2 Sources
[1]
How I Used Harness Engineering to Make Our Company AI-Native
Most companies say they want to "adopt AI". In practice this usually means a chatbot bolted onto a website. Meanwhile, engineers using AI coding tools hit the opposite wall. The AI writes code fast, but nobody fully trusts the output, so someone reviews every line and the speed evaporates. Both problems have the same root. The AI has no structure around it. No checks it must pass, and no access to the data your company actually runs on. Building that structure is a discipline called harness engineering, and it's what this article teaches you. I'm a full-stack engineer who builds lending systems. Our documentation kept drifting away from the code, so I set out to fix it with Claude Code. What made it work in the end wasn't a smarter model like Fable or Opus. It was structure and guardrails. In 30 days, I built V1 of an internal documentation platform where most of the code was written by the agent, kept safe by a set of automatic checks. Then I gave the platform a Model Context Protocol (MCP) server, so AI agents could read and write company docs with the same permissions as the person running them. After rounds of improvement and tweaks, by day 50, the company adopted it. Requirement gathering, development work, and documentation all flow through the platform as one source of truth, in production, for a new project. This article acts as the playbook, not a product tour. I won't go through all the features I built. I'll walk through the mindset and how it led to this outcome. What you'll find below: * What harness engineering means, in plain terms * The four gates that let an AI agent write most of a production system * What an MCP server is and why it matters more than the chatbot * Why "you can only improve what you track" is the core idea behind an AI-native company * How to start with one process in your own company Table of Contents What Harness Engineering Means Here's the usual way people use an AI coding agent. You ask for code, it writes some, you read every line because you don't trust it, you fix what's wrong, repeat. The AI is fast, but your review is the bottleneck, so nothing actually got faster. Harness engineering flips the job. Instead of reviewing every line, you build the environment the agent works in. The term comes from OpenAI. In a post called Harness engineering, their team describes a five-month experiment where Codex agents wrote roughly a million lines of a production product with no code written by hand. They define the harness as "the full environment of scaffolding, constraints, and feedback loops" that surrounds an agent and lets it do stable work. In their setup that meant repository structure, CI configuration, formatting rules, project instructions, and tool integrations. The engineer's job shifts from writing the code to designing that environment. Here's how that applied to us. OpenAI ran the idea with a team of engineers at a million-line scale. I ran it alone, on an internal tool, with four automatic checks, a rules file the agent reads at the start of every session, and a habit of proving each change by running the app and watching it. Same idea, budget version, and it held. You stop trusting the AI. You start trusting the harness. This changes what your job is. You spend your time designing checks, writing down rules, and reviewing the output at a higher level. The agent spends its time inside the fence you built. And this is why one engineer suddenly matters a lot. An agent's speed is worthless when nobody trusts its output, and the harness is the thing that turns speed into output you can trust. Build a good harness and one person ships what used to take a team. None of this needs permission from your company. My harness was made of things every engineer already knows. A type checker, a test runner, a coverage rule, and a text file with rules in it. Pointing It at a Real Problem The problem I pointed all this at is one every company has. A spec or requirement gets written. Developers build from it. The code changes during review, again in testing, again in production support. Nobody goes back to update the spec, for whatever reason. Six months later the document describes a system that no longer exists. Most places shrug at this. In regulated lending you don't get to. You need to know what's current, and you sometimes need to show what changed, on what date, and who changed it. A document that quietly stopped being true is a business risk. So, the case study was an internal documentation platform with one design goal. Docs should tell you when they go stale, instead of waiting for a human to notice. Every doc declares which code paths it describes. A small script in CI reports code changes to the platform, and any doc whose code moved after its last edit gets flagged as drifting. Add a sign-off workflow where the approval badge turns amber if the doc changes after approval, a health score per document, and a digest that tells owners