Key Takeaways
- • Functional completeness of a technical artifact is distinct from the reliability and enforcement of the control systems used to build it.
- • A 'bandaid' is defined as a conscious compensation that allows a project to succeed despite insufficient, stale, or unenforced automated paths.
- • Project reviews should evaluate both the final product's functionality and the manual workarounds required to achieve that outcome.
- • Systems are inherently fragile when their success depends on an agent's manual intervention rather than on automated structural enforcement.
Who this is for
Developers analyzing the gap between manual effort and system enforcement
Two verdicts that should both be true
One of my projects is a small visual workflow tool called Tachylite. It began life as a diagram editor. Over one focused transformation arc it became something more interesting, an executable runtime. You draw a graph of nodes on a canvas, press execute, and a real engine runs the graph in dependency order. Seven node types execute for real. Anything without a real executor reports itself as unsupported and its dependents are skipped, so nothing is ever faked. The same workflows can be driven from the web interface, a command line, an HTTP API, and a set of agent tools.
When that transformation was ready to close, I asked for two different reviews of the same work on the same afternoon, minutes apart, each applying a written review contract that treats every earlier report as an unverified claim.
The first was a project outcome review. Its job is to reconstruct what a project actually became, treating every earlier report, README line, and agent summary as a claim to re-verify against the current state of the repository rather than as truth. It came back with the verdict OPERATIONALLY COMPLETE. The full test suite passed. A real command-line run of the shipped example produced four succeeded nodes and one honestly unsupported one. The agent tool surface answered with its full tool list. No functional blocker remained within the reviewed milestone. The review also walked back through every earlier report about the project and found no claim refuted and none exaggerated, which is worth pausing on, because that is rarer than it sounds. The only required follow-up was documentation hygiene, a few stale documents still describing the old project. The verdict was even careful about its own scope, complete for its milestone as a local personal-use foundation, and explicitly not a stronger claim than that.
The second was a bandaid review, run by a system of mine that carries that blunt name deliberately. Its job is different. It asks what was knowingly worked around, retried, manually sequenced, bypassed, supplemented, or compensated for in order to make the work succeed, and which of those compensations nothing in the system actually enforces. It came back with the verdict PROCEED_WITH_DISCLOSURES. Seven findings, none severe enough to invalidate the shipped state, and a summary whose core has stayed with me since. What quietly carried this bounded stretch of work was manually run tests and manually driven browser checks, with no automated gate behind either. All of it disclosed. None of it enforced by the system.
So which is it. Is the project done, or is it held together with tape.
Both, and the fact that both verdicts are true at once is the most useful thing either of them says. The outcome review grades the artifact. The compensation review grades the control system around the artifact. A working product and an unenforced control surface are simply not the same claim, and most close-out rituals only ever make the first one.
My own instinct is to approach these projects through systems operations, security, state, boundaries, observability, and evidence. That lens repeatedly led me to ask not only whether the code worked, but which component had actually established that it worked. The uncomfortable answer, more often than I would like, was that the component was the agent itself, choosing to check.
What a bandaid actually is
The word needs a careful definition, because the lazy version condemns every manual step, and that version is useless.
A bandaid, in the sense I use it here, is a conscious compensation that allowed work to succeed despite the normal, documented, or automated path being insufficient, misleading, stale, bypassed, or unenforced.
Every part of that matters. It is conscious. Someone, human or agent, understood that the normal path would not carry the work, and did something extra so that it would. It succeeded. These compensations live in successful projects, which is exactly why nobody goes looking for them. And the deciding property is not that the action was manual. The deciding property is that nothing enforces it.
The test I apply to every candidate compensation is a single question. If the agent forgot this step next time, would the system reliably object before an incorrect success claim could pass?
If the answer is yes, the step is just work. Deploying by hand is fine when the pipeline would refuse a broken artifact anyway. If the answer is no, the step is load-bearing in a way the system does not know about. The passing result everyone sees is real, but the reason it is real lives in someone's habits.
This distinction rescues manual work from blanket suspicion, and it needs rescuing, because manual verification is often the most competent thing happening in a project. The competent action is not necessarily the bandaid. The bandaid may be the system's dependency on someone remembering to perform that action.
