001 · July 2026
The evaluator that caught my own bug
I build my local agent console under a rule I stole from decades in the trades: the person who sweats the joint doesn’t get to sign off on the joint. Every build gets attacked by an independent AI evaluator — a separate adversarial pass, running locally, whose only job is to break my guarantees before I call anything done.
During the portability build, it earned its keep. The console has a hard rule: if the model-selection state is corrupt, chat must fail closed — block and explain, never silently fall back to a default model. My tests were green. The evaluator went around them: it corrupted the selection state and then explicitly requested a model by name, and that request path slipped past the guard my tests were watching. Real bug, in code I’d already trusted.
I fixed it, the evaluator re-attacked the fix, and the build stood. Then the second half of the lesson arrived: a later adversarial round claimed anotherbypass — a cached-state attack that sounded completely plausible. This one didn’t survive contact with a reproduction. I wrote a runnable test that performed the exact attack against the real code; the guard held on every variant, so the claim was recorded as refuted, with the script kept as the receipt.
That’s the whole system in one story. Findings aren’t trusted because an AI said them — a bug isn’t real until it reproduces, and a green bar isn’t safety until something adversarial has failed to break it. If you’re building agents that touch real files, build the attacker before you build the features.
The system this happened to is on the Work page.