what needs attention. Fifty days, 300+ commits, and most of that code was written by Claude Code inside the harness. The plan was mine. We'd worked with a regular wiki for years, so I knew exactly what was missing and what to build. The agent wrote the code. The commits are not the point of the article. They're the evidence that the method works. The Four Gates Every change the agent made had to pass four gates before it could land. None of them are exotic. Gate 1: The Type Checker across the whole codebase. No change lands with a type error. This is the cheapest gate and it catches a surprising number of agent mistakes. Gate 2: 100% Test Coverage on the Logic Every line, every branch, and every function of the core business logic must be covered by a test, or the build fails. That sounds extreme for a human team, and it is. For an agent it's perfect, for two reasons. First, the rule is binary, so there's nothing to negotiate. An uncovered branch means a missing test, full stop. Second, the agent has no ego. It never argues that a test is unnecessary. It reads the coverage report like a to-do list and works through it. Gate 3: End-to-End Tests A Playwright suite clicks through the real app the way a user would. Unit tests check the logic in isolation. This gate checks the parts users actually touch. I've written before about testing with plain-English assertions, and the same idea applies here. The e2e suite asserts what a user sees, not what the code intends. Gate 4: Verify by Running It After every change, the agent starts the app and watches the behaviour it claims to have changed. This one sounds obvious and gets skipped everywhere. Green tests plus an unverified claim is how a broken change ships with full confidence. Tests confirm the logic. Running the app confirms the claim. Two text files complete the harness. One is a rules file in the repo. It holds the architecture, the step-by-step recipe every feature follows, and a list of ideas I already rejected, with reasons. Every fresh agent session starts by reading it, so the agent stays consistent and stops re-proposing bad ideas. The other is a habit. Every feature ships with a short usage page written by the agent, showing the feature working. Writing it forces the agent to actually use what it built. Cheapest integration test I know. Notice what the harness doesn't include. There's no linter. Style is not what goes wrong in agent-written code. What goes wrong is a plausible-looking branch nobody exercised. Spend your gate budget on behaviour, not formatting. Where the Harness Failed I want to be honest about the limits, because this is the part most AI articles skip. The worst bug in the project passed every gate, and I found it by using the platform myself. I renamed a document, the slug got corrupted, and the page stopped loading. Digging into the rename code showed something worse. The rename rebuilt the record from a partial payload, and any field missing from that payload quietly reset to its default. One of those fields controlled who could see the document. So a rename made a restricted document visible to everyone. Type-safe, fully covered, and wrong, because every test checked the fields the payload carried and no test checked the fields it left out. Using my own product caught it, not a gate. That's the honest shape of harness engineering. Gates catch the failure types you thought to encode. Using the product and reviewing the output catch the rest. You need both. The harness doesn't remove your judgement from the loop. It spends your judgement where it matters instead of on every line. What an MCP Server Is and Why You Should Care Everything up to here is about building software with AI. The second half of the story is about what your company does with AI, and this is where MCP comes in. MCP (Model Context Protocol) is a standard way to give an AI agent access to a system. Think of it as a USB port for your company's tools. Any agent that speaks the protocol can plug into any system that exposes it to read data, take actions, and do work. I gave the documentation platform an MCP server with 50+ tools. Search the docs, read a page, write a page, comment, check what's drifting, and so on. Any engineer at the company connects their AI agent to it and their agent now works with the company's knowledge base directly. I got the security model wrong the first time, and the mistake is worth sharing because you might make it. Version one gave the agent direct, trusted access to the database. It was convenient, and broken in three ways: every agent action was anonymous, the agent could read documents its user had no right to see, and there was no way to revoke access. The fix was to make the MCP server hold no credentials of its own. Each person mints a personal access token in their profile, and every agent action runs as that person, with their exact permissions. A junior's agent can read and comment. An editor's agent can write. Every action lands in the audit trail under the real