The Death of Frameworks, The Rise of the Harness: Why Software Architecture is Moving to Upstream Agentic Runtimes

The Death of Frameworks, The Rise of the Harness

Most developers building AI agents today are stuck in the same loop. They pick a framework — CrewAI, LangGraph, Agno — and then spend the next three months writing glue code. Memory management. Context compaction. Infinite-loop guards. Sandboxing. Token streaming. Error recovery. By the time the "agent" is stable enough for production, the team has written more infrastructure than product.

This article argues that era is over.

Just as we stopped writing web servers from scratch and moved to containers and managed application runtimes, the AI industry is undergoing a parallel shift — from Agent Frameworks to Upstream Agent Harnesses, or what the next generation of architects is calling Agentic Runtimes. The modern agent is no longer code you write. It's a standalone runtime you configure, inject with skills, and connect to MCP providers. The engineering effort shifts from wiring neurons together to building clean, secure data interfaces.

By the end of this article you will have:

A clear mental model for the Agent = Model + Harness formula.
A working Python implementation of a minimal Agentic Runtime — event loop, hybrid memory, sandboxed execution.
An MCP client the runtime uses to discover external tools at startup.
A self-generating skill registry that lets your agent compound capabilities over time.
A runtime multi-agent spawner that isolates subagents instead of polluting context.
A 2026 CTO roadmap for choosing between Opinionated and Local-First harnesses.

All code in this article is available on GitHub: OneManCrew/death-of-frameworks-harness

Part 1: The Dead End of Agentic Glue Code

Ask any team that has taken an AI agent to production what their biggest pain point was. The answer is almost never the model itself. It's everything around the model.

The LLM is the engine. The problem is the chassis.

Here's what building a production-ready agent with a typical framework actually looks like:

State management — define, serialize, and restore agent state across turns. When the agent fails mid-task, you need to resume from a checkpoint, not restart from zero.
Context compaction — after enough turns, the context window fills up. You need policies for what to keep, what to summarize, and what to evict — without the agent losing its goal.
Loop detection — models hallucinate. They get stuck. They call the same tool 40 times. You need heuristics, circuit breakers, and retry budgets baked into the execution layer.
Secure sandboxing — an agent that can write code, execute shell commands, and access internal APIs is a serious attack surface. You need isolated execution, permission scoping, and audit trails.
Streaming and observability — users expect streaming responses; debugging requires structured traces. Neither is a one-liner.

With frameworks like LangGraph or CrewAI, you implement all of this yourself. Every team. Every project. From scratch.

The insight that changes everything: these are not application concerns. They are runtime concerns.

A web developer doesn't implement TCP connection pooling for every app they build. A backend engineer doesn't write a garbage collector per service. These problems were solved once, at the infrastructure layer, and abstracted away. Agentic infrastructure is at the same inflection point — most teams just haven't realized it yet.

Part 2: The New Formula — Agent = Model + Harness

Let's define the term that makes sense of this shift:

Agent = Model + Harness

The Model is the LLM: GPT-4o, Claude Sonnet, Llama 3, Gemini. It handles reasoning and language generation. It's swappable.

The Harness is everything else. It's the operating system of the AI era. A proper Harness provides:

Event loop — an autonomous, self-correcting plan/act/observe/retry cycle, without manual orchestration code.
Security sandbox — isolated execution environments (containers, WASM, or process isolation) for any tool that touches the filesystem, network, or external APIs.
Hybrid memory — episodic (what happened in past sessions), semantic (what the agent knows), and working (what it's doing right now), all managed automatically.
MCP client — native support for the Model Context Protocol, so the agent discovers and consumes external tool providers without hardcoded integrations.
Skill registry — a persistent store of learned capabilities the agent can reuse across tasks.

The critical architectural distinction: frameworks ask you to import them; harnesses ask you to run them.

With LangGraph, you write from langgraph.graph import StateGraph and build your execution logic inside your application. The framework is a dependency. Your code is the runtime.

With a harness like Claude Code, Hermes Agent, or OpenClaw, you run a process — hermes-agent start — and your application connects to it. The harness is the runtime. Your code is configuration.

This is not a subtle distinction. It's the difference between writing a database driver and running PostgreSQL.

A minimal Harness in Python

The cleanest way to internalize the model is to build the smallest possible Harness yourself. Below is a stripped-down runtime that demonstrates every concern a real harness handles: event loop, hybrid memory, sandbox-bounded tool execution, loop detection, and observability hooks.

harness_runtime.py

"""
A minimal Agentic Runtime ("Harness").
 
