DevOps engineer. Writing about systems, cloud, AI and automation.
Virgil
文剛

When building AI systems that handle multiple kinds of tasks, do you let different agents exist side by side — each owning its own domain — or do you funnel everything through a single entrypoint that routes to the right agent? At work, this design question has come up multiple times already. Some of my colleagues and I presented our first agent POCs to the team last week. That question is now more urgent. ...

If you’ve used any agent harness for development work - Claude Code, OpenCode, Devin, or one of the many others - you’ve run into this: you’re mid-task, the agent needs to search the web or read a file, and it stops to ask permission. This is disruptive to the flow. The naive fix is to just trust the agent more - expand the allow list, enable auto mode, and move on. But that’s not a viable long-term solution. An agent that self-certifies its own intent is exploitable. If a model can decide that fetching a URL is “just reading,” it can be manipulated into deciding that almost anything is. ...