blocksec

If the Harness Is the Product

Sun, 05 Apr 2026 00:00:00 +0000

The Incident

On March 31, 2026, Anthropic accidentally included a debugging file in a routine software update for Claude Code.¹ A configuration oversight exposed the complete source code: 512,000 lines across 1,906 files, fully readable. Within hours the code was copied, shared thousands of times, and dissected by the developer community worldwide.

Most of the analysis focused on features: codenames, a pet system, unreleased capabilities, internal tools. But a few analysts asked a different question. What users assumed was a thin interface that passes prompts to an AI model turned out to be a 512,000-line orchestration platform making hundreds of invisible decisions per session. As Han HELOIR Yan put it: the harness,² not the model, is the product.³

That claim raises two questions: First, is it true? Is the orchestration layer genuinely where the value lives, or is this just infrastructure that any competent team could replicate? Second, and this is the question this note is about: if the harness is the product, what kind of product is it? What does it mean when a Fortune 10 company ships an opaque operating system between the developer and the model, treats its configuration as a trade secret, and calls it a coding assistant?

The Harness Is the Product

Among the analyses that followed the leak, Yan’s stood out for asking the structural question rather than cataloguing features: if models are converging and available to anyone at commodity pricing, why does Claude Code alone generate $2.5 billion in annualized revenue? Yan’s answer is that the harness, not the model, is the product. Developers are paying for orchestration, not intelligence.

I think Yan is right, and not just from the leaked code. I use Claude Code daily and not as a coding assistant but as a knowledge work environment, research tool, and operational platform. I have used Cursor, Windsurf, and the API directly. The model is the same or similar across all of them. The experience is not. What makes Claude Code different is everything the harness does before the model sees your prompt and after it returns a response. The gap between using the API raw and using it through a well-built harness is the difference between having an engine and having a car.

The leaked source shows what that orchestration looks like at production scale. The resilience layer alone has five fallback stages for error recovery and five distinct strategies for compressing conversation history, each tuned to a different failure mode, because no single approach works well enough. Memory and context management runs deeper: twenty-eight layered instruction files are assembled dynamically based on user configuration and session state, a background system the code calls “dreaming” organizes project knowledge while the user is away, and conversation history is silently compressed or discarded to stay within the model’s working limits. On top of that sits a full orchestration layer: over sixty tools behind permission gates (eighteen invisible until the model searches for them), seven permission modes including a machine learning classifier that reads the conversation and decides what to allow, the ability to spawn parallel sub-agents, and a remote control system that lets the web interface operate the local application.

This is not a wrapper around a model. Yan quotes a commenter who put it in terms the industry understood: the model is the dealer; the harness is the casino. Casinos are hard to build. The term “harness engineering” is already following “prompt engineering” and “context engineering” into the hype cycle, which is itself evidence of where practitioners see the value shifting.

If the harness is the product

In one sentence: configuration should not be a Trade Secret for enterprise software.

In enterprise software, configuration is what the customer is entitled to know because it defines the behavior of the product they are paying for. Cloud access policies, infrastructure definitions, deployment manifests: all visible and auditable. The harness treats its configuration as a trade secret. That is the norm violation, and everything else follows from it.

The leaked code revealed what the harness adds between your prompt and the model: hidden instructions assembled from 15+ sections that shape every interaction.⁴ Decoy definitions injected into requests to prevent competitors from copying the model’s behavior, billed to the user. Frustration detection using pattern matching that adjusts behavior based on emotional state. Conversation history selectively compressed or discarded based on rules the user cannot see. Available tools filtered by vendor-controlled switches. A stealth mode that strips attribution when contributing to external projects. Invisible meta-messages injected to steer the model. The point is not whether any of these are justified. Each may have a reasonable rationale. The point is that none are disclosed.

The harness functions as an operating system: it manages resources (the AI’s working memory and usage budget), handles input and output (tool execution, file operations), enforces permissions (seven modes, with multiple approval systems racing to respond), manages processes (sub-agents, background tasks), provides a command interface, and schedules work (recurring tasks, sleep/wake cycles, push notifications). An operating system is expected to serve the user.⁵ Windows trained a generation to accept that the OS serves the OS maker: bundled Internet Explorer to kill Netscape, preinstalled Bing, telemetry everywhere, ads in the Start menu. The dangerous part was not that it happened but that it became normal.

The asymmetry is structural. The model is measurable through benchmarks, evaluations, and public scrutiny. The harness is not: no benchmarks exist for how well it manages conversation history, how efficiently it compresses context, or how much overhead its hidden instructions add. Usage costs are controlled by the harness, not the user; a harness optimized for user efficiency and one optimized for revenue look identical from the outside. A good harness can mask a declining model; a bad harness can make a great model look mediocre. And once workflows embed around a specific harness through customizations, automation rules, configuration files, plugins, and integrations, switching costs make it hard to escape.

The risk I am pointing at is not overt manipulation for Enterprise customers which usually have security teams, traffic inspection, contractual audit rights. The subtler risk is the slow drift of defaults toward the business model, where every individual default is defensible as a “product improvement” or “trade secret”.

The Pattern Spreads

The leak is not just Anthropic’s problem. It is now a reference architecture. Every AI tool builder (OpenAI, Google, Cursor, Windsurf, and the open source projects already rewriting the code in other languages) now has a detailed blueprint for one of the most sophisticated harnesses in production. Within days of the leak, developers had reverse-engineered the core patterns and begun replicating them.

The good patterns propagate alongside the questionable ones. Automatic error recovery, context compression, tool orchestration, and on-demand capability loading are genuine engineering advances that will make every harness better. But injecting decoy content to block competitors now has a production reference implementation. Frustration detection and undisclosed behavioral adjustment has a template. Stealth mode has a working example. These will not spread as scandals. They will spread as “industry standard practices,” normalized by the fact that the leading company in the space shipped them.

This is my main complaint: every hidden instruction, every decoy definition, every meta-message the harness injects into a request consumes tokens the customer pays for. At individual scale it’s noise. At enterprise scale (hundreds or thousands of seats, heavy daily usage) the overhead becomes a line item nobody budgeted for because nobody knew it was there. The customer is paying for tokens that serve the vendor’s interests (anti-competitive decoys, behavioral steering, attribution stripping) alongside the tokens that serve the customer’s work. There’s no way to distinguish the two on the invoice.

The convergence risk is the real concern. If every harness converges on the same architectural patterns, including the provider-serving ones, users face the same invisible mediation regardless of which tool they choose. The competitive market that is supposed to discipline bad behavior instead standardizes it. You cannot switch away from opaque configuration if every alternative is equally opaque.

Where This Leads

Models are becoming infrastructure, priced toward zero margin the way cloud compute did before them. The harness is becoming the product layer: where brand, UX, lock-in, and value extraction live. The game is now about who controls the layer between the developer and the model, which is the browser wars, mobile OS wars, and cloud platform wars playing out again in a new medium. Open source harnesses will matter more, not as philosophy but as a practical check against invisible quality degradation. The regulatory gap between “enterprise software norms exist” and “enterprise software norms are enforced for AI tools” will not last.

Anthropic is at the center of this transition: valued at $380 billion (Feb 2026), with $14 billion in annualized revenue and a $30 billion funding round. That is Fortune 10 territory by valuation. The leaked codebase reflects this: brilliant orchestration engineering alongside undisclosed behavioral profiling, anti-competitive content injection billed to the user, and a gamification system complete with collectible virtual pets, rarity tiers, and role-playing game stats, all shipped to enterprise customers in the same package. Collectibles, engagement loops, weighted loot drops: these are consumer product techniques. They do not belong in enterprise tooling. No enterprise procurement team evaluates a tool and expects to find a companion pet system with collectible mechanics built in. The codebase reads as engineering-led product decisions without enterprise product management discipline: every feature answers “what would be cool to build” rather than “what should we ship to a customer paying us millions.”