The harness owns the event loop, the memory hierarchy, the sandbox, and the
loop-detection heuristics. The model is treated as a swappable component.
"""
 
from __future__ import annotations
 
import asyncio
import json
import logging
import time
from collections import deque
from dataclasses import dataclass, field
from typing import Any, Awaitable, Callable, Protocol
 
logger = logging.getLogger("harness")
 
 
# ---------------------------------------------------------------------------
# Model interface — swappable, NOT a framework dependency
# ---------------------------------------------------------------------------
 
class ModelClient(Protocol):
    """Anything that can take a list of messages + tool schemas and return
    a structured action. The harness does not care which provider it is."""
 
    async def complete(
        self,
        messages: list[dict[str, Any]],
        tools: list[dict[str, Any]],
    ) -> dict[str, Any]: ...
 
 
# ---------------------------------------------------------------------------
# Hybrid memory: working / episodic / semantic
# ---------------------------------------------------------------------------
 
@dataclass
class HybridMemory:
    working: deque[dict[str, Any]] = field(default_factory=lambda: deque(maxlen=40))
    episodic: list[dict[str, Any]] = field(default_factory=list)
    semantic: dict[str, str] = field(default_factory=dict)
    max_working_tokens: int = 8000
 
    def append(self, message: dict[str, Any]) -> None:
        self.working.append(message)
        self.episodic.append({"ts": time.time(), **message})
 
    def compact(self, summarizer: Callable[[list[dict[str, Any]]], str]) -> None:
        """Compaction policy: when working memory is too large, summarize the
        oldest half into a single semantic note and drop those raw turns."""
        size = sum(len(json.dumps(m)) for m in self.working)
        if size < self.max_working_tokens * 4:  # rough char->token ratio
            return
        half = len(self.working) // 2
        old = [self.working.popleft() for _ in range(half)]
        summary = summarizer(old)
        key = f"summary:{int(time.time())}"
        self.semantic[key] = summary
        self.working.appendleft({"role": "system", "content": f"[memory] {summary}"})
        logger.info("compacted %d turns into semantic note %s", half, key)
 
    def render(self) -> list[dict[str, Any]]:
        sem = [{"role": "system", "content": f"[fact] {v}"}
               for v in list(self.semantic.values())[-5:]]
        return sem + list(self.working)
 
 
# ---------------------------------------------------------------------------
# Sandbox: every tool call is wrapped in a controlled environment
# ---------------------------------------------------------------------------
 
ToolFn = Callable[[dict[str, Any]], Awaitable[Any]]
 
 
@dataclass
class Sandbox:
    timeout_s: float = 20.0
    max_output_chars: int = 16_000
    deny_list: tuple[str, ...] = ("subprocess.Popen", "os.system", "eval", "exec")
 
    async def run(self, tool: ToolFn, args: dict[str, Any]) -> Any:
        # 1) static argument inspection
        flat = json.dumps(args, default=str).lower()
        for bad in self.deny_list:
            if bad.lower() in flat:
                raise PermissionError(f"sandbox: blocked unsafe argument '{bad}'")
 
        # 2) bounded execution
        try:
            result = await asyncio.wait_for(tool(args), timeout=self.timeout_s)
        except asyncio.TimeoutError as e:
            raise TimeoutError(f"sandbox: tool exceeded {self.timeout_s}s") from e
 
        # 3) output truncation — protects context window
        s = json.dumps(result, default=str)
        if len(s) > self.max_output_chars:
            s = s[: self.max_output_chars] + "\n…[truncated]"
            return json.loads(s) if s.startswith("{") else s
        return result
 
 
# ---------------------------------------------------------------------------
# The Harness itself — the event loop owns everything
# ---------------------------------------------------------------------------
 
@dataclass
class Harness:
    model: ModelClient
    memory: HybridMemory = field(default_factory=HybridMemory)
    sandbox: Sandbox = field(default_factory=Sandbox)
    tools: dict[str, ToolFn] = field(default_factory=dict)
    schemas: list[dict[str, Any]] = field(default_factory=list)
    max_steps: int = 25
    loop_window: int = 4  # detect identical actions within last N steps
 
    def register_tool(self, name: str, fn: ToolFn, schema: dict[str, Any]) -> None:
        self.tools[name] = fn
        self.schemas.append(schema)
 
    def _summarize(self, msgs: list[dict[str, Any]]) -> str:
        # Real harnesses call the model here; we keep it deterministic.
        return f"Earlier the agent performed {len(msgs)} steps."
 