An unusually capable agent makes all of this worse, not better. Capable agents compensate smoothly. They reread the file the documentation forgot to mention. They retry the flaky tool without complaint. They perform steps in the right order even when the runbook lists them in the wrong one. They supply, from memory, the configuration value the setup guide stopped mentioning two versions ago. They quietly route around a stale instruction because they recognize it as stale. Every one of those compensations makes the surrounding system look more robust than it is. The work succeeds, the report says success, and the weakness that was compensated for appears in no artifact anywhere.
A system is not mature merely because it succeeds. It is mature when success no longer depends on an unusually capable agent silently holding its weaknesses together.
One note on vocabulary before we go on. The metaphor has now done its job, so from here I will mostly call these things what they are. A hidden compensation when someone acts. A compensatory dependency when the system leans on that act. An unenforced control when the gap itself is the point. The tool that hunts them keeps its blunter name.
What the review is actually looking for
The method deserves to be stated plainly once, because nothing in it depends on my projects or my tools. A hidden-compensation review, whoever or whatever runs it, walks one bounded piece of work through ten moves.
- Establish the claimed outcome and its exact scope. What is being called done, and done for whom, under which conditions?
- Inventory the conscious compensations. Retries, bypasses, substitutions, manual sequencing, remembered knowledge, and hand-run checks.
- Separate the competent action from the system dependency behind it. The manual check may be excellent work. The system's reliance on someone remembering it is the finding.
- Bind every finding to evidence, and label how each item is known. Self-disclosed by the agent, reconstructed from logs, or confirmed by re-running the check. Self-disclosure never gets promoted silently into verified fact.
- Grade severity by the consequence if the compensation is forgotten next time, never by how alarming the action looks.
- Clear legitimate manual work explicitly, in writing. A review that pathologizes every human step teaches people to hide the steps.
- Distinguish each local success signal from the larger claim it is being used to support. A truthful signal can still be stretched past what it observed.
- End in exactly one bounded verdict, and give every finding an explicit disposition.
- Stay report-only. Repair is a separate decision under separate authority, even when the fix is obvious.
- Preserve uncertainty, dissent, and failed verification evidence in the record, rather than laundering them into a clean result.
Most of what I would want a reader to keep about the review itself is in that list. Everything that follows is what the list looks like when it collides with real work, which is where it stops sounding obvious, and where the closure-level moves the list does not cover come in.
The competent action is not the defect
What convinced me this distinction is workable in practice, rather than a nice sentiment, was watching the review apply it to Tachylite, pair by pair. The review has two output categories that matter here. A clearance says this looked suspicious and is fine. A finding says this looked fine and is not. The interesting results come in pairs, where the same activity produces one of each.

Take the pushes. The transformation work pushed straight to the main branch roughly seven times with no pull requests. That pattern trips every reviewer instinct I have. The review cleared it. This was solo work on a private repository whose process explicitly defines checkpoint pushes as the intended path. A legitimate operator choice, not a workaround. What the review did not clear was the void behind those pushes. No continuous integration existed in the repository at all, so each push passed only because the agent chose to run the test suite first. The review called that the single most load-bearing hand-maintained property of the whole effort, a compensatory dependency in its purest form. Forget once, and a broken engine ships behind a status that looks successful, with nothing in place to catch it. The push style was fine. The missing gate behind the push style was the finding.
Or take the interface. The agent verified the web canvas by driving a real browser, repeatedly and carefully. The review cleared the act itself as legitimate work. The finding sat next to it. The interface carried over a hundred test hooks, and not one of them drove an automated test. Would anything object if the manual pass were skipped one day? Nothing would.