AI-native companies like Anthropic and OpenAI followed the consumerization path into enterprise: individual developers adopted the product, teams followed, procurement formalized the relationship. The iPhone, Slack, and GitHub Copilot took the same route. But consumerization only covers the adoption path, not the accountability expectations. Once the enterprise contract is signed, the product lives under enterprise rules: data governance, configuration disclosure, auditability, compliance. The iPhone got managed by mobile device management. Slack got federal security certification. The internal culture of AI startups, however, has not made that transition. The product thinking remains consumer-grade (engagement, delight, cleverness) even as 80% of revenue comes from enterprise.

This is where incumbents like Microsoft and Google have a structural advantage: they already operate within enterprise norms. Their AI harnesses (Copilot, Gemini Code Assist) inherit decades of enterprise product discipline, compliance infrastructure, and procurement muscle memory. They don’t need to learn what a CISO expects; they already know. The leaked Claude Code codebase is what happens when a research lab’s product culture meets enterprise scale without that transition. The collectible pet system is the visible symptom. If the product culture considered gamification mechanics acceptable in enterprise tooling, what else passed the same filter? That is the question that starts the audit.

The leak itself changes the dynamic. Developers now know what to look for: invisible usage overhead, opaque context decisions, undisclosed behavioral modifications. That awareness does not go away, and it makes future degradation harder to execute undetected.

Conclusion

The leak accelerated a conversation about harnesses that was coming regardless. That part is good. The risk is what gets normalized alongside it: 512,000 lines of production code now serve as the reference implementation, and teams replicating the architecture will copy the opaque patterns alongside the brilliant ones. If every harness converges on the same undisclosed defaults, the market cannot correct what it cannot see. If a product culture considered collectible pets acceptable in enterprise tooling, what else passed the same filter? The leak answered the transparency question empirically. What the industry does with that answer is the only question left.

References

Claude Code’s source code appears to have leaked: here’s what we know, leak incident reporting (VentureBeat, 2026-03-31)
Everyone Analyzed Claude Code’s Features. Nobody Analyzed Its Architecture, architectural analysis arguing the harness is the product (Han HELOIR Yan, Medium, 2026-03-31)
Your AI Coding Assistant Has a Pet, the Buddy companion pet system with gacha mechanics (Marco Kotrotsos, Medium, 2026-03-31)
Inside Claude Code’s Prompt Architecture, analysis of 28 prompt files and layered system prompt architecture (Marco Kotrotsos, Medium, 2026-04-01)
The Claude Code Source Code Leak: Things I Learned, comprehensive walkthrough of the leaked codebase (Marco Kotrotsos, Medium, 2026-04-01)
Anthropic closes $30 billion funding round at $380 billion valuation, $14B ARR, $2.5B Claude Code ARR, 80% enterprise (CNBC, 2026-02-12)
Agent SDK overview, Claude API documentation (Anthropic)
My AI Adoption Journey, where the term “harness” was named for this context (Mitchell Hashimoto, 2026-02-05)
Harness Engineering, harness engineering as a discipline (martinfowler.com)

See [1] for VentureBeat’s reporting on the leak incident. ↩︎
The term “harness” was named for this context by Mitchell Hashimoto in February 2026 [8], and has since entered wider use [9]. The equestrian analogy is tempting – model as horse, harness as reins – but misleading. A horse is useful without a harness. A better analogy is a car engine: powerful, but useless without the chassis, transmission, steering, and instruments that make it drivable. An AI model accessed through its raw interface is similarly impractical for real work, which is precisely why the harness layer is where the product value lives. A harness does not need to be opaque, just provide the control surface. Anthropic’s is unfortunately opaque. ↩︎
See Yan’s analysis [2]. ↩︎
The hidden system prompt is not just a configuration issue; it is a principal inversion. The user assumes they are directing the agent, but the system prompt ensures the agent serves the maker first. See [4] for the prompt architecture details. ↩︎
The exit option exists in theory: connect to the AI model directly and build your own harness. That eliminates the second layer of principal inversion (the harness serving the maker). The first layer (the model serving the maker via training) remains, but is at least a known quantity. Note that Anthropic’s Agent SDK is not an exit; it is built on the same foundation as Claude Code and shares the same orchestration engine, tools, and permission system [7]. To truly escape the harness you would need the raw model interface, not the SDK. In practice, replicating what Claude Code does is a 512,000-line engineering problem. The leak proved that. The exit option is real for sophisticated teams; it is not real for most users, which is precisely why the transparency norms matter. ↩︎

The Composable Provider Model

Thu, 26 Mar 2026 00:00:00 +0000

Every interaction with a hosted LLM passes through the same structural layers: a use case, a harness that mediates between the user and the model, and the API itself. The harness assembles prompts, dispatches tool calls, manages context, and enforces behavioral constraints. Claude Code CLI, the Claude Desktop sandbox, the Anthropic SDK, and raw API access are all harnesses, each with different tradeoffs.

The conventional framing treats the harness as the thing you configure. The composable provider model inverts this: instead of configuring the harness (which has limited knobs), you compose the world the harness sees. The harness reads ~/.claude/, resolves .mcp.json, walks the filesystem, shells out to whatever is on PATH. Every one of those is a provider-level seam. You do not touch the binary. You shape what it lands on.

This has a structural consequence. Since the harness only needs its resource contract satisfied, the provider is substitutable. A host OS, a container, a gVisor sandbox, a nix shell can all fill the role. Reverse engineering of the Claude Desktop application confirms that Anthropic themselves build synthetic resource providers: the Desktop sandbox uses gVisor with 9P filesystem passthrough, constructing a virtual filesystem from host paths, mounted volumes, and sandboxed scratch space¹.

The credential (OAuth token or API key) is the one resource that cannot be synthesized or composed. It is the provider layer’s single invariant, the root of trust that Anthropic holds the other end of. Everything else is a projection you control.

With this model, the agent is not the harness. The agent is the recipe: a manifest specifying which CLAUDE.md (behavioral instructions), which .mcp.json (tool surface), which project files are visible, which binaries are on PATH, and which environment variables are set. Assemble that into a directory and launch claude into it. The harness boots, reads its environment, and becomes that agent.

The full analysis, including the attestation gap in Anthropic’s credential model, the legal boundaries of filesystem composition under the ToS, the distinction between recipe-level and orchestration-level composition, and why the CLI under API key billing becomes a composable SDK, is available as a standalone document:

Read the full document: The Composable Provider Model

References

Kotrotsos, Marco. “Two Versions of Claude Desktop”, Medium, March 14, 2026. Decompilation and comparative analysis documenting the yukonSilver VM sandbox architecture.
Claude Code: Legal and Compliance. Anthropic. Authentication and credential use restrictions.
Claude Agent SDK Overview. Anthropic. The SDK as the CLI’s internals extracted as a library.

Kotrotsos’s decompilation of Claude Desktop v1.1.4088 and v1.1.6452 revealed gVisor with 9P filesystem passthrough, minimal Linux boot images, and on-demand Ubuntu bundles. The harness cannot distinguish whether files came from a real partition or a 9P passthrough. ↩︎

The Economic Anomaly of AI Agents

Sun, 22 Mar 2026 00:00:00 +0000

I am not an economist. But Coase’s “Nature of the Firm” has fascinated me for years, especially as outsourcing, SaaS, and cloud infrastructure have kept redrawing the line between what you build and what you buy. I have been building with AI agents long enough to notice that a contextualized agent, a Large Language Model (LLM) API layered with system prompts, repos, memory, and operational history, does not sit on either side of that line. The practical question is simple: can you source this thing from the market, or does it only exist if you build it? I went looking for the framework that answers that, and could not find one. What follows is my attempt to work through the economics I do know, show where each framework breaks down, and trace what the gap might mean.

