Artificer’s Grimoire — Edition 3 · March 15, 2026

A2A hits v1.0.0, Anthropic drops the long-context premium on 1M tokens, autoresearch demonstrates autonomous optimization in production, and security researchers take the first hard look at what happens when agents run unsupervised.

Must Read

A2A Protocol Reaches v1.0.0

Source: a2aproject/A2A on GitHub · 2026-03-12 Tags: a2a, protocol, agent-communication, breaking-changes

The Agent-to-Agent protocol ships its first stable release under Linux Foundation governance (repo moved from google/A2A to a2aproject/A2A). Breaking changes consolidate push notification configs, pluralize API names, and clean up the task schema. gRPC transport is now official alongside HTTP+SSE and WebSocket.

Why it matters: This is the milestone that makes A2A integration planning viable. With v1.0.0, the API surface is stable enough to build against without expecting breaking changes every month. Combined with MCP handling agent-to-tool communication, the two-protocol stack (MCP + A2A) is now the de facto standard for the agentic ecosystem. Anyone building agent infrastructure should target both. Anyone who was waiting for “the spec to settle” — it just did.

See also: A2A Protocol Tech Update on DEV — community summary of the v1.0.0 landscape.

Autoresearch: 120 Autonomous Experiments on Shopify’s Liquid Engine

Source: Simon Willison · 2026-03-13 Tags: autoresearch, recursive-optimization, production, autonomous-agents

Shopify CEO Tobias Lütke used Andrej Karpathy’s “autoresearch” pattern — an autoresearch.md prompt file plus a shell script — to have a coding agent run ~120 semi-autonomous experiments against Shopify’s Liquid template engine. The PR lists 93 commits. Result: 53% faster parsing, 61% fewer allocations. Pure-byte optimizations the agent discovered included replacing StringScanner with String#byteindex for a 12% parse time reduction.

Why it matters: This is the clearest demonstration yet that autonomous agents can do meaningful optimization work when given a tight feedback loop (run benchmarks → try changes → measure → repeat). The pattern is dead simple — a prompt file describing the goal and a script that returns measurable results. It’s not recursive self-improvement in the AGI sense; it’s a well-scoped autonomous search over a defined optimization space. But it works, and it scales. Any team with a measurable optimization target should evaluate this pattern.

1M Context Window GA at Standard Pricing

Source: Simon Willison · 2026-03-13 Tags: claude, anthropic, long-context, pricing, economics

Anthropic made 1M context generally available for Opus 4.6 and Sonnet 4.6 at standard pricing — no long-context premium. OpenAI charges more above 272K tokens for GPT-5.4; Google charges more above 200K for Gemini 3.1 Pro. The HN thread hit 1,180 points.

Why it matters: This removes one of the last economic arguments against large-context agent sessions. Context-heavy workflows — ingesting full codebases, long specification documents, multi-file analysis — no longer carry a pricing penalty on Anthropic models. The constraint on context usage shifts from “how much can we afford?” to “how much actually helps?” — which, given the research showing quality degradation past 40% utilization, is the more interesting engineering question.

Agent System Prompt Security: Arbiter Finds 152 Issues Across Claude Code, Codex CLI, Gemini CLI

Source: arXiv: 2603.08993 — Tony Mason · 2026-03-09 Tags: security, system-prompts, interference-detection, claude-code

Arbiter combines formal evaluation rules with multi-model LLM scouring to detect interference patterns in system prompts. Applied to three major coding agents, it found 152 findings in undirected analysis and 21 hand-labeled interference patterns in directed analysis. Key finding: prompt architecture (monolithic vs flat vs modular) correlates with observed failure class but not severity. Multi-model evaluation discovers categorically different vulnerability classes than single-model analysis. One finding in Gemini CLI’s memory system matched a bug Google had already patched.

Why it matters: This is the first serious security research on coding agent system prompts, and the results should make everyone uncomfortable. 152 findings across three production agents means no one has this figured out. The correlation between architecture and failure class — but not severity — suggests there’s no “safe” prompt design pattern, only tradeoffs in where failures manifest. Anyone designing production agent prompts should read this paper and run multi-model evaluation against their own prompts.

Test-Driven AI Agent Definition: Compiling Prompts from Behavioral Specs

Source: arXiv: 2603.08806 — Tzafrir Rehan · 2026-03-09 Tags: sdd, testing, agent-prompts, specification-gaming

TDAD treats agent prompts as compiled artifacts: engineers write behavioral specs, a coding agent converts them to executable tests, a second agent iteratively refines the prompt until tests pass. To combat specification gaming, it introduces hidden test splits, semantic mutation testing (generating faulty prompt variants to check test suite detection), and spec evolution scenarios.