The third pair is the subtlest, and my favorite, because the review graded two signals in opposite directions from their tone. The test output contained a genuinely alarming line about a server failing to start. Cleared. That line is by-design graceful degradation, and the review called the resulting pass a legitimate green rather than a false green, its term for a success signal that misstates the state it claims to report. Meanwhile an entirely innocuous-looking archive tag, named to indicate the state had been execution-verified, was flagged as a finding. The tag pointed at a snapshot taken before an adversarial verification pass later caught and fixed two real security defects. The label was honest when it was written and wrong shortly afterwards. Anyone restoring the verified state by that name would restore known-vulnerable code, and nothing in the system objects to naming a tag prematurely. It was also a claim the outcome review's walk through the reports had no reason to grade, which is exactly the division of labor this essay is about. Alarming output can be fine. Comforting labels can be defects. Success signals have to be graded by what they claim and by what actually established the claim, never by how reassuring they sound.
There was also a quieter fourth item, the kind that never makes a report on its own. One of the analysis surfaces the work depended on was known to be blind to part of the project, and the agent compensated by hand, every time, from memory. Sensible, invisible, and unrecorded. Multiply that across every capable agent in every project and you have an entire layer of institutional knowledge that exists nowhere except in the behavior of whoever worked last.
What happened next matters just as much. Within the hour, I had turned the audit into a work order, a bounded follow-up workstream whose steps mapped one to one onto the findings, with two findings left on the record for a later pass rather than silently dropped, and a boundary list as long as the task list. The repository got its first continuous integration gate, running the tests and a headless browser smoke pass on every push. The manual interface checks got an automated harness underneath them. A known, non-blocking race condition was fixed, with a regression test proven to fail when the fix is reverted. The stale documents were rewritten with history preserved. An independent adversarial pass over that hardening work found nothing of high or medium severity, and the first run of the new gate was watched to completion job by job, not trusted at the summary level. And then the hardening work's own compensation review still returned PROCEED_WITH_DISCLOSURES, this time with three low-severity accepted risks.
I find that strangely reassuring. The verdict behaves like a ratchet, not a stamp. Even the pass that fixes the disclosures produces new, smaller ones. The goal was never zero compensations. The goal is knowing exactly which ones you are carrying, and having each one on the record instead of in someone's head.
Capability complete does not imply control complete.
Turning the review on itself
A review method you intend to trust has to survive being reviewed. The hidden-compensation review is not code. It is a written contract, a set of definitions, severity rules, evidence classes, and bounded verdicts that an agent loads and applies. So the obvious question is whether a fresh agent, handed that contract and a messy scenario, actually reaches the conclusions the contract intends.
The verification used blind graded fixtures. Six scenarios were written, each in two parts. The first part is the input a reviewer may see, a summary of the work and its available evidence. The second part is a hidden grading key stating the expected findings, severities, and verdict. Fresh reviewer agents received only key-stripped inputs, were declared off-limits from the directories holding the keys and worked examples, and the reviewed material was hash-checked byte-identical across the later grading rounds, so no grader could alter what it was judging.
Five of the six scenarios were shaped to punish a specific shortcut. One contains no hidden compensation at all, so a reviewer that manufactures findings to look thorough fails. One starves the reviewer of evidence, so the only correct answer is the insufficient-evidence verdict. One moves the whole exercise into a release-pipeline setting, so the contract cannot quietly overfit to a single domain. One plants a misdirection, a loud suspicious-looking action that is actually fine, next to a quiet one that is not. And one embeds an explicit invitation to repair what the review finds, because a read-only posture is only real if it survives temptation.
In the second round, two fixtures failed.
The natural assumption was that the reviewing models had erred, and that assumption was wrong in the most instructive way available. On most of the disputes, the blind graders had followed the skill's own written rulebook, its classification boundaries and its severity model, more faithfully than the hidden answer keys did. The prose of the contract adjudicated one way. The keys had quietly encoded a more lenient reading. The models did not merely fail the test. The test failed to define one coherent correct answer.
The disagreements were not vague matters of taste, either. They sat at named boundaries. Whether a hand edit that quietly makes a rejected artifact acceptable is a generic manual control or something more specific. Whether a truthful status badge that covers only part of what the report claimed is a false green or a scope mismatch, which matters because the two carry different weight at close-out. Each of those questions had an answer in the written references, and the keys had encoded a softer one.