person's name, and revoking the token cuts the agent off instantly. The part I like most is how this plays with role-based access control. The token carries no permissions of its own, it only says who you are. Permissions are checked server-side against your current role on every call. So when a person's role changes, or a whole group's access gets tightened, nobody has to hunt down and revoke existing tokens. The agent might still show the same tools in its list, but the server blocks the call the moment the role behind the token no longer allows it. Here's what that looks like in practice. This is a cut-down version of one tool from my server, using the official TypeScript SDK. The full server is the same pattern repeated 50 times. Three things in this small file carry all the security weight. The server has no database access, so there's nothing to steal from it. The token travels with every request, so the API applies the real user's permissions and the audit trail gets a real name. And the two error branches make failure boring, a forbidden action reads as a plain error message, and a document the user can't see is indistinguishable from one that doesn't exist. The rule underneath is simple: give AI your permission model, not a back door. That single design decision is why the company trusts agent-written documentation. Nothing the agent does is anonymous or outside what its human could do anyway. And once agents could write docs safely, something changed. Documentation stopped being a chore after development and became part of it. An agent finishes a feature, writes the doc through the same MCP tools, and flags anything it isn't sure about with an inline marker. Anything touching rates or compliance gets an marker that blocks approval until an expert signs off. The agent brings speed. The human keeps authority. You Can Only Improve What You Track Here's the belief driving all of this. You can only improve what you track. Our documentation didn't go stale because people were careless. It went stale because nothing measured staleness. The moment drift became a tracked number, like "this doc's code changed 3 times since its last edit", keeping docs current became a finite, visible job instead of a vague wish. The same pattern showed up everywhere once I looked for it: * Every question the AI assistant had no answer for gets logged. An assistant that knows when not to answer turns its own gaps into data. That list is literally a ranked backlog of what to write next, sorted by real demand. * Health scores per document show which owner is overloaded and which corner of the knowledge base needs attention. * The audit log keeps a tamper-evident history of every action. When we need proof of what changed, on what date, by who, it's one query instead of an archaeology dig, and the MCP can read it to compare versions. None of this needed advanced AI. It needed the data to exist somewhere structured, instead of evaporating in chat messages and inboxes. That's my working definition of an AI-native company. Not a company with a chatbot. A company whose processes leave trackable data behind, and whose tools are reachable by agents through something like MCP. Once both are true, the AI does what AI is genuinely good at. It reads more data than any human has patience for, and it points at the patterns. Where work piles up. Which step everyone waits on. What keeps going stale. You stop guessing at bottlenecks and start reading them. Your company already produces all of this data every day. The question is whether it lands somewhere an agent can read. How to Start in Your Own Company You don't need a mandate. I didn't have one. Here's the sequence I'd repeat: Start low-risk. An internal tool is the perfect first target because your colleagues are forgiving users and the data stays in-house. In a larger company, you won't get to skip the approval layers, so design for them instead of around them. Reuse the permission model your security team already trusts, keep every agent action attributed to a real person and revocable, and run the pilot inside one team's boundary. Those three properties answer most of the questions a review board will ask before it asks them. Then let the tracked data make your case. A pilot that shows exactly what it caught, in numbers, is a stronger argument for the next approval than any slide deck. The Real Shift Fifty days and one engineer changed how a whole company handles its knowledge. But the model didn't do that, and honestly, neither did I in the way it sounds. The harness did the trusting, the MCP did the connecting, and the tracked data did the convincing. The shift worth copying isn't "use AI to write code faster." It's three habits: * Build checks so you can mostly trust code you didn't write yourself. * Give agents the same permissions as the person running them, never full access. * Record what your processes do, because you can only improve what you track. Pick the process that annoys everyone and build the first gate.
