiator between toy demos and production systems. TDD has experienced a renaissance as the ideal AI workflow — tests provide binary, unambiguous feedback signals. Elastic’s self-correcting CI saved 20 dev days/month by having agents automatically fix build failures (Elastic Labs).

6. Doom Loop Prevention — Agents can get stuck repeating failed actions. Solutions: iteration caps (max_turns), action signature detection, loop-triggered reflection, and budget limits (max_budget_usd) (Addy Osmani).

Major Tools and Platforms

Devin (Cognition Labs)

Compound AI system with Planner, Coder, and Critic models. PR merge rate improved from 34% to 67% over 2025. Goldman Sachs piloted it alongside 12,000 developers, reporting potential 3-4x productivity gains. Cognition valued at ~$10.2B. Devin 2.0 introduced parallel instances and Interactive Planning. Strengths: well-defined tasks, security fixes (20x efficiency), migrations. Weaknesses: ambiguous tasks, mid-task requirement changes (Cognition).

Claude Code (Anthropic)

20K (Anthropic Engineering).

GitHub Copilot Coding Agent

Issue assignment triggers agent in secure GitHub Actions environment. Creates draft PRs on copilot/ branches. Cannot self-approve or merge — human review mandatory. Extensible via agents.md files, MCP, hooks, and vision (can see issue screenshots). Available on Pro, Business, and Enterprise plans (GitHub Blog).

Cursor

29.3B valuation. 40,000 NVIDIA engineers. Agent mode with 5-step cycle. Parallel execution: up to 8 agents via git worktrees. Hierarchical multi-agent architecture (Planners → Workers → Judges) scaled to 1M+ lines. Cloud agents run on dedicated VMs — 35% of Cursor PRs generated by agents. Automations (Mar 2026): agents triggered by code changes, Slack, or timers (Cursor Blog).

OpenAI Codex

Cloud sandboxes with GPT-5.3-Codex. Control-plane architecture routing tasks to execution surfaces. 25-hour stress test: 13M tokens, 30K lines generated. AGENTS.md support and MCP integration. Network disabled by default. Subagents inherit sandbox rules (OpenAI).

Other Notable Tools

ToolKey Differentiator
Amazon Q DeveloperJava/NET migration agents, 66% SWE-Bench
Windsurf/CascadeAcquired by Cognition for ~$250M, #1 LogRocket ranking
CodeRabbit2M+ repos, 13M PRs reviewed, 46% bug detection accuracy
CodegenAutonomous PR generation from Jira/Linear tickets, SOC 2
QodoMulti-repo context engine, air-gapped deployment
OpenHandsLeading open-source agent, 69K GitHub stars, MIT license

Guardrails and Verification

Pre-Generation Guardrails

  • TDD-first: Write tests, tell agent “do not return until all tests pass”
  • Repository configuration: CLAUDE.md / AGENTS.md encode conventions and safety rules
  • Permission tiers: Claude Code offers Normal, Plan, Auto-accept, and Bypass modes
  • Temperature control: Lower settings reduce hallucinations by ~50%

Security Landscape

OWASP Top 10 for Agentic Applications (Dec 2025) — first industry-standard risk framework (OWASP):

  • ASI01: Agent Goal Hijack (prompt injection)
  • ASI02: Tool Misuse (destructive parameters)
  • ASI03: Identity & Privilege Abuse
  • ASI04: Supply Chain Vulnerabilities
  • ASI05: Insufficient Sandboxing
  • ASI09: Human-Agent Trust Exploitation

Slopsquatting: ~20% of AI-recommended packages don’t exist. 43% repeat across queries, making them predictable attack vectors (Socket.dev).

Prompt Injection: GitHub Copilot CVE-2025-53773 achieved remote code execution via poisoned code comments. Attack success rates >85% against state-of-the-art defenses (Fortune).

AI Code Quality Gap

Issue TypeAI vs. Human Ratio
Overall issues per PR1.7x more
Security vulnerabilities2.74x higher
Readability issues3x higher
Error handling gaps2x more
Excessive I/O operations8x more

Source: CodeRabbit 2026 Report

Production Guardrail Architecture

Layer 1: Pre-generation    → Prompt design, context filtering, permission scoping
Layer 2: Generation-time   → Sandboxed execution, network isolation, tool restrictions
Layer 3: Pre-commit        → IDE linting, Codacy Guardrails, AI self-review
Layer 4: CI/CD             → Standard tests + AI-specific evals, security scanning
Layer 5: Code review       → Multi-agent review + human approval gates
Layer 6: Post-merge        → Feature flags, canary deployment, automated rollback
Layer 7: Production        → Runtime monitoring, anomaly detection, kill switches

The merge button stays human. Every major tool funnels work through human approval. GitHub: “AI augments developer judgment; it can’t replace it” (GitHub Blog).

