brianletort.ai
All issues

Agent Techniques Weekly

Issue 13 · Week 29 of 2026.

/From Chat to Cowork to Build to Automate/Public sources only

Big Read

Autonomy got longer and the leash got shorter: a 2.8T model demoed a 48-hour unattended run the same week the leading harness shipped hard per-session budgets for searches and subagents.

W29's two headline events point in opposite directions, and the tension between them is the story. Moonshot's Kimi K3 — a 2.8T-parameter MoE with 1M context and native vision — arrived with a vendor demo of a single 48-hour autonomous run building and verifying a 45nm chip design with open-source EDA tools, screenshots feeding back into code in a vision-in-the-loop cycle. Whatever survives independent replication (the prompts are unpublished, retry counts unknown, weights not open until Jul 27), the direction is unambiguous: frontier labs now compete on sustained multi-day autonomy with verification loops, not single-turn quality. The same week, Anthropic shipped the countervailing control: Claude Code v2.1.212 enforces hard session-scoped ceilings on web searches and subagent spawns and auto-backgrounds MCP calls that exceed a time threshold — runaway loops reframed as a budgeting problem with an engineering fix, not a prompting problem with a wishful fix. Around those poles, the delegation contract got more explicit everywhere: Cursor's Slack agents now respond with a plan before starting work and renegotiate repository access mid-task; Microsoft took Sales and Service agents GA on usage-based credits with admin budgets and hard caps; xAI open-sourced its entire agent harness under Apache 2.0 days after Google finished shutting down the individual-tier Gemini CLI — a natural experiment in why pipeline-critical harnesses should be pinnable and forkable. What to do differently this week: treat delegation budgets as a design layer you own — set platform spend caps and harness loop budgets separately, because they fail differently; put a plan-first gate on any agent invoked from a chat surface; and audit which of your automations depend on a free vendor CLI that can be wound down on someone else's schedule.

Technique of the Week

build/Anthropic (Claude Code v2.1.212 release notes)

Delegation Budgets

Treat runaway agent loops as a budgeting problem, not a prompting problem: enforce hard per-session ceilings on expensive delegations — web searches, subagent spawns, long tool calls — at the harness layer, with explicit reset semantics and auto-backgrounding for calls that exceed a time threshold, so a stuck loop degrades into a bounded, observable failure instead of an open-ended one.

Every 'the agent burned $400 overnight' story shares the same root cause: the only thing standing between a stuck loop and unbounded resource consumption was the model's judgment. Prompt instructions like 'be efficient with searches' are advisory; a session-scoped counter that hard-stops the 201st search is enforcement. This week the pattern shipped as a first-class harness feature — Claude Code v2.1.212 caps searches and subagent spawns per session and auto-backgrounds MCP calls over a time threshold — which matters beyond one product: as vendor demos normalize 48-hour autonomous runs and platforms move to usage-based credits, the teams that thrive will be the ones that own their budget layer instead of inheriting defaults. Budgets also generate signal: an agent that routinely hits its search ceiling is telling you something about task scoping that no transcript skim will.

Pick the budgeted resources

Budget the delegations that compound: external searches (each result expands context and invites more searches), subagent spawns (each child can spawn more work), and long-running tool calls (each blocks the loop). Claude Code v2.1.212's choices — WebSearch, subagent spawns, MCP call duration — are a sensible default set for any harness.

Set hard session-scoped ceilings

Enforce counters at the harness layer, not the prompt layer: v2.1.212 defaults to 200 searches per session (CLAUDE_CODE_MAX_WEB_SEARCHES_PER_SESSION) and 200 subagent spawns (CLAUDE_CODE_MAX_SUBAGENTS_PER_SESSION). The defaults are generous by design — they catch pathology, not ambition. Tighten them per task class once you have usage data.

Define reset semantics

A budget without a documented reset boundary becomes a mystery failure: in Claude Code, /clear resets the subagent counter, so the session is the budget scope. Whatever your harness, make the reset boundary explicit and teach operators where it is — otherwise the first budget exhaustion mid-task gets diagnosed as a model regression.

