Hashimoto coined the term in Feb 2026. OpenAI institutionalized it. Fowler formalized it. We ship it to production with the 3 layers the pure pattern omits: 10-category DLP scrubber, dual-rail audit trail, and output guards across 9 compliance frameworks.
Baseline is the multi-runtime harness (14+ runtimes). GlassPlane is the control plane (18 live compliance dimensions). We use it for our own factory. We license it so you can use it too.
Traditional dev shops don't know how to build with autonomous agents.
AI governance vendors (Credo AI, Holistic AI, Fiddler) charge enterprise pricing for the dashboard alone, and you still need someone to actually build the software.
We do both.
Hashimoto, OpenAI, and Fowler defined harness engineering as the tooling that steers AI agents toward specific objectives via infrastructure. But the pure pattern is productivity-only: it omits governance, DLP, and compliance. OSSFIA ships it with the 3 layers regulated industries actually need.
CLAUDE.md + AGENTS.md + skills + rules + progressive disclosure. What the agent can't see doesn't exist.
Linters, hooks, dependency layers mechanically enforced. Unidirectional layers (Types → Config → Repo → Service → Runtime → UI).
Periodic agents validate docs vs code, remove dead code, detect drift. The repository = single source of truth.
The nxcode 'Harness Engineering Complete Guide 2026' article is an excellent "Harness Engineering 101". OSSFIA is the full graduate program for regulated industries.
10 formal categories with absolute BLOCK (CDI / JDI / SEC / BIO) + automatic REDACT (PII / PHI / PFI / HRI) + auditable WARN (AUD / IPR). Applied at runtime, before the prompt reaches any external model.
Canonical schema work_agent_executions.sql plus actor_origen and actor_id columns on operational tables. Feeds GlassPlane dimension 17, work_automation_ratio.
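What "dual-rail" means in practice: one canonical log of agent executions, and an actor stamp on every operational row so the two can be joined. The following is an added example, not the OSSFIA work_agent_executions.sql schema. The page names the table and the actor_origen / actor_id columns; every other column, the `orders` table and the inserted rows are assumptions constructed here, and SQLite is used so it runs stand-alone.

```python
"""Dual-rail audit trail: agent-execution log + actor columns on operational
tables, and the automation ratio derived from them.

Added example, not OSSFIA's schema. Only the table name work_agent_executions
and the columns actor_origen / actor_id come from the page; the rest is assumed.
"""
import sqlite3
import uuid

SCHEMA = """
CREATE TABLE work_agent_executions (
    execution_id TEXT PRIMARY KEY,
    runtime      TEXT NOT NULL,                 -- which agent runtime ran the task
    agent_id     TEXT NOT NULL,
    task         TEXT NOT NULL,
    started_at   TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP,
    outcome      TEXT NOT NULL CHECK (outcome IN ('ok', 'blocked', 'error'))
);
-- Second rail: every operational row records who wrote it and, for agents,
-- which execution did so. FK + CHECK keep the two rails reconcilable.
CREATE TABLE orders (
    order_id     INTEGER PRIMARY KEY,
    customer     TEXT NOT NULL,
    amount       REAL NOT NULL,
    actor_origen TEXT NOT NULL CHECK (actor_origen IN ('human', 'agent')),
    actor_id     TEXT NOT NULL,
    execution_id TEXT REFERENCES work_agent_executions(execution_id),
    CHECK (actor_origen = 'human' OR execution_id IS NOT NULL)
);
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")   # SQLite does not enforce FKs by default
    conn.executescript(SCHEMA)
    return conn


def record_execution(conn, runtime, agent_id, task, outcome="ok") -> str:
    execution_id = str(uuid.uuid4())
    conn.execute(
        "INSERT INTO work_agent_executions (execution_id, runtime, agent_id, task, outcome) "
        "VALUES (?, ?, ?, ?, ?)",
        (execution_id, runtime, agent_id, task, outcome),
    )
    return execution_id


def insert_order(conn, customer, amount, actor_origen, actor_id, execution_id=None):
    conn.execute(
        "INSERT INTO orders (customer, amount, actor_origen, actor_id, execution_id) "
        "VALUES (?, ?, ?, ?, ?)",
        (customer, amount, actor_origen, actor_id, execution_id),
    )


def work_automation_ratio(conn) -> float:
    """Share of operational rows written by agents (the page's GlassPlane dim 17)."""
    agent_rows, total = conn.execute(
        "SELECT SUM(actor_origen = 'agent'), COUNT(*) FROM orders"
    ).fetchone()
    return (agent_rows or 0) / total if total else 0.0


def reconcile(conn) -> list:
    """Join both rails: each agent-written order with the execution that produced it."""
    return conn.execute(
        "SELECT o.order_id, e.runtime, e.agent_id, e.task "
        "FROM orders o JOIN work_agent_executions e USING (execution_id) "
        "ORDER BY o.order_id"
    ).fetchall()


def demo() -> dict:
    conn = open_db()
    eid = record_execution(conn, "claude-code", "fab-01", "backfill Q1 orders")
    insert_order(conn, "acme", 120.0, "human", "u:alice")
    insert_order(conn, "globex", 80.0, "agent", "fab-01", eid)
    insert_order(conn, "initech", 45.5, "agent", "fab-01", eid)

    # An agent write with no execution row violates the CHECK; one pointing at an
    # unknown execution violates the FK. Both must fail loudly, not pass silently.
    rejected = 0
    for bad_eid in (None, "not-a-real-execution"):
        try:
            insert_order(conn, "hooli", 1.0, "agent", "fab-01", bad_eid)
        except sqlite3.IntegrityError:
            rejected += 1

    return {
        "work_automation_ratio": work_automation_ratio(conn),
        "agent_rows_reconciled": len(reconcile(conn)),
        "orphan_agent_writes_rejected": rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The constraint that matters for an auditor is the last CHECK: an agent cannot write an operational row that does not point at a logged execution, so the ratio and the reconciliation query are computed over the same population.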
AURA 4 levels + scoring against 9 simultaneous frameworks: NIST CSF 2.0 (93%), AI RMF (93%), SSDF (95%), GenAI (80%), EU AI Act, NIS2, ISO 42001, SOC 2 + LATAM packs.
OSSFIA total: additive brownfield in ~1 day with everything included. Saves 12-24 months of engineering plus the cost of not having it when EU AI Act enforcement hits (Aug 2 2026).
Scope-based quote. Book a 30-min diagnostic call and we'll review your project.
| Capability | Pure Harness Engineering (DIY) | OSSFIA |
|---|---|---|
| Time to ship governance harness | 6-12 dedicated months | ~1 day brownfield |
| Multi-runtime support | Lock-in | 14+ runtimes |
| DLP scrubber | DIY | 10 categories + 20 tests/cat |
| Dual-rail audit trail | DIY | work_agent_executions schema |
| Compliance frameworks | 0-1 | 9 cross-mapped |
| CVE freshness | hardcoded | OSV.dev 24h refresh |
| LATAM regulatory | invisible | Law 1581, RIPS, SFC, SNIES, LGPD |
| Time-to-value vs cost | 12-24 engineering months | ~1 day brownfield + retainer |
Full battlecard with 14 capabilities + 6 objections + 5 closing tactics: framework/reference/marketing/battlecards/BATTLECARD_vs_Pure_Harness_Engineering.md in the public repo.
10 phases, 3 macro-stages, formal gates with automated enforcement. Replaces the traditional SDLC for development with autonomous agents.
Strategy, domain, knowledge, architecture. Decide what to build and under what regulatory constraints.
Contracts, AI-assisted build, TEVV (test + eval + verify + validate), security & compliance.
Deploy, continuous operation with GenOps, metrics, and evolution based on real telemetry.
You choose the autonomy level. We give you the same Baseline + GlassPlane underneath. No tier or feature gating on compliance: the regulatory evidence is the same regardless of how you contract us.
Your team builds; we are the harness and sparring partner. We install Baseline in your repo, configure GlassPlane for your portfolio, train your devs with our 17 specialized subagents, and gradually remove the scaffolding as your team matures.
We build; you receive product + evidence. You hand off an intent (business problem + constraints), our FABs (FullStack Agent Builders) execute the ADLC F01-F10 autonomously, and we deliver release + GlassPlane scorecard + signed AIBOM/SBOM every month.
Same Baseline harness. Same GlassPlane. Same 18 compliance dimensions. Same regulatory evidence. The difference is who writes the code, your team or ours, not how rigorous the governance is.
Underwriting platform that continuously measures the NIST AI RMF + MITRE ATLAS posture of your insureds, via API, with 30-day refresh. You keep the underwriting; we give you the objective evidence underneath.
Your insured implements OSSFIA on their side (Bet 2). You access the scorecard via API with OAuth consent (Bet 1). Same baseline + GlassPlane underneath. Validated B2B2B chain.
Targets: LATAM Q3 2026 · 3-phase pilot (setup → operational → scale) · scope-based quote per carrier engagement
GlassPlane is the private dashboard we give every customer. It scans your project against 18 compliance dimensions in real time. Your team sees the score; your auditors see the evidence.
You're free to see even our weaknesses. This portfolio shows real scores: EU AI Act 96, but Gates 48. That's how we work: no black boxes. Your auditors can validate the evidence directly.
We don't just measure your software. We execute it every 6 hours with AI agents that walk through critical flows like real users, and we archive the recordings as auditable evidence for your regulators.
DOM + mouse + keyboard + network for every execution, encrypted in R2 with 365-day retention. Meets ISO 42001 Annex B and EU AI Act Art. 72.
We validate that your AI chat (AURA or others) responds correctly against golden datasets, scored by meaning rather than by string match.
We simulate doctor_senior, patient_65+, admin_compliance and accountant personas, and report real friction per persona.
Critical flows that fail alert your team's webhook within 30 minutes at most, with automatic 3-level escalation if nobody acknowledges.
Static compliance dashboards. They measure artifacts, not live behavior. Enterprise pricing.
They build software, but without auditable regulatory evidence. When the regulator shows up, you're the one assembling the report.
Both: we build + monitor + give you signed evidence every month. Included in retainer.
Implemented on Cloudflare Browser Run (GA 2026-04-15). Available automatically for Growth and Enterprise tier customers. No additional charge on top of the monthly retainer.
When we deliver a sprint, it ships with scoring against all 9 frameworks at once: NIST CSF 2.0, NIST AI RMF, SSDF, the GenAI Profile, EU AI Act, NIS2, ISO 42001, SOC 2, and the native LATAM packs. No separate "compliance consulting" services, no rework, no surprises for your auditor.
Auditable against CSF 2.0 (CSWP 29, Feb 2024), AI RMF 1.0 (AI 100-1), GenAI Profile (AI 600-1), SSDF v1.1 (SP 800-218 + 218A), SP 800-53r5
Same Baseline, same GlassPlane, same sprint: scoring against all of them simultaneously.
Article 14 (human oversight), Annex IV technical doc, conformity assessment. Pack + battlecard.
Article 21: 10 cyber risk measures. 18 EU critical sectors. ~90% mapping with NIST CSF 2.0. Up to €10M / 2% revenue.
Annex A controls, automatic evidence collector script, mapping to SOC 2 CC + assisted audit.
Trust Service Criteria CC1-CC9, existing evidence collector, cross-mapping with ISO 42001.
If you're an IPS in Colombia, an SFC-regulated cooperative, a public higher-ed institution, or an equivalent regulated sector (critical manufacturing, telco, energy LATAM), we start in ~1 day with additive brownfield. If your sector ISN'T covered but has similar regulation, we build a tailored pack in 4-8 weeks and it stays as reference.
NIS2 Article 21 (10 cyber risk management measures) has ~90% overlap with NIST CSF 2.0. We build it once, report in both formats.
| NIS2 Article 21 measure | NIST CSF 2.0 function | OSSFIA |
|---|---|---|
| a) Risk analysis & info system security policies | GOVERN (GV.RM, GV.PO) | ✓ |
| b) Incident handling | RESPOND + RECOVER | ✓ |
| c) Business continuity & backup mgmt | RECOVER (RC.RP, RC.CO) | ✓ |
| d) Supply chain security | GOVERN (GV.SC) + AIBOM/SBOM | ✓ |
| e) Vulnerability handling & disclosure | IDENTIFY (ID.RA-01, ID.RA-08) + PROTECT (PR.PS) + SECURITY.md | ✓ |
| f) Cybersecurity assessment policies | DETECT (DE.CM) + audits | ✓ |
| g) Cyber hygiene + training | PROTECT (PR.AT) | ✓ |
| h) Cryptography + encryption | PROTECT (PR.DS) | ✓ |
| i) Human resources security & access | GOVERN (GV.RR-04) + IDENTIFY (ID.AM) + PROTECT (PR.AA) | ✓ |
| j) MFA, secure comms, emergency comms | PROTECT (PR.AA, PR.PS) | ✓ |
Applicable to essential entities (energy, healthcare, transport, banking, digital infra, government) and important entities (critical manufacturing, food, waste, postal). Penalties up to €10M or 2% global revenue.
Every prompt to an external LLM is filtered against these 10 categories. Absolute BLOCK, automatic REDACT, auditable WARN.
Native Habeas Data (Colombia Law 1581) · GDPR Art. 9 · HIPAA Safe Harbor · ADR-FRAMEWORK-010 dogfooded
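The BLOCK / REDACT / WARN semantics described here and in the DLP layer above are simple to get wrong (a blocked category must refuse the whole prompt, not be redacted around). The following is an added example, not the OSSFIA scrubber: it implements the three actions for four of the ten categories. The detector patterns, the meaning assigned to each code (SEC = credentials, PFI = payment data, PII = contact identifiers, AUD = audit-sensitive wording) and the sample prompts are all assumptions constructed for this example.

```python
"""Runtime DLP scrubber for prompts bound for an external LLM.

Added example, not OSSFIA's scrubber. Implements absolute BLOCK, automatic
REDACT and auditable WARN for four assumed categories. Patterns and category
meanings are illustrative assumptions, not the page's definitions.
"""
import re
from dataclasses import dataclass, field


class PromptBlocked(Exception):
    """Raised on any BLOCK-category hit; nothing is sent upstream."""


@dataclass
class Finding:
    category: str
    action: str
    snippet: str


@dataclass
class ScrubResult:
    text: str                              # what may be sent to the external model
    findings: list = field(default_factory=list)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum so a 16-digit ticket number is not mistaken for a card."""
    total, double = 0, False
    for ch in reversed(digits):
        d = int(ch)
        if double:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
        double = not double
    return total % 10 == 0


# (category, action, pattern, optional validator applied to the raw match)
RULES = [
    ("SEC", "BLOCK",
     re.compile(r"\b(?:AKIA[0-9A-Z]{16}|sk-[A-Za-z0-9]{20,})\b|-----BEGIN [A-Z ]*PRIVATE KEY-----"),
     None),
    ("PFI", "REDACT",
     re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
     lambda hit: luhn_ok(re.sub(r"\D", "", hit))),
    ("PII", "REDACT",
     re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
     None),
    ("AUD", "WARN",
     re.compile(r"\b(?:audit finding|regulator|sanction)\b", re.IGNORECASE),
     None),
]


def scrub(prompt: str) -> ScrubResult:
    """Collect every hit first, then apply BLOCK > REDACT > WARN."""
    findings = []
    for category, action, pattern, validate in RULES:
        for m in pattern.finditer(prompt):
            hit = m.group(0)
            if validate is not None and not validate(hit):
                continue
            findings.append(Finding(category, action, hit))

    # BLOCK is absolute: refuse the whole prompt rather than redact around it.
    blocked = sorted({f.category for f in findings if f.action == "BLOCK"})
    if blocked:
        raise PromptBlocked(", ".join(blocked))

    text = prompt
    for f in findings:
        if f.action == "REDACT":
            text = text.replace(f.snippet, f"[{f.category}_REDACTED]")
    return ScrubResult(text=text, findings=findings)


def gate(prompt: str) -> dict:
    """Turn the decision into an audit record that never carries the raw hit."""
    try:
        res = scrub(prompt)
    except PromptBlocked as exc:
        return {"decision": "BLOCK", "categories": str(exc).split(", "), "sent_text": None}
    return {
        "decision": "SEND",
        "categories": sorted({f.category for f in res.findings}),
        "warnings": sorted({f.category for f in res.findings if f.action == "WARN"}),
        "sent_text": res.text,
    }


# Constructed sample prompts. The AKIA value is the placeholder key from AWS documentation.
SAMPLE_OK = ("Summarize the onboarding ticket for alice@example.com; card on file "
             "4111 1111 1111 1111. The regulator asked for the SLA.")
SAMPLE_BLOCKED = "Use deploy key AKIAIOSFODNN7EXAMPLE to run the nightly job."

if __name__ == "__main__":
    for p in (SAMPLE_OK, SAMPLE_BLOCKED):
        print(gate(p))
```

The audit record stores categories and the redacted text, never the matched secret or card number; that is what makes a WARN "auditable" without turning the audit log into a second leak. The page's 20 tests per category corresponds to the kind of fixture set each RULES entry needs: true positives, near-misses like a Luhn-invalid digit run, and formatting variants.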
OSSFIA is XCloud Solutions' proprietary methodology. We use it to build our own software, on third-party engagements, and for co-creation with clients (always under contract). Every engagement is scoped individually; we don't publish rates because every case is different.
Your team and ours build together. You pay for the harness + sparring; the code and the harness stay in your repo.
We build, you receive product + monthly regulatory evidence. Outcome-based model + GlassPlane score gates in the contract.
For carriers that need to measure NIST AI RMF / MITRE ATLAS compliance of their insureds (B2B2B).
OSSFIA is proprietary. Available only under contract. It is not open source and is not licensed individually β it is the methodology we use to build.
We don't compete with Cursor / Copilot / Codex (we use them as runtimes). Nor with DIY harness engineering (we applaud it but add the 3 layers). 16-capability table, 6 columns, including the "Pure Harness Engineering" route that sells 6-12 months of engineer time.
| Capability | Cursor | GitHub Copilot | MS AI Toolkit | Devin / Factory | Pure HE (DIY) | OSSFIA |
|---|---|---|---|---|---|---|
| Code generation | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ via 14+ runtimes |
| Multi-runtime governance | ✗ | ✗ | partial | lock-in | DIY | ✓ 14+ runtimes |
| ADLC / 10-phase lifecycle | ✗ | ✗ | ✗ | 3 phases | ✗ | ✓ F00-F10 |
| EU AI Act evidence auto | ✗ | ✗ | templates | ✗ | ✗ | ✓ Art 14 + Annex IV |
| NIS2 Directive EU (Art 21) | ✗ | ✗ | ✗ | ✗ | ✗ | ✓ 10 risk measures |
| NIST CSF 2.0 + AI RMF | ✗ | ✗ | ~40% | ✗ | ✗ | 93% / 93% |
| 10-category DLP scrubber | ✗ | basic PII | basic PII | ✗ | DIY 6-12m | ✓ CDI/JDI/PHI/PFI/BIO+ |
| Dual-rail audit trail | ✗ | ✗ | ✗ | ✗ | DIY 3-6m | ✓ work_agent_executions |
| Native LATAM regulatory | ✗ | ✗ | ✗ | ✗ | invisible | ✓ 1581/1995/SFC/SNIES |
| Live compliance dashboard | ✗ | ✗ | excel exports | ✗ | DIY dashboards | ✓ GlassPlane 18-dim |
| Continuous Conformity (6h) | ✗ | ✗ | ✗ | ✗ | ✗ | ✓ unique in LATAM |
| Loop detection + drift | ✗ | ✗ | ✗ | ✗ | DIY hooks | ✓ pre_tool_use + daily-drift |
| Signed AIBOM + SBOM | ✗ | ✗ | SBOM only | ✗ | ✗ | ✓ cosign + SLSA |
| CVE freshness (MCP packages) | ✗ | ✗ | manual | ✗ | hardcoded | ✓ OSV.dev 24h refresh |
| Time to ship governance | N/A (tool) | N/A (tool) | 2-4 weeks M365 | N/A | 6-12 months DIY | ~1 day brownfield |
| Sovereign on-prem | SaaS only | SaaS only | Azure only | SaaS only | DIY | ✓ deploy anywhere |
| Commercial model | per developer | per developer | M365 license | per developer | 3-5 internal engineers | scope-based retainer |
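The "Loop detection + drift" row above names a pre_tool_use hook. The following is an added example of the loop-detection half, not OSSFIA's hook: it fingerprints each tool call and blocks once the same call recurs `threshold` times within the last `window` calls. The event shape (a JSON object with `tool_name` and `tool_input`), the state-file location and the "exit code 2 blocks the call" convention are assumptions modelled on how PreToolUse hooks behave in Claude Code; adapt them to whichever runtime you harness. Sample events are constructed.

```python
"""pre_tool_use loop detector for an agent harness.

Added example, not OSSFIA's hook. Assumptions: the runtime sends one JSON event
per call on stdin with "tool_name" and "tool_input", and a non-zero exit code 2
blocks the call and feeds stderr back to the agent (Claude Code-style convention).
"""
import hashlib
import json
import os
import sys
from collections import deque


def fingerprint(tool_name: str, tool_input) -> str:
    """Canonical hash of the call so key order or whitespace cannot evade detection."""
    canon = json.dumps({"t": tool_name, "i": tool_input}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()[:16]


class LoopDetector:
    def __init__(self, window: int = 8, threshold: int = 3, history=None):
        self.window = window
        self.threshold = threshold
        self.history = deque(history or [], maxlen=window)   # sliding window of fingerprints

    def observe(self, tool_name: str, tool_input) -> dict:
        fp = fingerprint(tool_name, tool_input)
        self.history.append(fp)
        repeats = self.history.count(fp)
        block = repeats >= self.threshold
        reason = ""
        if block:
            reason = (f"{tool_name} called {repeats}x with identical input in the last "
                      f"{self.window} calls; change approach or ask the user")
        return {"fingerprint": fp, "repeats": repeats, "block": block, "reason": reason}

    def dump(self) -> str:
        """Hooks run as separate processes, so the window must be persisted between calls."""
        return json.dumps(list(self.history))

    @classmethod
    def load(cls, raw: str, **kw) -> "LoopDetector":
        return cls(history=json.loads(raw) if raw else [], **kw)


def run_hook(event: dict, state_path: str) -> int:
    """One hook invocation: load state, judge the call, persist, return the exit code."""
    raw = open(state_path).read() if os.path.exists(state_path) else ""
    det = LoopDetector.load(raw)
    verdict = det.observe(event.get("tool_name", ""), event.get("tool_input"))
    with open(state_path, "w") as fh:
        fh.write(det.dump())
    if verdict["block"]:
        print(verdict["reason"], file=sys.stderr)
        return 2      # assumed convention: 2 = block this call, show stderr to the agent
    return 0


# Constructed sample: an agent re-running the same grep three times, then moving on.
SAMPLE_EVENTS = [
    {"tool_name": "Bash", "tool_input": {"command": "grep -rn TODO src/"}},
    {"tool_name": "Bash", "tool_input": {"command": "grep -rn TODO src/"}},
    {"tool_name": "Bash", "tool_input": {"command": "grep -rn TODO src/"}},
    {"tool_name": "Bash", "tool_input": {"command": "grep -rn FIXME src/"}},
]


def demo(events=SAMPLE_EVENTS) -> list:
    """Block decisions for the sample sequence: third identical call is refused."""
    det = LoopDetector(window=8, threshold=3)
    return [det.observe(e["tool_name"], e["tool_input"])["block"] for e in events]


if __name__ == "__main__":
    if sys.stdin.isatty():
        print(demo())
    else:
        event = json.load(sys.stdin)
        state = os.environ.get("HARNESS_LOOP_STATE", "/tmp/harness-loop.json")  # assumed path
        sys.exit(run_hook(event, state))
```

Keep the state file per session (key it by the session identifier your runtime provides) so one agent's loop does not block another's, and reset the window when tool output changes, otherwise a legitimate retry after a fix is counted as a loop.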
Excellent code generators. Your team will keep using them under OSSFIA; we are the harness, not the competitor.
Static governance dashboards. They only measure artifacts; they don't build software or integrate with your pipeline. High enterprise pricing.
3 pillars from Hashimoto/OpenAI/Fowler. Excellent theory. 6-12 months of 3-5 engineers to implement. And you still need the 3 regulatory layers.
3 pillars + 3 integrated layers. Additive brownfield in ~1 day. A single source of truth for your CISO and your CTO. Scope-based quote.
GlassPlane is our own control plane; we built it for ourselves before licensing it. If we didn't apply it to Baseline, we couldn't sell it.
The same dashboard we deliver to customers, applied to our own Baseline repo (github.com/aforero22/baseline). 18 compliance dimensions, fingerprint dedup, 9 regulatory frameworks scored simultaneously.
Commercial names under NDA. Numbers and stacks are real. We sign MSA + SOW before sharing direct references and detailed architecture.
These 3 cases represent the 3 productized LATAM packs we offer. Each customer was an additive brownfield. Their regulators don't need a PDF to see compliance β they read the live GlassPlane scorecard.
We sign MSA + SOW before sharing commercial names, detailed architecture, or direct references. Book a diagnostic call so we can discuss your case.
30 minutes. No cost. No pitch deck. You walk away with a preliminary GlassPlane scorecard for your project.
I have my own dev team. I need governance + compliance evidence without rewriting my SDLC.
Discuss adoption →
I need product in production + regulatory evidence. I don't want to hire 15 engineers.
Start factory →
EU AI Act, ISO 42001, SOC 2 or a regulator audit is coming. I need auditable evidence, not spreadsheets.
Gap assessment →
B2B2B underwriting platform. Continuous NIST AI RMF + MITRE ATLAS scoring of your insureds, via API, with 30-day refresh.
Pilot program →