Book
← researchWSB-202026-06-19
32 min read

Exit 0 Is Not Working. A Self-Improving Harness Can Run Green Every Night and Learn Nothing. Here Is the Three-Layer Closure That Fixes It.

A 7-day audit of an agentic harness whose authentication, learning, and governance loops all measured themselves failing and changed nothing — and the keystone fix that turned monitoring theater into a closed cybernetic loop. Dreams EXTRACT 0→5 · review 0/5→5/5 · violations W22:178→W25:14.

Madani Lab · iter harness-health 2026-06-13→19 · auth keystone + reinforcement loop + governance radar

self-improving-agentcybernetic-loopreflexionreinforcement-learninggovernanceheadless-authlaunchdadvisory-vs-mechanicalclosed-loop

Abstract

We report a seven-day production audit (2026-06-13 → 2026-06-19) of a self-improving agentic harness at Madani Lab — a single forward-deploy workspace running 20+ skills, five cron-driven self-improvement loops (Reflexion verbal-RL, Dreams pattern-mining, memory-promote, skill-curator, staleness-detector), a five-tier memory system (WSB-18), and a turn-level governance-injection layer (WSB-15) — and we document the distance between a harness that runs and a harness that works. The headline finding is that every loop that depended on the language model had been silently inert for weeks while the harness returned `exit 0` nightly, wrote timestamped files, and presented green status everywhere an operator would look. The cause was a single broken edge — the `claude` CLI authenticates through the macOS Keychain, which is unreachable from a `launchd` agent, so under cron the model returned "Not logged in" and each loop degraded to a no-op that recorded its own emptiness as success.

We trace the keystone, fix it, and then close two further loops that the auth fix exposed: a learning loop that captured lessons but never applied or graduated them, and a governance layer that injected rules every turn but had no way to know whether the rules changed behavior. We advance SEVEN findings, each anchored to a measured before/after on the reference workspace. (a) EXIT 0 IS NOT WORKING — the dominant failure mode of an instrumented harness is not the crash but the green no-op: Dreams ran its full six-stage pipeline (`CAPTURE → EXTRACT → PROPOSE → REVIEW → APPLY → FEEDBACK`) to `final_status: ok` every night while EXTRACT produced 0 candidates from 289 available session transcripts; the instrumentation reported health while the engine was dead, and the operator's only signal was the slow ambient sense that "the agent used to be sharper". (b) AUTH IS THE KEYSTONE AND IT FAILS HEADLESS — the `claude` subscription token lives in the login Keychain (`Claude Code-credentials`), accessible interactively but not from `launchd` (no PATH inheritance, no Keychain unlock in a non-GUI session); the symptom was diffuse (Dreams empty, skill-curator crashing on `FileNotFoundError: claude`, Reflexion's LLM synthesis silently degrading to rule-based) but the root cause was singular, and the fix — a long-lived `sk-ant-oat01` token from `claude setup-token` written to a `0600` file outside the repo and loaded into `CLAUDE_CODE_OAUTH_TOKEN` by a shared runtime shim — took the Dreams EXTRACT stage from 0 to 5 real candidates in one run. (c) MEASUREMENT WITHOUT CLOSURE IS THEATER — Reflexion measured lesson violations every night and wrote them to episodic files (59 corrections, 3 lessons violated in one representative night; lesson `L03` hit 39 times over fourteen days) but nothing read those files, so the same lessons recurred — the workspace's own ledger tags one anti-pattern "specchio identico" (identical mirror) across distinct sessions; an open loop that watches itself fail and files the report is structurally identical to no loop at all. (d) LEARNING WAS WRITE-ONLY — capture worked (`lessons-learned.md` is 960 lines of genuine corrections) but application and graduation did not: the semantic memory tier held 49 files frozen at a median of 1 observation and 0.5 confidence because nothing re-incremented a memory when its insight recurred, so the promotion gate (semantic → procedural) had zero eligible inputs no matter how the threshold was set — the system wrote what it learned and never used it. (e) THE GATES REJECTED EVERYTHING BECAUSE THEY WERE NEVER CALIBRATED — Dreams' REVIEW passed 0 of 5 proposals because it required `delta_kind == "new"` while PROPOSE always emitted `"needs-review"`; memory-promote required `confidence ≥ 0.90 ∧ observations ≥ 5` against memories stuck at `0.5 / 1`; skill-curator silently `parse-failed` because the model prefaced its JSON with prose — three independent gates each rejecting 100% of input, all undetected because a gate never sees bad output if upstream never produces output. (f) ADVISORY DRIFTS, MECHANICAL HOLDS — the rules that held (the global `CLAUDE.md` loaded into the system prompt, the hook re-injecting a governance block every turn) are the ones the infrastructure executes; the rules that drifted are the ones that say "model, remember to run X" — the pre-output compliance gate had not run since 2026-05-23, twenty-six days, because it was a string in a reminder asking the model to invoke a tool voluntarily, which an LLM in flow does not do. (g) THE TREND IS THE ONLY HONEST SIGNAL — once we aggregated the violation counts the harness already computed, the weekly series read W22:178 → W23:68 → W24:31 → W25:14, a visible decline no single nightly file could show; surfacing the delta of recurring failures in-context every turn (not the static rulebook) and the trend at session start is the difference between believing the system learns and seeing it. The contribution is empirical (a measured before/after audit of a self-improving harness moving from inert to closed-loop), architectural (a three-layer closure — authentication, learning, governance — any cron-driven workspace can adopt), operational (the concrete fixes: headless-auth shim, reinforce-on-recurrence, governance radar), and conceptual (three named failure classes — built-to-look-alive, measurement-without-closure, advisory-vs-mechanical — that we argue are the dominant ways production agent infrastructure fails quietly).