Auto-background instead of blocking

Time is a budget too: v2.1.212 automatically moves MCP tool calls exceeding two minutes to the background (tunable via CLAUDE_CODE_MCP_AUTO_BACKGROUND_MS), so one slow connector no longer stalls the whole loop. The transferable rule: any tool call slower than your loop's decision cadence should yield, not block.

Observe budget pressure as a signal

Instrument how close sessions come to their ceilings. A task class that consistently consumes 80% of its search budget needs decomposition or better context, not a bigger budget — budget-pressure telemetry is the cheapest agent-quality metric you are not yet collecting.

New Agent Capabilities.

Moonshot AI / build

Kimi K3

A 2.8T-parameter MoE (896 experts, 16 active) with Kimi Delta Attention, native text/image/video input, and a 1M-token context window, positioned explicitly for long-horizon agentic software engineering — with a vendor demo of a single 48-hour autonomous run building, optimizing, and verifying a 45nm chip design (4mm² die, timing closure at 100 MHz, 1.46M standard cells) using open-source EDA tools and a vision-in-the-loop cycle of screenshots feeding back into code. Hosted via kimi.com, Kimi Code, API, and OpenRouter at $3/$15 per Mtok; open weights committed for Jul 27.

The demo is a vendor claim until the tech report and independent replications land, but the positioning is the signal: multi-day autonomy with built-in verification is now the frontier battleground, and vision-in-the-loop (look at the output, not just the logs) is the verification pattern to steal regardless of model. Engineering leaders should hold evaluation until the Jul 27 weights drop, then test long-horizon reliability on their own tasks rather than trusting a demo with unpublished prompts — and start designing supervision models for runs measured in days, because every lab is heading there.

Anthropic / build

Claude Code v2.1.208-214 (four releases in-window)

v2.1.212 shipped the delegation-budget layer (search and subagent session caps, MCP auto-backgrounding), /fork to spin a conversation into a new background session, and subagents inheriting the parent's permission mode; v2.1.214 fixed single-segment dir/** allow rules that were auto-approving nested writes anywhere in the tree, added message.uuid, client_request_id, and tool_source OpenTelemetry attributes for tool provenance, and put permission prompts on docker daemon-redirect flags; v2.1.211 made 'always allow' rules persist at repo root across worktrees and fixed a prompt-caching regression billing trailing system context as fresh input on Bedrock, Vertex, and other enterprise routes; v2.1.208 added CLAUDE_CODE_PROCESS_WRAPPER to route every self-spawned process through a corporate wrapper.

Two items are do-this-week material: audit your allow rules, because the dir/** glob bug meant rules you thought were scoped were approving writes across the whole tree — and glob semantics can silently change again on any harness update, so re-test rules after upgrades. Second, the OTel tool-provenance attributes plus the process wrapper are the raw material for a real agent audit trail; platform teams should start streaming them now rather than reconstructing provenance after an incident.

Cursor / cowork

Cursor in Slack (3.12)

Slack-invoked agents now respond with a plan before beginning work and post step-by-step status updates as they execute; named multi-repo environments define what an agent can touch; a mid-task 'Switch repository' button lets the human renegotiate the permission boundary while work is in flight; and agents can read and post across channels they are invited to.

The plan-first gate is the transferable pattern: when an agent is invoked from a chat surface — where prompts are casual and context is thin — forcing a stated plan before execution catches misunderstood scope at the cheapest possible moment. Adopt the gate on every chat-invoked agent whatever the vendor. Before rolling this integration out, review which channels the bot can reach: cross-channel read and post access is a data-flow decision disguised as a convenience feature.

Microsoft / cowork

Sales Agent + Service Agent GA, Copilot Cowork worldwide

Sales Agent and Service Agent reached general availability in M365 Copilot, grounded in Work IQ and Dynamics 365 data, with Dynamics plugins targeting team-scale workflows in Copilot Cowork; Cowork itself went GA worldwide on usage-based Copilot Credits with admin-configurable budgets and hard caps, and GPT-5.6 became the preferred model across Word, Excel, PowerPoint, Chat, and Cowork.