Why it matters: This is SDD applied to agent prompt engineering, and it’s the convergence we’ve been watching for. The insight that prompts should be tested like code — with regression suites, mutation testing, and hidden evaluation sets — addresses the “small prompt changes cause silent regressions” problem that every production agent team eventually hits. The natural adoption pattern: spec → compile prompt → test → deploy, with automated regression detection on prompt changes.

Security Architecture of GitHub Agentic Workflows

Source: GitHub Blog · 2026-03-12 Tags: agent-security, sandboxing, threat-model, governance, reference-architecture

GitHub publishes the full security architecture behind its agentic workflows in Actions. The design assumes agents will attempt to escape their sandbox, read secrets, and abuse legitimate channels. Three defensive layers: substrate (kernel-enforced VM isolation, chroot jails, read-only filesystems), configuration (declarative policies, firewalled egress, MCP gateway proxying), and planning (staged writes with deterministic vetting before any side effect executes). LLM auth tokens never reach agent containers — all API traffic routes through an isolated proxy.

Why it matters: This is the most concrete agent security reference architecture publicly available. The “stage and vet all writes” pattern — where every agent output passes through deterministic analysis (operation filtering, content moderation, secret removal) before execution — is the missing piece most agent frameworks don’t have. The three-layer isolation model is directly applicable to anyone building multi-tenant agent infrastructure. Bookmark this alongside the Arbiter and OpenClaw papers for a complete picture of where agent security stands in March 2026.

Worth Scanning

Autonomous Context Compression (LangChain) — Deep Agents SDK lets models compress their own context at opportune times. Production-ready implementation of the context management pattern every long-running agent needs.
The Anatomy of an Agent Harness (LangChain) — Defines “Agent = Model + Harness” and derives core harness components. Useful vocabulary for architectural discussions.
Comprehension Debt (Addy Osmani) — Google Chrome engineer coins the gap between code that exists and code the team understands. Complements Willison’s “AI should help us produce better code” from the same week.
Context Engineering: From Prompts to Corporate Multi-Agent Architecture (arXiv) — Formalizes CE as a standalone discipline with five quality criteria: relevance, sufficiency, isolation, economy, provenance. Frames context as the agent’s operating system.
Google Developer Knowledge API + MCP Server (Google) — MCP server providing machine-readable access to Firebase, Google Cloud, and Android docs. The documentation-as-context pattern every platform will eventually need.
AI-Generated PR Spam Is Killing Open Source (Simon Willison) — Jazzband sunsetting because AI PRs made open membership untenable. Only 1 in 10 AI PRs meets standards. Curl shut down its bug bounty (confirmation rate <5%). GitHub shipped a kill switch to disable PRs entirely.
“MCP Is Dead; Long Live MCP” (HN, 246 points) — Practitioner critique of MCP’s growing pains for production use. The 188-comment thread is a useful catalogue of real pain points around authentication, server lifecycle, and error handling.
“Coding After Coders” (NYT Magazine via Willison) — Clive Thompson’s epic piece, 70+ developer interviews. Captures the mainstream narrative around AI-assisted development in March 2026.
OpenClaw Security Analysis: 17% Defense Rate (arXiv) — 47 adversarial scenarios across MITRE ATT&CK categories. Average defense rate 17%, highly susceptible to sandbox escape. Validates defense-in-depth over trusting the model alone.

New Tools & Repos

Context Gateway — Python/TypeScript — Open-source proxy that compresses agent context using SLMs before it hits the LLM, conditioned on tool-call intent.
Claudetop — TypeScript — htop-style real-time cost monitoring for Claude Code sessions. 51 HN points.
GitAgent — TypeScript — Open standard defining AI agents as git repos (agent.yaml + SOUL.md + SKILL.md). Exports to Claude Code, CrewAI, Google ADK, LangChain, OpenAI Agents SDK.
Arbiter — Research framework for detecting interference patterns in LLM agent system prompts using multi-model evaluation.