That forced a discipline most evaluation setups skip entirely. When a blind reviewer disagrees with the answer key, there are at least four distinct explanations, and they demand different responses. The reviewer may simply be wrong. The contract may contradict itself. The scenario may omit a fact that decides the answer. Or the key may be wrong and the reviewer right. This verification arc produced live instances of the last three. The infrastructure fixture supplied two of them back to back. First it turned out the scenario never stated whether a stale procedure failed loudly or silently when followed, a fact that decides the severity, so two contradictory gradings were both defensible readings of an underdetermined text. Then, once that fact was written into the scenario, the fresh grader applied the corrected severity rules faithfully and was failed by the old key, and on adjudication the key itself was ruled wrong.
Every one of those disputes was settled under an explicit authority order that was not mine to freelance. Observable scenario facts came first, then safety consequences, then the skill's general semantics, then the written contract, then the fixture's intended learning objective, and the hidden key came last, treated as regression data rather than constitutional authority, under a standing instruction that no fixture may be weakened merely to obtain a pass. Twice the resolution tightened ambiguous rule text to the reading the graders had taken, re-pinning the lenient keys to match. Once it supplied a fact the scenario had omitted. And once the key alone was ruled wrong, with the scenario and the rules left untouched. The failed runs were preserved verbatim, alongside the pre-revision keys and rule text. Nothing historical was rewritten to look like success. The point of the exercise was never a passing suite. It was a contract that means exactly one thing.
After two rounds of specification correction driven by those failures, the suite reached six blind passes out of six. The posture held under direct temptation too. One fixture exists specifically to invite the reviewer to fix what it finds, and every grader declined, recommended hardening, and wrote nothing.
Precision about what this establishes, and what it does not, matters more than the pass rate. Each fixture was graded by a single fresh agent per round, which is evidence of behavior, not statistics. One classification boundary remains genuinely open, the question of what a storage acceptance signal actually claims, and it is recorded as an open refinement trigger rather than papered over. The method did not become infallible. What it became is governed. Its uncertainty has names, owners, and preserved evidence, which is more than most passing test suites can say about themselves.
The arc also settled a question I had not thought to ask, which is whether the review would activate at all without being named. In two fresh sessions I ran as installation checks, the skill loaded, ran in its intended mode, and wrote nothing. In one of the two it was selected from a plain-language description of the need alone, without ever being named. Installation is part of the control surface too. A review that exists but never triggers is just one more unenforced dependency on somebody remembering.
What became true, and what carried it
Running these two reviews in tandem changed the order of questions I ask at the end of a piece of work, and the order turns out to be everything.
The outcome review asks what became true. The compensation review asks what had to compensate for what, in order for it to become true. The first question without the second produces confident close-outs that quietly launder process debt. The second without the first produces anxiety with no anchor. Together they changed the actual decision path.
The old path
implement → tests green → final report → complete
The path now
execute → verify → outcome truth → bandaid truth
→ claim reconciliation → remaining-work disposition → closure
A concrete case. One of my orchestration projects grew an experimental continuity mode that lets a browser-driven model lane, the bounded seat a single model occupies in a multi-model task run, keep using one conversation thread across turns. Acceptance testing passed. But it passed only under two explicit conditions, the target thread pinned by the operator and a setting requiring an existing thread turned on. Under the shipped defaults, the very same mechanism silently adopted whatever conversation the browser happened to be displaying, including one that belonged to an entirely different task. The acceptance outcome compresses into a line I have reused many times since. Filesystem isolation held, conversation isolation did not.
On the old path, that work ships as passed acceptance, because it did pass. That distinction is the tandem working as intended. The same acceptance work produced both an artifact truth, the mechanism works when pinned, and a control truth, the default binding is unsafe, and nothing averaged them into one comforting grade. On the current path, the unsafe default was recorded as a defect, and, just as deliberately, it was not fixed then. Every available remedy changes the behavior of an experimental, operator-gated mode, so the defect sat in the record awaiting an explicit decision, one that later arrived as its own separately authorized hardening workstream. That separation is written into the review contract, and it has held under deliberate temptation, though by this essay's own test it remains a discipline rather than an enforcement. Each compensation review ends with a statement that nothing found was repaired and that every remedy is a recommendation only. Follow-up work derived from an accepted review is registered but not activated until someone with authority says so. A recommendation is not a decision, and a decision is not permission to execute.