Benchmarks: The Measurement Crisis

SWE-Bench Verified (March 2026)

AgentScore
Claude Opus 4.580.9%
Gemini 3.1 Pro80.6%
MiniMax M2.5 (open-weight)80.2%
Claude 4 Sonnet77.2%
GPT-574.9%
OpenHands (Claude Sonnet 4.5)72.0%

Source: Epoch AI

Six models now score within 0.8 points. The differentiators are cost, scaffolding, and workflow fit rather than raw model capability.

The Contamination Problem

OpenAI found frontier models can reproduce verbatim gold patches for SWE-Bench Verified tasks. They stopped reporting Verified scores and recommend SWE-Bench Pro instead — 1,865 tasks from 41 repos requiring ~107 lines across 4.1 files. Top scores drop to ~57%, revealing real-world difficulty (Scale Labs).

Cutting Edge: Multi-Agent and Continuous Coding

The C Compiler Experiment

16 Claude Opus 4.6 agents built a 100,000-line Rust-based C compiler from scratch in 2 weeks for $20K. It compiles Linux 6.9, QEMU, FFmpeg, SQLite, PostgreSQL, Redis, and Doom. When agents overwrote each other’s fixes, a custom test harness enabled effective parallelism. Key lesson: “fully autonomous development comes with real risks — it’s easy to see tests pass and assume the job is done” (Anthropic).

Emerging Patterns

  • AGENTS.md: Adopted by 60,000+ open-source projects, now a Linux Foundation project alongside MCP
  • MCP: 97M monthly SDK downloads; running an MCP server is “almost as popular as running a web server” (The New Stack)
  • A2A Protocol: Google’s agent-to-agent communication standard, 150+ supporting organizations
  • GitHub Agentic Workflows: CI/CD + coding agents, defining workflows in Markdown

From Vibe Coding to Agentic Engineering

Andrej Karpathy coined “vibe coding” (Feb 2025) — Collins Dictionary Word of the Year. By early 2026, he declared it passe, proposing “agentic engineering”: “programming via LLM agents with more oversight and scrutiny” (The New Stack).

What Works and What Doesn’t

What Works

  1. Well-scoped, repetitive tasks: Bug fixes, test generation, dependency upgrades, migrations — saving 25-45 min/task
  2. Code review augmentation: AI for first-pass (speed, summaries) + human for architecture — cuts review load 20-30%
  3. Self-healing CI: Agents responding to build failures automatically (Elastic, Nx)
  4. Parallel execution with git isolation: Worktrees as standard for preventing conflicts
  5. Repository-specific config: CLAUDE.md / AGENTS.md dramatically improve output quality

What Doesn’t Work

  1. Ambiguous, open-ended tasks: Every tool struggles with vague requirements
  2. “Drop-in replacement” mentality: Individual gains don’t translate to company-wide metrics
  3. Trusting without verification: AI catches only 10% of issues humans find while generating 2.4x more suggestions
  4. Code review bottleneck: Faster generation shifts pressure downstream to reviewers
  5. Security without governance: 23.7% increase in vulnerabilities in AI-assisted code

The Productivity Paradox

METR’s randomized controlled trial: experienced developers were 19% slower with AI tools, despite believing they were 20% faster. Software engineering is not typing — it’s thinking. AI tools can create a “thinking decelerator” through debugging, verifying, and context-switching overhead (MIT News).

Key Academic Papers

PaperVenueContribution
ReAct (Yao et al.)ICLR 2023Thought-Action-Observation loop
SWE-bench (Jimenez et al.)ICLR 2024Defined the issue-to-PR benchmark
SWE-Agent (Yang et al.)NeurIPS 2024Agent-Computer Interface (ACI)
CodeAct (Wang et al.)ICML 2024Executable Python as unified action space
OpenHands (Wang et al.)ICLR 2025Modular open-source agent platform
Agentless (Xia et al.)FSE 2025Simple 3-phase pipeline matching agents
OPENDEV (Bui)arXiv 2026Scaffolding vs. harness distinction

Predictions: 2027 and Beyond

  1. AI pair programming becomes default — every developer works with at least one AI agent
  2. Multi-agent orchestration matures into production infrastructure via MCP/A2A
  3. Continuous autonomous coding expands — agents monitoring repos 24/7 within bounded constraints
  4. The IDE transforms into an agent control center; code editing becomes secondary
  5. Supervised autonomy is the near-term equilibrium — full autonomy for well-defined tasks, human oversight at decision points
  6. Open-source models close the gap — the 2-6% deficit narrows further
  7. Reliability remains the bottleneck — the shift from “AI can write code” to “AI can ship code” depends on solving hallucination, context management, and security at scale
  8. The engineer’s role shifts from execution to intent, constraints, and orchestration

The winner of the next phase will not be the company with the best model, but the one that builds the best operating system for software development — the harness that makes AI agents safe, reliable, and composable at scale.

Graph View

Backlinks