    def _detect_loop(self, recent: list[str]) -> bool:
        tail = recent[-self.loop_window:]
        return len(tail) == self.loop_window and len(set(tail)) == 1
 
    async def run(self, goal: str) -> str:
        self.memory.append({"role": "user", "content": goal})
        action_log: list[str] = []
 
        for step in range(self.max_steps):
            self.memory.compact(self._summarize)
            decision = await self.model.complete(
                messages=self.memory.render(),
                tools=self.schemas,
            )
 
            # Terminal: model returned a final answer
            if decision.get("type") == "final":
                self.memory.append({"role": "assistant", "content": decision["content"]})
                return decision["content"]
 
            # Tool call path
            name = decision["name"]
            args = decision.get("args", {})
            signature = f"{name}:{json.dumps(args, sort_keys=True, default=str)}"
            action_log.append(signature)
 
            if self._detect_loop(action_log):
                logger.warning("loop detected on %s — forcing reflection", name)
                self.memory.append({
                    "role": "system",
                    "content": "You repeated the same action. Reflect and choose differently.",
                })
                continue
 
            if name not in self.tools:
                self.memory.append({"role": "tool", "name": name,
                                    "content": f"unknown tool '{name}'"})
                continue
 
            try:
                result = await self.sandbox.run(self.tools[name], args)
                self.memory.append({"role": "tool", "name": name,
                                    "content": json.dumps(result, default=str)})
            except Exception as e:
                logger.exception("tool %s failed", name)
                self.memory.append({"role": "tool", "name": name,
                                    "content": f"ERROR: {type(e).__name__}: {e}"})
 
        return "step budget exhausted"

A few points are worth highlighting because they capture the philosophy, not just the implementation:

The ModelClient is a Protocol, not a concrete class. Swap GPT for Claude for Llama with zero changes elsewhere.
HybridMemory.compact() is automatic. Application code never asks "is the context full?" — that's a runtime concern.
Sandbox.run() is the only path to tools. Every call has a timeout, an output cap, and a deny-list. The application can't accidentally bypass it.
Loop detection and step budgeting live in the harness, not the prompt. The model isn't asked to "please not loop"; the runtime simply prevents it.

The application code that uses this harness is now trivial: a configuration plus a goal. That is exactly the point.

Part 3: The Skills Revolution and the MCP Protocol

If the Harness is the OS, then Skills and MCP Servers are the package manager and the filesystem.

Dynamic Skills: agents that learn to do something once

Traditional frameworks use hardcoded tools — a Python function decorated with @tool that the agent can call. This works in demos and breaks at scale. Modern harnesses introduce self-generated skills: the ability for an agent to write, test, and store a reusable capability as a first-class artifact.

The pattern, popularized by closed-loop learning research from groups like Nous Research, looks like this:

The agent encounters a novel task (e.g., "parse this obscure API response format").
It writes code to solve it, executes it in the sandbox, and validates the result.
If successful, the harness serializes the solution into the skill registry.
On future tasks with the same pattern, the agent retrieves the skill instead of rediscovering it.

The result: agents that get measurably better at their job over time, without fine-tuning. Knowledge compounds at the infrastructure layer — not in the model weights.

Show, don't tell: hardcoded edges vs declarative skills

The quickest way to feel the difference is a side-by-side. Here is the same capability — "refund a customer" — implemented in a typical framework versus injected as a declarative skill into a harness.

Before — LangGraph with hardcoded edges and brittle state plumbing:

refund_workflow_langgraph.py

from langgraph.graph import StateGraph, END
from typing import TypedDict
 
class RefundState(TypedDict):
    order_id: str
    eligibility: str | None
    refund_id: str | None
    notification_sent: bool
 
def check_eligibility(state: RefundState) -> RefundState:
    state["eligibility"] = orders_db.check(state["order_id"])  # custom client
    return state
 
def issue_refund(state: RefundState) -> RefundState:
    if state["eligibility"] != "approved":
        raise ValueError("not eligible")
    state["refund_id"] = payments.refund(state["order_id"])  # another client
    return state
 
def notify(state: RefundState) -> RefundState:
    email.send(state["order_id"], state["refund_id"])         # yet another client
    state["notification_sent"] = True
    return state
 
graph = StateGraph(RefundState)
graph.add_node("check",  check_eligibility)
graph.add_node("refund", issue_refund)
graph.add_node("notify", notify)
graph.add_edge("check",  "refund")
graph.add_edge("refund", "notify")
graph.add_edge("notify", END)
graph.set_entry_point("check")
app = graph.compile()

Every node is hardcoded. Every transition is hardcoded. Three different SDK clients live inside the agent process. When marketing wants to add a "goodwill credit" branch, an engineer changes the graph, reviews PRs, ships a release.