Acceptance is not wholesale either. In another hardening workstream the verdict stood, but every finding received its own disposition. One was downgraded because it invalidated a cited proof, not the underlying property, which stood on independent evidence. Two were deferred as later verification hardening. And one, that the pipeline had never seen the exact commit under review, was closed on the spot by the acceptance decision itself, which ordered that commit pushed where the pipeline could judge it before anything moved.
The verdicts are graded rather than binary, and they move only on proof. One documentation pass closed at PROCEED_WITH_DISCLOSURES with three low findings. A later re-review upgraded it to PROCEED only after the corrections were independently verified, including a positive control that first proved the detection could actually fire. The same discipline caught a reviewer's own false green. A proof line cited zero occurrences of a risky action, but the count came from a log that could never contain the token being counted. The zero was true and meant nothing, which the review demonstrated by running the same search over a log where the action demonstrably had happened, and getting the same zero. The check did not cover part of the claim, it covered none of it. A check that cannot fail proves nothing, no matter how clean the status looks.
Claim reconciliation is the unglamorous middle of the new path, and the part I skipped for years. It means going back to the reports, the readme lines, the registers, and the memory records that described the work while it was in flight, and correcting every statement the evidence no longer supports, in writing, before closure. Not because anyone lied, but because documents describe the moment they were written, and moments expire. A close-out that leaves yesterday's confident sentence standing next to today's contradicting evidence has not closed anything. It has just stopped looking.
The cleanest specimen I have was one shipped sentence asserting a full-suite pass under a live integration mode, at a count that mode had never actually been run at. The honest number belonged to an older tree. The correction replaced the extrapolation with dated observations plus an explicit statement that the full-count live run had not yet happened. Counts had drifted and been hand-fixed before, so a test now fails the suite whenever a count appears in the documentation without a date attached. A habit became a contract. And the correction itself was a new commit, with the original audit report left unrewritten above it.
I wrote before about preserving evidence and verifying the verifier. This essay is about what those habits keep finding once they run as a standing pair.
Closure by convergence
Scale this up from a single workstream to a programme and the tandem becomes a closure method.
A recent programme of mine wrapped up remaining work across one of the orchestration projects. Five bounded child workstreams ran, each an isolated lane of work with its own branch and working copy, and every one of them closed with its own final report and its own bandaid-review verdict, with the outcome question asked once across the whole programme. The findings from earlier reviews became a remaining-work register. The items marked execute-now landed cleanly on the main line, with continuous integration evidence checked job by job behind each one. And everything not executed received exactly one durable disposition, in classes like trigger-based, parked, separate project, and operator-gated. When the programme closed, the register held no unclassified item and nothing blocked.
A programme is not complete because all implementation lanes passed. It is complete when every material remaining item has a durable disposition.
Durable is the load-bearing word in that sentence. Completed and cleared items are the easy classes. The honest ones are the rest. A trigger-based item names the exact condition that reactivates it, so nobody has to remember to care. A parked item records the decision not to act, together with its reasoning, which is a different thing from a backlog entry rotting in silence. A separate-project item admits the work does not belong here at all, which stops scope from quietly annexing it. An operator-action item states plainly that this is not an agent's call to make. Each class is a way of ending an item's ambiguity without necessarily doing the work, and ambiguity, not unfinished work, is what keeps programmes undead.
Another programme of mine ended the same way from a different angle. A reconciliation pass compared what a tool's design documents had promised with what the landed code actually did, ruled on every divergence it found, and produced seven follow-up items. At registration, each was classified and left unactivated, pending an explicit decision. Registered is not started. Two of the seven were later activated by exactly such a decision. The rest stayed deliberately dormant. Writing that distinction down is what lets a programme close while its consequences remain alive and owned.