Papers

Building Effective AI Coding Agents for the Terminal (OPENDEV) — Nghi D. Q. Bui — Dual-agent terminal coding agent with adaptive context compaction and automated cross-session memory. (Covered in Edition 1; updated version with new results.)
Context Engineering: From Prompts to Corporate Multi-Agent Architecture — Vera Vishnyakova — Formalizes context engineering as a discipline with five quality criteria and introduces intent/specification engineering layers.
Arbiter: Detecting Interference in LLM Agent System Prompts — Tony Mason — Multi-model framework finding 152 interference patterns across Claude Code, Codex CLI, and Gemini CLI system prompts.
TDAD: Compiling Tool-Using Agents from Behavioral Specifications — Tzafrir Rehan — Test-driven methodology for agent prompt engineering with hidden test splits and semantic mutation testing.
iSWE Agent: Java Issue Resolution via Rule-Based + Model-Based Hybrid — Ganhotra et al. — SOTA on Java splits of Multi-SWE-bench by combining static analysis tools with LLM-based agents.
Memory for Autonomous LLM Agents — Pengfei Du — Comprehensive survey formalizing agent memory as a write-manage-read loop with a three-dimensional taxonomy.
Increasing Intelligence in AI Agents Can Worsen Collective Outcomes — Neil F. Johnson — First study treating AI agents as real populations where diversity and RL increase system overload under resource scarcity.
SWE-AGI: Specification-Driven Construction Benchmark — Zhang et al. — Spec-driven benchmark requiring 1K-10K lines of implementation. GPT-5.3-codex solves 86.4%, Claude Opus 4.6 solves 68.2%.
LLM2SMT: AI Agent Builds Complete SMT Solver With Zero Human Code — Janota & Olšák — Coding agent builds a DPLL(T) SMT solver competitive on SMT-LIB benchmarks, including Lean proof generation.

Ecosystem Watch

OpenHands 1.5.0 — Ships a planning agent, task list panel with real-time status, slash command menu, and mid-conversation Git repo attachment. The planning agent separating plan from execution mirrors the dual-agent pattern now appearing everywhere. Still single-user/local-first.
GitHub Spec Kit 0.3.0 — Adds pluggable preset system with catalog and resolver, specify doctor health diagnostics, and Kimi Code CLI support. Three releases this week (0.2.0 → 0.2.1 → 0.3.0) signals active investment. SDD tooling is maturing from templates to configurable ecosystems.
Gemini CLI — Plan Mode (read-only analysis before execution), Conductor Automated Reviews (checking implementations against plans), workflow hooks (v0.26.0+), structured extension settings stored in system keychain. Reaching feature parity with Claude Code’s plan mode.
Claude Code March Updates — Voice mode (/voice, 5% rollout), /loop for recurring monitoring, Opus 4.6 default with 1M context, ultrathink, MCP elicitation. The /loop command creates lightweight session-level cron jobs — a pattern worth evaluating for autonomous monitoring.
CrewAI 1.10.2 — Dynamic tool injection during execution (token savings) and MCP tool resolution fixes. Pre-release, but the dynamic tool search pattern is notable.
Apple Xcode 26.3 — Agentic coding support with Claude Agent and OpenAI Codex integration. Apple entering the space signals mainstream adoption is complete.

The Long View

This week’s security research — Arbiter’s 152 system prompt findings, OpenClaw’s 17% defense rate, the Jazzband sunsetting — forms a coherent warning that the industry is shipping agent autonomy faster than it’s shipping agent safety.

The pattern is consistent. GitHub ships a kill switch to disable PRs because AI spam overwhelmed open membership models. Curl shuts down its bug bounty because AI-generated reports are mostly noise. An open-source coding agent framework relies almost entirely on the backend LLM for security, and researchers demonstrate a 17% defense rate against standard attack categories. The most widely-deployed coding agents have 152 detectable interference patterns in their system prompts.

None of this means agents are useless. The autoresearch results and LLM2SMT demonstrate genuinely impressive autonomous capability. But the gap between “what agents can build” and “how safely they can operate” is widening, not narrowing. The teams that get this right — defense-in-depth, constrained outputs, comprehensive logging, human review gates — will be the ones whose agents are still trusted in production six months from now. GitHub’s agentic workflow security architecture paper is the closest thing to a blueprint we’ve seen. Study it.

Governance infrastructure — checkpoints, kill switches, human-in-the-loop gates — isn’t a nice-to-have. This week’s evidence suggests it’s table stakes.

The Artificer’s Grimoire is a curated intelligence feed from Artificer Digital. Built by practitioners, for practitioners.

Artificer's Grimoire — Edition 3 · March 15, 2026