AI harness engineering

Guardrails and memory
for your AI coding agent.

Your AI coding agent will skip the test, leak the secret, and forget yesterday. That's not a prompting issue - it's a harness problem. goat-flow is the opinionated harness for teams shipping with Claude Code, OpenAI Codex, Google Antigravity, and GitHub Copilot/Copilot CLI - not just demoing them.

$ npx @blundergoat/goat-flow@latest

Illustrative audit output showing 20 of 20 build checks passing, four supported agent integrations, and 18 harness checks across context, constraints, verification, recovery, and feedback loop. Actual results depend on the target project.

Why harness engineering?

Agents need better control systems.

Files it can read. Commands it can run. Rules it must obey. Memory it keeps across sessions. That's the harness - and it matters more than which model you pick. goat-flow gives you one, opinionated, out of the box.

Supports Claude Code Codex Antigravity Copilot CLI
The system

Four pieces. One harness.

Audit tells you what's missing. Skills give the agent workflows. Hooks stop dangerous actions. The learning loop remembers what happened.

01 / Audit

Pass/fail checks, no wiggle room

Validates every file, skill, and hook the agent needs. Either it's installed or it isn't. Scores each agent's harness completeness across the five concerns.

npx @blundergoat/goat-flow@latest audit . --harness
02 / Skills

Structured slash commands

Seven workflows with defined phases, named artefacts, and stopping points. Debug, plan, review, critique, security, QA - plus a dispatcher that routes your intent to the right skill.

/goat, /goat-debug, /goat-plan...
03 / Hooks

Guardrails with explicit limits

Pre-action guards block known dangerous command shapes before they run. Where an agent runtime supports them, post-action guards can surface selected hazards after edits. guardrails ships by default, covering unsafe recursive deletion, all git push, direct literal secret-path access, and selected destructive shell and database patterns. These are best-effort local controls, not complete runtime isolation.

.goat-flow/hooks/
04 / Learning loop

Persistent memory across sessions

Footguns, lessons, decisions, session logs. Every mistake becomes next session's context. The compounding bet: every session that hits a problem makes the next one harder to trip.

.goat-flow/learning-loop/lessons, /footguns, /decisions
Under the hood

The execution loop

Every agent action follows four steps. Each one prevents a specific failure mode that free-running agents reliably hit.

READ

Load the files first

Pull in the actual code before reasoning about it.

Prevents fabrication - inventing APIs that don't exist.
SCOPE

Declare what changes

List files that will be touched, and files that won't.

Prevents surprise blast radius - changing files nobody agreed to.
ACT

Make the change

Edit only within the declared scope. Nothing else.

Prevents drift - refactoring that seemed related while the agent was in there.
VERIFY

Prove it works

Run linters, re-read changed files, confirm nothing drifted.

Prevents silent breakage - passing the task but breaking the build.
Seven skills

Workflows, not suggestions.

Free-form prompting is how agents get lost. Skills are structured slash commands with defined phases and clear stopping points. Use /goat as the default entry point and it routes to the right one.

/goat-debug Diagnose bugs without accidentally rewriting the codebase end to end Debug
/goat-plan Plan features, refactors, and milestones - scales from hotfix to system change Plan
/goat-review Review diffs and verify what shouldn't be there, not just what should Review
/goat-critique Surface blind spots from multiple angles before shipping Critique
/goat-security Threat model, dependency audit, and compliance checks Security
/goat-qa Generate test plans with automated, AI-verified, and manual steps QA
Hooks

Block dangerous actions before they run.

A system prompt is a suggestion. A hardcoded boundary is a rule. Hooks enforce boundaries at a layer the model cannot talk its way past.

Ships with sensible defaults

guardrails catches selected patterns agents hit when they go off-script: unsafe recursive deletion, all git push, direct literal secret-path reads, and selected destructive shell and database commands. It is a local guardrail, not a complete shell sandbox.

Extend with your own

Drop linters, format-on-save, custom validators, or project-specific rules into the hooks directory. They register automatically and run in parallel with the defaults.

guardrails Pre-action
βœ—rm -rfdestructive
βœ—git pushall pushes blocked
βœ—cat .envsecret read
βœ—curl | shexfiltration
βœ—eval, bash -csubshell escape
βœ—DROP TABLEdata loss
βœ—> filetruncation
βœ—$(...)recursive sub
Learning loop

The harness gets smarter every session.

Two things failed. Nothing remembered, and nothing stopped them. The learning loop fixes both.

Footguns

Architectural traps captured with semantic-anchor evidence. Stops the agent from hitting the same code landmine twice.

.goat-flow/learning-loop/footguns/

Lessons

Behavioural mistakes the agent made - logged so the same error pattern is recognised and avoided next time.

.goat-flow/learning-loop/lessons/

Decisions

Architecture Decision Records. Captures why a choice was made so future agents don't quietly reverse it.

.goat-flow/learning-loop/decisions/

Session logs

End-of-session summaries provide continuity between work sessions - across agents, across days, across context compactions.

.goat-flow/logs/sessions/
The framework

The five concerns of AI harness engineering.

The common ground across the public harness engineering literature. goat-flow scores every installed harness against these five.

Context Give the agent a map, not a 1,000-page manual. Concise instructions, the right files, progress notes across sessions.
Constraints Deterministic rules that steer before the agent acts. Linters, deny-hooks, permissions, required sections.
Verification Structural checks the agent runs to prove its own work. Tests, typecheck, post-action hooks, back-pressure.
Recovery Session durability and restart paths. Checkpoint and resume, compaction handlers, milestone checkboxes, loop detection.
Feedback loop Capture every mistake as persistent context so the next session doesn't repeat it. Footguns, lessons, decisions, logs.

Sources: Mitchell Hashimoto, Birgitta BΓΆckeler (martinfowler.com), Anthropic engineering, and HumanLayer. goat-flow synthesises these into a working system with strong defaults.

Get started

From zero to passing audit in two commands.

Set up on any project, verify the harness, then start running skills through your agent of choice.

1 npx @blundergoat/goat-flow@latest
2 npx @blundergoat/goat-flow@latest audit --harness

Supports Claude Code, Codex, Antigravity, and Copilot CLI. Read the CLI docs β†’