BCG Design Studios · Creative AI Strategy paper · 14 Jun 2026

Ways of working · coding agents

The agent harness

A link landed in the inbox — "How an agent harness made my Claude Code setup 10× more reliable." Here is what it actually claims, what the research says when you push on it, and the four upgrades we're shipping — because we already run most of this.

The harness, in four parts

I

Memory

Corrections become durable rules, so the agent stops repeating mistakes.

II

Hooks

Mechanical checks that fire while the work happens — not after, by you.

III

Orchestration

One command runs a multi-step workflow, sometimes many agents at once.

IV

Eval loops

Output is reviewed, repaired, re-checked before it reaches your judgement.

i. The one-screen version

The model isn't the bottleneck. The scaffolding is.

The article's argument is simple and correct: a frontier model is no longer the limiting factor — the structure you wrap around it is. That "harness" has four parts: memory, hooks, orchestration, evaluation loops.

The finding that matters most is the one the article can't know: we already run three-and-a-half of the four. This repo has a memory system, four live hooks, slash-command orchestration, and council-style review. So the real question isn't "should we adopt a harness" — it's "where does ours lag, and what's the next increment of reliability?" That reframing is the whole value of this paper.

"10× more reliable" is an anecdote, not a benchmark — but "stops repeating mistakes, and stops needing me as the glue" is real, and supportable.

ii. Pillar I — Memory

Stop re-explaining yourself

Every time you correct an agent and the correction evaporates at session end, you pay for the same mistake twice. Memory is the fix: a durable place where corrections graduate into rules the agent reads at the start of every session.

What we already do — strong. We run a three-file memory system more sophisticated than the article's: PROFILE (how Esteban works), LEARNINGS (dated mistakes + the rule going forward), TEACH-ME (plain-language teaching log). A SessionStart hook surfaces them automatically; a /prune-memory skill keeps them sharp.

The hard number to know High — frontier models reliably follow ~150–200 instructions before compliance degrades, and Claude Code's own system prompt already spends ~50. The heuristic: keep each memory file under ~200 lines. Past that you hit "context rot" — Anthropic's term for the measured effect that, as the window fills, the model's ability to recall and obey buried instructions drops. The failure is silent: it doesn't error, it just quietly ignores the rule.

The rule every memory system needs High — a stated conflict-resolution order. Layered memory makes it easy to encode two rules that disagree. Our CLAUDE.md does this well in one place ("where they conflict, Tech-Minimal wins") — and also contains a live example of the trap: a superseded "never touch main" rule a later rule overrides.

Where we lag

Those three files are 66 KB, 54 KB and 31 KB today — far past the ~200-line budget. That's not theoretical; it's the context-rot failure mode pre-loaded into every session. We have the pruning tool; we just haven't run it on a cadence. Gap: discipline, not capability.

iii. Pillar II — Hooks

Mechanical checks while the work happens

A hook is a shell command (or HTTP call, MCP tool, even a sub-agent) that Claude Code runs automatically at a fixed point in its lifecycle — before a tool runs, after a file is written, when a session starts, when it tries to stop. It's how you make a check deterministic instead of hoping the model remembers.

How big this surface got High — the most surprising finding. Hooks grew from a handful of events to ~30+ lifecycle events by mid-2026: not just PreToolUse / PostToolUse / Stop, but SubagentStart/Stop, PostToolBatch, ConfigChange, FileChanged, PreCompact, Notification, even MCP elicitation. Nearly every step of the agent loop is now instrumentable.

The rules that actually matter

  • PreToolUse is the only true gate. It fires before execution and can cancel a tool call — and before the permission check, so it blocks even in "skip-permissions" mode. This is where you stop dangerous things.
  • PostToolUse is observability-only. By the time it runs, the action already happened. You can format, log, annotate — you cannot undo. Don't rely on it for prevention.
  • Hooks tighten, never loosen. A hook saying "allow" can't override a "deny" from settings. Deny always wins — so a hook can't accidentally open a hole.
  • Exit 0 = proceed; exit 2 = block and feed the reason back to Claude as something it can act on.

What we already do. We run four hooks: SessionStart (surface memory), UserPromptSubmit (a nudge-style skill router that flags matching skills without ever hijacking the message), PreToolUse-Bash (block destructive commands), and a conditional Stop (wrap-up only when there's uncommitted work). The router and the conditional Stop are genuinely more nuanced than most public examples.

The #1 documented failure — read before adding any hook

Stop-hook infinite loops. A Stop hook that keeps saying "not done" forces Claude to keep working; if the exit condition can never be met, it loops. One real issue reports ~50 minutes burning an entire session quota. Mitigations: Claude Code now auto-overrides after 8 consecutive blocks, and your hook must check stop_hook_active and exit early. Our reflect-on-stop hook already does both — good hygiene, by design.