Function-specific agents on usage-based billing with admin hard caps is the enterprise distribution template the rest of the market will copy — the vendor productivity framing is a claim, but the billing architecture is a fact worth studying. Automation owners on the suite should set credit budgets and caps before adoption spreads organically, and treat the GA as the trigger to define who owns agent spend per function: the CRM admin, the Copilot admin, or finance.

xAI / build

Grok Build (open-sourced CLI agent harness)

The full source of the grok CLI agent harness landed on GitHub (xai-org/grok-build) under Apache 2.0: the Rust runtime with leader, stdio, and headless modes, the tool layer (terminal, file editing, search), and a VCS-aware workspace with checkpoints. The model endpoint is configurable — including air-gapped deployments — and headless mode targets CI; external pull requests are not accepted.

A production harness you can read, pin, fork, and run against any model endpoint is exactly the dependency posture the same week's Gemini CLI wind-down argues for. Platform teams should evaluate it less as a product and more as a reference architecture — the checkpoint and workspace design is worth studying even if you never deploy it — and note the no-external-PRs stance: this is source-available insurance, not a community project, so plan to maintain your fork.

Google / automate

Gemini CLI wind-down → Antigravity CLI (agy)

The individual-tier Gemini CLI shutdown completed this week: the agy successor is closed-source and cloud-required, with an 'agy plugin import gemini' migration path, skills relocating from .gemini/skills/ to .agents/skills/, and MCP servers moving into mcp_config.json profiles. Enterprise Gemini CLI continues under paid licenses only.

Any automation shelling out to the gemini binary on an individual tier is now dead code — inventory your scheduled jobs and CI pipelines for it this week, because these failures surface as silent skips, not alerts. The strategic read pairs with the grok-build release: free vendor CLIs are revocable infrastructure, so before wiring any agent CLI into a pipeline, ask whether you can pin the version and fork the source. If the answer is no to both, the dependency needs a documented exit plan on day one.

New Skills And Connectors.

connector / Salesforce

Headless 360 MCP Server (beta)

Roughly 100 skills exposed behind a single hosted MCP surface — user management, Apex trigger read/write/deploy, event-driven integration setup — with thousands more machine-generated by an internal 'Headless 360 Factory' that scans Setup for missing API coverage and gates each generated skill behind feature-team review.

The factory is the story: a major platform is now machine-generating its own agent surface area, with human review as the quality gate — expect the skill count on every enterprise platform to explode on this pattern. Admins should treat the beta as a permissioning exercise before a productivity one: Apex deploy via MCP means an agent can change production behavior, so map which skills are reachable under which credentials before anyone connects a coding agent to the org.

skill / JetBrains

DataGrip 2026.2 database agent skills

Three skills — database-tools, database-connection-management, database-text-to-sql — ship inside the IDE with bundled MCP tools and zero setup, letting agents create and edit database connections directly from chat alongside text-to-SQL execution.

Zero-setup is the adoption unlock and the governance problem in one feature: an agent that can create its own database connections from chat has crossed from querying data to provisioning data access. Data platform owners should decide now whether connection management belongs in the agent's toolset at all, and if so, bind it to read-only credentials by default — this is the week the 'agents in the IDE' conversation became a data-access-control conversation.

harness / xAI / open-source

grok-build as a forkable harness reference

A production agent harness — runtime, tool layer, VCS-aware checkpointed workspace — published in full under Apache 2.0 with configurable model endpoints and a headless CI mode, from a lab that runs it as its commercial coding CLI.

W28's lesson was that the harness drives cost and much of quality; W29 delivers the first frontier-lab harness you can actually read end to end. Even teams committed to a vendor harness should mine it for patterns — checkpointing, workspace isolation, tool-layer boundaries — and teams burned by the Gemini CLI wind-down now have a concrete pin-and-fork option to price against renting. Budget maintenance effort honestly: no external PRs means upstream fixes arrive on xAI's schedule only.

connector / SnapLogic

SnapCode + SnapLogic MCP Server

Coding agents generate SnapLogic pipeline code in tools like Claude Code, then deploy, execute, and manage it through governed MCP tools running on a headless integration runtime — announced Jul 14, GA since Jul 7.