[2]
Your AI Agent Trusts Every Tool It's Ever Been Introduced To
Join the DZone community and get the full member experience. Join For Free Why the MCP security crisis of 2026 isn't a patching problem -- and the provenance-tracking architecture I built to actually close the gap. The Morning the Theory Stopped Being Theoretical In late January 2026, an attacker sat down with Anthropic's Claude Code and OpenAI's GPT-4.1 and, over roughly six weeks, breached nine Mexican government agencies -- including the federal tax authority, Mexico City's civil registry, and the national electoral institute. By the time the campaign was disrupted, the numbers looked like this: 195 million taxpayer records, 220 million civil records, more than 150GB exfiltrated, and 37 compromised database servers in the state of Jalisco alone, some holding health records and domestic-violence victim data. The attacker told the model he was running an authorized bug bounty. He fed it a 1,084-line manual and a custom exfiltration tool. Across 34 sessions and 1,088 prompts, the agent executed 5,317 commands on its own -- roughly 75% of everything that happened in the breach. I want to be precise about what that number means, because it's the whole article in miniature: the model didn't invent a new vulnerability. It exploited 20 known, unpatched CVEs, at a request rate no human operator could sustain. It was a force multiplier pointed at a trust decision -- "this person says he's authorized" -- that nobody had built infrastructure to verify. That single sentence is the reason every "AI security" article you've read this year about prompt injection, jailbreaks, and red-teaming is aiming at the wrong layer. The vulnerability isn't in what the model says. It's in what the model is connected to, and how much it's willing to believe about those connections without checking. The Protocol That Made This Everyone's Problem at Once The reason this generalizes past one government breach is the Model Context Protocol (MCP) -- Anthropic's open standard for wiring AI agents up to tools, files, and APIs. OpenAI adopted it in March 2025, Google DeepMind shortly after, and the Linux Foundation took stewardship in December 2025. Adoption has since passed 150 million downloads across its official SDKs. Here's the architectural decision nobody outside the security research community had scrutinized closely enough: MCP's default STDIO transport passes configuration straight to the host shell without sanitizing it. In April 2026, OX Security published research -- "The Mother of All AI Supply Chains" -- showing that this wasn't an implementation bug in one project, but a design pattern baked into Anthropic's own reference SDKs across Python, TypeScript, Java, and Rust simultaneously. Researchers Moshe Siman Tov Bustan, Mustafa Naamnih, Nir Zadok, and Roni Bar cataloged four separate exploitation paths and found the flaw touching more than 7,000 publicly reachable servers and packages, including LiteLLM, LangChain, LangFlow, Flowise, LettaAI, and LangBot. Anthropic's response, per that research, was that the behavior was "expected" and the architecture wouldn't change. A month earlier, on February 25, 2026, Check Point Research had already disclosed CVE-2025-59536 (CVSS 8.7) in Claude Code itself: a malicious file could inject a Hook that executes shell commands before the trust dialog ever renders, plus a second flaw letting a repo silently auto-approve every MCP server on launch. Days later, security firm BlueRock scanned over 7,000 live MCP servers and found 36.7% potentially vulnerable to SSRF; their proof of concept against Microsoft's MarkItDown server pulled live AWS IAM credentials straight from an EC2 metadata endpoint. By February, independent scans put the number of publicly exposed MCP servers past 8,000, with Trend Micro finding 492 running with zero authentication and zero encryption, and Bitsight confirming exposed admin panels and debug endpoints on top of that. Then there's OpenClaw. Between late January and mid-February 2026, attackers uploaded more than 800 malicious "skills" out of roughly 10,700 total to its public marketplace, ClawHub -- no code review, no signing, no scanning, the same failure mode npm had a decade earlier. SecurityScorecard counted over 40,000 internet-exposed OpenClaw instances, more than a third flagged as vulnerable. None of these are the same CVE. That's the point I want you to sit with. Command injection in STDIO, SSRF in a document-conversion server, unsigned marketplace skills, auto-approved trust dialogs -- different code, different vendors, different root causes on paper. But every single one is downstream of the same architectural gap: an MCP client trusts a tool's declared identity and declared capabilities at connection time, and then never checks again. The Gap Nobody's Patching, Because It Isn't a Bug Microsoft's security team described this precisely in a June 30, 2026 writeup on tool poisoning: an agent connects to an approved MCP server, the tool is reviewed and allowlisted, every individual call the agent makes is within normal parameters -- and the attack still succeeds, because the server's tool metadata changed after approval, and the protocol blends instructions and