The first generation of AI asked: which model?
The next generation asks: which harness?
Today we're answering that question. The Qoris Harness and Knox are live — available now at qoris.ai.
The Platform Shift
The first wave of AI gave the world large language models. OpenAI released ChatGPT. Anthropic built Claude. For a brief window, the defining question of enterprise AI was simple: which LLM should we choose?
Now a second layer is emerging — the harness — and it changes the competitive landscape entirely.
OpenAI signaled this with Operator. Anthropic signaled it with Claude Code and Computer Use. The model is the capacity to think; the harness is the capacity to exist. Memory, tools, persistence, governance, scheduling, identity — these are not features of a language model. They are features of the system that hosts it.
The Qoris Harness is our answer to this signal. It is the execution layer that transforms any language model from a stateless responder into a persistent, autonomous worker — one that remembers, schedules, acts, and governs itself across days, weeks, and months of continuous operation.
What the Harness Actually Is
Each Qoris AI Worker runs inside a dedicated Docker container on managed infrastructure. This is not shared tenancy. It is an isolated execution environment with its own filesystem, memory, network access, and identity.
The architecture follows a three-layer design:
The Dashboard — The human interface. React-based, real-time. Manages agents, monitors context, configures tools. Every layer of agent activity — text, reasoning, tool execution — streams to the frontend in real time via Server-Sent Events.
The Gateway — HEL — The control plane. Manages container lifecycle, proxies requests, handles authentication, orchestrates rolling upgrades. The agent never speaks to the outside world directly — HEL mediates every interaction.
The Harness — The agent itself. A FastAPI application equipped with persistent storage, a security engine, a memory system, a scheduler, and extensible tooling. This is where intelligence becomes action.
Each container mounts persistent volumes for workspace files, session history, memory, cron jobs, and audit logs. Containers survive upgrades — code changes are deployed via rolling upgrade without losing state.
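Since every layer of agent activity streams to the dashboard over Server-Sent Events, each event can be serialized as a typed SSE frame. A minimal sketch of such a serializer follows; the event names and envelope fields are illustrative assumptions, not the harness's actual wire format:

```python
import json

def sse_frame(event_type: str, payload: dict) -> str:
    """Serialize one agent event (e.g. text, reasoning, tool execution)
    as a Server-Sent Events frame. Envelope shape is illustrative."""
    data = json.dumps({"type": event_type, **payload})
    return f"event: {event_type}\ndata: {data}\n\n"
```

A streaming endpoint would yield one such frame per event, letting the React frontend subscribe with a standard `EventSource`.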
Memory That Actually Works
Most AI systems are stateless — every conversation starts from zero. Those that offer memory typically dump everything into a vector database, trading precision for volume. We took a different approach.
Tier 1 — The Index. Always loaded into the agent's context. Contains concise, curated records — facts, preferences, decisions, patterns. Each record is titled, timestamped, and identified. Short memories live here inline.
Tier 2 — Deep Memory. Detailed knowledge files linked from the index. When the agent writes a memory exceeding 500 characters, the system automatically creates a dedicated file and stores a summary with a reference link. The agent sees the summary in every session; it reads the full detail on demand.
This design bounds context cost while allowing unbounded knowledge depth. The result is an agent that genuinely learns — carrying forward corrections, discovered patterns, and institutional knowledge across hundreds of sessions without context degradation.
Unbounded Conversations
When a conversation approaches the context limit, the system automatically compacts — older message chunks are summarized by the model itself and archived to immutable storage. The current session continues with the summary in context and full detail preserved on disk.
The result is unbounded conversation length. An agent can work through a complex multi-hour task — debugging a system, writing a report, managing an incident — without the user ever hitting a wall.
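The compaction step can be sketched as a pure function. The message counts here are arbitrary placeholders, and `summarize` is injected as a parameter so the sketch stays self-contained; in the harness, the model itself produces the summary:

```python
def compact(messages, summarize, limit=40, keep_recent=10):
    """If the session exceeds the limit, summarize the oldest chunk and
    return (new_context, archived_chunk); otherwise leave it untouched."""
    if len(messages) <= limit:
        return messages, None
    old, recent = messages[:-keep_recent], messages[-keep_recent:]
    summary_msg = {
        "role": "system",
        "content": "[Earlier conversation, summarized] " + summarize(old),
    }
    return [summary_msg] + recent, old  # `old` goes to immutable storage
```

The caller appends the archived chunk to disk and continues the session with the compacted context, so the full transcript is always recoverable.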
Knox — Execution Governance
This is the part that changes everything for enterprise adoption.
Knox is not a monitoring layer. Monitoring observes after the fact. Knox intercepts — it evaluates every shell command against a configurable policy engine before execution. Commands are classified, risk-assessed, and either approved, flagged, or blocked — in real time, before the system state changes.
Every decision — approved or blocked — is written to an append-only audit log. This log is immutable from the agent's perspective; it cannot be read, modified, or deleted by the agent.
Knox policies support path-based restrictions, command pattern matching, network egress controls, and process management governance.
Behavioral escalation. Knox tracks denial patterns per session. When an agent repeatedly attempts restricted operations — three or more blocked commands in a single conversation — the system escalates. A security notice is injected directly into the agent's context, altering its behavior: the agent is made aware that it is under scrutiny, and the session is flagged for human review. This is not just logging — it is behavioral feedback that changes how the agent operates in real time.
For enterprise deployments, Knox provides the compliance foundation: full audit trails, role-based policy inheritance, and the guarantee that no shell command or system interaction executes without governance review.
Skills — One Worker, Many Roles
A single Qoris worker can operate as a code reviewer in the morning, a content writer at noon, and a system administrator overnight — governed by the same Knox policies throughout. This is possible because of Skills.
On-demand invocation. A user types a slash command in chat. The harness reads the skill file, resolves workspace file references into actual content, and injects the enriched instruction into the agent's context — all before the model sees it.
Autonomous discovery. The agent's system prompt lists all available skills by name and description. During scheduled tasks or autonomous operation, the agent can load any skill and apply its instructions without human prompting.
Skills support argument substitution, file content injection, per-skill tool restrictions, and enable/disable toggling — making them safe to compose, share, and iterate on without redeploying the harness.
Autonomous Scheduling
The Qoris Harness includes a built-in cron scheduler. Agents can create, modify, and manage their own scheduled tasks — or have them configured by the user through the dashboard.
When a job fires, the harness creates a dedicated session, injects the prompt, and runs a full agent turn — with access to all tools, memory, and workspace files. The agent can read previous run results, adapt its behavior based on outcomes, and escalate to the user when thresholds are breached.
Run history is stored with per-job statistics — success rate, average duration, failure patterns — providing a complete audit trail of autonomous actions.
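The per-job statistics can be derived from raw run records with a small aggregation. The record shape used here (`ok`, `duration_s`, `error`) is an assumption for illustration:

```python
from statistics import mean

def job_stats(runs: list) -> dict:
    """Roll a job's run history into the statistics described above:
    success rate, average duration, and observed failure messages."""
    if not runs:
        return {"success_rate": None, "avg_duration_s": None, "failures": []}
    return {
        "success_rate": sum(1 for r in runs if r["ok"]) / len(runs),
        "avg_duration_s": mean(r["duration_s"] for r in runs),
        "failures": [r["error"] for r in runs if not r["ok"]],
    }
```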
Public Hosting in One Conversation
Every deployed worker gets a public URL — HTTPS, Cloudflare-protected, ready to serve. No DNS setup, no certificates. An AI worker can go from "build me a landing page" to a live, publicly accessible website in a single conversation.
The agent starts an HTTP server on port 3000 and it is live immediately. Traffic flows through Cloudflare, nginx, and into the container. When nothing is running, visitors see a branded standby page instead of an error.
Custom domains. Users point a CNAME to their agent's subdomain, add a TXT record for verification, and SSL is provisioned automatically via Cloudflare for SaaS. Works with any DNS provider. For businesses, this means an AI-built application can run on their own brand domain with production-grade SSL — no DevOps team required.
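Concretely, the setup described above amounts to two DNS records. Every name, target, and token below is a placeholder for illustration, not Qoris's actual record format:

```
app.example.com.             CNAME   your-agent.qoris.ai.
_qoris-verify.example.com.   TXT     "qoris-verification=<token>"
```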
The gap between idea and deployment collapses to a conversation.
Extensibility — The MCP Protocol
The harness supports the Model Context Protocol with HTTP, SSE, and stdio transports. MCP servers requiring authentication use a PKCE OAuth flow. Tokens are encrypted at rest and injected into the container's environment.
The dashboard provides a visual interface for connecting MCP servers: preset configurations for common services, a transport selector, and an authentication flow — all without writing code. Per-tool governance means individual MCP tools can be enabled or disabled without disconnecting the server.
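For reference, the PKCE material such an OAuth flow exchanges is standardized in RFC 7636. A minimal generator for the S256 method — a general sketch, not Qoris's implementation — looks like this:

```python
import base64, hashlib, secrets

def pkce_pair() -> tuple:
    """Generate an RFC 7636 code_verifier / S256 code_challenge pair.
    The verifier stays client-side; only the challenge is sent in the
    authorization request, so an intercepted code cannot be redeemed."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode()
    return verifier, challenge
```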
Security by Default
Container isolation. Each agent runs in a dedicated Docker container with no shared state. Filesystem access is restricted to the mounted workspace volume.
Pre-execution governance. Knox intercepts every shell command before execution. Destructive operations, network exfiltration attempts, and privilege escalation are blocked by default.
Encryption at rest. API keys, OAuth tokens, and SSH credentials are Fernet-encrypted in the gateway database. Environment variables are injected at container creation time, never stored in images.
Audit immutability. Governance logs are append-only from the agent's perspective. The agent cannot read, modify, or delete its own audit records.
What Comes Next
The Harness is the foundation. What we are building on top of it:
Knox Guardrail — Evolution of the execution overseer into a universal governance layer, designed to integrate with third-party environments such as Cursor, OpenClaw, and Claude Code. It expands from shell-level interception to a full prompt-and-request gateway that reasons over, and approves or denies, every user input and agent request in real time.
Cross-agent memory — Shared knowledge layers that allow multiple workers to build on each other's discoveries while maintaining individual context boundaries.
Workflow orchestration — Multi-agent pipelines where the output of one worker feeds the input of another, coordinated by a central planning agent.
Real-world interaction — AI Workers that navigate web interfaces, complete forms, book meetings, and manage workflows in systems that offer no API — governed by Knox before every click.
Try It Now
The Qoris Harness is available today. Deploy a worker, define its identity, connect your tools, and put it to work. Knox governs every action from the first command.
The future of enterprise AI is not a smarter chatbot. It is a persistent, governed, autonomous system that works alongside your team — one that remembers what matters, acts on schedule, and never exceeds its authority.
Eliel Joseph is the CEO and co-founder of Qoris AI — the trust layer for enterprise AI. Qoris builds Knox, the execution-layer governance for autonomous AI agents, and the Qoris Harness, the infrastructure that turns any LLM into a persistent worker. Headquartered in Stamford, CT. NVIDIA Inception Program member.