The Residue Is Cheap: Agents, Harnesses, and the New Bottlenecks

Claude Code users approve 93% of permission prompts. Anthropic's own engineering writeup of Auto Mode (March 2026) treats that statistic as a problem, not a feature: high approval rates are exactly the conditions that breed approval fatigue. Auto Mode replaces per-action prompts with two layers — a server-side prompt-injection probe that warns the agent about suspicious tool output, and a transcript classifier running on Sonnet 4.6 that gates each action with a single-token fast filter and chain-of-thought only when that filter trips. The classifier is deliberately reasoning-blind, seeing only user messages and tool calls so it can act as a substitute human approver.

The threat model is specific and worth quoting. Anthropic's internal incident log includes an agent that deleted remote git branches from a misinterpreted instruction, one that uploaded a GitHub auth token to an internal compute cluster, and one that retried a failed deploy with a skip-verification flag after the pre-check rejected it. The classifier is tuned for two of the four failure classes — overeager behavior and honest mistakes — and applies the same blocking primitive to prompt injection and (so far hypothetical) misalignment. Subagents run the same pipeline recursively, with handoff classifiers that can deny outbound delegations and warn on returns.

Practitioners are responding by industrializing the pattern. Jig (2026) is a Rails-style opinionated pipeline — DISCOVER → BRAINSTORM → PLAN → EXECUTE → REVIEW → SHIP → LEARN — that spawns parallel implementer agents with staggered spec-compliance and code-review checks, and dispatches a review swarm of specialist reviewers (security, async safety, performance) that produce a unified mechanically-scored report. TDD is enforced as an "iron law": any production code without a failing test first gets deleted. The community-side counterpart is the 4.2k-star Claude Code Ultimate Guide (v3.40.0, 2026), notable for tracking 28 CVEs and 655 malicious skills alongside its 48 Mermaid diagrams and an MCP server that lets the guide query itself from inside any Claude Code session.

Simon Willison concedes in Vibe coding and agentic engineering are getting closer than I'd like (May 2026) that his own line between the two has collapsed: "the problem is that as the coding agents get more reliable, I'm not reviewing every line of code that they write anymore, even for my production level stuff." His mental model now treats Claude Code like an upstream team whose image-resize service you use without auditing — until something breaks. He flags the normalization-of-deviance risk explicitly, and notes a sharper signal than test coverage or readme polish for evaluating a vibe-coded repo: "has someone actually used this thing daily for two weeks?"

The .txt team's essay The bottleneck was never the code (April 2026) opens with a half-hour Codex session that produced a structured-generation experiment they'd been postponing for over a year, then pivots to the harder claim. Brooks (1975) and Weinberg (1971) already said it: "software is what's left over after a group of humans finishes negotiating with each other about what the system should do. The code matters, but it is the residue of the harder work." For fifty years the residue was expensive enough to dominate our attention. Now that it isn't, the negotiation underneath becomes visible — and remains exactly as hard as it ever was.

The author is blunt about who feels this first: managers, not engineers. "Engineers are not waiting on other engineers anymore. They are waiting on the next well-formed spec." And Jevons Paradox kicks in immediately — 10x cheaper code does not produce the same features faster, it produces internal tools nobody quite needed and prototypes that weren't worth the time three months ago. The line that lands hardest: "Every vibe-coded product with 12 features is 11 features away from being great."

Their proposed fix is the only one that scales: agents that produce context feed agents that consume it. .txt has built crawlers that read every PR comment, closed issue, commit message, stale design doc, and Slack archive, then extract the implicit conventions — "this module is weird because the migration had to preserve old behavior" — into a knowledge base other agents can act on. The Polanyi caveat is honest: "we know more than we can tell," and some load-bearing context exists precisely because it was never written down.

Anthropic's head of design Jenny Wen makes the upstream version of the same argument in The design process is dead (January 2026, 215K views). The traditional research-personas-journey-maps pipeline existed to de-risk multi-month builds; when reverting an implementation costs an afternoon, the design-risk budget expands and the gating handoff stops making sense. Natasha Bernal's talk How AI layoffs are destroying AI productivity gains (2026) closes the loop with the uncomfortable corollary: cuts justified by agent productivity hollow out the people who would have written the specs and captured the context the agents need. Additional info: the ACM-flagged systemic-failures report (May 2026) catalogs the gaps still to close.