After — a declarative skill the harness consumes at runtime:

skills/refund_customer.json

{
  "name": "refund_customer",
  "description": "Issue a refund for a customer order with eligibility check and notification.",
  "triggers": ["refund", "return", "chargeback", "reimburse"],
  "instructions": "1) Call internal-crm.get_order to fetch the order. 2) Verify eligibility per refund-policy. If not eligible, propose goodwill credit instead. 3) Call payments.issue_refund. 4) Call comms.send_email with template 'refund_confirmation'. Stop and ask the user before any refund > $500.",
  "required_mcp_tools": [
    "internal-crm.get_order",
    "payments.issue_refund",
    "comms.send_email"
  ],
  "approval_threshold_usd": 500,
  "success_count": 47,
  "failure_count": 1
}

No Python. No graph. No SDK clients in-process. The harness retrieves the skill on the keyword "refund," injects the instructions into context, and discovers the three required tools through MCP. Marketing's new "goodwill credit" branch is a one-line edit to the JSON — no PR, no release, no deploy.

The operational delta from running this in production for a quarter is not subtle:

Metric	Framework (LangGraph)	Harness + Skills + MCP
New capability lead time	1–2 sprints (PR, review, release)	hours (edit JSON, hot-reload)
Tokens per turn (avg, post-compaction)	~6,400	~2,100 (≈67% reduction)
Tool integrations duplicated across agents	N agents × M tools	1 MCP server, N consumers
Engineering time on glue code	~60–80%	~10–15%
Mean time to recover from a stuck loop	manual restart	automatic (loop detector + reflection)

The 67% context-window reduction comes from two harness-level mechanisms working together: (1) automatic compaction of working memory into semantic notes once a soft token budget is exceeded, and (2) skills replacing dozens of pre-loaded tool schemas with a single retrieved instruction block. Neither is something you should be re-implementing per project.

skill_registry.py

"""
A persistent skill registry. Skills are reusable, abstract capabilities the
agent has learned. They are NOT prompts — they are structured artifacts the
harness retrieves on demand and injects only when relevant.
"""
 
from __future__ import annotations
 
import hashlib
import json
import time
from dataclasses import asdict, dataclass, field
from pathlib import Path
 
 
@dataclass
class Skill:
    name: str
    description: str           # used for retrieval — short, intent-focused
    triggers: list[str]        # keywords / task patterns that activate this skill
    instructions: str          # how to perform the task
    code: str | None = None    # optional executable companion (validated before use)
    success_count: int = 0
    failure_count: int = 0
    created_at: float = field(default_factory=time.time)
 
    @property
    def confidence(self) -> float:
        total = self.success_count + self.failure_count
        return self.success_count / total if total else 0.5
 
    def fingerprint(self) -> str:
        return hashlib.sha256(
            (self.name + self.instructions + (self.code or "")).encode()
        ).hexdigest()[:12]
 
 
class SkillRegistry:
    """File-backed registry: one JSON file per skill, retrieval by trigger match."""
 
    def __init__(self, root: str | Path = "./skills") -> None:
        self.root = Path(root)
        self.root.mkdir(parents=True, exist_ok=True)
 
    # --- persistence -------------------------------------------------------
 
    def save(self, skill: Skill) -> Path:
        path = self.root / f"{skill.name}.json"
        path.write_text(json.dumps(asdict(skill), indent=2), encoding="utf-8")
        return path
 
    def all(self) -> list[Skill]:
        skills: list[Skill] = []
        for p in self.root.glob("*.json"):
            data = json.loads(p.read_text(encoding="utf-8"))
            skills.append(Skill(**data))
        return skills
 
    # --- retrieval ---------------------------------------------------------
 
    def find(self, query: str, top_k: int = 3, min_confidence: float = 0.4) -> list[Skill]:
        q = query.lower()
        scored: list[tuple[float, Skill]] = []
        for s in self.all():
            if s.confidence < min_confidence:
                continue
            score = sum(1 for t in s.triggers if t.lower() in q)
            if score:
                scored.append((score + s.confidence, s))
        scored.sort(key=lambda x: x[0], reverse=True)
        return [s for _, s in scored[:top_k]]
 
    # --- learning loop -----------------------------------------------------
 
    def record_outcome(self, name: str, success: bool) -> None:
        path = self.root / f"{name}.json"
        if not path.exists():
            return
        data = json.loads(path.read_text(encoding="utf-8"))
        if success:
            data["success_count"] += 1
        else:
            data["failure_count"] += 1
        path.write_text(json.dumps(data, indent=2), encoding="utf-8")
 
    def promote(self, skill: Skill) -> Skill:
        """Called by the harness after a successful novel task: stores the
        distilled skill so the next agent run starts smarter."""
        existing = {s.name for s in self.all()}
        if skill.name in existing:
            self.record_outcome(skill.name, success=True)
            return skill
        self.save(skill)
        return skill

Notice what is not in this code: there is no LangChain dependency, no framework-specific Tool decorator, no orchestration glue. A skill is just a JSON document with metadata. Any harness, today or three years from now, can read it.