The security model, in one line High — a hook is pre-authorized arbitrary code execution with your full shell privileges, run automatically every time the trigger fires. That's the entire risk. Sanitize inputs as untrusted; scope matchers narrowly; and for hard guarantees use the permission system, not hooks (which can fail open).

Where we lag

We have no PostToolUse hook. The article's whole pillar is "mechanical checks while the work happens," and the canonical mechanism — PostToolUse on file writes — we simply don't use. Our brand and performance checks are manual slash commands: they run only when someone remembers. For a team whose output is visual HTML pages, an automatic check on every .html write is the obvious high-leverage move.

iv. Pillar III — Orchestration

One command, many agents

Instead of you being the operator who copies output from step one into step two, a single command runs the whole workflow — often in parallel. The article's signature example: one newsletter → three agents at once → a LinkedIn post, a Twitter thread, and Substack Notes.

  • Slash command vs sub-agent. A slash command is a macro — a saved prompt that expands inline in your main context. A sub-agent is a worker — a separate context window that does a scoped job and returns only its conclusion, with the messy intermediate work garbage-collected. The benefit is context isolation: a clean main thread.
  • The economics are steep High. Anthropic's multi-agent research system beat a single agent by 90.2% — but burned ~15× the tokens, and token usage alone explained ~80% of that gain. A lot of the "win" is just spending more compute.
  • The domain warning that reshapes our plan High. Both Anthropic and Cognition ("Don't Build Multi-Agents") agree: parallel multi-agent is a poor fit for coding and any task with shared context or dependencies — split the work and each agent makes unstated decisions the others can't see, so the pieces don't compose. To build one coherent thing: stay single-threaded.

What we already do — strong. Our /council and /llm-council already fan out to parallel critics. We use parallel research agents — this paper was researched by several agents at once. We have a documented /parallel-session protocol for two Claudes on one repo.

Where we lag

We orchestrate for review and research, not for production. The article's most applicable idea is the one we don't have: a single command that takes one finished artifact and fans it out into channel-native variants — turn this deck into a LinkedIn post + an internal email + a one-slide summary + Substack Notes. That's exactly breadth-first, independent work — the case where fan-out genuinely pays. Gap: a /repurpose command.

v. Pillar IV — Evaluation loops · where the research bites hardest

Grounded, or theatre

Don't trust first-draft output: generate → evaluate → repair → re-check before a human sees it. The deep research changed my view here, and the split is the single most important thing in this paper.

Grounded verification works High

When the evaluator is an external oracle — unit tests, a compiler, a type-checker, a linter, a runtime error, an accessibility audit — the loop is reliable, predictable, auditable. It's why coding agents self-correct well in practice: the tests tell the truth. Reflexion hit 91% on HumanEval (beating GPT-4's 80%) precisely because the loop was closed by test execution, not opinion.

Self-grading is largely theatre High

When a model grades its own output with no external check, the wheels come off. The load-bearing paper — Huang et al. (DeepMind, ICLR 2024): "LLMs struggle to self-correct their responses without external feedback, and at times, their performance even degrades." Earlier optimistic results were quietly leaking the correct answer into the loop; remove that oracle and the gains vanish. GPT-4 drops from 95.5% → 91.5% on GSM8K when it reviews its own reasoning unaided.

And the judge is biased toward itself High

LLM-as-judge shows documented self-preference bias — models score their own output higher, and the bias grows with capability. Add position bias, verbosity bias, the fact that self-refinement scores aren't even monotonic, and the fact that judges are gameable by surface features — and pure self-grading looks less like quality control and more like confidence-laundering.

A model grading its own work, alone, is the weakest signal in the system — and the most dangerous, because it feels like rigour.

What we already do — better than expected. Our councils are deliberately built as independent critics; /brand-check against the design-system Definition of Done is a genuine grounded check (a checklist, not a vibe). The instinct — separate the maker from the judge — is exactly right. Where we lag: the loops are manual, and a council of LLM personas is still LLM judgement unless anchored to something external. Our most grounded checks (brand DoD, contrast, performance) are the ones we should automate and run every time.

vi. Challenge & defend

I tried to kill the idea. Here's what survived.

The brief was to challenge these ideas, then defend what holds. An honest adversarial pass:

Challenge —

It's over-engineering. The Bitter Lesson says scaffolding is temporary.

Every capability you bolt on is something the next base model may do natively — making your harness dead weight you still maintain. History favours this: hand-built prompt tricks keep getting absorbed into models.

Defence — what survives

True for capability scaffolding (prompt chains that prop up a weak model — let those go). False for governance scaffolding: hooks that enforce our brand tokens, our git discipline, our a11y floor, our memory of Esteban's taste. No model upgrade will ever know those. The test (Lance Martin): run the agent across model strengths — if a stronger model doesn't improve it, your harness is hobbling it. Re-run at every release; delete what stops paying.

Challenge —

Self-grading evaluation loops are theatre.

A model reviewing its own work then declaring it good can increase false confidence while adding cost and latency. The research above makes this stick.