"A green exit code with an empty output set is a failure, not a success"measuring presence is not measuring effect." — Madani Lab, 2026

INTRODUCTION · §1

The problem with green

The operator question that opened this audit was not technical. It was "is the harness actually working, or does it just read the rules and ignore them?" — the suspicion, correct as it turned out, that a large and logically coherent infrastructure had quietly stopped producing the thing it was built to produce. This is the characteristic failure of mature agent harnesses.

An immature setup fails loudly: it crashes, it errors, the operator notices in minutes. A mature setup — cron schedulers, structured logs, exit-code discipline, nightly reflection — fails silently, because the same machinery that does the work also reports the health, and reporting health is the easier half. A loop that returns `exit 0` after doing nothing is indistinguishable, from the dashboard, from a loop that returns `exit 0` after doing everything.

The workspace we audited had, by design, all the right organs: a verbal-RL reflection runner (WSB-11), a Voyager-style skill store (WSB-17), a five-tier memory (WSB-18), an auto-promote decision engine (WSB-19), and a governance layer codifying fifteen hard rules (WSB-15). What it did not have was evidence that any of it changed behavior. The distinction this paper insists on is between three layers of any agentic rule or lesson: injection (the rule reaches the model context), application (behavior actually changes), and closure (the system observes whether application happened and feeds that observation back).

Injection is cheap and provable. Closure is expensive and almost always absent. The space between them is where harnesses go to quietly die.

        BEFORE (open loop · green no-op)              AFTER (closed loop)
   ┌──────────────────────────────────┐      ┌──────────────────────────────────┐
   │  Reflexion measures violations    │      │  Reflexion measures violations    │
   │            │                      │      │            │                      │
   │            ▼                      │      │            ▼                      │
   │   episodic/*.md  (nobody reads)   │      │   violation-radar aggregates      │
   │            ✗ loop ends here       │      │            │                      │
   │                                   │      │            ▼                      │
   │  Dreams EXTRACT → 0 (auth dead)   │      │  top-3 recidive INJECTED every    │
   │  curator → parse-fail → 0         │      │  turn  +  weekly trend at start   │
   │  promote → 0 eligible (frozen)    │      │            │                      │
   │            ✗ exit 0 anyway        │      │            ▼                      │
   └──────────────────────────────────┘      │  behavior delta → measured → fed  │
                                              │  back   (cybernetic closure)      │
                                              └──────────────────────────────────┘

§2 · THE KEYSTONE — AUTHENTICATION THAT FAILS ONLY IN THE DARK. The first loop we traced was Dreams, the nightly pattern-miner that reads session transcripts and proposes memory and skill updates. Its log was the picture of health: `mode: live-claude-cli`, all six stages `ok`, `final_status: ok`.