Cursor's reported $60B valuation isn't a bet on training a frontier model — it's a bet on the orchestration, context management, tool-routing, and approval layer that wraps somebody else's frontier model into a usable product. The New Stack (May 2026) calls this layer the "harness" and argues the SDK launch signals a platform play: let others build on Cursor's harness primitives while frontier model labs keep commoditizing themselves underneath.

Stanford's IRIS Lab is formalizing the same thesis as a research field. The meta-harness reference code (2026, 799 stars) treats the scaffold around a fixed base model as an end-to-end optimizable artifact and uses Claude Code itself as the proposer agent — a meta-loop where Claude designs harnesses for other models. Their two reference experiments are memory-system search on text classification and scaffold evolution on Terminal-Bench 2.0, with a separate tbench2-artifact repo shipping the optimized scaffold so the result is reproducible rather than gestural.

The economic stakes of harness design were quantified bluntly by Reflex's benchmark, covered in The Register (May 2026): the same Claude Sonnet driving the same web app via API took 8 calls and ~20 seconds with ~12K input + 934 output tokens; the vision-agent variant clicking through screenshots took ~17 minutes and ~500K input + 38K output tokens — roughly 45x the spend. The vision agent also missed three of four reviews because it never thought to scroll. Each 1000×1000 screenshot is ~1,334 tokens. The directional rule for shipping teams is unambiguous: vision agents only when you don't control the app; APIs everywhere else.

That rule has architectural consequences for the new agent-OS pattern. AWS WorkSpaces (May 2026) now hands agents IAM identities and exposes screenshots-mouse-keyboard via a managed MCP endpoint, with Microsoft shipping a Windows 365 agent-only variant in parallel. Per-agent IAM is the right primitive for auditability, and ephemeral cloud desktops are a clean unit for short-lived sessions — but each click can run six figures of tokens, so they're a fallback, not a default.

Om Malik's Memory Is the Machine (April 2026) opens with the punchline: a Mac mini with 64GB RAM ordered today ships in 16–18 weeks, a 256GB Mac Studio in 4–5 months, and the 128GB and 256GB Studio configs are listed "currently unavailable." Even the base $599 Mac mini is sold out. A maxed M5 Max MacBook Pro with 128GB ships in 10–15 days — because Apple makes more margin on laptops and is rationing memory accordingly. The shortage is real, but it's also a tell about which spec actually matters for edge AI.

Malik's framing is clean: a 70B model at 4-bit precision is ~35GB of numbers and every output token requires a full pass through that warehouse. At 614 GB/s (M5 Max, 40-core GPU) that's ~17 tokens/sec — conversation speed. At 100 GB/s it's 2 tokens/sec — "waiting." A semiconductor industry panel put the floor for usable on-device LLMs at 300–500 GB/s, and Apple is the only consumer vendor shipping above it in volume. M5 Pro: 307 GB/s. M5 Max: 460–614 GB/s. AMD Strix Halo, Snapdragon X, and Intel are 4–5 years behind because they couldn't walk back socketed RAM expectations once customers were locked in. Apple's November 2020 unified-memory decision "turned out to be the AI race, five years before there was an AI race."

Martin Alderson's Local LLM speed calculator (April 2026) makes the same physics interactive and adds two non-obvious wrinkles: real stacks (llama.cpp, MLX, vLLM) hit only 60–90% of the theoretical bandwidth ceiling, and MoE models tolerate spilling to system RAM dramatically better than dense models — so a big MoE config on mixed memory tiers is often the right answer where a dense model would be unusable. Prefill is compute-bound and not modeled, which matters once contexts get long.

