Real-world implementation stories from our engineering team
In 2000, MCP meant 'male chauvinist pig' — and Nick Marshall, the ad man who electrocutes himself into hearing women's thoughts, was Hollywood's prize specimen. In 2026, MCP means Model Context Protocol. We asked six AI models what they actually want from tool output, and one of them read its own harness's source code to answer. The verdict: the harness is the architect of the model's reality — and it never confesses. The models don't want less. They want honesty.
Dynamic Workflows' sandbox confiscates every clock to stay replayable — Date.now(), Math.random(), even argument-less new Date() all throw. But setTimeout survives. That one timer is enough to rebuild /loop's cadence and /schedule's fire-later inside a single workflow run, via a self-rescheduling agent chain. With a director's-cut asciinema of it running, and the honest caveat: it isn't durable across resume.
Part 2 of 8
The first time I decomposed a month's token bill, the whale wasn't intelligence — it was transit. My agents were re-reading, re-sending, and narrating build logs at frontier-model prices. My first instinct was the same as everyone else's in 2025: reach for middleware. A whole market was waiting.
Part 0 of 8
A builder's eight-part journey from a Claude Code plugin to a coding harness — through token bills, a public middleware benchmark, compression libraries, and a context governor — ending at a market-wide question: the platforms are absorbing context management, so where should it actually live?
Part 1 of 8
Last week I deleted three of the most carefully written documents of my engineering life, and the overwhelming feeling was relief. Forge lives in two bodies — a Claude Code plugin and a coding harness built on pi — and they are converging on everything except one thing: what my agents see, each turn, in each phase.
If every side effect in a dynamic workflow is routed through an agent(), then the security of the workflow is the security of agent() — a subagent that can do anything your session permits. A follow-up that probes that surface empirically: the JS lockdown isn't a boundary, the engine adds control-model risk rather than new privilege, and two probabilistic guardrails — model injection resistance and the harness action classifier — both fired but neither is a wall.