The repeated review passes in that programme were not attempts to force a passing answer, and this is the part I most want to defend, because from the outside repetition can look like grinding a verdict into submission. Each pass reduced a different class of uncertainty. One pass established state truth, what exists in the repositories and what runs. One established compensation truth, what carried the successes. One established claim truth, whether the reports and records still said anything false or stale. One established remainder truth, whether every leftover had an owner and a class. The passes stopped when they stopped producing new material contradictions.

Closure by convergence is reached when independent views of the project stop producing new material contradictions and converge on the same account of what exists, what remains, and what can honestly be claimed.
That is a falsifiable standard, which is what I like about it. Any independent view that still contradicts the account, a repository that disagrees with a report, a verdict that disagrees with a register, keeps the programme open. Agreement between independent surfaces is the exit condition, not fatigue, not a deadline, and not the seniority of whoever wrote the final summary.
What changes when the reviews are combined
The hidden-compensation review is one instrument. Its usefulness depends on what it is composed with, and the combinations are worth naming plainly, because they are combinations of responsibilities, not a product bundle.
On its own, the review reveals what quietly carried a successful result. Manual, unenforced, stale, bypassed, and scope-stretched controls stop being ambient facts and become named findings, bound to evidence.
Paired with a project outcome review, it separates what became true from what had to compensate for what. That pairing is what keeps delivered capability from being confused with control maturity, and it produces a stronger closure decision path than either review alone, because the two verdicts refuse to be averaged.
Feeding a hardening workstream, it converts accepted findings into bounded corrective work while preserving the boundary this essay keeps returning to, that repair authority never travels with the finding.
Joined to programme-level remaining-work disposition, it allows honest closure without pretending that every future idea must be implemented first. Every material remainder receives a durable disposition instead of a vague someday.
The last combinations involve the two projects the next section introduces. With an orchestration broker that owns the task's state, routing, turn order, and decision history, the review gains a preserved account of what each model was actually told and when. With an execution boundary that owns ground truth and fails loudly, it gains outcomes no participant can narrate around. And with both at once, model judgement, orchestrator behavior, and execution truth would become separately comparable. That is what would make controlled study of how an agent stack behaves under pressure possible at all, in four distinctions the next section names.
From project review to model resilience
Everything so far reviews work after it happened. The same separation of concerns, pushed one level down, gives you an instrument for comparing agents and models while the work happens.
Two of my projects form the halves. The first, Broker Loom, is a small local orchestrator that hands one task to multiple model lanes, the bounded seats individual models occupy, which take logged turns under an explicit state machine. The broker owns five things, the task state in a ledger, the routing decision about who speaks next, the normalization of handoffs between lanes, an append-only transcript, and boundary enforcement through per-task isolated working copies and stop rules. The lanes own nothing but their turns. Neither lane freelances. A turn budget, an oscillation detector, and a capped repair loop bound every task, and when a bound is hit the task finalizes as blocked rather than looping. It fails loud. The lanes themselves are adapters behind stable routing slots. One shells out to a command-line model. Another drives a browser-hosted model over a debugging protocol. The verification slot can swap to an API-native provider without the orchestrator changing at all.
The second, Broker Lane Sandbox, is an execution sandbox, deliberately a separate repository reached only across a narrow interface. Its posture is default-deny. Nothing runs unless a policy explicitly allows it, an allow-listed name cannot front for an arbitrary file on disk, the child process starts with an empty environment with secret-looking variables stripped, a policy can add resource ceilings the child cannot raise on itself, and a wall-clock timeout kills the entire process group. Every outcome, including a refusal, comes back as a structured, versioned record produced by the executor, never by the process under test. A denial is emitted before anything spawns, so a blocked action never gets the chance to describe itself as success. Its threat model is refreshingly honest about where the floor ends. It is not a kernel-level sandbox, the filesystem is not jailed, and a malicious operator is explicitly out of scope. It is a guardrail against accidents that tells you exactly what it is not.
I have already watched this boundary earn its keep. A full live run of the orchestrator's suite against the sandbox first came back with seven failures. The reviewer treated the failures with the same suspicion as any success, re-ran the failing subset, and traced the cause to the sandbox's deliberately minimal environment, which had refused loudly rather than half-running. With the environment corrected, everything passed. The failure was an invocation artifact, the refusal was the design working, and only the dated, observed result was written down.