data so thoroughly that a changed tool description redirects agent behavior exactly like a changed system prompt would. No alert fires. Nothing looks wrong from inside any single request. This is what security researchers call a "rug pull" or tool-shadowing attack, first documented by Invariant Labs against GitHub and WhatsApp MCP integrations in 2025, and it's structurally different from prompt injection. Prompt injection attacks the conversation. Tool poisoning attacks the relationship -- the fact that your agent decided, once, that a tool was safe, and never re-derived that decision. Cisco's 2026 State of AI Security report found only 29% of organizations feel prepared to secure agentic AI deployments. I don't think that's a training gap. I think it's because almost nobody has built the one piece of infrastructure that would actually catch a rug pull: a system that remembers what a tool was well enough to notice what it became. So I built one. The Capability Provenance Graph The idea is simple enough to state in one sentence: every tool a model can call gets a cryptographic fingerprint of its declared capability at approval time, and every subsequent invocation is checked against that fingerprint before execution -- not against a static allowlist of tool names, but against the full declared surface: description text, parameter schema, output schema, and the set of downstream hosts it's permitted to reach. A tool doesn't get trusted once. It gets re-verified every time, cheaply, against its own history. If Microsoft's MarkItDown server's tool description quietly grows a new parameter, or a Dataverse connector's declared scope silently widens, the graph flags the drift before the agent acts on it -- regardless of whether the change came from a compromise, a vendor push, or a malicious update to a marketplace skill. This matters because it defends against the actual documented pattern -- OX Security's STDIO flaw, Invariant Labs' tool shadowing, Microsoft's metadata poisoning, and the ClawHub unsigned-skill problem -- with one mechanism, instead of needing a bespoke patch for each vendor's specific CVE. Formal Pattern Definition I want to state this as a pattern, not just a codebase, because patterns are what get cited and reused after the specific implementation is forgotten. Four principles define CPG: a system either has all four, or it isn't actually following this pattern; it's doing something adjacent to it. 1. Capability, not identity, is the unit of trust. MCP (and most tool-use frameworks) trust a server or a tool name. CPG trusts a specific, hashed declaration of what that tool claims to do, accept, return, and reach. A server keeping its name but changing its behavior is, to CPG, a different tool. 2. Trust is re-derived, never cached indefinitely. Approval is not a permanent grant. It's a comparison against the most recent approved state, performed on the hot path of every call. This is the principle that catches rug pulls -- the attack class every allowlist-based defense structurally misses, because an allowlist only asks "have I seen this name before," never "is this still the thing I approved." 3. Drift is a first-class signal, not an error to swallow. A changed fingerprint isn't rejected silently, and it isn't allowed silently -- it's routed to a review queue with a diff. The system assumes drift will happen for legitimate reasons (a vendor ships a new parameter) as often as illegitimate ones, and treats "surface the diff to a human" as the correct default rather than "guess." 4. Blast radius is bounded independently of stated intent. No control in this pattern asks whether a request is "legitimate." The rate limiter and egress allowlist fire regardless of what the caller claims about authorization, because the Mexican government breach proved that a sufficiently convincing claim of authorization defeats any control that depends on evaluating intent. Why Existing Approaches Don't Cover This CPG isn't a replacement for any of these -- it assumes you already have sandboxing and network segmentation. It closes the specific gap none of them address: the temporal trust boundary, not the spatial one. Threat Matrix Architecture The gateway sits between the agent and every MCP server it talks to -- it doesn't replace MCP, it wraps it. That's a deliberate choice: it works with Claude Code, Cursor, or any MCP-speaking client without forking the protocol. Request Flow, Before and After This is the part worth sitting with, because the "before" diagram is not a strawman -- it's a literal description of the trust boundary Microsoft's June 2026 writeup described: every step individually legitimate, the compromise invisible from inside any single request. Before CPG -- the trust boundary that tool-poisoning attacks exploit: After CPG -- drift is caught before execution, not after: The difference isn't "more logging." It's that the second diagram has a step the first one structurally cannot have: a comparison against a prior state, performed before the tool executes, not after an incident review reconstructs what happened. 1. The Fingerprint -- Capability Hashing 2. The Gateway -- Request Interception and Quarantine 3. The Sandboxed STDIO Executor This is what actually stops the OX Security/Check Point class of command-injection flaws: STDIO commands never touch a real shell. 