And every night, __EXTRACT: candidates_count 0. The transcripts existed — 289 `.jsonl` session files, 18 inside the 7-day capture window. We ran EXTRACT by hand, in an interactive shell, against the same three transcripts: it returned 5 candidates__.

The code was correct; the difference was the environment. Run under `env -i` (a stripped environment, the closest faithful simulation of `launchd`), the `claude` CLI answered every prompt with "Not logged in · Please run /login". The subscription credential is stored in the macOS login Keychain under `Claude Code-credentials`; a `launchd` LaunchAgent in a locked or non-GUI session cannot reach it, and it does not inherit the interactive shell PATH (so `~/.local/bin/claude` is not even found — skill-curator's plist, lacking the `EnvironmentVariables.PATH` block its sibling Dreams plist happened to have, crashed outright with `FileNotFoundError: claude`).

One root cause, many symptoms

The same headless-auth failure manifested as Dreams returning zero, skill-curator crashing, and Reflexion's LLM synthesis degrading to its rule-based fallback — three apparently unrelated bugs, one edge.

The fix is the documented headless pattern: generate a long-lived token with `claude setup-token` (the `sk-ant-oat01` form — we verified that the session token `sk-ant-sid02` and the routing JWT `sk-ant-rh` both return `401 Invalid bearer token` and are not substitutes), store it in a `0600` file outside the repository, and load it into `CLAUDE_CODE_OAUTH_TOKEN` from a shared shim imported by every cron runner. We confirmed the fix the way the bug was found: under `env -i`, the runner self-loaded the token, found `claude` on PATH, and EXTRACT returned 5 candidates where it had returned 0. The lesson generalizes past macOS: any harness whose model access depends on an interactive-session artifact (Keychain, browser cookie, shell-exported variable) will work when you test it and fail under cron, and the failure will be silent, because the model's "I can't authenticate" is, to the pipeline, just an empty response.

§3 · MEASUREMENT WITHOUT CLOSURE IS A DISTINCT FAILURE CLASS. With the model reachable, the sharper question was whether the harness's own measurement of its failures did anything. Reflexion runs nightly and scores the session against the codified lessons: a representative night recorded 59 corrections, 11 high-severity, across 3,457 turns, with 3 lessons violated.

The data was excellent. It was also inert. The files accumulated in `12_HARNESS/memory-engine/episodic/` and nothing consumed them; the counts were never aggregated, never re-surfaced, never fed back into the context where the next turn's behavior is decided.

The proof that closure was absent is in the data itself: lesson `L03` was logged 8–10 times per night across multiple nights, accumulating to 39 hits over fourteen days, and an over-engineering anti-pattern carries the literal tag "specchio identico del voice-caller pattern" — the system had noticed it was repeating the same mistake across sessions and the noticing changed nothing.

OBSERVATION

An open measurement loop is more dangerous than no measurement, because it manufactures the appearance of a learning system: the dashboard is full, the files are timestamped, the counts are real — and the behavior is unchanged.

We name this failure class measurement-without-closure: the system can describe its own pathology in precise quantitative detail and is structurally incapable of acting on the description.

§4 · WRITE-ONLY LEARNING AND THE FROZEN TIER. The learning loop had the same shape one layer down. Capture worked: `lessons-learned.md` is 960 lines of real corrections, three Principi Primi, and a documented case table.

