Module SDD-13 — tau — A Minimalist Coding Agent Harness

tau — A Minimalist Coding Agent Harness

The base harness for Course 2A: how a three-layer coding agent architecture becomes a security agent.

60
minutes
8
artifacts
4
sub-sections
tau is a minimalist Python coding agent designed to be read like a book — the entire portable brain is under 800 lines. Its three-layer separation (tau_ai / tau_agent / tau_coding) makes it the ideal teaching substrate for security harness engineering: same brain, different tools, scope enforcement in the executor, evidence from the event stream. This deep-dive scores tau at 40/60 on the 12-module rubric and explains why the 6-point gap is exactly what tau-security fills.
Key Claims
Load-Bearing Claims

tau is the most readable coding-agent harness available. Under 800 lines for the entire portable brain (harness, loop, tools, events). Designed to be read, not just used. Every architectural decision is documented in dev-notes/ phase journals.

The three-layer separation is the design decision that makes tau-security possible. tau_ai (providers), tau_agent (portable brain), tau_coding (app). The brain has zero dependencies on UI, CLI, or file layout. You swap tau_coding for tau_security and the brain doesn't change.

AgentTool's executor pattern is where scope enforcement hooks in. A tool is a frozen dataclass with an async executor function. Security tools wrap the executor with assert_in_scope() before the operation. The model cannot bypass this — it's structural, not advisory.

The event stream is the evidence chain's data source. Every ToolExecutionEndEvent carries the tool result, which becomes an Evidence record with a SHA-256 hash. tau's event architecture and security evidence requirements map almost perfectly.

After This Module
01
Apply the 6-phase deep-dive methodology to tau and produce a scored analysis (40/60 on the 12-module rubric).
02
Map tau's three-layer architecture: tau_ai (providers), tau_agent (portable brain), tau_coding (coding app), and how tau_security sits beside tau_coding as a sibling.
03
Explain how AgentTool's frozen dataclass + async executor design enables scope enforcement as a first-class concern.
04
Trace the event stream contract: 14 typed events flowing from provider → loop → harness → frontend, and how ToolExecutionEndEvent feeds the evidence chain.
05
Identify tau's strengths (execution loop, tool design, documentation) and weaknesses (memory, sandboxing, security features) — and map each weakness to what tau-security adds.
Artifacts