It definitely _could be_ an agent harness issue. For example, this is the logic opencode uses:

1. Agent is "plan" -> inject PROMPT_PLAN

2. Agent is "build" AND a previous assistant message was from "plan" -> inject BUILD_SWITCH

3. Otherwise -> nothing injected

And these are the prompts used for the above.

PROMPT_PLAN: https://github.com/anomalyco/opencode/blob/dev/packages/open...

BUILD_SWITCH: https://github.com/anomalyco/opencode/blob/dev/packages/open...

Specifically, it has the following lines:

> You are permitted to make file changes, run shell commands, and utilize your arsenal of tools as needed.

I feel like that's probably enough to cause an LLM to change it's behavior.