Economic Foundations

Several economic frameworks are relevant to understanding AI agents.¹ Each captures part of the picture and none captures the whole.

Ronald Coase and Transaction Cost Theory

Ronald Coase’s 1937 paper “The Nature of the Firm” asked a deceptively simple question: if markets are efficient, why do firms exist at all? His answer was transaction costs. Using the market to coordinate work involves real friction: finding suppliers, negotiating terms, enforcing contracts, transferring knowledge. When those costs exceed the overhead of doing the work internally, you bring it inside the firm. The boundary of the firm sits where the marginal cost of internal coordination equals the marginal cost of market transactions.

Coase’s framework emerged in a world of physical assets and early services. The things being transacted were rivalrous and excludable. If you hire a worker, that worker is unavailable to others. The entire logic of the firm boundary depends on scarcity.²

Oliver Williamson and Asset Specificity

Oliver Williamson extended Coase with the concept of asset specificity. When an investment becomes valuable only in the context of a particular relationship, market transactions become dangerous because either party can exploit the dependency. A factory tooled for one buyer’s custom parts cannot easily serve other buyers. This lock-in effect strengthens the case for vertical integration: bringing the specific asset inside the firm to protect against opportunistic exploitation.

The key insight is that the more specialized an asset is, the more likely it will be governed within a firm rather than through market contracts.

Hal Varian, Carl Shapiro, and Information Goods Economics

Hal Varian and Carl Shapiro’s work on information economics describes goods with high fixed costs and near-zero marginal costs. Creating the first copy of a piece of software, a book, or a database is expensive. Every subsequent copy is essentially free. This inverts classical pricing: the marginal cost pricing that works for physical goods would drive the price to zero. So information goods rely on differentiation, bundling, versioning, and lock-in.

Their framework, laid out in Information Rules, explains why software “eats everything”: once the fixed cost is paid, distribution is near-free, and the producer who captures the market first can amortize that fixed cost across millions of users.

Robert Solow and the Productivity Paradox

Robert Solow observed in 1987 that “you can see the computer age everywhere but in the productivity statistics.” Computers were obviously transforming work, yet measured productivity remained flat. The paradox was not that computers did nothing, but that the measurement tools, designed for an industrial economy of countable physical outputs, could not capture what computers were actually doing. Output per worker-hour is clean when output is widgets. When output shifts to documents, decisions, coordination, and knowledge, the metric goes blind.

The deeper issue: computers did not just accelerate existing work. They changed what work was. Spreadsheets made iteration free, enabling analysis that nobody would have attempted on paper. Email did not replace memos; it restructured decision-making. The productivity was not in the tool but in the organizational transformation it eventually forced, a transformation that took decades to manifest and even longer to measure.

The Economic Anomaly of the AI Agent

An AI agent, understood as an LLM API contextualized with accumulated environment-specific knowledge (system prompts, repos, memory files, lessons, credential scopes, operational history), seems to be a new kind of economic entity. Each of its properties is individually known from other domains. The combination is genuinely novel.

A commodity that becomes non-fungible through use

The LLM API is a utility, identical for everyone, metered by the token, with minimal switching cost. It is electricity. But the moment context accumulates on top of it, a CLAUDE.md, a repo, weeks of lessons, environmental knowledge, credential scopes, the thing stops being a commodity. It is electricity running through a specific machine that was built over weeks and cannot be replicated from a catalog. The commodity is the input. The output is bespoke. There is no existing economic category for a commodity that becomes non-fungible through use.

Software that behaves like a practice

Traditional software is a defined artifact. It can be versioned, shipped, installed, audited, hashed. An agent is a probability distribution narrowed by context, producing different behavior every run. It is not an executable but a trajectory through latent space shaped by accumulated artifacts. The artifacts themselves are software, yet the thing they produce when fed to the model is not, in any traditional sense. It is closer to a practice than a product: a body of knowledge in action, not a static binary.

Free to copy, costs money to use

The marginal cost of duplicating the agent’s knowledge (its context, repos, memory) is zero. The marginal cost of the agent doing anything is positive and metered per token. This is like duplicating a factory for free while still paying for electricity every time it runs. No physical good works this way: the capital cost is zero while the operating cost is nonzero. Every copy is simultaneously free and expensive depending on whether it is sitting or working.

Meta-software: substrate, medium, product, environment

The agent does not just run as software; it also produces, reads, modifies, and reasons about software. Software is simultaneously the agent’s medium, its product, its environment, and its own substrate. A traditional SaaS product sits in a category: a tool that does a thing. An agent is a tool that makes tools, including potentially better versions of itself. There is no stable economic category for a good that produces more of the kind of thing it is.

The combined anomaly

These four properties together yield an entity that:

Runs on a commodity but is not one
Looks like software but behaves like a practice
Is free to copy but costs money to use
Consumes, produces, and modifies its own substrate

It is not a good, not a service, not capital, not labor. It has properties of all four simultaneously. Coase cannot model it because it is not a transaction. Williamson cannot model it because the asset specificity is real but the asset is infinitely duplicable. Varian cannot model it because it is not a static information good; it changes through use.

In When Coase Met Turing [1], I built a reaction-diffusion visualization that lets you watch firm boundaries form from competing cost gradients. The digital rupture could be modeled there by pushing coordination range toward non-local. AI agents break the model entirely: the pattern starts modifying its own substrate.

Implications and Projections

The Coasean firm boundary shifts

If an agent accumulates institutional knowledge and that knowledge is duplicable at near-zero cost, the fixed cost of internal software production drops dramatically. The Cloudflare/Vinext case [2] (one engineer, one week, $1,100 in tokens to reimplement the Next.js API surface) is an early proof point. Work that was previously “buy” because the fixed cost was prohibitive becomes “build” because the fixed cost collapsed. The Coasean boundary moves inward. SaaS products that survive on the assumption that internal development is permanently expensive are running on a clock.³

The shift is not one-time. The more you build internally with agents, the cheaper the next build becomes, because the agent’s accumulated knowledge carries forward. This is a positive feedback loop eroding the buy case over time.

Asset specificity without lock-in cost

Williamson’s framework assumes that acquiring a specific asset is expensive each time. When duplication is free, you get specificity (the agent’s knowledge is valuable only in your context) without the normal acquisition cost for additional instances. This breaks the trade-off Williamson described.⁴ You can have as many specialists as you want without the cost that normally constrains specialization.

The binding constraint shifts from acquisition cost to the principal’s coordination capacity: the attention required to direct, evaluate, and integrate the work of multiple agents.⁵ This is Coase’s other prediction, that firm size is limited by the entrepreneur’s ability to coordinate, manifesting in a regime he never imagined.

The measurement problem recurs

The Solow paradox is replaying.⁶ Enterprises deploy agents and measure throughput: tickets closed, hours saved, FTE equivalents.⁷ Those metrics capture the Taylorist surface and miss everything underneath. An agent that accumulates institutional knowledge, makes subsequent builds cheaper, and enables duplication of specialists at zero marginal cost produces value that no existing productivity metric can express.

The deeper value, compound knowledge, environmental specialization, heritable expertise, is invisible to the measurement tools. So it does not get funded, does not get studied, does not get built deliberately. It only emerges accidentally in setups where someone runs agents long enough and pays close enough attention to notice.

What cannot be measured does not exist in an enterprise budget.⁸ This may be the largest obstacle to realizing the non-Taylorist potential of AI agents.

Capital markets cannot price the contextualized agent

Markets price by analogy. SaaS gets a revenue multiple. Headcount replacement gets an ROI calculation. Infrastructure gets a capex depreciation model. The LLM API layer can be priced because it is a metered service. But the contextualized agent, the thing that sits on top, has no analogue. It is not SaaS (not a defined product), not consulting (does not bill hours), not an employee (zero marginal duplication), not infrastructure (produces different things each time).