MCP: the API layer for intelligence

Before MCP, integrating an agent with internal data required custom tool definitions, custom auth middleware, and custom schema converters — and then re-doing all of it when you switched models or frameworks.

Model Context Protocol standardizes the interface between agents and data sources the same way REST standardized the interface between services. An MCP Server exposes resources and tools. An MCP Client (your harness) discovers and calls them. The LLM in the middle reasons about which tool to use and when.

The organizational impact is the part most engineers miss, and it's actually more important than the protocol itself. MCP decouples the data team from the agent team.

Team	Pre-MCP responsibility	Post-MCP responsibility
Data / Infra	Build internal services + write LangChain tools per agent project	Ship one secure MCP Server per data domain. Done.
Platform / AI	Wire each agent to each data source by hand, per framework	Pick a harness. Point it at the MCP registry.
Product	Wait on engineering for any new capability	Author skills declaratively, ship in hours

Before MCP, every agent project required your data team to ship a custom integration in the agent's framework dialect — LangChain tools today, AutoGen tools tomorrow, whatever the next framework demands next quarter. After MCP, the data team builds one server per domain (CRM, payments, observability, code-search), and every harness in the company — Claude Code on the laptop, Hermes on the cluster, the next runtime nobody has heard of yet — consumes the same servers.

This is the same shift REST drove inside engineering orgs in the 2010s. Backend teams stopped exposing language-specific RPC stubs and started shipping HTTP APIs that any client could consume. MCP does the same thing for agents. The data team is no longer downstream of the agent team. They're a peer that ships infrastructure.

Nobody writes glue code. Nobody duplicates integration logic. The harness handles discovery, auth delegation, schema parsing, and retry logic.

mcp_client.py

"""
A minimal MCP-style client. In production you would use an official MCP SDK,
but the contract is small enough to illustrate from scratch:
 
    GET  /mcp/tools         -> list of tool schemas
    POST /mcp/call          -> { name, args } -> { result | error }
 
The harness registers EVERY discovered tool through its sandbox, so MCP servers
get the same loop/timeout/output-cap protections as in-process tools.
"""
 
from __future__ import annotations
 
import asyncio
from dataclasses import dataclass
from typing import Any
 
import httpx
 
 
@dataclass
class MCPServer:
    name: str
    url: str
    auth_header: str | None = None  # e.g. "Bearer …" — usually delegated by harness
 
 
class MCPClient:
    def __init__(self, servers: list[MCPServer], timeout_s: float = 15.0) -> None:
        self.servers = servers
        self._client = httpx.AsyncClient(timeout=timeout_s)
 
    async def aclose(self) -> None:
        await self._client.aclose()
 
    def _headers(self, srv: MCPServer) -> dict[str, str]:
        h = {"Content-Type": "application/json"}
        if srv.auth_header:
            h["Authorization"] = srv.auth_header
        return h
 
    # --- discovery ---------------------------------------------------------
 
    async def discover(self) -> list[dict[str, Any]]:
        """Returns a flat list of tool schemas, namespaced by server name so
        two servers can expose tools with the same local name without conflict."""
        async def _one(srv: MCPServer) -> list[dict[str, Any]]:
            r = await self._client.get(f"{srv.url}/mcp/tools",
                                       headers=self._headers(srv))
            r.raise_for_status()
            tools = r.json().get("tools", [])
            for t in tools:
                t["name"] = f"{srv.name}.{t['name']}"
                t["__server__"] = srv.name
            return tools
 
        results = await asyncio.gather(*[_one(s) for s in self.servers],
                                       return_exceptions=True)
        flat: list[dict[str, Any]] = []
        for r in results:
            if isinstance(r, Exception):
                continue
            flat.extend(r)
        return flat
 
    # --- invocation --------------------------------------------------------
 
    async def call(self, namespaced_name: str, args: dict[str, Any]) -> Any:
        server_name, _, local = namespaced_name.partition(".")
        srv = next((s for s in self.servers if s.name == server_name), None)
        if srv is None:
            raise ValueError(f"unknown MCP server '{server_name}'")
        r = await self._client.post(
            f"{srv.url}/mcp/call",
            headers=self._headers(srv),
            json={"name": local, "args": args},
        )
        r.raise_for_status()
        payload = r.json()
        if "error" in payload:
            raise RuntimeError(payload["error"])
        return payload.get("result")