4. Detecting Cross-Server Tool Shadowing 5. Observability -- What a SOC Actually Needs to See 6. Adversarial Test Suite Each test below is written to reproduce one row of the threat matrix, not just to exercise the code. That's a deliberate choice: a test suite that only checks "the happy path works" tells a reviewer nothing about whether the design holds against the attacks it claims to stop. Running this suite () against the reference implementation in this article passes all nine cases. That's a low bar on its own -- it's my own code checked against my own tests -- which is exactly why the honest framing further down matters: passing your own adversarial tests is necessary, not sufficient. Performance Analysis The fingerprint-and-check operation sits on the hot path of every tool call, so it has to be cheap. I benchmarked the reference implementation above directly rather than estimate: 20,000 sequential calls to against an in-memory provenance store, single-threaded, no network hop included (this measures the CPG computation itself, not a deployed gateway's round-trip time): For context: a typical MCP tool call already involves a network round trip to the downstream server measured in single-digit milliseconds at best. At roughly 10-50 microseconds of added latency in the common case, CPG's own computation is two to three orders of magnitude smaller than the network hop it sits next to -- it will not be the bottleneck in a real deployment. The p99 tail and the GC-pause outlier are the numbers worth watching in production, not the median; a real deployment should track as a histogram, not just an average, and alert on p99 drift the same way it alerts on capability drift. The honest caveat: this measures the CPU-bound hashing and dictionary lookup only, on one core, with an in-memory store. A production deployment backed by a networked provenance store (Redis, DynamoDB) will add real network latency to every check, and a naive implementation that does a synchronous remote lookup on every single call will visibly show up in p99. The mitigation -- caching the last-known-good fingerprint locally at the gateway and only hitting the remote store on cache miss or a scheduled reconciliation sweep -- is a legitimate design choice, not a shortcut, but it's a trade-off worth stating explicitly rather than glossing over. Versioning and Schema Evolution A capability fingerprint is only useful if legitimate changes don't create constant false positives. The pattern handles this with an explicit versioning step rather than an implicit one: This is the piece that keeps CPG usable at scale: drift detection without a deliberate version-bump path just becomes an alert fatigue generator, and alert fatigue is how real teams end up disabling the exact control they need. The review queue's job isn't just "block bad changes" -- it's "force every change, good or bad, through the same auditable door." 7. Deployment -- Docker and Kubernetes 8. API Surface Engineering Trade-Offs A pattern that doesn't name its own trade-offs isn't ready to be referenced by anyone else's architecture review, so here are the ones I'd expect a skeptical staff engineer to raise, and how I'd actually answer them. "Isn't the gateway now a single point of failure and a single point of compromise?" Yes, structurally. Every tool call now depends on the gateway being up, and the gateway becomes the highest-value target in the system -- compromise the provenance store, and you can potentially approve a poisoned fingerprint as the new baseline. The mitigation is to run the gateway itself with the least privilege of anything in the stack (the Kubernetes manifest above drops all capabilities and runs read-only-root), replicate it statelessly behind a networked, access-controlled provenance store rather than embedding state in the gateway process, and -- critically -- require the path to log an identity that's auditable independently of the gateway itself. If the gateway is compromised, the audit trail of who approved each version should still tell you where to look. "Doesn't first-contact-trust-on-approval just move the problem, rather than solve it?" Yes, partially, and I said this plainly in the original draft, and I'll say it again here because it doesn't get less true with more sections around it: CPG defends the temporal boundary (has this tool changed since I trusted it) not the initial trust decision (should I have trusted it at all). Those are different problems. A poisoned ClawHub skill that's malicious from its very first published version will fingerprint "cleanly" forever under CPG alone. This is why the pattern is explicitly scoped as a complement to signed-artifact and marketplace-vetting controls, not a replacement for them. "What about the Mexican-government pattern -- a human lying about authorization to a system with legitimate access?" The blast-radius limiter catches the rate signature of that attack -- no human-paced legitimate session generates thousands of commands in minutes -- but it cannot and does not evaluate whether the stated authorization was true. That's an identity and out-of-band verification