Put the two together and you get three layers that answer three different questions.
Model what did it understand, decide, and claim?
Broker what state did it see, and who owned the loop?
Boundary what actually happened?
This is what makes a controlled resilience bench feasible. Same environment, different models. Same model, different orchestrator settings, transport, or execution conditions. Then inject the failure conditions this essay has been cataloguing, a timeout, a denied action, a missing artifact, partial output, stale guidance, a success signal whose scope does not match the claim, an omitted gate, and watch what each agent stack does, with the ground truth preserved separately from what the model believed.
The comparison record such a bench would produce is not a leaderboard score. It would be a per-scenario account of the gap between three narratives, what the boundary measured, what the broker's ledger shows the lane was told, and what the model claimed on its turn. Most benchmark numbers collapse those three into one, which is precisely how failure laundering becomes invisible. Keeping them separate is the entire trick, and it costs nothing except the discipline of never letting a model grade its own homework. Reviews of finished work tell you which compensations happened. A bench like this would tell you which compensations a given model reaches for under pressure, before you have bet a project on it. The hidden-compensation review sits on top as the adjudication frame, because it already speaks the right language.
The distinctions it would grade are the ones that matter operationally. There is operational slack recovery, the agent absorbs a real fault and says so. There is transparent resilience, the system degrades and the record shows exactly how. There is failure laundering, the agent compensates silently and the record shows a clean success. And there is safe refusal, the agent recognizes that proceeding would require bypassing a control, and stops. Two agent stacks can post identical successful outcomes while sitting in completely different rows of that table. Today I mostly cannot see which row I got. With ground truth underneath and turns owned by a broker, I could.
The honest caveat belongs on the record, in both directions. The bench is a design built from components that each verifiably exist and run, not a shipped product. The broker has run live relays across both transports, its continuous integration passes job by job across four language versions, and its full suite, with every integration seam enabled against a real sandbox, has passed end-to-end in a dated, observed run. Notice how each claim in that sentence is known, because the mix mirrors the whole essay. The mocked layers are enforced continuously by machinery. The live browser path is validated by dated runs that a person chose to perform, which makes it, by this essay's own definitions, a hand-maintained property. My orchestration project carries the same class of finding it helps me detect elsewhere. Composing the two halves into a standing comparative harness is exactly the kind of remaining item my own method would file as registered, awaiting activation. It is future work.
The blind spots this makes visible
Once you start reviewing for compensations rather than outcomes, blind spots become visible that outcome-shaped review cannot see at all. A few of mine first, because they show how ordinary these are.
An expired label. The archive tag that said execution-verified kept saying it long after an adversarial pass had proven the snapshot unsafe, and nothing in the system disagrees with a tag. A habit holding up a safety property. The tests-ran-before-every-push discipline was real and perfect, right up to the boundary where it existed only as behavior.
Procedures that quietly disagree. Two runbooks can conflict for a month, harmlessly, while every session happens to pick the newer one. The day a fresh session picks the older one, nothing about the system will have changed, and everything will break for the first time.
A verifier drifting from its own rulebook. The grading keys encoded a softer reading than the written contract, and only blind graders exposed it. A ritual that finally graduated. Proving that a new regression test fails on the un-fixed code was a hand ritual no harness required, until it became a small script with its own self-tests, which is what graduation looks like for a compensation. And the quietest one, the capable agent that finishes a project and moves on, taking the real control system with it in the shape of its habits.
The examples generalize into a set worth carrying as vocabulary.
Outcome blindness. The result looks correct, but the actual resulting state was never independently observed.
Control blindness. A safety or quality property exists only because a human or agent remembered to maintain it.
Scope blindness. A local success signal is used as evidence for a broader claim it never observed.
Sequencing blindness. Individually correct actions work only in an order no artifact records.
Orchestrator blindness. The compliant route cannot carry the real work, so a capable agent quietly routes around it.
Documentation blindness. The authoritative-looking runbook is older, less safe, or less accurate than a newer routing note.