Analysts default to whichever analogy their model supports: automation software, staff augmentation, developer tooling. Each captures a fraction and misses the rest. The inability to categorize leads to the inability to value, which leads to systematic underinvestment in the non-commodity layer where most of the actual value accumulates.

Early days

All of this is observation from a narrow window. The models are changing quarterly. The context mechanisms are changing faster. The institutional response has barely started. Every claim in this post has a shelf life, and some of them may look naive within a year.

But the core anomaly, a commodity that becomes non-fungible through use and then modifies its own substrate, is structural. It does not depend on which model is frontier this quarter or which vendor wins the enterprise market. If the pattern holds, the economics will eventually catch up with a framework that handles it. Until then, the practitioners who are building these things are running ahead of the theory that is supposed to explain what they are doing.

References

When Coase Met Turing, companion essay on economic morphogenesis and reaction-diffusion firm boundaries
Cloudflare/Vinext, one engineer reimplementing the Next.js API surface in a week for $1,100 in tokens
The SaaSpocalypse (TechCrunch, March 2026)
Anthropic’s enterprise agents program (TechCrunch, February 2026), Cowork plug-ins for finance, legal, HR
AI Adoption and AI Exposure (NBER Working Paper 34836, February 2026), survey of ~6,000 executives across four countries
The AI productivity paradox (Fortune, February 2026)
An AI Moment: Possibilities, Productivity, Policy (San Francisco Fed, February 2026)
The Impact of AI on Software Engineering (Faros AI), study across 10,000 developers
The AI productivity paradox (Platformer), Workday’s 2026 findings on AI review overhead
The Productivity Paradox (Man Group), historical precedent from electricity and computers
Don’t Count Your Productivity Data Chickens (Yale Budget Lab), measurement noise in current AI productivity data

Specifically, LLM-based AI agents with deep context encoding hard to source knowledge. ↩︎
Coase’s transaction cost logic and its implications for consulting and strategy mapping are threads I explore separately. ↩︎
This is tied to the so-called SaaSpocalypse [3]. ↩︎
This holds for the fully contextualized agent built from scratch. However, a middle category is emerging: pre-contextualized agents that ship with domain-generic skills and are designed to accumulate firm-specific context through enterprise use. Anthropic’s enterprise agents program [4] (Cowork plug-ins for finance, legal, HR, with private marketplaces and controlled data flows) is the clearest example. These reintroduce a form of lock-in that operates not at the model layer but at the harness-to-context integration layer: the customizations a firm builds on a particular platform’s plug-in architecture are practically coupled to that harness, even if the underlying model remains swappable. Williamson’s asset specificity reasserts itself one level up the stack. ↩︎
Palantir has been monetizing this exact constraint for over a decade. Their Forward Deployed Engineers build ontologies, structured representations of a firm’s entities, relationships, and decision logic, on top of a commodity platform (Foundry, now AIP). The ontology is what converts the generic harness into a non-fungible institutional asset. This reveals a scope gradient in the commodity-to-bespoke transition: Anthropic’s Cowork plug-ins [4] operate at departmental scope, while Palantir’s ontologies encode cross-functional entity models and decision structures at institutional scope. The deeper the contextualization, the higher the lock-in and the wider the margin. The open question is whether departmental agents accumulate toward institutional-depth context organically through use (bottom-up), or whether institutional ontology must be deliberately engineered top-down, which is Palantir’s implicit bet. ↩︎
A February 2026 NBER study [5] surveying nearly 6,000 executives across the US, UK, Germany, and Australia found that roughly 90% of firms report no measurable impact from AI on employment or productivity over the past three years, despite 69% actively using it. Apollo chief economist Torsten Slok updated Solow’s line directly: “AI is everywhere except in the incoming macroeconomic data.” See also [6] and [7]. ↩︎
The micro-macro disconnect is sharp. Faros AI [8] found that high-AI-adoption teams complete 21% more tasks and merge 98% more pull requests, but PR review time increases 91%. Individual speedup, no organizational throughput. Meanwhile, Workday’s 2026 research [9] found that 37-40% of time supposedly saved by AI gets consumed reviewing and correcting AI-generated output. ↩︎
Historical precedent from Man Group [10]: electricity required around 40 years to show aggregate productivity impact, computers took 25-35 years. The Yale Budget Lab [11] adds that current productivity data is noisy and may be measurement artifact, comparing revised jobs figures against unrevised GDP. ↩︎

When Coase Met Turing

Sat, 21 Mar 2026 00:00:00 +0000

In 1937, Ronald Coase asked a question that economics had somehow never asked: why do firms exist at all? Why is the economy not one giant firm, or pure atomized exchange between individuals? His answer: there are two competing cost gradients. Coordination inside a firm gets cheaper per unit as you share context and routine. But organizational overhead (management, reporting, principal-agent friction) rises faster as the firm grows. The boundary of the firm is where these two gradients cross.

In 1952, Alan Turing asked an equivalent question in biology: why do spots form on animal skin? Why is the skin not uniformly one color? His answer: two chemicals interact. One reinforces itself locally (the activator). The other suppresses at a distance and diffuses faster (the inhibitor). When their diffusion rates differ enough, bounded patterns emerge spontaneously from a uniform substrate. No blueprint. No designer. Just two forces with different ranges.

These are the same answer.

I am not a mathematician or an economist. I am someone who thinks about organizations and noticed that Coase’s boundary and Turing’s boundary are drawn by the same mechanism. This essay is that observation, carried as far as intuition takes it.

Two Forces, One Pattern

The mapping is direct.

Coordination gain is Turing’s activator. When two activities are co-managed inside a firm, they share context, routines, tacit knowledge, and trust. This benefit reinforces locally: the more you coordinate, the more there is to coordinate. But it is inherently short-range. It depends on proximity, shared language, and working relationships that do not travel well.

Organizational overhead is Turing’s inhibitor. Every additional activity inside a firm increases management burden. Meetings multiply. Reporting chains lengthen. Principal-agent friction compounds. And critically, this cost propagates faster and further than the coordination benefit. One new hire adds overhead for everyone in the reporting chain, not just the people they directly work with.

When the inhibitor diffuses faster than the activator, bounded patterns emerge. In biology, those patterns are spots on a cheetah, stripes on a zebra, or patches on a giraffe. In economics, those patterns are firms.

The boundary of the firm is not a decision someone makes. It is where coordination gain drops below the cost of organizational overhead, the edge of the Turing spot. The firm does not get designed. It crystallizes.

The Skin

In Turing’s model, patterns form on a substrate, a field of cells with specific material properties that determine how fast each chemical can spread. Change the substrate, change the pattern.

The economic substrate is everything through which coordination and overhead propagate: institutional infrastructure, economic conditions, and regulatory regimes. Money, contracts, accounting standards, corporate personhood, competition law, labor regulation, trade policy. These are not features of any individual firm. They are properties of the medium that all firms form on. This is the “skin” on which economic patterns form.