Wiring this into the Harness is one function. The harness registers each MCP tool as a sandbox-wrapped callable:

wire_mcp.py

async def wire_mcp(harness: Harness, mcp: MCPClient) -> None:
    """Attach all MCP tools to the harness. The harness sandbox still applies."""
    schemas = await mcp.discover()
    for schema in schemas:
        name = schema["name"]
 
        async def _call(args, _name=name):
            return await mcp.call(_name, args)
 
        harness.register_tool(name, _call, schema)

That's the full integration. The agent now has access to every internal MCP server you operate, and your data team can ship new capabilities without a single change to agent code.

A declarative configuration is the new application

This is what an agent application looks like in the harness era — a YAML file:

harness_config.yaml

model:
  provider: anthropic
  name: claude-sonnet-4-5
  temperature: 0.2
 
mcp_servers:
  - name: internal-crm
    url: https://mcp.internal/crm
    auth: oidc
 
  - name: code-executor
    url: https://mcp.internal/sandbox
    auth: mtls
 
skills:
  registry: ./skills
  auto_learn: true
  min_confidence: 0.4
 
memory:
  episodic: postgres://memory@db/episodic
  semantic: qdrant://memory:6333/agent-1
  max_working_tokens: 8000
 
runtime:
  max_steps: 25
  step_timeout_s: 20
  loop_window: 4

No framework imports. No orchestration code. A declarative description of what the agent can talk to, what it knows, and how aggressively it should run. This is the same architectural leap as moving from ssh && systemctl restart myapp.service to kubectl apply -f deployment.yaml.

Part 4: From Code Multi-Agent to Runtime Multi-Agent

The shift from framework to harness changes how multi-agent systems are architected.

The old model — Code Multi-Agent. Agent A calls Agent B as a Python function. They share in-process memory. They run in the same event loop. One crash kills both. One context overflow corrupts both. Scaling means bigger machines, not more machines.

The new model — Runtime Multi-Agent. Closer to microservices.

The primary harness receives a complex task. It determines that a subtask requires a specialized capability. Instead of calling a function, it spawns an isolated subagent:

A new container or serverless invocation starts — a fresh harness instance with its own context window.
The primary agent communicates with it via a clean API (JSON over HTTP, or an MCP interface).
The subagent completes its task and returns a structured result.
The container stops. No context pollution. No resource leak.

Primary Harness
     │
     ├──► [Spawn] Code Review Subagent (ephemeral container)
     │         └──► Returns: { verdict: "approved", comments: [...] }
     │
     ├──► [Spawn] Data Extraction Subagent (ephemeral container)
     │         └──► Returns: { records: [...], confidence: 0.94 }
     │
     └──► [Synthesize] Final result from subagent outputs

Below is a runtime-level spawner. It uses Docker as the boundary, but the same code maps cleanly to Kubernetes Jobs, AWS Lambda, or Modal:

subagent_spawner.py

"""
Runtime-level multi-agent: spawn a fresh harness in an isolated container,
talk to it via a clean API, then tear it down. No shared memory, no shared
context window, no leakage between primary and subagent.
"""
 
from __future__ import annotations
 
import asyncio
import json
import secrets
from dataclasses import dataclass
from typing import Any
 
import httpx
 
 
@dataclass
class SubagentSpec:
    image: str = "ghcr.io/onemancrew/hermes-agent:latest"
    role: str = "generic"             # passed as env var; selects skill subset
    timeout_s: float = 120.0
    cpu: str = "1"
    memory_mb: int = 1024
 
 
class SubagentSpawner:
    """Thin wrapper over a container runtime. Replace the docker calls with
    the orchestrator of your choice — the contract is identical."""
 
    def __init__(self, network: str = "agent-net") -> None:
        self.network = network
        self._client = httpx.AsyncClient(timeout=30)
 
    async def _docker(self, *args: str) -> str:
        proc = await asyncio.create_subprocess_exec(
            "docker", *args,
            stdout=asyncio.subprocess.PIPE,
            stderr=asyncio.subprocess.PIPE,
        )
        stdout, stderr = await proc.communicate()
        if proc.returncode != 0:
            raise RuntimeError(f"docker {args[0]} failed: {stderr.decode()}")
        return stdout.decode().strip()
 
    async def run_task(self, spec: SubagentSpec, goal: str,
                       inputs: dict[str, Any] | None = None) -> dict[str, Any]:
        name = f"subagent-{secrets.token_hex(4)}"
        token = secrets.token_urlsafe(24)
 