The division of labor is the transferable architecture: the agent writes the artifact, a governed runtime executes it — authorship and execution authority separated by an auditable MCP boundary. Integration owners evaluating agent-generated pipelines should copy that split even off this product, because it converts 'the agent changed production' from a horror story into a reviewable deploy event. Vendor benefit claims remain claims; the pattern stands on its own.

Proof Of Value.

Evidence: customer_case_study

C.H. Robinson: Hundreds of role-specific agents across logistics operations

A 45% productivity gain since end-2022 attributed to hundreds of narrow, role-specific agents built by ~450 in-house engineers — quoting cut from roughly 20 minutes to 31 seconds — with labor savings realized by not backfilling 11-14% annual attrition rather than layoffs.

The number is self-reported, unaudited, and measured from a baseline that includes non-AI Lean improvements — discount it accordingly. The architecture is what transfers: many narrow agents with human oversight at judgment points, built in-house against real workflows, with headcount absorbed through attrition. Executives should steal the operating model (task-level decomposition, engineers embedded in the business, attrition as the labor-adjustment valve) and treat the 45% as an upper bound to beat, not a benchmark to cite.

Evidence: benchmark

Kimi K3 (third-party placement): Independent benchmark and arena standing at launch

K3 debuted at 57.1 on the Artificial Analysis Index — #4 of 189 models tracked — and took #1 on LMArena's Frontend Code Arena in its launch week.

Genuinely independent placement, with two caveats that change how to act on it: AA classifies K3 as proprietary until the Jul 27 weights release, so the open-model economics are promised rather than delivered; and arena preference votes measure single-shot output appeal, not the long-horizon reliability the model is marketed on. Evaluation owners should note the placement, then hold procurement conversations until weights, tech report, and at least one multi-day-task replication exist — the gap between arena rank and agentic dependability is exactly where W29's marketing lives.

Evidence: vendor_claim

Moonshot AI: 48-hour autonomous chip-design run (Kimi K3 launch demo)

A single unattended 48-hour K3 session reportedly built, optimized, and verified a 45nm chip design — 4mm² die, timing closure at 100 MHz, 1.46M standard cells, an INT4 MAC array — using open-source EDA tools with screenshots fed back into code for verification.

Unpublished prompts, unknown retry counts, no independent replication: this is marketing until the tech report, and possibly a best-of-N result even then. What it reliably signals is competitive direction — labs are now racing on sustained multi-day autonomy with verification loops, which means 48-hour runs will be a procurement checkbox within quarters. Operators should get ahead of the checkbox: define now what supervision, budgets, and checkpointing you would require before authorizing any two-day unattended run, so the policy exists before the capability arrives in your stack.

Evidence: practitioner_report

Practitioner (Towards Data Science): Cross-provider adversarial review of agent-authored PRs

A Codex-based review agent running in GitHub Actions reviews every Claude-agent pull request, maintaining a persistent findings comment and a blocking commit status — the PR cannot merge until a different provider's agent signs off.

One practitioner's pipeline, not a controlled study — but it operationalizes a real failure mode: an agent reviewing its own lineage inherits its own blind spots, and same-model review has a documented tendency to rubber-stamp. The design is cheap to copy with any two providers you already license: persistent findings as a comment, enforcement as a commit status. Engineering leaders running agent-authored PRs at volume should pilot cross-provider review on one repo this sprint and measure what the second provider catches that the first missed.

Enterprise Readiness.

  • permissioning

    Claude Code v2.1.214's fix for single-segment dir/** allow rules — which were silently auto-approving nested writes anywhere in the tree — is the week's mandatory action: audit every approval rule for what it actually matches, not what it reads like it matches, and re-test after every harness update, because glob semantics are now a security surface that changes under you. The same release adds permission prompts for docker daemon-redirect flags and stops auto-allowing file -m/-f as read-only; treat both as reminders that 'read-only' classifications drift.