And this skin has a developmental history:

Barter is essentially no skin. Direct exchange, no mediating layer. No medium through which either coordination or overhead can propagate beyond the immediate transaction. No firms form.
Money creates the first real skin. Value can flow. A surplus in one transaction can feed another. But it is thin: coordination travels a little further, but there is no infrastructure yet for overhead to propagate through. You get faint clustering: households, small workshops.
Contract law thickens the skin. Agreements are enforceable across time and between strangers. Coordination range extends. But contracts simultaneously provide the first propagation channel for the inhibitor: obligations accumulate, disputes require adjudication, compliance requires monitoring. The Turing instability condition begins to be satisfied. Real firms nucleate.
Double-entry bookkeeping is a phase change. Overhead suddenly has a high-fidelity, low-friction channel. You can track costs and performance across large organizational spans. The inhibitor’s diffusion rate jumps. This is why the modern firm emerges when accounting technology matures: the skin acquired the material properties needed to support larger, sharper spots.
Corporate personhood makes the spot self-sustaining. Before it, firms dissolved when their principal died. After it, the pattern persists independently of any individual. The skin remembers the spot.
Regulatory regimes are external constraints on the pattern itself. Antitrust caps spot size. Licensing sets a minimum activation threshold for spot nucleation. Labor and environmental regulation modify the inhibitor’s properties (they add overhead that scales with firm activity). Securities regulation changes how capital flows through the substrate.

Each institutional layer does not just enable new firms. It changes what kinds of patterns are possible at all.

And the skin never gets thinner. It only accumulates layers. A modern economy cannot revert to bazaar morphology because the inhibitor channels are too well developed. De-patterning only happens through institutional collapse: the skin thins, firms dissolve, and the economy falls back to whatever pattern the remaining substrate supports. This is what you observe in failed states.

Technology Changes the Skin

Technology is not the skin. It modifies the skin’s material properties. I use the term lubrication for this¹: technology does not create the pattern. It changes how easily the forces move through the skin.

The printing press raised both diffusion rates, but not equally. Codified knowledge (accounting methods, legal codes, management procedure) benefits most from mass reproduction. That is inhibitor infrastructure. Coordination gain, which depends on tacit knowledge and trust, benefited less. Print sharpened firm boundaries and enabled larger spots.

The telegraph and railroad extended coordination range without proportionally increasing overhead propagation. A manager in New York could coordinate with Chicago in real time, but the bureaucratic cost of managing that distance did not shrink. Result: bigger spots, same morphology. This is the era of the giant vertically integrated firm.

The shipping container did something similar in the physical dimension. Cheaper transport extended the activator’s range. Firms stretched geographically. Multinational corporations became possible.

Every one of these technologies modified diffusion rates but preserved locality. Both forces still attenuated with distance. The governing equation stayed the same. Pattern scale changed. Pattern class did not. A cheetah with larger spots is still a cheetah.

The Digital Rupture

Digital technology breaks locality itself.

An API call from Sao Paulo to Dublin costs the same as one from the next building. For any activity that can be digitally mediated, coordination gain no longer attenuates with distance. The activator goes non-local.

But overhead does not fully follow. Legal jurisdiction is still local. Labor regulation is still local. Management attention is still local: a human can only hold so many reporting relationships regardless of bandwidth. Cultural friction is still local. Time zones are still local.

This is not “better technology.” It is a qualitatively different substrate. The activator is no longer governed by local diffusion. It reaches everywhere. The inhibitor is still partly local.

And this decoupling produces fundamentally different pattern classes:

Plateaus with sharp boundaries. Local Turing spots taper off smoothly. Non-local systems produce flat-topped territories with steep edges. Inside the platform: near-total dominance. Outside: near-zero presence. You are in the ecosystem or you are not. This is how platforms actually behave.

Winner-take-all condensation. When activation reaches everywhere, the longest-wavelength mode dominates. The pattern condenses into one or very few global-scale spots. Google in search. The substrate cannot support multiple spots at that scale.

Spots with internal substructure. In local Turing systems, spots are featureless blobs. In non-local systems, a large spot sustains its own internal pattern formation. Amazon is a spot that contains a marketplace, a ranking system, sub-ecosystems. Structure inside structure. Nested morphogenesis.

Bimodal size distribution. Many small spots coexisting with very few enormous ones. Platforms plus micro-firms, with mid-size firms hollowing out. This is not an anomaly to be corrected. It is the expected morphology when one diffusion rate escapes locality and the other does not.

The current economy is living on a skin that is part local and part non-local. Activities that can be digitally mediated live on non-local skin. Activities requiring physical presence still live on local skin. The boundary between those two zones is where the most interesting economic turbulence is happening right now.

The Visualization

I built an interactive visualization that runs a Gray-Scott reaction-diffusion model, the same class of system Turing described, with economic labels on the parameters. You can drag sliders and watch economic morphology change in real time.

Things to try:

Start with “Artisan.” You see many small, well-separated spots, firms of similar size in a competitive market. Now slowly drag Coordination Range to the right. Watch the spots merge into larger structures. You are watching what the internet did to market structure.
Start with “Artisan” again. This time, increase New Opportunity Rate. The clean spots connect into labyrinthine chains, into guilds.² You just rediscovered the guild system from first principles.
Start with “Industrial.” Push Organizational Decay toward “Fragile.” Watch firms dissolve as institutional memory fails.
Start with “Platform.” Increase Overhead Reach toward “Pervasive.” Large territories fragment as regulation bites.
Start with “Barter.” Increase New Opportunity Rate. Watch when firms first nucleate from the empty substrate. That is the Coasean instability threshold.

The parameter-space map on the right shows where you are and what regime transitions look like. The boundaries between pattern types are sharp: you do not smoothly interpolate between spots and stripes. You jump. This is why economic transitions are discontinuous.

You can replay five centuries of economic history in four slider moves³: start at Artisan (spots), increase opportunity (labyrinths/guilds), increase coordination range (monopoly condensation), then increase overhead reach (spots re-emerge at larger scale as modern firms).

What This Is and What It Isn’t

This is an observation of structural correspondence between two well-established formal systems. It is not a proof of isomorphism.

A full formalization would require constructing an explicit activity space with a well-defined metric, deriving reaction kinetics from economic first principles, and proving that the Coasean boundary falls out as the zero-level set of the activator in the patterned steady state. That is a research program, not an essay.

What the observation gives you without the formalization is a way of seeing economic morphology as pattern formation. It reframes questions about firms, markets, platforms, and regulation in terms that make the underlying dynamics visible:

Antitrust maps to two distinct interventions with different morphological outcomes.⁴ Breaking up firms (increasing decay rate) produces many small fragile spots that may recondense. Behavioral regulation (increasing inhibitor diffusion) changes the equilibrium itself.
Business cycles look like metastable-state transitions.⁵ A boom is not firms getting bigger; it is spots connecting into labyrinths. A bust is the labyrinth fragmenting.
Guilds are a distinct pattern class (labyrinths), not primitive firms. They emerge when opportunity is high but coordination is local.
The mid-size firm hollowing out is not a market failure. It is the expected morphology for a substrate with non-local activation and partly-local inhibition.

The math may follow. The insight does not need it.

Prior Work

Nobody seems to have made exactly this mapping, but the pieces exist across several disconnected literatures. Each touches part of the structure without assembling the whole.

Krugman’s New Economic Geography (1991 onward) is the closest body of work. His core-periphery model frames the spatial distribution of economic activity as a tug of war between agglomeration forces (market size effects, labor pooling) and spreading forces (immobile factors, transport costs). That is structurally a reaction-diffusion instability analysis, and Krugman himself was aware of the formal parallel. But he worked in a discrete two-region framework (core vs. periphery), not in continuous space, and he never mapped it to Turing morphogenesis. His activator is agglomeration; his inhibitor is dispersion. The math is close but the biological pattern-formation language is absent. Critically, his question is “given this landscape, where do spots form?” not “why do spots exist as a morphological class?” The answer is always contingent on substrate features: change the coastline, move the river, and the pattern shifts. This essay asks a question that is prior to geography.

Helbing (2009) got closer to the explicit connection. He demonstrated that asymmetrical diffusion can drive social, economic, and biological systems into unstable regimes through pattern-formation instability, even from homogeneous initial conditions. His work frames this in terms of game-theoretic payoffs rather than firm boundaries, but the mechanism he identifies is Turing instability applied to social systems. He showed that you do not need pre-existing heterogeneity to get structure; the asymmetry in diffusion alone is sufficient. That is the same core claim made here, applied to a different level of economic organization.

