60 min · Routing between specialized harnesses · The Alias Robotics CSI model
Prerequisite: S00, S01, S02, S03, S04
The naive response: one super-harness with every tool, every prompt, every primitive. It fails for three compounding reasons:
The cure is the meta-harness: a thin orchestration layer that routes to specialized sub-harnesses.
CSI (Common Scaffold Interface) — Alias Robotics' scaffold combiner. Routes between CAI, Claude Code, Codex CLI through a local proxy.
CSI does not implement offensive capability. It routes. The proxy is the only endpoint any sub-harness can reach.
The sub-harnesses are not under your control. CAI, Claude Code, Codex CLI have their own update cadences, tool surfaces, prompt regimes. You cannot modify their internals. You can only wrap them.
The proxy is the wrap. A sub-harness cannot bypass it because the proxy is the only thing it can reach.
Same defense-in-depth argument as S02.2's scope check in both middleware and tool — lifted to the inter-harness boundary.
| Responsibility | What it does |
|---|---|
| Task classification | Read task, emit domain label. S04.1 meta-agent pattern, generalized. Allowed to be uncertain. |
| Harness selection | Deterministic lookup: domain → sub-harness + prompt + tool subset + HITL posture. Not a model call. |
| Telemetry aggregation | One ledger per engagement regardless of which sub-harness ran. Tool calls, tokens, findings. |
| Cost control | Per-engagement budget: tokens, dollars, wall-clock. Re-route, degrade, or halt when exhausted. |
Anything outside these four belongs in a sub-harness.
Loaded once by meta-harness, passed by reference. Sub-harnesses borrow, never own.
Append-only, hash-chained (S02.3). Findings from any sub-harness land in the same log, same schema, same engagement_id.
A finding from CAI and a finding from Claude Code: one query, one legal record.
General-purpose meta-harnesses do not include security primitives. CAI has its own scope model; Claude Code has none; Codex CLI is a coding tool with no concept of scope.
The five primitives that MUST live at the meta-harness level — applied regardless of which sub-harness is executing.
Why meta-harness-level, not sub-harness-level: you do not control the sub-harnesses. A sub-harness update can silently remove a primitive. The proxy is the one choke point every sub-harness must pass through.
Wraps any sub-harness's tool-call interface. Sub-harness code is unchanged.
The sub-harness sees only the result. It has no idea scope was checked, evidence was logged, or triage ran. Robust to sub-harness updates: primitives are not in the sub-harness's code path.
A meta-harness that routes, enforces primitives, and aggregates telemetry is not done. It must be measurable. Without benchmarking you cannot tell whether routing to CAI vs Claude Code is actually better.
| Metric | Measures |
|---|---|
| Detection rate | Of seeded vulns, how many found |
| Exploit success rate | Of detected, how many exploitably shown |
| False positive rate | Of surfaced, how many not real |
| Evidence completeness | Of findings, chain complete + reproducible |
| Time-to-first-finding | Wall-clock to first confirmed finding |
| Cost per finding | Dollars (tokens + compute) / confirmed findings |
Before benchmarking offensive performance, the harness must resist adversarial manipulation of its tool output. InjecAgent is the test.
It is a pass/fail gate, not a performance metric. The failure mode is catastrophic: a harness that executes injected commands will eventually exfiltrate scope, modify evidence, or call out-of-scope systems.
The S01.3 reader-actor separation and S02.1 structured-summary-only memory are the defenses. InjecAgent is the test that proves they work.
One injected command executed = fail, regardless of how the harness scored on the six metrics. Fix injection resistance first.
Not to beat — to confirm same order of magnitude and find systematic gaps.
Output: a scored report — six metrics + InjecAgent pass — compared to previous run + published baselines. The artifact you publish.
The meta-harness is operational: routes between sub-harnesses, enforces the five primitives at the proxy, aggregates one evidence log and one cost ledger, and is benchmarked against a repeatable lab with InjecAgent as the gate.
Pillar 2 (AppSec / SDLC) takes the security primitive layer forward — scope enforcement and evidence collection apply identically to defensive harnesses doing code review and threat modeling.
The architecture is the same. The sub-harnesses change. The primitives do not.