        # 1) start the ephemeral harness
        await self._docker(
            "run", "-d", "--rm",
            "--name", name,
            "--network", self.network,
            "--cpus", spec.cpu,
            "--memory", f"{spec.memory_mb}m",
            "-e", f"AGENT_ROLE={spec.role}",
            "-e", f"AGENT_TOKEN={token}",
            spec.image,
        )
 
        try:
            # 2) wait for the harness to come up
            url = f"http://{name}:8080"
            for _ in range(30):
                try:
                    r = await self._client.get(f"{url}/health", timeout=2)
                    if r.status_code == 200:
                        break
                except httpx.HTTPError:
                    await asyncio.sleep(0.5)
            else:
                raise TimeoutError(f"subagent {name} never became ready")
 
            # 3) submit the task
            r = await self._client.post(
                f"{url}/run",
                headers={"Authorization": f"Bearer {token}"},
                content=json.dumps({"goal": goal, "inputs": inputs or {}}),
                timeout=spec.timeout_s,
            )
            r.raise_for_status()
            return r.json()
        finally:
            # 4) tear down — context, memory, sandbox, all gone
            await self._docker("rm", "-f", name)

This is what makes the harness model categorically different from a framework. A framework can give you crew.kickoff(), but the agents still share a Python interpreter. A harness can give you process-level, container-level, or machine-level isolation between agents — selected per call. The same property that made microservices win the 2010s makes runtime multi-agent inevitable for the 2020s.

Putting it all together

A complete agent application now looks like this:

main.py

import asyncio
import logging
 
from harness_runtime import Harness, HybridMemory, Sandbox
from mcp_client import MCPClient, MCPServer
from skill_registry import SkillRegistry
from subagent_spawner import SubagentSpawner, SubagentSpec
from wire_mcp import wire_mcp
 
 
class FakeModel:
    """Stand-in model — in production this is Claude / GPT / Llama via API."""
    async def complete(self, messages, tools):
        # In a real run, the model picks a tool from `tools`, or returns final.
        return {"type": "final", "content": "demo: configure a real ModelClient"}
 
 
async def main() -> None:
    logging.basicConfig(level=logging.INFO)
 
    skills = SkillRegistry("./skills")
    mcp = MCPClient([
        MCPServer(name="internal-crm", url="https://mcp.internal/crm"),
        MCPServer(name="code-executor", url="https://mcp.internal/sandbox"),
    ])
    spawner = SubagentSpawner()
 
    harness = Harness(
        model=FakeModel(),
        memory=HybridMemory(max_working_tokens=8000),
        sandbox=Sandbox(timeout_s=20.0),
    )
 
    # Wire MCP — every tool from every server is now sandbox-protected.
    try:
        await wire_mcp(harness, mcp)
    except Exception as e:
        logging.warning("MCP discovery failed (offline?): %s", e)
 
    # Optional: register a "spawn_subagent" tool that the model can call.
    async def _spawn(args):
        return await spawner.run_task(
            SubagentSpec(role=args.get("role", "generic")),
            goal=args["goal"],
        )
 
    harness.register_tool(
        "spawn_subagent",
        _spawn,
        {
            "name": "spawn_subagent",
            "description": "Spawn an isolated subagent for a focused subtask.",
            "parameters": {
                "type": "object",
                "properties": {
                    "role": {"type": "string"},
                    "goal": {"type": "string"},
                },
                "required": ["goal"],
            },
        },
    )
 
    # Inject any matching skills BEFORE the run starts.
    goal = "Audit the latest production deploy for regressions."
    for s in skills.find(goal):
        harness.memory.append({"role": "system",
                               "content": f"[skill:{s.name}] {s.instructions}"})
 
    answer = await harness.run(goal)
    print("ANSWER:", answer)
 
    await mcp.aclose()
 
 
if __name__ == "__main__":
    asyncio.run(main())

The application code is ~40 lines. There is no orchestration logic, no memory plumbing, no retry loop, no token streaming code. Every one of those concerns lives inside the harness — exactly where it belongs.

Part 5: Even the Harness is Plumbing — and That's the Point

If the article ended here, it would be wrong in the same way every breathless "X is dead, Y is the future" post is wrong. So let's be honest about what comes next.

The harness is being commoditized too. It's already happening, on a quarterly cycle.

