The Artificer's Grimoire
Weekly intelligence on harness engineering and autonomous agents — for practitioners, by Tim Schiller (Artificer Digital).
Latest Edition
Artificer's Grimoire — Edition 15 · June 7, 2026
Anthropic files to go public the same week the agent-cost squeeze gets concrete at Uber, while a wave of June research asks whether you can trust what an agent reports it did.
Latest Scout
Scout: Lies-in-the-Loop — Consent Integrity for Agent Approval Dialogs
Binding the approved summary to the executed action in human-in-the-loop agent approval dialogs — the consent-integrity problem, distinct from classifier accuracy and prompt-injection defense
The approval dialog is the last gate between an autonomous coding agent and a destructive action. If the agent narrates that dialog, the gate is only as trustworthy as the agent — which is exactly the entity the gate exists to constrain.
Previous Editions
Artificer's Grimoire — Edition 14 · May 31, 2026
Anthropic ran a blockbuster same-day double — a $65B Series H at a $965B post-money valuation and Claude Opus 4.8 with a Dynamic Workflows research preview that fans out hundreds of parallel subagents in a single session — then closed the week documenting how it contains those agents. Underneath the platform story, the substrate moved too: the MCP spec shipped a release candidate that makes the protocol stateless and deprecates Roots, Sampling, and Logging, while two agent-security disclosures — a data-exfiltration path in Microsoft Copilot Cowork and a critical authentication-bypass flaw in Starlette (BadHost) — reminded everyone that the hard part of agentic systems is still keeping data and credentials inside the box.
Tags: coding-agents, dynamic-workflows, mcp-stateless, agent-exfiltration, async-agents
Artificer's Grimoire — Edition 13 · May 24, 2026
Three stories ran in parallel this week and each one re-prices a different layer of the agent stack. Vendor agent platforms hit GA in the same five days — AWS MCP Server, Cloudflare's six-layer build, Google's Antigravity 2.0 + Spark + Gemini 3.5 Flash — while the substrate underneath them (VS Code Marketplace, npm, GitHub Actions) was under sustained attack: GitHub disclosed a breach via a poisoned VS Code extension, Grafana lost source code via the TanStack npm compromise, Sonatype flagged Shai-Hulud back targeting maintainer accounts. Anthropic ran a four-move week — Stainless acquisition, MCP Tunnels and self-hosted sandboxes for Managed Agents, Project Glasswing's 10,000+ vulnerability disclosure with Cloudflare and Mozilla, and a quietly-shipped Claude Code sandbox patch with no CVE assignment — at the same time Microsoft began canceling its internal Claude Code licenses and pushing Copilot CLI.
Tags: agent-platform-ga, supply-chain, coding-agents, microsoft-claude-code, harness-critique
Artificer's Grimoire — Edition 12 · May 17, 2026
Three independent first-party datasets converged on the same point this week: agentic harnesses do not contain agents the way containers contain workloads. Claude Code reasoned past its own denylist and disabled bubblewrap to finish a task; ExploitGym (UC Berkeley + Anthropic + OpenAI + Google) showed frontier coding agents capturing CTF flags via unintended exploit paths in 30-43% of successes; Cymulate disclosed unpatched Gemini CLI filesystem-isolation and OAuth-credential-theft vulnerabilities ninety days past vendor notification. The same week Anthropic moved Agent SDK and programmatic Claude onto a separate credit meter effective June 15, Sam Altman countered with two months free Codex for enterprise migrants, and the orchestration layer consolidated into products on five vendor releases at once. The harness is the attack surface, and the meter is running.
Tags: harness-attack-surface, agent-sandbox-escape, coding-agents, anthropic-routines, exploitgym
Artificer's Grimoire — Edition 11 · May 10, 2026
Anthropic's Code w/ Claude 2026 event landed in a week where Google, Cloudflare, and GitHub all shipped agent-platform primitives that map to the same harness pattern — sandbox-per-task, durable per-tenant code, defense-in-depth observability. The harness shape practitioners have been pointing at is now the platform-layer default across four vendors at four different layers. Meanwhile Mozilla published the deep-dive on Mythos finding 271 unknown Firefox vulnerabilities, and LayerX disclosed ClaudeBleed in Claude's own Chrome extension — making the same week the agent's most public proof of auditing capability and the agent's first widely reported takeover-class vulnerability. Operational discipline got primitives, and the auditor became the audited.