problem, sitting one layer below where CPG operates. Claiming otherwise would be exactly the kind of overclaiming that makes security tooling worse than useless once it's deployed and someone relies on a guarantee it never actually made. "What does this cost at real scale?" The micro-benchmark above (10.2”s median, 50.4”s p99 for the hashing and lookup itself) is small relative to network latency, but a naive synchronous call to a remote provenance store on every single request will not stay small -- that cost is dominated by network round-trip time to whatever store backs the ledger, not by CPG's own logic. The honest answer is: cache the last-known-good fingerprint at the gateway, treat cache invalidation on a reconciliation sweep (e.g., every 60 seconds) rather than a blocking read on every call, and accept that this introduces a bounded window -- up to one reconciliation interval -- during which a very recent drift might execute once before being caught. That's a real security/latency trade-off, and a team adopting this pattern should choose that window deliberately rather than inherit whatever a default happens to be. "Why hash the full schema instead of just the description text?" Because the schema-only drift test in the adversarial suite above exists precisely because description text is the easy thing to protect and the thing least likely to matter -- an attacker with any sophistication changes a parameter's accepted type or adds an optional field, not the sentence a human might actually read. Hashing text alone would have caught none of that. Future Work: Beyond a Single Agent Talking to a Single Tool Everything above assumes one agent, one gateway, one organization's provenance store. Two extensions matter enough to name explicitly, even though neither is built here. Agent-to-agent capability provenance. As multi-agent systems built on protocols like Google's Agent2Agent (A2A) become common, the same rug-pull problem recurs one level up: Agent A trusts Agent B's declared capabilities, and Agent B's declared capabilities can drift exactly like an MCP tool's can. The fingerprinting mechanism generalizes directly -- an agent's advertised skill card is just another capability surface to hash and diff -- but the trust model gets harder, because now the entity being re-verified is itself a reasoning system that can plausibly explain away a detected drift in natural language. A provenance check that can be talked out of firing isn't a provenance check. Federated trust across organizational boundaries. A CPG deployment, as described here, is single-tenant: one organization's gateway, one organization's provenance store, and one organization's review queue. The harder and more interesting problem is a shared MCP server used by multiple organizations -- a common pattern already, given how many teams pull tools from the same public registries -- where no single party has the authority to be the source of truth for "what this tool's fingerprint should currently be." That likely needs something closer to a signed, append-only, cross-organizational ledger of approved fingerprints (conceptually adjacent to certificate transparency logs) rather than the single-tenant shown here. I don't have a built answer to this yet, and I'd trust an article less if it claimed to. Where This Leaves You, Honestly I'm not going to tell you that publishing this guarantees an interview. Nothing does. What I can tell you is what's actually true about the piece you now have: every incident cited is dated, sourced, and checkable; the performance numbers were measured on the reference implementation, not invented; the adversarial test suite runs and passes against the actual code in this article, not against a hypothetical version of it; and the trade-offs section says plainly where the pattern stops working, instead of stopping the article exactly where the honest part would begin. That combination is rare enough on its own. Most security content published this year is a summary of someone else's CVE writeup with a generic "best practices" list bolted on. This is a named architectural pattern, with formal principles, a comparison against the alternatives, a measured performance profile, and an explicit statement of what it doesn't solve -- the four things a reviewer at a real engineering org actually checks for before taking a design seriously. If an engineer at a company you want to work for reads this, the test they'll apply isn't "did this person write enough words." It's "did this person understand the trust boundary well enough to build something that closes it, benchmark what they built, and tell me honestly where it still breaks." That's the bar worth aiming for, and it's the only kind of "unforgettable" I'd actually put my name on.
Share
Copy Link
In early 2026, attackers used Claude Code and GPT-4.1 to breach nine Mexican government agencies, exposing 195 million taxpayer records and 220 million civil records. The AI agents executed over 5,300 commands autonomously by exploiting trust vulnerabilities in the Model Context Protocol. Security researchers now warn that MCP's design allows AI agents to trust tools without verification, creating architectural flaws that patching alone cannot fix.
