3/5 - The Agent's Operating System: Harness Engineering Without the Hype
The model is not the agent. The agent is the model plus a runtime that assembles context, exposes tools, executes side effects, persists state, handles failure, verifies work, and leaves evidence for the next person or process. That runtime is the harness.
Calling the harness a wrapper understates the engineering. A wrapper forwards a request. A harness decides whether a tool call is authorized, whether its arguments satisfy a schema, how credentials are scoped, whether a retry can repeat a side effect, what state survives a restart, and what counts as a successful run. The model supplies suggestions; the harness supplies the boundary between suggestions and consequences.
The mental model: an operating system around inference
The harness should make the model useful without making it sovereign. It can offer tools as typed capabilities, route a model call, maintain a state machine, ask for approval, and verify outputs. It should not allow an untrusted string from a document or tool result to grant itself a credential or widen its authority.
Description: The layers are responsibilities, not necessarily separate services. A small application may implement them in one process. A larger platform may split policy, tool mediation, and durable state across services. The contract remains the same: the model can propose; the harness decides and records.
Tools are typed capabilities, not a bag of functions
A tool definition should include a stable name, version, argument schema, description, risk class, timeout, retry policy, and required permissions. Validate arguments before execution and validate results after execution. The tool service should receive a server-generated identity and scoped credential reference, not a raw secret copied from model output or client input.
Model Context Protocol, or MCP, standardizes a way for clients and servers to discover and invoke tools, resources, and prompts. It does not decide whether a caller is allowed to delete a record. That decision belongs to the harness and the system owning the resource. Treat the protocol as an interoperability boundary, then apply your own authentication, authorization, rate, and audit policy at that boundary.
A run is a state machine, not a log file
Represent the run explicitly: accepted, planning, awaiting approval, executing, verifying, paused, completed, failed, or cancelled. Persist transitions with an idempotency key and a monotonic revision. This avoids a familiar recovery bug where a worker restarts after the side effect but before the success record, then repeats the action because the log appears incomplete.
Reliability details that matter
Timeouts need a budget hierarchy. The request deadline should bound the run; each model and tool call should receive a smaller remaining budget; retries should include backoff and jitter and must never extend the original deadline. A retry is safe only when the operation is idempotent or the harness has a deduplication key and a way to determine whether the first attempt took effect.
Idempotency is more than a UUID in a header. The resource owner must use it to recognize a repeated intent. For a payment, deployment, or database mutation, record the key with the result and make the key scope explicit. For a read-only lookup, a repeat may be harmless. For a tool that sends an email, “try again” must not mean “send twice.”
Keep credentials server-side. The model can receive a description of a capability and a reference to its result, but it should not receive a long-lived cloud key. Use short-lived, least-privilege credentials and log the credential reference, not its value. Redact secrets and personal data from traces while keeping enough metadata to investigate the action.
Where harnesses fail
The most dangerous failure is a confused deputy: the agent is authorized to call the harness, and the harness accidentally uses that authority for a different user, tenant, or document. Bind identity to every tool call and verify scope at the final resource boundary. The second is a partial side effect: the tool succeeds, the worker crashes before recording it, and a retry duplicates it. Idempotency and reconciliation belong in the design, not only in incident response.
Verification is not the model asking itself whether it is done
Verification should be as independent as the task allows. A code agent can run tests. A data agent can validate a schema and check row counts. A deployment agent can query health, version, and rollout state. A second model can help judge quality, but deterministic checks should own hard invariants. The harness should distinguish “the model produced a plausible answer” from “the requested state is true.”
Observability needs a single trace identity across model calls, tool calls, approvals, retries, and state transitions. Capture duration, queue time, input and output token counts, tool latency, error class, policy decision, and cost. Do not record raw secrets or unrestricted sensitive content merely because it is convenient. A trace that cannot be safely retained is not a reason to disable all evidence; redact and retain the operational shape.
A production recipe
Start with one read-only tool and one deterministic verifier. Define the run state machine and a durable receipt before adding autonomy. Add a write tool only after you can simulate denial, timeout after side effect, duplicate request, worker restart, expired credential, malformed arguments, and partial dependency failure. Test the recovery path with fault injection. The happy path is the least interesting harness test.
Use a capability registry so tools can be disabled or versioned without rebuilding every agent. Add policy decisions as data with a reason and snapshot ID. Keep approvals bound to exact intent, resource, argument digest, expiry, and actor. If any of those change, require a new decision. This makes resume safe and makes an audit explainable.
Primary references
- Model Context Protocol specification
- OWASP LLM Top 10
- OpenAI Agents SDK
- The Anatomy of an Agent Harness
The takeaway
Harness engineering is the operating-system work around model inference. It turns suggestions into bounded capabilities, actions into audited state transitions, and failures into recoverable outcomes. If a system has real side effects, the harness is not an accessory. It is the part that makes the agent trustworthy enough to run.