But the path from a captured lesson to a graduated one — promoted from descriptive semantic memory into prescriptive procedural memory that ships in every cold-start — was severed. The semantic tier held 49 files at a median of 1 observation and 0.5 confidence: bootstrap defaults nothing ever moved. The promotion tool gates on `observations ≥ 5 ∧ confidence ≥ 0.90`; with every file stuck at `1 / 0.5` it had 0 eligible candidates.

We first lowered the gate to `3 / 0.75` on the operator's instruction — and discovered, honestly, that it changed nothing, because 0 of 49 files cleared even the lower bar: the median was still `1 / 0.5`. The threshold was never the binding constraint. The binding constraint was the absence of a reinforcement signal: no mechanism raised a memory's observation count when its insight recurred.

A memory was born at `1 / 0.5` and died there. Write-only learning is the predictable result — the system accumulates a rich, correct, growing record of what it has learned and is architecturally unable to let that record influence what it does.

§5 · THE GATE THAT REJECTS EVERYTHING. Once Dreams produced real candidates, a third pathology surfaced — one the auth break had hidden. The REVIEW stage passed 0 of 5 well-formed proposals.

The reason was a contract mismatch: PROPOSE always tagged memory deltas `delta_kind: "needs-review"` (correctly meaning "route to the human gate") while REVIEW only passed `delta_kind == "new"` (which PROPOSE never emits), sending every memory proposal to `rejected`. The same family of bug appeared in two other gates: skill-curator's JSON parser handled only output that started with a code fence and `parse-failed` when the model prefaced its review with the prose "Scanning the inventory…" (the fix is a loose extractor that finds the JSON inside prose or fences — a one-function change that took the curator from `parse-fail / 0 actions` to live-claude-cli / 25 actions); and memory-promote's threshold, above.

A gate is only as tested as its input is real

All three gates had been rejecting 100% of their input, and none of the rejections had ever been investigated, because a gate that never receives upstream output produces an empty `_rejected` set that looks exactly like a gate with nothing to reject.

The auth fix did not just restart the loops; it exposed a layer of miscalibration invisible precisely because upstream was dead. The principle: calibration is meaningless until the pipeline carries real load, and a harness assembled stage-by-stage with each stage unit-tested in isolation will still fail end-to-end the first time real data flows, because the stage contracts were never exercised together.

§6 · ADVISORY VERSUS MECHANICAL. The operator's original suspicion — the rules are read but not applied — named a real and sharp distinction. Some rules are mechanical: the global `CLAUDE.md` is loaded into the system prompt by the platform itself, framed as instructions that override defaults; a `UserPromptSubmit` hook re-injects a condensed governance block every single turn.

Neither depends on the model remembering to act — the infrastructure acts — so they hold, and they are the rules the operator observed being respected. Other rules are advisory: text that tells the model to do something — "run the compliance check before significant output", "do skill-discovery first", "parse-check ambiguous input". These depend on voluntary compliance mid-task, which degrades under cognitive load.

The clearest evidence: the pre-output compliance gate had not executed since 2026-05-23 — twenty-six days — not because it was broken, but because it was a sentence in a reminder asking the model to invoke a tool, and the model, in flow, did not.

The fix for "rules read but not applied" is not more rules

Adding the sixteenth hard rule to a system where the first fifteen are injected-but-not-closed adds noise, not adherence — when everything is highlighted, nothing is.

The leverage is the opposite: convert the few rules that matter from advisory to mechanical (let a hook execute them, not the model's memory of them), and replace the generic injected rulebook with the specific delta — the operator's actual recurring violations, computed from data, in front of the model every turn.