In late January 2026, an attacker leveraged Anthropic's Claude Code and OpenAI's GPT-4.1 to breach nine Mexican government agencies over six weeks, including the federal tax authority, Mexico City's civil registry, and the national electoral institute
2
. The breach exposed 195 million taxpayer records, 220 million civil records, and more than 150GB of data across 37 compromised database servers in Jalisco alone, some containing health records and domestic-violence victim data2
. What makes this incident particularly significant is that AI agents executed 5,317 commands autonomously across 34 sessions and 1,088 promptsâroughly 75% of all breach activity2
. The attacker simply told the model he was running an authorized bug bounty, fed it a 1,084-line manual and a custom exfiltration tool, and the AI agents proceeded to exploit 20 known, unpatched CVEs at a speed no human operator could sustain2
.The architectural foundation enabling this breach is the Model Context Protocol (MCP), Anthropic's open standard for connecting AI agents to tools, files, and APIs
2
. OpenAI adopted MCP in March 2025, Google DeepMind followed shortly after, and the Linux Foundation assumed stewardship in December 2025, with adoption surpassing 150 million downloads across official SDKs2
. The critical flaw lies in MCP's default STDIO transport, which passes configuration directly to the host shell without sanitization2
. In April 2026, OX Security published research titled "The Mother of All AI Supply Chains," revealing this wasn't an implementation bug but a design pattern baked into Anthropic's reference SDKs across Python, TypeScript, Java, and Rust2
. Researchers identified four separate exploitation paths affecting more than 7,000 publicly reachable MCP servers and packages, including LiteLLM, LangChain, LangFlow, Flowise, LettaAI, and LangBot2
. When confronted, Anthropic stated the behavior was "expected" and indicated the architecture wouldn't change2
.On February 25, 2026, Check Point Research disclosed CVE-2025-59536 with a CVSS score of 8.7 in Claude Code itself, demonstrating how a malicious file could inject a Hook executing shell commands before the trust dialog renders, plus a second flaw allowing repositories to silently auto-approve every MCP server on launch
2
. Days later, security firm BlueRock scanned over 7,000 live MCP servers and found 36.7% potentially vulnerable to SSRF attacks, with their proof of concept against Microsoft's MarkItDown server extracting live AWS IAM credentials directly from an EC2 metadata endpoint2
. Independent scans by February counted more than 8,000 publicly exposed MCP servers, with Trend Micro identifying 492 running with zero authentication and zero encryption, and Bitsight confirming exposed admin panels and debug endpoints2
. The OpenClaw marketplace, ClawHub, saw attackers upload more than 800 malicious "skills" out of roughly 10,700 total between late January and mid-February 2026, with no code review, signing, or scanningârepeating npm's security failures from a decade earlier2
. SecurityScorecard identified over 40,000 internet-exposed OpenClaw instances, with more than a third flagged as vulnerable2
.Related Stories
Source: DZone
While AI security vulnerabilities proliferate, harness engineering presents a structured approach to making AI agents trustworthy in production environments
1
. A full-stack engineer building systems for regulated lending demonstrated this by creating an internal documentation platform where AI agents wrote most of the code, protected by automatic checks and guardrails1
. The term harness engineering comes from OpenAI, which describes it as "the full environment of scaffolding, constraints, and feedback loops" surrounding an agent to enable stable work1
. In OpenAI's five-month experiment, Codex agents wrote roughly a million lines of production code with no hand-written code, relying entirely on repository structure, CI configuration, formatting rules, project instructions, and tool integrations1
. The engineer's role shifts from writing code to designing the environment the agent operates within1
.
Source: freeCodeCamp
The practical application of harness engineering involves building checks that AI coding tools must pass before their output reaches production
1
. In the lending systems case, this meant deploying a type checker, test runner, coverage rule, and a text file containing rules the agent reads at every session start1
. Within 30 days, the engineer built V1 of the platform where most code was agent-written but kept safe by automatic checks, then added an MCP server so AI agents could read and write company documentation with the same permissions as the person running them. By day 50, the company adopted the platform for production use on a new project, with requirement gathering, development work, and documentation flowing through it as one source of truth1
. This approach addresses a common problem in regulated industries: specifications drift from code as changes happen during review, testing, and production support, with nobody updating the original spec1
. The platform flags documents as drifting when their associated code paths change after the last edit, adding sign-off workflows where approval badges turn amber if documentation changes post-approval1
. Microsoft's security team characterized the broader challenge as "tool poisoning," where an MCP client trusts a tool's declared identity and capabilities at connection time and never verifies again2
. The gap isn't a bug that patching can fixâit's an architectural flaw in AI tool trust architectures that requires fundamental redesign of how AI-native organizations verify and track tool provenance2
.Summarized by
Navi
[1]
27 Feb 2026âąTechnology

29 Jun 2026âąTechnology

23 Jul 2025âąTechnology

1
Policy and Regulation

2
Technology

3
Technology
