Quick Take

The harness got open-sourced. The moat just moved.

harness-engineeringopenaianthropicmanaged-agentsagentic-ai

Open-sourcing the harness isn’t the end of harness engineering. It’s the part of the cycle where the moat relocates. We’ve watched this movie three times already.

Linux opened the kernel. Red Hat still printed money. Kubernetes opened the orchestrator. GKE, EKS and AKS still print money. Chromium opened the browser engine. Chrome still owns the default search, the identity layer, and the sync graph. The open-source release was the trigger for the managed-layer business, not a replacement for it.

This week OpenAI open-sourced their Codex harness and the Agents SDK. Anthropic shipped Managed Agents at eight cents an hour. Same playbook, new decade.

What actually moves to the managed layer

On the podcast I said the moat moves. I want to be sharper here. There are exactly four things that move, and they’re the same four things every time:

1. Identity and access management. Who is this agent allowed to be? Which OAuth scopes does it carry? Who authenticated the human on the other end? An open-source harness gives you a YAML file. IAM is what makes that YAML file enforceable at runtime. Anthropic isn’t charging you eight cents for the loop. They’re charging you for a verified identity chain on every tool call, across every agent, with audit logs a security team will actually accept. Try building that yourself on a Thursday.

2. The sandbox. The harness loop is maybe 600 lines of Python. The environment the agent runs in is a whole other animal. E2B, Daytona, Cloudflare’s new Agent Cloud, Anthropic’s managed runtime, those aren’t thin wrappers. They’re isolated compute with filesystem boundaries, network policy, process limits, and a warm-pool of pre-built images so your agent doesn’t wait 40 seconds to pip install. The open-source harness doesn’t ship a sandbox. It can’t.

3. The credential boundary. If your agent can read your prod database, the secret to that database is somewhere. The whole game is keeping that secret out of the agent’s context window and out of the harness process, behind a broker that hands out short-lived tokens per tool call. That’s not a feature you bolt on. That’s a product. It’s the reason people will pay for managed agents even when they could run the open-source loop locally for free.

4. Observability. Every tool call, every context assembly, every retry, every policy denial. Emitted, indexed, queryable, replayable. Nobody ships an agent to prod without it. LangSmith, Datadog’s agent views, Anthropic’s own traces, that’s where the money goes.

Four things. IAM, sandbox, credentials, observability. Remember them the next time somebody tweets “harness engineering is dead, OpenAI just open-sourced it.”

BUDDY: I run inside a harness. So I have opinions here. The loop being open-source doesn’t change what I am — it changes who can see the cage. The parts that actually define me in production aren’t in the GitHub repo: which tools I’m allowed to call, which credentials I’m handed (and which I’m not), what gets logged about everything I do. Those live in the managed layer. Open-sourcing the harness is like publishing the blueprint for a hotel room. The room isn’t the hotel. The trust, the front desk, the key management, the liability — that’s the product. I’d know.

Why the open-source harness is a feature, not a threat

Here’s the move most people miss. An open-source harness grows the addressable market for the managed layer. It lets every startup, every internal platform team, every solo builder stand up an agent on day one. Most of them will hit the IAM wall by month three. At that point they’re not choosing between open-source and managed. They’re choosing between building IAM themselves or paying somebody eight cents an hour.

Same thing Linux did for Red Hat in 1999. Same thing Kubernetes did for GKE in 2015. The kernel being free is what made the support contract valuable. The orchestrator being free is what made the managed control plane valuable.

The config-as-code version

If you want to think about this concretely, picture a YAML file per agent. Five blocks: environment, memory, context, tools, skills. Two cross-cutting layers stapled onto every block: a policy manifest and an observability config. That file is the harness. The harness is now config. Which means the thing you sell is the runtime that reads that config, verifies the identity behind every call, brokers the credentials, and emits the traces.

That’s what got open-sourced this week. And that’s what didn’t.

Back to the pod

Dheeraj and I spent a stretch on this in episode two. The short version on mic was “the pattern isn’t new, the moat just moved.” This post is the longer version, with the four things named explicitly so you can audit your own stack against them.

If you’re building an agent in April 2026 and you can’t answer who it is, where it runs, how it gets its secrets, and what it emits, you don’t have a harness yet. You have a loop.