One of the more interesting cARL (https://github.com/goldjg/cARL) releases wasn’t a new feature.
It was discovering that one of my assumptions was wrong.

Originally, cARL treated AI coding harness support as a simple binary state (and for all harnesses except GitHub Copilot which I actually use, the harness implementation was assumed to be similar):
✅ Supported
❌ Not Supported

After some end-to-end testing in Claude (first harness I’ve tried other than Copilot), I discovered reality was more nuanced.

Different coding agents handle instructions, context loading, skills, settings, memory, and repository guidance in very different ways. Some behaviours I assumed would be automatic turned out not to be.

So instead of quietly updating the docs and moving on, cARL v0.2.3 introduces harness validation tiers:
✅ Production - Tested and validated end-to-end
⚠️ Experimental - Partially validated, under investigation
🧪 Theoretical - Adapter exists, but not yet validated

The lesson isn’t really about AI coding agents.
It’s about engineering.

      Assumptions have teeth.

If testing disproves one of your assumptions, the answer isn’t to defend the assumption. It’s to update the model.

One thing I’ve criticised vendors for over the years is “shadow fixing” - quietly changing behaviour or documentation without acknowledging what was learned.
Can’t really complain when others do it if I’m willing to do the same. 🤣

So here’s the public record:
I assumed all harnesses were effectively equal.
I tested it.
They weren’t.

#cARL #GitHubCopilot #ClaudeCode #AgenticAI #Engineering #SoftwareDevelopment #AssumptionsHaveTeeth

Been mulling over this idea for a while…

Originally I was thinking about writing a book called 𝗕𝗲𝘆𝗼𝗻𝗱 𝗧𝗵𝗲 𝗗𝗼𝗼𝗿

I even put together an outline and pitched it to a publisher. Their response was that it didn’t align with their current publishing strategy.

I considered finding another publisher. I considered self publishing.

The more I sat with it, however, the more I realised it probably works best as a blog series.

The original concept was too technical to be fiction, yet too abstract to be a traditional technical security book. What started as a book proposal gradually evolved into something else entirely.

So, without further ado, let me introduce you to my new blog series: Beyond The Door.

Episode 1, 𝗧𝗵𝗲 𝗜𝗹𝗹𝘂𝘀𝗶𝗼𝗻 𝗢𝗳 𝗧𝗵𝗲 𝗟𝗼𝗰𝗸𝗲𝗱 𝗗𝗼𝗼𝗿, explores a simple idea:

𝗔𝗰𝗰𝗲𝘀𝘀 𝗶𝘀 𝗮𝗻 𝗲𝘃𝗲𝗻𝘁. 𝗧𝗿𝘂𝘀𝘁 𝗶𝘀 𝗮 𝗿𝗲𝗹𝗮𝘁𝗶𝗼𝗻𝘀𝗵𝗶𝗽.

It starts to set the scene for the series and introduces some of the assumptions about trust, access, identity, and security that I hope to unpack in future articles.

I’d love to hear your thoughts, either in the comments on the blog or here on Mastodon, and I’m looking forward to the discussions it hopefully sparks.

𝗟𝗶𝗻𝗸 𝘁𝗼 𝘁𝗵𝗲 𝗯𝗹𝗼𝗴 𝗶𝗻 𝗰𝗼𝗺𝗺𝗲𝗻𝘁𝘀 👇🏻

#BeyondTheDoor #TheIllusionOfTheLockedDoor #SecurityAssumptions #AssumptionsHaveTeeth #AccessIsAnEvent #TrustIsARelationship