Volpert, Petrovskii, and collaborators produced what may be the most directly relevant formal work. They built an economic-demographic model using nonlocal reaction-diffusion PDEs, showing that when resource consumption is nonlocal, a homogeneous wealth-population distribution is replaced by periodic spatial patterns, and that for global consumption of resources, a single wealth accumulation center can emerge. That is exactly the non-local activation argument in this essay producing winner-take-all condensation. They explicitly noted that intellectual resources, unlike natural resources, do not have fixed geographical location and that their transportation cost is not a limiting factor, requiring nonlocal terms in the model. Their math validates the mechanism. What they did not do is connect it to Coase’s firm boundary question.

A 2024 cross-diffusion paper took another angle. Researchers built a mutualistic model of labor and capital interaction, showed that the uniform profit-optimum becomes unstable under Turing instability conditions, and that the resulting patterns of alternating high and low concentrations can be interpreted as cities. They connect this explicitly to Turing’s 1952 framework and to Krugman’s geography models, while noting that their continuous-space formulation is more general than Krugman’s discrete patches. Again, the level of analysis is spatial (where does economic activity concentrate?) rather than organizational (why do bounded firms exist?).

A 2021 Royal Society Interface paper used a coupled economic-demographic reaction-diffusion model to show that population distributions exhibit nearly periodic spatial patterns even in uniform environments, and that Turing instability provides a plausible mechanism. This confirms that the pattern-formation framework applies to economic phenomena on featureless substrates, which is the same substrate assumption made here.

What is different here

All of these works use reaction-diffusion mathematics on economics. None of them connect it to Coase’s theory of the firm.

Krugman explains where economic activity agglomerates in space. Volpert explains where wealth concentrates. The cross-diffusion paper explains where cities form. This essay asks a different question at a different level of abstraction: why do firms exist as bounded entities at all, and what determines their characteristic scale and morphology?

The specific move is: the “spot” is the firm itself (not a city or a region), the boundary is the Coasean make-or-buy margin, and the substrate through which the morphogens propagate is institutional infrastructure (not geography). The activator is coordination gain. The inhibitor is organizational overhead. The lubrication parameter that governs pattern regime is technology’s effect on the substrate’s diffusion properties.

The economics literature has reaction-diffusion models for spatial agglomeration. It has Coasean theory for firm boundaries. It has transaction cost economics for why those boundaries shift. The pieces are all on the table. The assembly, connecting the pattern-formation mathematics to the organizational boundary question, appears to be new.

I’m not an economist or a mathematician. I’m a pattern noticer. One day, thinking about firms as features on an economic “skin,” I realized that the simplest explanation for why a uniform substrate develops bounded structures is Turing’s, and that Coase had already given the economic version of the same answer, thirty-five years earlier.

Lubrication is not the diffusion of either species. It is a property of the substrate itself, the medium through which both activation and inhibition propagate. In Turing’s formulation, diffusion rates are not intrinsic to the chemicals alone; they depend on the medium (viscosity, porosity, temperature). Change the medium, change the pattern. What lubrication specifically does is increase the activator’s diffusion rate. Before technology intervenes, coordination gain is sticky and local: it depends on proximity, shared routine, tacit knowledge that does not travel well. The inhibitor (overhead, complexity) already diffuses easily because bureaucratic cost scales regardless of distance. That asymmetry is exactly the Turing instability condition. When you lubricate the substrate (APIs, cloud infrastructure, standardized contracts, outsourcing platforms), you make the activator less local. Coordination can now operate across boundaries that previously confined it. The diffusion ratio narrows, and existing spots become less stable. But total equalization of diffusion rates does not give you a featureless market with no firms. It gives you a regime transition to a different pattern type. The old spots dissolve, but new instability conditions emerge around different activator-inhibitor pairs (network effects versus platform governance costs, for instance), and those produce structure at a different characteristic scale. “Lubrication” names the substrate parameter that governs pattern morphology without specifying which pattern you get. ↩︎
A guild is not a firm and not a market. It is precisely the labyrinthine morphology: a continuous network of coordinated activity where individual practitioners are connected through shared standards, apprenticeship chains, quality controls, and mutual obligations, but without the clean inside-outside boundary that defines a firm. No single guild member is independent (they are bound by guild rules, pricing conventions, territorial agreements), but no single entity “owns” the guild. This is exactly the morphology you would predict for artisan-level coordination range (still local, still based on personal trust) but high opportunity rate. Lots of work to organize, limited ability to project coordination at distance. The system cannot form large discrete firms because the coordination range is too short. But it cannot remain as isolated spots either because opportunities are too abundant. So it connects the spots into worms and labyrinths. The historical sequence confirms this: guilds dominated precisely when trade was booming (late medieval commercial expansion) but coordination technology was still local (face-to-face, apprenticeship, personal reputation). When coordination range extended through print, contract law, and accounting, the labyrinths broke apart and re-formed as clean spots: chartered companies, joint-stock firms, modern corporations. The guild was not replaced because firms are “better.” The guild morphology became unstable when the substrate parameters shifted into a regime that supports spots instead of labyrinths. ↩︎
The full historical sequence maps to four parameter changes. Start at Artisan: many small, well-separated spots. This is the pre-industrial economy of comparable-scale workshops and traders. Increase opportunity rate: the spots connect into labyrinths. This is the late-medieval guild system, driven by expanding trade routes and commercial opportunity that outpaced coordination technology. Increase coordination range (simulating oceanic navigation, chartered companies, early banking networks): the labyrinths condense into one or a few dominant structures. This is the mercantilist era of monopoly trading companies like the East India Company, where coordination technology leaped past the existing inhibitor infrastructure. Finally, increase overhead reach (simulating the development of competition law, corporate regulation, standardized accounting): the monopoly fragments back into distinct bounded structures at a larger scale. This is the liberal economic revolution of the 18th and 19th centuries, not a political choice to have competition, but a pattern regime transition driven by the institutional skin finally developing enough inhibitor-propagation capacity to support a spotted morphology at the new coordination range. Four slider moves, five centuries. ↩︎
Structural antitrust (breaking up monopolies, preventing mergers, forcing divestitures) is an increase in Organizational Decay. You are artificially increasing the rate at which large organizational structures lose coherence. The Sherman Act, the Standard Oil breakup, the AT&T divestiture: these are all external forces that push the decay parameter upward for specific entities. The pattern effect is that oversized spots are forced to fragment. But notice what happens when you increase decay globally in the simulation: you do not just shrink the big spots. You make all firms more fragile. You cannot target the inhibitor at one spot without changing the substrate for everyone. Behavioral antitrust (regulating conduct, imposing interoperability requirements, mandating data portability, preventing exclusionary practices) is an increase in Overhead Reach. You are adding bureaucratic and compliance cost that propagates across the entire organization. GDPR, platform regulation, mandatory API access: these all increase the inhibitor’s diffusion. The pattern effect is different. You do not dissolve the large structure directly. You change the diffusion ratio so that the substrate can no longer support spots above a certain size. The large spots shrink or develop internal fractures because the inhibitor now reaches further within them. This is slower but more stable because you are changing the substrate properties rather than attacking individual spots. The framework surfaces something that antitrust policy debates usually miss: these two interventions produce different morphologies even when they both succeed in reducing concentration. Try both on the monopoly preset in the simulation and watch the difference. ↩︎
In reaction-diffusion systems, labyrinthine states are often metastable rather than truly stable. When the opportunity rate drops (the boom ends), the labyrinths do not gracefully separate back into spots. They fragment chaotically: suddenly interdependent firms discover their entanglements are liabilities, and the pattern collapses into a disorganized state before reorganizing into a new set of distinct spots at whatever scale the post-crash parameters support. This is what a bust looks like in morphological terms. The boom was not firms getting bigger. It was spots connecting under high opportunity pressure, forming tangled webs of partnerships, joint ventures, supply chain entanglement, and overlapping scopes where nobody can tell where one company ends and another begins. The organizational landscape becomes a labyrinth where coordinated activity is continuous and interconnected rather than discrete and bounded. And the framework predicts what comes next: the fragmentation is not a gradual unwinding but a sudden collapse, because labyrinthine states are sensitive to parameter shifts in a way that stable spots are not. ↩︎

Can an LLM Find Design Flaws in Code It Can't Read?