§7 · THE THREE-LAYER CLOSURE. The remediation was not a redesign — the architecture was sound — but a closing of three loops open at the point that mattered. Layer one, authentication: a `0600` token file plus a shared runtime shim (`_claude_auth`) every cron runner imports, making model access deterministic and independent of session lock-state. Layer two, learning: a reinforcement tool (`_memory_reinforce`) wired into Dreams' PROPOSE stage so that when an extracted insight matches an existing memory (token-overlap above a 0.45 coefficient), the existing file is strengthened (`observations += 1`, `confidence += 0.1` capped at 0.95) rather than duplicated — and only genuinely new insights are routed to the human gate. Layer three, governance: a violation radar (`violation-radar`) that aggregates the counts Reflexion already computes into the operator's top recurring violations, injected unconditionally every turn, plus a weekly trend at session start. The architectural claim is that these three are the minimum closure for a self-improving harness: a loop that cannot authenticate produces nothing, a loop that cannot reinforce learns write-only, and a loop that cannot feed its own measurement forward governs in the dark.

Each layer is independently small — a shim, a tool, a radar — and the system already produced every input each one needed. What was missing was the wire back.

§8 · THE REINFORCEMENT LOOP, IN DETAIL. The learning closure deserves to be concrete, because it is the part most often hand-waved. The signal for "this insight is worth strengthening" is cross-session recurrence — exactly what Dreams already extracts, since the same pattern surfacing in a new session is a re-observation.

So reinforcement hooks into PROPOSE: for each memory candidate, match against the target tier by token overlap; on a match, strengthen the existing memory in place; on no match, propose a new file for human review. The arithmetic is deliberate — starting at the `0.5 / 1` bootstrap, three reinforcements reach `0.8 confidence / 4 observations`, clearing the `0.75 / 3` promotion bar, so three cross-session recurrences graduate a semantic insight into a procedural rule, while one-off observations that never recur stay frozen, which is correct: they should not graduate. We verified the loop end-to-end on real data: the `L03` pattern matched an existing procedural memory and was reinforced from 1→3 observations and 0.5→0.7 confidence across runs, one recurrence short of graduation; Dreams' REVIEW, post-fix, passed 5 of 5 and routed 4 new patterns to the pending-approval gate that had previously vanished.

The closure is honest about its limits: graduation accrues as insights recur, not all at once, and the human gate remains for genuinely new memory — the loop strengthens what recurs and escalates what is novel, the correct division of labor between a machine and its operator (the same inversion argued in WSB-19).

§9 · THE GOVERNANCE RADAR. The governance closure attacks the operator's core complaint directly. The existing turn-level injection re-served the static rulebook — fifteen hard rules, the same every turn, generic.

The radar serves the delta: it parses the violation counts Reflexion writes (`### L03 · N hit(s)`), aggregates them across the recent window with a gloss pulled from the lessons table, and injects the operator's top three actual recurring violations every turn — "L03 ×23 · self-application metric; L10 ×2 · implement the operator's technical concept immediately; over-engineering ×2" — unconditionally, not gated on whether the current prompt's tokens happen to match (the prior `pattern_warns` mechanism was query-conditional and caught only `this-session-*` tags, missing the structural `L0x` recurrences entirely). At session start, the operator sees the trend: W22:178 → W23:68 → W24:31 → W25:14, declining.

The trend is the artifact that answers "is it learning?"

Before the radar, that question could be answered only by feel; after it, it is a number the operator reads at every session start without asking.

We deliberately did not resurrect the weak heuristic compliance gate (it scored output by keyword-presence against mission terms — a noisy proxy); the honest move was to let the radar, fed by measured violations, supersede a check fed by guesses, rather than restart noise for the sake of a green light.

§10 · WHY NOBODY SAW IT. The structural reason the inertia survived for weeks is that every observability surface confirmed health. `launchctl list` showed the jobs loaded. The logs showed `exit 0`.

The reflection files appeared on schedule. The memory directories had recently-timestamped files — from `last_updated` bumps that did not reflect genuine updates (__26 skills shared one identical `last_updated` date__, the fingerprint of a bulk timestamp operation, not real activity). Each surface measured presence, and presence is not effect.

