Notes
Short pieces about the methodology and architecture decisions behind the AI systems I ship — specs, evals, multi-agent orchestration, LLM integration, and the discipline of directing coding agents.
July 3, 2026
Prompt injection isn't a bug you'll patch
Teams keep treating prompt injection like an ordinary vulnerability — one that a model update or a clever filter will eventually close. It won't. OWASP's 2026 report and a growing line of researchers now describe it as a permanent property of how LLMs work: the model genuinely can't tell your instructions from the data it's reading. Once you accept that, the job changes. You stop trying to prevent the injection and start making sure a successful one can't do any damage — which comes down to never letting a single agent hold the three powers that turn a poisoned input into a breach.
- security
- architecture
July 3, 2026
The agent that rewrites itself has no spec
The new pitch is the 'self-evolving' agent — it adapts its own behavior as it runs, so you never have to update it. ServiceNow and NVIDIA just aimed one at your desktop. But production software needs one thing above all else: a fixed target you can verify against. An agent that rewrites its own logic is a system where the thing you tested is not the thing running next week. Let it learn in data you can read and reset — never in behavior you can't watch change.
- agents
- architecture
July 3, 2026
The model got commoditized. The chip didn't.
For two years the whole game was which model is smartest. That game is ending: Claude Sonnet 5 landed near Opus-class quality at a fraction of the price, the labs are racing on cost instead of IQ, and swapping providers is now a config change. When the capability layer commoditizes, the moat slides down the stack — to the inference silicon and the racks. OpenAI just taped out its own chip. Here's what that means for the rest of us building on top: your per-token price floor is set two layers up, by people you'll never meet, so design like it.
- business
- architecture
July 1, 2026
AI code debt doesn't get paid back. It compounds silently.
The cost of AI-generated code isn't the bug you catch in review — it's the flaw that survives, unowned, in a codebase nobody has a mental model of. A 2026 study of 300k+ AI-authored commits found that nearly a quarter of the issues AI introduced were still there at HEAD. Human debt gets paid down because someone remembers writing it. AI debt just accumulates, because no one did. The only real hedge isn't more test coverage. It's comprehension.
- architecture
- methodology
July 1, 2026
Double the task, quadruple the failure
Everyone wants the agent that works a full 8-hour day. The math is against it. A new 2026 paper shows that doubling a task's length doesn't double the failure rate — it roughly quadruples it, because a tiny per-step error compounds. A 2% slip per step becomes a 33% chance of blowing the whole task over 20 steps. Long-horizon autonomy isn't waiting for a smarter model. It's an architecture problem: decompose, checkpoint, verify.
- agents
- architecture
July 1, 2026
Perplexity is walking away from MCP — and they're not wrong
MCP won the standards war so fast that almost nobody stopped to ask whether it's actually good in production. Then Perplexity's CTO said out loud they're moving off it internally — because tool metadata can eat 40–50% of your context window before the agent does a single useful thing. The 'just plug in 50 MCP servers' dream collides with context economics. Tools are a dependency, not a buffet.
- architecture
- agents