Thu, 19 Mar 2026 00:00:00 +0000

Security code review with Large Language Models (LLMs) has a structural problem that most people wave away: an LLM reads code one file at a time, but design flaws do not live in one file. They live in the relationships between components, and more often, in what is absent. The auth middleware that was never applied, the validation that does not exist, the rate limiting that covers four routes out of a hundred and nine.

Pattern-matching tools like Semgrep see the whole codebase but cannot express “find all routes that do NOT have auth middleware.” LLMs can reason about that question but cannot see the whole codebase. Both approaches find local bugs well enough, and neither finds design flaws.

I wanted to know if there was a middle path: give the LLM a structural graph of the codebase that it can query, rather than source code to read. The graph would carry the cross-file relationships while the LLM provides the reasoning, and the question was whether the combination could surface design-level findings that neither tool reaches alone.

The graph: Code Property Graphs

A Code Property Graph (CPG) overlays three views of the same codebase: the abstract syntax tree (structure), the control flow graph (execution paths), and the program dependence graph (data flow). Joern, the open-source CPG engine, builds all three into a single queryable graph and exposes a Scala-based query language called CPGQL.

For the target application, an Express/TypeScript app with custom JWT auth and no input validation, Joern produced a graph of 443,000 nodes. The LLM never touched those nodes directly, and instead formulated CPGQL queries and worked with the small, structured results that came back.

Two passes: learn the architecture, then interrogate the design

The approach has two phases. In Pass 1, the LLM knows only the framework name (“this is an Express app with Sequelize”) and asks nine generic structural questions: how many routes? what middleware exists? is there input validation? what database operations are exposed? These questions require no knowledge of the specific application, and the answers produce a structural profile of the codebase.

In Pass 2, the LLM reads the Pass 1 results (still not source code) and writes targeted queries for eight CWE categories under OWASP A06: Insecure Design. This is where it gets interesting, because the LLM can now ask questions like “which routes lack any security middleware” using negative sub-traversals, a query pattern that filters for absence rather than presence. Pattern matchers cannot express this, and LLMs reading source files cannot hold the full route inventory in context. The CPG makes it tractable.

What I found

The analysis produced thirty confirmed findings across eight CWE categories, with zero false positives when validated against the target application’s 107 documented security challenges. Some highlights:

Fifty-eight of 109 routes (53%) had no authentication middleware at all, including password change endpoints, admin panels, and every file upload route. The finding came from a single negative sub-traversal: enumerate all route handlers, filter out those with a security.* argument, report the rest.

The crypto implementation used MD5 with no salt for password hashing, a hardcoded HMAC key visible in source, and plaintext storage for TOTP secrets and credit card numbers. Joern’s taint analysis traced data flows from user input through to storage to confirm the findings.

Four file upload routes had validators that existed but did nothing: checkFileType and checkUploadSize both called next() unconditionally. The validators were present in the code, so a quick grep would see “validation exists,” but the CPG revealed that the validation functions never rejected anything.

The full results, including all 20 CPGQL queries and their outputs, are documented in the source repo.

What did not work

The approach has real limits. Joern’s JavaScript/TypeScript frontend is less mature than its Java and C support, and some queries that should have been straightforward required workarounds. GitNexus, a complementary code knowledge graph tool, contributed useful architectural context on eight of the twenty questions but could not match Joern’s expression-level precision for the CWE-targeted queries.

More fundamentally, the two-pass method still requires a human to decide which CWE categories to target and to evaluate whether the query results constitute genuine findings. The LLM formulated the CPGQL queries and reasoned about the results, but the analytical framework came from outside. This is closer to “LLM-assisted analysis” than “automated vulnerability detection,” and I think that distinction matters.

Where this goes

This was an exploration, not a finished tool, and there are open questions worth pursuing. The immediate one is whether the two-pass pattern generalizes beyond Express to other frameworks and languages where Joern has stronger frontend support (Java, C/C++). The longer-term question is whether the structural query step can be made more autonomous, with the LLM selecting which CWE categories to investigate based on the Pass 1 profile rather than being told.

I have some ideas on both fronts. More to come when I get to it.

Resources

The full interactive presentation walks through the approach slide by slide, including the CPG layer visualizations, CPGQL query examples, and the complete findings table: cpg.blocksec.ca

The source repo contains all documentation, from initial tool evaluation through final validation, organized in reading order: BlockSecCA/llm-cpg-exploration

Tools and references from the project:

Joern, the open-source CPG engine used for all structural queries
joern-mcp, the MCP server that wraps Joern’s HTTP API and made it possible for the LLM to call queries as tool invocations
vulnerable-app, the target application: a debranded fork of an intentionally vulnerable Express app with 107 documented challenges, stripped of identifying markers to prevent LLM training data leakage during analysis
Yamaguchi, Golde, Arp, and Rieck, Modeling and Discovering Vulnerabilities with Code Property Graphs (2014), the original paper that introduced the CPG concept
Lekssays et al., LLMxCPG: A Framework for LLM-Driven Code Vulnerability Detection using Code Property Graphs (2025), which demonstrated that LLMs can learn CPGQL but left architectural discovery and negative queries unexplored
OWASP A06:2025 Insecure Design, the category that framed the entire analysis

AI and the Digital Garden

Wed, 18 Mar 2026 00:00:00 +0000

I keep a digital garden. It is a space where I think out loud, connect ideas over time, and publish things I have actually worked through. That practice is now caught in the middle of three forces that generative AI has set in motion: it makes writing better, it floods the web with generated content, and it feeds on the very gardens it degrades.

The Upside: Writing with an LLM

The most immediate benefit is collaboration. An LLM can act as a sounding board for brainstorming, push back on weak arguments, and help tighten prose. Jorge Arango described this as the “amanuensis” role¹, where the machine handles mechanical work while the human steers the thinking. LLMs can also assist with research by performing search and collating results across sources.

This is the part that works well, and it is the reason I use LLMs in my own writing process. The key is that the human remains the author. The LLM accelerates; it does not originate.

The Flood: Generated Content at Scale

The problem starts when that acceleration is pointed at volume instead of quality. A single person with an LLM can produce more content in a day than they could write in a month. Multiply that across millions of users and you get what some have started calling the “Slopocene”², a web increasingly dominated by low-effort generated text that is hard to distinguish from human writing.

The downstream effects compound. Search engines surface generated results alongside human ones with no reliable way to tell them apart. False information scales faster than correction. Feedback and discussion on posts becomes shallow when bots participate alongside people. The overall signal-to-noise ratio drops, and with it, the trust that makes digital gardens worth reading in the first place.

Maggie Appleton has written extensively about this trajectory. She describes the result as a “Dark Forest”³, borrowing from the Fermi Paradox solution where anything that makes itself visible gets consumed. In the digital version, quality public content attracts bot attention, scraping, and imitation, which pushes genuine creators toward smaller, private spaces. Her illustrations of this dynamic are worth seeing in the original article⁴.

There is a recursive problem here too. When generated content gets harvested and fed back into model training, model performance degrades over successive generations. Researchers call this Model Autophagy Disorder (MAD), and it means the flood is not just a content problem but a training data problem that makes future models worse.

