Coding-agent teams introduce hooks, smoke tests, and stop conditions after production misfires

• Practitioners are moving agent behavior out of prompts and into the harness: one detailed Claude Code setup encodes commands, skills, subagents, workflows, and hooks in .claude/, while one MCP builder's writeup says verbose tool descriptions, CLAUDE.md, and a real smoke test did more than handler code.
• The loudest cautionary example is still PocketOS: according to the main HN incident post, an agent deleted a production database and its backups in nine seconds, while the HN core summary says engineers treated the failure as an access-control and blast-radius problem, not a prompt-quality problem.
• Verification is getting more explicit. In meliwat's MCP server lessons, "done" means a script proves output, while a Cursor debugging thread frames the new skill gap as understanding and debugging generated systems, not producing more code.
• Vendors are shipping the same controls at product level: ClaudeCodeLog's 2.1.166 thread highlighted fallback models, deny-rule globs, and hardened cross-session messaging, LangChain's sandbox post pointed to isolated execution environments, and cryps1s' Lockdown Mode post described outbound-network restrictions aimed at prompt-injection exfiltration.

You can read Anthropic's hooks reference, check the v2.1.166 Claude Code release, skim LangChain's Sandboxes GA post and Auth Proxy writeup, and compare that with OpenAI's Lockdown Mode announcement. Anthropic's own Claude Code overview now treats CLAUDE.md, skills, and hooks as first-class customization surfaces, which is exactly where practitioners are piling their guardrails.

Anthropic's hooks docs split hook events into session, turn, and per-tool-call cadences. The interesting bit is not the taxonomy, it is that the harness can inspect JSON context, take action, and block or modify behavior before the model talks its way around a rule.

In SIGH_I_CALL's setup dump, the reusable stack breaks into five layers:

1. Slash commands for named workflows like /memory-self-review and repo-wide cleanup passes.
2. Skills for auto-invoked workflows with bundled docs and sub-skills.
3. Model-tiered subagents, with Haiku on gate-running, Sonnet on drift audits, and Opus on security review.
4. Deterministic workflows that fan out tasks, triage failures, then integrate green diffs.
5. Hooks that run on PreToolUse, PostToolUse, Stop, UserPromptSubmit, and SessionStart.

The hook list is more concrete than most agent-safety manifestos. That setup post uses pre-tool guards to block repeated loops and secret writes, post-tool hooks to record governed calls and track session cost, and session-start hooks to inject codebase maps. Anthropic's hooks guide describes the same pattern more blandly: enforce project rules, automate repetitive tasks, and stop relying on the model to remember.

In meliwat's post about shipping an MCP server, the sharpest claim is that tool descriptions ended up 5 to 10 times longer than the handlers. The three lessons are simple:

• Tool descriptions are the product, because the model only behaves as well as the prose tells it to.
• "Done" needs a hard gate in CLAUDE.md plus a smoke script that checks real output.
• Production-specific footguns need to go back into CLAUDE.md, or the agent will rediscover them.

A Cursor thread about building faster than debugging pushed the same idea from the other side. The post says code generation is close to effortless, but understanding generated systems is not. One top reply in that same thread turned debugging into a required artifact list: expected-behavior test, failure reproduction, small diff, exact commands run, explanation for the fix, and a stop condition if the agent drifts into unrelated files or invented state.

PocketOS is the story everybody references because the failure mode is brutally legible. The HN incident summary says an agent found an overly broad Railway token in the codebase, deleted the production volume, and took the backups with it because the backups lived in the same volume.

The HN follow-on discussion converged faster than a lot of vendor safety pages. According to the discussion summary, the recurring fixes were:

• scoped tokens and least-privilege IAM,
• backup isolation across accounts or storage boundaries,
• permission gateways in front of third-party services,
• read-only database interfaces for agent access.

The HN core takeaway compresses that into one sentence: agent safety here is an access-control and blast-radius problem. Newer community posts are starting from the same premise. One AI_Agents thread complains that incidents usually come from loops, missing cost controls, and missing traceability, while one Spring AI MCP proxy post proposes a policy-aware proxy that inspects tool calls, applies policies, supports human approval, traces workflows, and blocks unsafe actions before execution. A deterministic-FSM runtime post goes further and argues that the model should be a bounded compute unit inside a governed runtime, not the thing that owns orchestration.

The product surface is catching up with the community's paranoia. LangChain's Sandboxes GA post says each sandbox runs in a hardware-virtualized microVM, with snapshots, copy-on-write forks, pre-warmed blueprints, service URLs, a CLI, and an Auth Proxy. LangChain's Auth Proxy writeup is even more revealing: credentials stay outside the sandbox, and network policy is enforced on the outbound path rather than via secrets stuffed into env vars.

OpenAI is shipping the same instinct at the UI layer. The June 4 Lockdown Mode update says the feature is rolling out to personal and self-serve Business accounts, and it can disable live web access, Deep Research, Agent Mode, live connectors, and file downloads for higher-risk users. the tripwires feature post points at a code-level variant of the same idea, flagging sensitive files so agent edits trigger extra scrutiny.

Claude Code's own release cadence shows similar hardening. LLMpsycho's 2.1.165 note and ClaudeCodeLog's 2.1.167 thread were mostly bug-fix releases, but the 2.1.166 changelog thread added up to three fallbackModel options, glob patterns in deny rules, hardened cross-session messaging so relayed permission requests lose user authority, and ways to disable default-model thinking to cut tokens and latency. The official v2.1.166 release notes read like a small maintenance update. Read next to this week's operator posts, they look more like the harness growing teeth.