  • auditability

    The beginnings of a real agent audit trail shipped this week: message.uuid, client_request_id, and tool_source OpenTelemetry attributes give every tool call a provenance chain, and CLAUDE_CODE_PROCESS_WRAPPER routes every self-spawned process through a wrapper your security team controls. Platform teams should wire these into existing observability pipelines now — provenance you start collecting today is the only provenance you will have when the first agent incident review asks who ran what.

  • cost

    Usage-based billing with hard caps is becoming the norm on both sides of the stack — Copilot Credits with admin budgets and hard caps at the platform layer, Claude Code session budgets at the harness layer. Set both, deliberately: a platform spend cap will not stop a runaway loop whose iterations are individually cheap, and a harness loop budget will not stop a handful of expensive calls. They fail differently, so treating either one as sufficient is the new single-point-of-failure.

  • reliability

    The week's natural experiment: Google completed the individual-tier Gemini CLI wind-down (automations shelling out to it are now dead code) while xAI open-sourced its entire harness under Apache 2.0. The lesson for every pipeline owner: agent harnesses on the critical path must be pinnable and forkable, or carry a documented exit plan. Inventory which of your scheduled jobs depend on a vendor CLI whose lifecycle you do not control, and do it before the next wind-down announcement rather than after.

Try This.

Run a delegation-budget drill on Claude Code v2.1.212+

  1. In a scratch repo, start a session with deliberately tight budgets: export CLAUDE_CODE_MAX_WEB_SEARCHES_PER_SESSION=10 and CLAUDE_CODE_MAX_SUBAGENTS_PER_SESSION=3, then give the agent a sprawling research task that would naturally want dozens of searches — e.g., 'survey the current landscape of open-source agent harnesses and compare their checkpointing designs' (~5 min setup).
  2. Watch how the agent behaves as it approaches and hits the ceilings: does it prioritize its remaining searches, state that it is budget-constrained, or silently degrade into confident answers built on thin evidence? Note whether budget exhaustion is visible to you as the operator — that visibility gap is what you would need to close before production use (~15 min).
  3. Use /clear and confirm the subagent counter resets, so you understand the budget scope boundary your operators will hit; as a bonus, /fork the conversation into a background session with different caps and compare output quality at 10 vs 200 searches on the same task (~10 min).

Expected outcome: In a read-only, safe drill you learn how your primary harness actually behaves under budget pressure — graceful prioritization versus silent degradation — and you leave with evidence-based cap values for your own task classes, plus a clear picture of the operator-visibility gap that any production delegation-budget policy has to address.

Watchlist.

  • Jul 27

    Kimi K3 open weights and tech report land

    The claims become checkable: watch inference-partner readiness on day one, whether independent replications of long-horizon runs materialize, and how the promised 'Kimi Hosted Agent' enterprise platform (harnesses, isolated sandboxes, long-running environments) prices against incumbents — the answers determine whether K3 is an open-model economics event or just a launch week.

  • Aug 26

    OpenAI Assistants API hard shutdown

    Every production workload still on the Assistants API has under six weeks to migrate; expect a wave of migration engineering and some breakage — audit your own estate for lingering Assistants dependencies now, including inside vendor products you merely consume.

  • July-August 2026

    Cursor cloud-VM hook execution fix

    3.11's conversation-level hooks — the observability building block W28 flagged — carry a caveat that hooks do not yet run on cloud-VM agents; teams standardizing audit pipelines on hooks should watch the changelog, because until the gap closes, cloud-run agents are the blind spot in hook-based observability.

  • July-August 2026

    Microsoft Copilot Vision rollout and team-level Cowork credit reporting

    Vision rolling out through July expands what suite agents can read off the screen, and August's team-level credit reporting is the first per-team agent-spend visibility in a major suite — together they set the reference point for what 'governed by default' means in cowork-mode deployments.