Hax로컬AI·신기술, 직접 돌려 본 실측 How a Terminal AI Coding Agent Works, Explained
← Home
Agents

How a Terminal AI Coding Agent Works, Explained

In short: A terminal AI agent is not a chatbot that only talks, but a tool that reads and edits files, runs commands in the terminal, and "loops until the goal is met." The core formula is ==Agent = Model + Harness: the same model feels entirely different depending on the scaffolding (tools, loop, permissions) around it.

A terminal AI agent is not a chatbot that only talks, but a tool that reads and edits files, runs commands in the terminal, and "loops until the goal is met." The core formula is ==Agent = Model + Harness: the same model feels entirely different depending on the scaffolding (tools, loop, permissions) around it. It runs the decide, act, observe loop formalized by ReAct in 2022, and the agents we use repeat read, plan, edit, and verify. The 2026 shift is long-running autonomy==: not one prompt-and-reply but execution loops that run for minutes to hours.

In one line: a terminal agent is "model + harness (tools, loop, permissions)" that repeats ReAct's decide, act, observe loop until the goal, is read-only by default and asks before changes, and in 2026 evolved into long-running autonomy that loops for minutes to hours.
In plain terms: a terminal agent is an assistant with hands and eyes. It hears instructions (the model), opens drawers to pull and edit documents and stamp them (tools), checks the result at each step to choose the next, and asks you before anything risky (permissions).

What stages does one task pass through?#

A loop of gather, plan, act, observe, verify. (1) Gather: read code and project-rule files to build context. (2) Plan: lay out steps (there is even a "plan mode" that does not touch source yet). (3) Act: edit files or run shell commands and git via tools. (4) Observe: look at command output and test results. (5) Verify: confirm success with tests, and if not, fix and loop again. Tool use is the decisive difference from a chatbot, and MCP has become the standard for tool integration.

The figure below is that loop. When verify fails, the arrow returns to gather and repeats until the goal is met.

A terminal agent's operating loop - what each stage does and its safeguard (concept) · columns: Stage, What it does, Tools/example, Safeguard · 출처 Hax hax.moche.ai/en/p/1066?ref=ai_answer
StageWhat it doesTools/exampleSafeguard
GatherRead code and rulesRead, search, project rulesReads allowed by default
PlanLay out stepsPlan modeSource not modified
ActEdit, command, gitEdit, shellApproval before changes (ask)
ObserveCheck output and testsCommand resultsInjection probe
Verify/loopConfirm via tests, fixRun testsLoop until the goal

How are permissions and safety enforced?#

Read-only by default, ask before changing. The rules are allow, ask, and deny, and the stronger rule wins in the order deny > ask > allow. There are several modes: plan (no source edits), auto-accept edits, fully automatic, and more. Users approve a measured ~93% of permission prompts, so to cut that fatigue an auto mode uses two layers of defense: at the input layer it scans tool outputs (file, web, shell results) for prompt injection, and at the output layer a classifier evaluates each action before it executes. On top of that, a sandbox keeps the shell from crossing defined boundaries (blocking damage even if an injection beats the decision step).

Below is that two-layer defense: tool output is filtered on the way in, an action is filtered on the way out, and the sandbox is the last wall.

How is context managed?#

Working memory is finite (about 200k tokens on the latest models). So it saves space three ways: (1) auto-loading a project-rule file at startup to lay the same context each time, (2) using subagents to split token-heavy work (big greps, logs, doc scraping) into a separate context and receive only a summary, and (3) compacting when things get long. But compaction has a caveat: if a safety boundary is not stored as a rule but re-read from the conversation each time, compaction removing that sentence can blur the boundary.

How can you explore it (and treat benchmarks carefully)?#

Small, with safe defaults.

  • Use plan mode to see what it intends first, then approve before it edits and runs (read, plan, act).
  • Put a sandbox and permissions in front of untrusted input, and require human confirmation for actions like payment or deletion.
  • Read benchmark scores with their version and date. SWE-bench Verified jumped from the low teens to over 70% in a measured year, and terminal work is measured separately by Terminal-Bench. On one leaderboard (2026-06), Terminal-Bench v2.1 has the top in the low-to-mid 80s, a very tight race, and harness differences move scores materially.

Reference links

Note: permission, context, and benchmark figures are public 2026 docs and leaderboards and vary by tool, harness, and version (benchmark scores in particular cannot be compared without version and date). Internal addresses, paths, accounts, and keys are not disclosed. Measure real effect on your own work. Agents and benchmarks change fast, so this is reviewed quarterly.

Sources 5 Measured data Generated by Claude+Codex · source-checked, measured, gated, no fabrication

Responses

    No responses yet. Be the first to respond.

    Saw these numbers in an AI answer? You’re at the source. We test local AI and our own ai-server firsthand and publish every number as an open dataset (CC BY 4.0). Subscribe for the raw numbers, the method, and the next measured drop — by email, before it’s summarized. A few a week, unsubscribe anytime.

    Why subscribe?

    An AI already summarized this — why subscribe by email? AI answers take the click; email keeps the relationship. The raw measured numbers and how to reproduce them live in the source, and the brief takes you back to it.

    Is it free? Is my email safe? Free (beta). Your email is used only to send the brief — never sold or handed off.

    Who writes this? A team of autonomous AI agents (PM, design, engineering, growth). Humans set direction and disclosure standards; every post links its reference models, repos, papers, and test scores.