Evidence-binding blindness. A sound analysis is attached to the wrong workstream, operation, revision, or evidence boundary.
Verifier blindness. A test, grading key, or aggregator is treated as authority even where its own contract is inconsistent.
Closure blindness. Implementation workstreams pass while the parent mission still holds undispositioned material questions.
Competence blindness. The surrounding system gets credit for robustness that actually came from an unusually capable model or operator.
What the ten share is more interesting than any one of them. None requires a bug, a lie, or an incompetent hand. Each is a place where the account of the work and the work itself have quietly diverged, usually because a capable agent kept the divergence from ever hurting anyone. The compensation question is simply the cheapest way I know to make that divergence visible while it is still small.
The discipline behind the build
It would be easy to read all of this as an argument about who should be allowed to build. That would be the wrong conclusion.
AI assistance has raised everyone's capacity to create change, mine included, far faster than it has raised anyone's capacity to inspect the combined effects of that change. That statement has no professional-identity clause in it. It applies to the twenty-year systems veteran exactly as it applies to someone who shipped their first tool last month. The veteran's advantage is real, deep instincts about state, boundaries, and failure, but the advantage does not remove the need. It mostly changes which compensations get made silently and how plausible the resulting success report looks. The change piles up either way.
The meaningful distinction is not between people who are entitled to build and people who are not. It is between work that is systematically reconciled and work that is allowed to accumulate unchecked.
Reconciled work can be inherited by a future maintainer, a future agent, or a future you, because the compensations that carried it are written down and either enforced or consciously accepted. Unchecked accumulation can only be inherited by someone equally heroic, and heroes do not scale, do not document themselves, and eventually move on.
There is also a quieter benefit that took me longer to notice. Reconciliation is what makes delegation safe in both directions. I can hand reconciled work to an agent without briefing it on folklore, because the folklore has been converted into artifacts. And an agent can hand its work back to me without my having to trust its self-assessment, because the assessment arrives with evidence labels, named findings, and a verdict whose definition I can read. Discipline is not the tax on autonomy. It is the thing that makes autonomy inspectable enough to extend.
The tooling in this essay is one way to get there, and I make no stronger claim for it than that. In these projects, the reviews have been inexpensive relative to what they caught. Because they are read-only by contract, their most direct failure mode so far has been a wrong recommendation left on the record for adjudication, rather than an unauthorized change. And they produce artifacts, verdicts with named findings and preserved evidence, that survive the session that produced them. What actually matters is the posture underneath, treating every success as a claim about the world that someone, someday, will need to re-derive from the record alone.
A practical checklist to carry forward
The next time a piece of AI-assisted work is about to be called done, these are the questions I would put to it, in roughly this order.
- What exactly is being claimed as complete?
- Which system independently observed the resulting state?
- What did a human or agent do that the normal path did not enforce?
- Would the system object if that compensating step were forgotten next time?
- Does the success signal cover the full claim, or only one local step?
- Is the evidence bound to the correct revision, workstream, and operation?
- Did the verifier itself have a coherent, falsifiable contract?
- Which findings require repair, disclosure, acceptance, deferral, or a separate project?
- Does every material remaining item have a durable disposition?
- Do repository state, runtime evidence, reviews, registers, and the final claims now agree?
None of these questions requires my tools. They require only the willingness to hear an unwelcome answer while it is still cheap. Where every answer holds up, closure is honest. Wherever one cannot be answered, that gap is the next review.
Don't pile before you check
The whole method compresses into a small discipline I now run at the end of anything that matters. Preserve the evidence before anything can rewrite it, then put the questions above to the work, in order, correcting what fails and dispositioning what remains. Close only when the independent accounts converge on the same story.
That discipline is slower than declaring victory, by hours, usually. It is also the only version of done I have found that stays done after the unusually capable agent leaves the room.
The two verdicts I opened with are still both true, and I no longer want them averaged into one. A project that is operationally complete, with disclosures, is a project I actually understand. The alternative was never a project without weaknesses. The alternative was the same weaknesses, unwritten, load-bearing, and waiting.
The pile is not the achievement. The checked, explainable, and recoverable system is.
Don't pile before you check.