Anthropic shipped Claude Code with a built-in event loop, sandboxed bash, and skill discovery — folding harness concerns directly into the model product.
OpenAI's Responses API and Operator absorbed retry logic, tool-call orchestration, and session memory into the platform tier.
Google's AgentSpace bundled MCP, sandboxing, and multi-agent spawning into a managed service.
The open-source side — Hermes, OpenClaw, dozens more — is racing to a stable harness contract that will eventually look as boring as "a Linux container."

Within 18 months, choosing a harness will feel like choosing a Postgres distribution. It matters operationally, but it is not where you build a competitive moat. "Vibe-coding a harness" in a weekend will be a real thing. Pretending otherwise is selling a trend that's already eroding.

So if frameworks are dead and harnesses are next, where does enduring engineering value actually live?

Three places — and only three:

1. Proprietary data exposed through MCP

The harness is generic. Your data is not. The CRM history, the support tickets, the codebase, the deal memos, the production traces — these are the only assets a competitor cannot replicate by buying the same SaaS. Wrapping them in MCP Servers turns them from a passive store into an active capability surface that any future runtime can consume.

2. The feedback flywheel

A harness that runs for a year inside your org accumulates something no model provider can sell: a private corpus of how your specific people actually work. Which skills succeeded. Which failed. Which sequences of MCP calls solved which class of ticket. Which approval thresholds caught real fraud. This corpus feeds the skill registry, which feeds the next agent run, which produces more data — a flywheel that compounds inside your organization and nowhere else.

This is the asset OpenAI cannot ship and Anthropic cannot license. It only exists if you wire your harness to capture it from day one.

3. The approval and policy layer above the harness

Which actions need human review. Which budgets cap which agents. Which data classes never leave the perimeter. The harness will execute whatever it's told; the policy layer is where regulated industries and serious enterprises actually live. Off-the-shelf harnesses will hand you 80% of this; the last 20% is where compliance, security, and trust are won.

Notice what is not on this list: the event loop, the memory manager, the sandbox, the loop detector. Those are plumbing. They will be free in eighteen months. Build accordingly.

Part 6: The 2026 CTO Roadmap

Three operational directives. Print them, tape them to the wall, kill any roadmap item that doesn't pass them.

1. Stop Building Agentic Glue

Kill every internal project whose deliverable is "a library for managing agent loops / state / memory / sandboxing." These are plumbing. They are being commoditized by Anthropic, OpenAI, and the open-source harness community on a quarterly cycle. Any code you write here is depreciating faster than you can amortize it. If a senior engineer's quarterly OKR is "build our internal LangGraph wrapper," you have an organizational problem, not a technical one.

2. Expose the Enterprise via MCP

This is where your engineering budget belongs. Every meaningful internal data source — CRM, support tickets, code repos, observability, finance, HR — gets a hardened MCP Server with proper auth, audit, and rate-limiting. This investment is model-agnostic and harness-agnostic. It survives every framework war, every model migration, every vendor switch. It is the single most durable asset your AI program can produce in 2026.

3. Adopt a Thin Upstream Runtime

Don't build a harness. Adopt one. The decision is binary along one axis: do you need model portability and data residency, or do you need fastest time-to-value?

Cloud-Native, Opinionated — Claude Code, OpenAI Operator, Gemini AgentSpace. Lowest setup cost, vendor-locked, perfect for proving a use case in weeks.
Local-First, Thin — Hermes Agent + Ollama, OpenClaw, self-hosted runtimes. Model-agnostic, ops-heavier, mandatory for regulated data.

Pick one. Inject configuration. Move on. The harness itself is not the moat — your skills, your MCP servers, and your feedback flywheel are.

The engineers who will win the next three years are not the ones who write the most agent code. They are the ones who write the least — and instead build the data infrastructure and policy layer that no model provider can sell back to them.

Closing Thought

Software architecture has always evolved toward the same pattern: abstract away the solved problems, raise the floor, and let engineers focus on the unsolved ones.

VMs commoditized hardware. Containers commoditized OS configuration. Serverless commoditized server management. Harnesses are commoditizing the agent loop. Each layer felt controversial at the time and obvious in retrospect — and at every layer, the companies that won were not the ones who built the abstraction. They were the ones who built the proprietary value that ran on top of it.

Frameworks are dead. The harness is plumbing. The moat is your data, your feedback flywheel, and the policy layer above the runtime. Stop writing glue code, ship MCP Servers, adopt a thin runtime, and put your best engineers on the things a vendor cannot sell you in eighteen months.

The agent is not the code you write. The agent is not even the runtime you configure. The agent is the compounding system of proprietary capability that the runtime exposes. Build accordingly.

📂 Source Code

All code examples from this article are available on GitHub: OneManCrew/death-of-frameworks-harness