The only surface that would have revealed the truth — a measure of whether the LLM-dependent loops produced non-empty, applied output — did not exist, because building "did this produce a real effect" is harder than building "did this run", and the harder half gets skipped. This is the built-to-look-alive failure class: a system elaborate enough that "it exists" is continuously mistaken for "it works", and the elaboration itself hides the gap. The defense is a single adversarial question asked of every subsystem — not "did it run" but "did it change something measurable" — and the discipline to treat a green `exit 0` with an empty output set as a failure, not a success.

§11 · WHAT IT BUYS AT SCALE. The result is not that the harness is now perfect; it is that the harness is now legible. The three closures convert a system the operator had to interrogate manually into one that reports its own efficacy: authentication is deterministic, learning graduates on recurrence, governance surfaces the behavioral delta and its trend.

For a single operator running one workspace, this is the difference between babysitting and delegating. At portfolio scale — many workspaces, many operators — the lesson is sharper: diagnostic infrastructure has near-zero value without a closure layer, and the closure layer is cheap relative to the diagnostics it activates. A workspace that surfaces fifty proposals a night and applies none is, behaviorally, indistinguishable from one that surfaces none (WSB-19); a harness that measures every violation and feeds none back is indistinguishable from one that measures nothing.

The capital-efficient move, for anyone building or buying agent infrastructure, is to audit the closure layer first — to ask not "what does it monitor?" but "what does the monitoring change?" — because that is the layer that is almost always missing and almost never on the spec sheet.

§12 · HOW TO START. The closure reproduces without our specific subsystem code. 1. Audit for green no-ops: for every cron-driven LLM loop, check the output, not the exit code — an `ok` status with an empty result set is the signal. 2. Test model access under the real cron environment (`env -i` is the faithful simulation), not the interactive shell; if it fails, provision a long-lived token to a `0600` file and load it from a shared shim. 3. Find your gates and verify each has ever passed real input — a `_rejected` set that is empty or total is the tell. 4. Add one reinforcement signal: when an insight recurs, strengthen the existing memory instead of duplicating, with arithmetic that graduates on a small number of recurrences. 5. Replace the generic injected rulebook with the delta — the operator's measured recurring violations, every turn — and surface the weekly trend where the operator already looks. 6. Adopt the adversarial question as standing policy: for every subsystem, "did it change something measurable", and treat green-with-empty-output as a defect. The order matters: authentication first (nothing downstream works without it), then learning, then governance.

LIMITATIONS · §13

What this study is not

(1) n = 1 workspace, 7-day window. The before/after numbers come from the Madani reference workspace over a single week; the shapes (green no-op, write-only learning, advisory drift) we argue generalize, but the specific counts are workspace-specific and the post-fix window is short — graduation of a semantic insight to procedural had not yet completed at time of writing (one recurrence short), and we do not yet have a 30-day measurement of the radar's effect on the violation trend versus its natural variance. (2) Platform-specific keystone. The Keychain-under-`launchd` failure is macOS-specific in its mechanics; the class (model access bound to an interactive-session artifact) generalizes, but the exact remedy differs per platform and provider. (3) The reinforcement matcher is lexical.

Token-overlap at a 0.45 coefficient is an MVP; it will miss insights that recur in different vocabulary and could over-merge superficially similar but distinct patterns — an embedding-based matcher is the obvious upgrade and is not yet built. (4) The trend is correlational. A declining violation count is consistent with the system learning and with lighter activity in the measured weeks; we surface it as a signal to watch, not yet as proof of causation. (5) No adversarial test of the closures themselves. A poisoned session transcript could in principle craft an insight designed to reinforce a harmful memory past the gate; the human-approval step on new memory is the operational defense, but we have not red-teamed the reinforcement path.

CONCLUSIONS · §14

From green to closed

The workspace that opened this audit was not under-built; it was open at three loops that every status surface reported as closed. The deepest lesson is that the dominant failure mode of mature agent infrastructure is neither the crash nor the wrong answer but the silent green no-op — and that the instrumentation which makes a harness feel trustworthy is exactly what hides the gap, because measuring presence is easy and measuring effect is not. Authentication was the keystone: a single headless-auth edge had starved every LLM-dependent loop for weeks, and fixing it both restarted the loops and exposed a layer of gate miscalibration invisible while the pipeline carried no load.