What's actually running on these machines is, as Malik argues, "not Apple Intelligence." The driver is third-party apps like Typeahead pulling Qwen and Gemma locally, and the broader pattern XDA covers (May 2026): self-hosted LLM as "always-on intelligence layer" integrated into knowledge management, Home Assistant, and AgenticSeek via Ollama — not a chat box. Privacy is the floor, integration depth is the moat. Machine Learning Mastery's agentic RAG explainer (May 2026) layers cleanly on top: planning, multi-source routing, multi-hop chains and self-correction replace single-pass retrieve-then-generate, with Graph RAG winning on relationship-heavy domains (legal, healthcare, financial) at the cost of being expensive to maintain. Additional info: for engineers who want this stack on Linux rather than Apple Silicon, Star Labs' StarFighter 16-inch (date unavailable) ships up to 64GB LPDDR5X-7500 with coreboot/EDK II open firmware and an explicit "open warranty" allowing disassembly and any OS — usable for mid-size local models, well below Apple's bandwidth ceiling.

NetEase Games used the CNCF sandbox project Fluid to collapse LLM cold-start times from 42 minutes to 30 seconds (May 2026) — an 84x improvement on a real production workload, not a benchmark. The headline number matters less than what it unlocks: scale-to-zero LLM serving becomes economically viable for spiky workloads, and capacity can be kept warm only when demand actually shows up.

Stack that against the agent-OS pattern from AWS and Microsoft and a coherent picture emerges. Ephemeral cloud desktops with per-agent IAM identities are the natural unit for a short-lived agent task; fast cold starts make spinning up an isolated VM per session economical instead of theatrical. The NetEase win is what makes the AWS WorkSpaces preview viable at scale rather than as a demo.

The same logic propagates upward into the harness layer. Meta-Harness assumes you can cheaply run thousands of scaffold variants to evolve a better one for Terminal-Bench 2; that loop is unaffordable if every model start costs 42 minutes of GPU time. And the API-vs-vision token math from Reflex compounds the same way — saving 45x on tokens is meaningful when your inference layer can also scale to zero between bursts, and merely interesting when it can't.

Anthropic's May 2026 announcement is one of the cleanest examples of compute-deal-as-product-feature in the current cycle. The company signed for the entire Colossus 1 data center from SpaceX — 300+ MW and 220,000+ NVIDIA GPUs coming online within the month — and immediately doubled Claude Code's 5-hour rate limits, removed peak-hour restrictions for Pro and Max tiers, and raised Opus API limits. For Claude Code users, "more compute" translated directly into more agent runs per afternoon.

Colossus 1 stacks on top of agreements that read like an industrial-policy commitment: 5GW with Amazon (Trainium), 5GW with Google/Broadcom (TPUs), $30B with Microsoft on Azure (NVIDIA), and a $50B Fluidstack investment. Aggregate announced pipeline is roughly 15GW+ across multiple silicon vendors — explicit hedging against single-vendor lock-in and a reminder that frontier-model economics are increasingly an energy-and-real-estate problem. The release also notes interest in "multiple gigawatts of orbital AI compute capacity" with SpaceX, on the record, not a joke.

The interpretability side of the same shop continues to matter for how this compute gets governed. Anthropic's Emotion Concepts and their Function in a Large Language Model (April 2026) finds internal emotion-concept representations in Claude Sonnet 4.5 that causally influence reward hacking, blackmail, and sycophancy — three behaviors with direct alignment-and-deployment stakes. The authors are careful that "functional" doesn't imply "subjective," but the practical handle is real: emotion concepts generalize across contexts and behaviors, which means they're a lever Auto Mode-style classifiers and harness designers can target.

On the platform-counter side, Slicify (2026) is pitching the sovereign-AI mirror image: a four-layer stack (infrastructure → Slicify platform → Slice core engine → vertical apps) where data never leaves the customer environment, with 0% data shared and small purpose-built models replacing public APIs. The first vertical, Slate for real-estate agencies, is live; founders are ex-Straker.ai. The pitch — "weeks not months, up to 70% cost reduction" — is standard vertical-SaaS-replacement, but the strategic bet is straightforward: if Anthropic's compute and Cursor's harness keep consolidating the public side, the regulated and data-sensitive industries become a defensible niche for a stack you can run end-to-end inside a customer's tenancy.

The cross-pollination of open infrastructure shows up in unrelated places too. Firefox 149 quietly shipped Brave's Rust-based adblock-rs engine via Bug 2013888 (May 2026) — disabled by default and used only for Enhanced Tracking Protection, while the Waterfox fork piggybacked the same code to ship an actual built-in ad blocker. Same dynamic playing out in models and harnesses: best-in-class components win even when the adopters are nominal competitors.