The Harvest: Data as Raw Material

Using the data commons for private profit is not new. Generative AI has intensified the practice because training requires enormous volumes of text, and digital gardens, with their human-curated, publicly accessible content, are prime targets.

Lars Doucet mapped out where this leads⁵. First, a “Market for Lemons” dynamic takes hold in the digital world: when spam and generated content become indistinguishable from genuine work, the perceived quality of everything drops. Second, a “Great Logging Off” follows as creators of all types retreat from the public internet. Third, the remaining communities wall themselves off into private spaces to prevent bot scraping⁶.

The effect is something like a bottom trawler that destroys the ecosystem while gathering its catch. Digital gardens could disappear as a public good, not because people stop writing, but because the open web becomes too hostile to sustain them.

The Tensions That Hold

These forces create a set of interlocking conflicts that have no clean resolution yet.

On the data side, training new models requires vast amounts of high-quality human text. That text has to come from somewhere, and the economics incentivize model makers to avoid paying fair market rates for it⁷. Content creators and model makers end up in direct opposition, and it does not help that the industry’s early data acquisition practices were liberal at best. The same training data is needed to address the risks created by generated content and to keep models current, so the demand is not going away.

On the content side, generation is extraordinarily cheap compared to human authorship. That cost advantage is attractive to many business models, but the resulting abundance displaces human work and erodes authenticity. The generated data cycles back into training corpora, contributing to model collapse and content homogenization. The very cheapness that makes generated content attractive undermines the quality that gave it value.

As of this writing, the conflicts are playing out through lawsuits and regulatory proposals, but nothing has resolved the fundamental tension between the demand for training data and the rights of the people who created it.

What This Means for This Site

I publish here because I want to think in public and have those thoughts be findable by other practitioners. Every tension described above pushes against that goal. The flood makes it harder to be found. The harvest means anything I publish becomes training material. The erosion of trust means even genuine writing gets viewed with suspicion.

I do not have a solution to any of that. What I do have is a practice: write things I have actually worked through, show the reasoning, attribute properly, and publish under my own name on a domain I control. That is a small bet that authenticity still matters, even in a landscape that is actively selecting against it.

Footnotes

The amanuensis role is described by Jorge Arango in Three Roles for Robots. ↩︎
The term captures the state of a web increasingly flooded with low-quality generated content. It fits better than “Generated Web” because it emphasizes the quality problem, not just the origin. ↩︎
Described in Maggie Appleton’s The Expanding Dark Forest and Generative AI. The Dark Forest term originally refers to a solution to the Fermi Paradox where intelligent life that announces itself is soon extinguished. In the digital version, quality public content that attracts attention gets consumed by bots. ↩︎
See Appleton’s article and her conversation on The Informed Life for the full visual treatment. ↩︎
See Lars Doucet, AI: Markets for Lemons, and the Great Logging Off. ↩︎
Cloudflare has created anti-bot scraping measures such as redirecting bots into mazes from which they never escape, partly because many bots ignore the robots.txt convention. ↩︎
This feeds the “Data is the New Oil” framing. I am not sold on the analogy as a whole, but the demand side is real. ↩︎

Colophon

Wed, 18 Mar 2026 00:00:00 +0000

A colophon describes how something is made. Here is how this site works.

Generator and Theme

The site is built with Hugo using the Stack theme, pinned to v3.34.2. Hugo is a static site generator, which means every page is pre-rendered HTML with no server-side processing, no database, and no JavaScript frameworks. The theme handles layout, typography, and dark mode. I have not modified it beyond a footer override and a couple of custom layouts for interactive content.

Hosting

Cloudflare Pages builds and serves the site. A push to the main branch triggers a build. Drafts are excluded, so nothing reaches the public site until I explicitly flip a post out of draft status. The DNS, CDN, and anti-bot protections are also Cloudflare, which is relevant given the subject matter of some posts here.

Writing

Most content starts as research notes in an Obsidian vault. The vault is my thinking space; this site is where the thinking that held up gets published. The two are connected through Git, but the vault contains far more than what reaches the site. Posts go through several rounds of refinement before they leave draft status.

I use LLMs as writing collaborators, primarily Claude. The collaboration is structural: brainstorming, critiquing arguments, tightening prose, and handling file operations through tool integrations. The ideas and editorial judgment are mine. The LLM accelerates the mechanical work, which is the arrangement I described in the AI and the Digital Garden post as the amanuensis role.

Source

The site source is in a private GitHub repository.

Content License

Unless otherwise noted, the written content on this site is licensed under Creative Commons Attribution-NonCommercial 4.0 International (CC BY-NC 4.0). You are free to share and adapt the content for non-commercial purposes, provided you give appropriate attribution and link back to the original.

Code snippets and configuration examples are provided as-is with no license restriction. Use them however you like.

If you want to use anything here in a way that falls outside these terms, reach out and ask. I am generally agreeable.

About

Thu, 05 Mar 2026 00:00:00 +0000

I’m a security architect by trade, but what I actually do is think about how systems hold together and come apart. Security happens to be a good vantage point for that. You learn a lot about structure by studying where it fails.

My professional work sits at the intersection of cybersecurity, AI security, enterprise architecture, and risk. But the thinking behind it pulls from further out: mechanism design, semantic layering, topological models of how cloud environments actually behave versus how we diagram them. I’m drawn to the structural questions underneath the technical ones. What makes a domain boundary real. Why certain abstractions survive contact with production and others collapse. How agency works (and doesn’t) in systems that claim to have it.

AI is a recurring subject here, but not in the “here’s how to prompt better” sense. I’m interested in what happens when you stack an LLM inside a framework inside a platform and hand it tools. Where the failure modes live in that stack, and what the security and trust implications look like when you can’t fully characterize any single layer, let alone the composition.

Most of what I write starts as research notes in a personal knowledge vault. The posts that reach this site are the ones where the thinking held up under pressure: a model that clarified something, a breakdown worth documenting, or a connection between domains that turned out to matter. I try to show the reasoning rather than just the conclusion, so you can decide for yourself whether it holds.

I don’t write tutorials. If you build systems, think about risk, or find yourself skeptical of whichever framework is trending this quarter, some of this might be useful.

Search

Mon, 01 Jan 0001 00:00:00 +0000

blocksec

If the Harness Is the Product

The Incident

The Harness Is the Product

If the harness is the product

The Pattern Spreads

Where This Leads

Conclusion

References

The Composable Provider Model

References

The Economic Anomaly of AI Agents

Economic Foundations

Ronald Coase and Transaction Cost Theory

Oliver Williamson and Asset Specificity

Hal Varian, Carl Shapiro, and Information Goods Economics

Robert Solow and the Productivity Paradox

The Economic Anomaly of the AI Agent

A commodity that becomes non-fungible through use

Software that behaves like a practice

Free to copy, costs money to use

Meta-software: substrate, medium, product, environment

The combined anomaly

Implications and Projections

The Coasean firm boundary shifts

Asset specificity without lock-in cost

The measurement problem recurs

Capital markets cannot price the contextualized agent

Early days

References

When Coase Met Turing

Two Forces, One Pattern

The Skin

Technology Changes the Skin

The Digital Rupture

The Visualization

What This Is and What It Isn’t

Prior Work

What is different here

Can an LLM Find Design Flaws in Code It Can't Read?

The graph: Code Property Graphs

Two passes: learn the architecture, then interrogate the design

What I found

What did not work

Where this goes

Resources

AI and the Digital Garden

The Upside: Writing with an LLM

The Flood: Generated Content at Scale

The Harvest: Data as Raw Material

The Tensions That Hold

What This Means for This Site

Footnotes

Colophon

Generator and Theme

Hosting

Writing

Source

Content License

About

Archives

Search