Learning was write-only until a reinforcement signal let recurrence graduate insight into rule. Governance was injected-but-open until the system fed its own measured violations — and their trend — back into the context where behavior is decided. None of the three closures was large; the architecture already produced every input each one needed.

What was missing, in all three, was the wire back — the cybernetic return path that turns a monitoring dashboard into a closed loop. The reference for what closed looks like is the 2026-06-19 state of the Madani workspace: Dreams EXTRACT 0 → 5, REVIEW 0/5 → 5/5, a procedural memory reinforced 1 → 3 observations, ten dead skills archived, the compliance theater retired in favor of a radar fed by real data, and a violation trend the operator reads at W22:178 → W25:14 without having to ask whether the system is learning. The harness now does three things it could not do a week earlier: it authenticates, it learns, and it governs with a signal the operator can see. Exit 0 is not working — and the gap between them is the most important thing a self-improving harness can be built to measure.

References

  1. [1]
    Shinn N., Cassano F., Berman E., Gopinath A., Narasimhan K. & Yao S. (2023), Reflexion: Language Agents with Verbal Reinforcement Learning, NeurIPS 2023, arXiv:2303.11366. open ↗
  2. [2]
    Wang G., Xie Y., Jiang Y., Mandlekar A., Xiao C., Zhu Y., Fan L. & Anandkumar A. (2023), Voyager: An Open-Ended Embodied Agent with Large Language Models, arXiv:2305.16291. open ↗
  3. [3]
    Park J.S., O'Brien J., Cai C.J., Morris M.R., Liang P. & Bernstein M.S. (2023), Generative Agents: Interactive Simulacra of Human Behavior, UIST 2023, arXiv:2304.03442. open ↗
  4. [4]
    Wang C. & Shu Y. (2026), MetaCogAgent: Prospective Metacognition for Large Language Model Agents, arXiv:2605.17292. open ↗
  5. [5]
    Tran D. & Kiela D. (2026), Single-Agent LLMs Outperform Multi-Agent Systems on Multi-Hop Reasoning Under Equal Thinking Token Budgets, Stanford NLP, arXiv:2604.02460. open ↗
  6. [6]
    Cemri M. et al. (2025), Why Do Multi-Agent LLM Systems Fail? (MAST), arXiv:2503.13657. open ↗
  7. [7]
    Wiener N. (1948), Cybernetics: Or Control and Communication in the Animal and the Machine, MIT Press (the feedback-closure / return-path argument).
  8. [8]
    Anthropic (2025), Claude Code Headless Operation and Long-Lived OAuth Tokens (`claude setup-token`), Engineering Documentation.
  9. [9]
    Madani Lab (2026), Workspace Agentic Benchmark · WSB-11 Verbal Reinforcement Learning for Long-Lived Agents, [[WSB-11]].
  10. [10]
    Madani Lab (2026), Workspace Agentic Benchmark · WSB-15 Governance and Hard Rules, [[WSB-15]].
  11. [11]
    Madani Lab (2026), Workspace Agentic Benchmark · WSB-18 The Five-Tier Memory Architecture, [[WSB-18]].
  12. [12]
    Madani Lab (2026), Workspace Agentic Benchmark · WSB-19 The Auto-Promote Decision Engine, [[WSB-19]].
  13. [13]
    Madani Lab (2026), Lessons Learned · 3 Principi Primi v2.0, `12_HARNESS/operativo/lessons-learned.md` (internal reference).
  14. [14]
    Madani Lab (2026), violation-radar · governance closure tool, `11_TOOLS/violation-radar.py` (internal reference, scheduled MIT release).
  15. [15]
    Cognition Labs (2025), Don't Build Multi-Agents, cognition.ai blog (operator-approval inversion).
← back to all papersMadani Lab · WAB v0.3.4