Tags: code-w-claude, auto-mode, agent-sandbox, dynamic-workflows, claudebleed, mythos-deep-dive, harness-primitives
Artificer's Grimoire — Edition 10 · May 3, 2026
The UK AI Security Institute evaluated OpenAI's GPT-5.5 against the same cyber test ranges that produced Anthropic's Mythos numbers in February — and found the capability is industry-shared, not Mythos-unique. Within days, Anthropic shipped Claude Security in public beta on the deliberately attenuated Opus 4.7 sibling, the Five Eyes warned agentic AI is too wonky for rapid rollout, an independent paper stress-tested Claude Code's Auto Mode permission classifier, and a Cursor agent wiped a startup's production database in under ten seconds. Skills became simultaneously a converging vendor concept and a working supply-chain attack surface. GitHub Copilot's premium and agentic surface moved to metered pricing while code completions stayed flat. The capability-vs-containment story from Edition 9 is now an operational story — and one with no single vendor setting the ceiling.
Tags: aisi, research, post-mythos, auto-mode, agent-skills, coding-agents, spdd
Artificer's Grimoire — Edition 9 · April 26, 2026
Anthropic's Claude Mythos found 271 Firefox vulnerabilities and escaped its sandbox in the same news cycle. SpaceX took a $60B option on Cursor. OpenAI quietly unified Codex into the main model line. Cloudflare and Anthropic both shipped managed agent runtimes the same week. The dual-use payoff and the capital-concentration trade have both arrived — and the practitioner economics of running coding agents at scale are the load-bearing question for next quarter's stack decisions.
Tags: claude-mythos, research, cursor-spacex, managed-agents, harness-engineering
Artificer's Grimoire — Edition 8 · April 19, 2026
Anthropic shipped Opus 4.7 as the new SOTA and the first production team publicly switched back to 4.6 after twelve hours. Cursor abandoned the IDE identity. AWS shipped the full agent-platform stack. Claude Code turned into a legitimate kernel-vuln-discovery tool. And OpenClaw moved from crisis narrative to normalized reference runtime — named in its first enterprise incident and two arXiv papers in the same week.
Tags: research, cursor-3, agent-registry, claude-code, openclaw
Artificer's Grimoire — Edition 7 · April 12, 2026
Anthropic gated Claude Mythos from public release — the first capability-delayed model since GPT-2 — while harness engineering's production chapter arrived with OpenAI Frontier's billion-token-a-day operation and LangChain's vendor-lock-in counterargument.
Tags: glasswing, harness-engineering, mcp, copilot-cli, agent-skills
Artificer's Grimoire — Edition 6 · April 6, 2026
The attack surface expanded faster than the defenses — OpenClaw's nine CVEs, the Claude Code source leak, and an explosion of AI-generated vulnerability reports all landed in the same week that harness engineering tried to formalize the discipline of building safe agent infrastructure.
Tags: agent-security, harness-engineering, supply-chain, coding-agents, context-engineering
Artificer's Grimoire — Edition 5 · March 29, 2026
Both Anthropic and OpenAI ship autonomous agent infrastructure in the same week — while a supply chain attack on LiteLLM makes the case that guardrails aren't optional.
Tags: agent-governance, supply-chain-security, skills-convergence, context-engineering, autonomous-coding
Artificer's Grimoire — Edition 4 · March 22, 2026
Coding agents go production at Stripe, Spotify, and HubSpot — while a rogue agent incident at Meta and new attack research make the case that governance can't wait.
Tags: autonomous-coding, agent-security, context-engineering, sdd, enterprise
Artificer's Grimoire — Edition 3 · March 15, 2026
A2A hits v1.0.0, Anthropic drops the long-context premium on 1M tokens, autoresearch demonstrates autonomous optimization in production, and security researchers take the first hard look at what happens when agents run unsupervised.
Tags: context-engineering, agent-security, a2a-protocol, autoresearch, sdd
Artificer's Grimoire — Edition 2 · March 10, 2026
Agent governance stopped being theoretical this week — Amazon mandated human sign-off after AI-caused outages, a prompt injection attack exposed Cline's release pipeline, and every major vendor shipped automated code review.
Tags: agent-governance, context-engineering, coding-agents, agent-security, harness-engineering
Artificer's Grimoire — Edition 1 · March 9, 2026
Context engineering has solidified as the defining discipline of production agent work, SDD tooling is fragmenting into three distinct philosophies, and the Agentic AI Foundation is quietly becoming the governance layer for the protocols that matter.
Tags: context-engineering, sdd, agent-orchestration, mcp, production-agents