Defence — what survives

Only the grounded loops — tests, the Definition-of-Done checklist, contrast math, a separately-briefed critic that doesn't share the maker's context. Our council pattern survives if critics stay independent and anchored to an external artifact. "Claude, grade your own page" does not survive — cut it.

Challenge —

The harness is maintenance burden and a new failure surface.

The Stop-hook loop that burned a 50-minute quota is the cautionary tale; a slow PostToolUse drags every turn; a hook is arbitrary code running with full privileges. Berkeley's MAST study shows most multi-agent failures are architectural, not model-level.

Defence — what survives

This argues for discipline, not abstinence. Every hook needs a guard (stop_hook_active, tight matchers, a timeout) and the rule "tighten, never loosen." Our existing hooks already follow this. Add hooks slowly, each with a kill condition.

Challenge —

Memory becomes a liability as it grows.

Already true for us — 150 KB+ across three files. Stale or conflicting memory can actively mislead, silently.

Defence — what survives

Memory survives; bloat doesn't. The fix is operational: run /prune-memory on a cadence, graduate matured lessons into terse rules, archive the rest. A 10 KB sharp memory beats a 66 KB swamp.

What survives the whole pass: the harness as a governance and knowledge layer — durable. Grounded evaluation loops — durable. Memory with active pruning — durable. Capability-compensating scaffolding and ungrounded self-grading — cut them.

vii. The honest scorecard

Where we actually stand

We're not behind the article. We're ahead of it on orchestration and memory architecture — and the gaps are specific and cheap to close.

Our harness, graded
PillarWhat we runGradeThe gap
Memory3-file system + SessionStart surfacing + /prune-memoryB+Files bloated (150 KB+); pruning not on a cadence
HooksSessionStart, prompt router, destructive-block, conditional StopBNo PostToolUse — no auto-check while work happens
Orchestration/council, /llm-council, parallel research, /parallel-sessionA−Fan-out is for review, not production (no /repurpose)
Eval loops/council, /llm-council, /deep-research-council, /brand-checkB+Manual; not always grounded on an external oracle

viii. Next steps · ranked by leverage

The four upgrades we're shipping

Do now — high leverage, low effort, low risk

A PostToolUse brand & a11y gate on HTML writes

On every Edit/Write to a *.html file, run a lightweight check against the design-system Definition of Done (forbidden: Inter, pure #000, missing meta/OG, no single h1, hover-only) and feed findings back as advisory context — non-blocking, so it informs without stalling. Turns /brand-check from "if someone remembers" into "every time." Closes the hooks gap; grounded, not self-grading.Highest-ROI gap · closes Hooks

Put /prune-memory on a cadence

Run it weekly, tied to the existing /weekly-close rhythm. Target: get the three memory files back under a sane size by graduating matured lessons into rules and archiving the rest.Closes Memory

Do next — high leverage, moderate effort

Build a /repurpose fan-out command

One artifact in → parallel sub-agents out → channel-native variants (LinkedIn post, internal email, one-slide summary, Substack Notes, exec one-pager). The article's signature move, and exactly what a creative-AI lead ships constantly. Breadth-first and independent — the case fan-out is built for. Highest creative ROI on the list.Closes Orchestration

Ground our evaluation loops

Amend /council and /llm-council so that whenever an external check exists (design-system DoD, contrast math, link-check, /perf-check), the council must run it and cite it — not just opine. Make "grade your own work alone" a non-pattern.Closes Eval loops

Consider — worth a look, handle with care

A Stop-hook Definition-of-Done gate

Use the new agent handler to verify the DoD passes before a page is "done." Powerful — but it's the infinite-loop foot-gun. Only with a hard iteration cap and a stop_hook_active guard.Irreversible-ish · restate before building

Lightweight observability

A PostToolUse log of commands/edits to a daily file, so we can see what the agent actually did across a session. Cheap; feeds the weekly digest.Nice-to-have

The reply to send back up

The boss's link is a good prompt, and the confident answer is "we already run this pattern — here are the four specific upgrades we're shipping because of it." That's a stronger story than "we read an article."

ix. Method & honesty note

How this was made

The trigger article sits behind a paywall (automated fetch returned 403), so I worked from its published abstract and section thesis. I then ran two deep-research passes — one on the full Claude Code hooks surface (official docs read in full), one on evaluation-loop and self-correction science — and audited our own repo to compare. Several primary sources (Anthropic engineering posts, some third-party guides) were bot-blocked too, so quantitative figures (90.2%, ~15×, 95.5→91.5, the ~150-instruction budget) are cross-checked across multiple independent summaries and rated accordingly. Confidence labels above reflect this. The "10×" headline is one person's anecdote — treat it as rhetoric, not a benchmark.

x. Sources

Where this comes from

Hooks — official, read in full

Evaluation loops & self-correction

Orchestration, harness design & critiques

Trigger article (paywalled; abstract only)

Full working paper with per-claim confidence: research/agent-harness-reliability-2026-06-14.md in this repo.