Jon Gerton

Just went through the readme. The three queries at the top are doing a lot of work, anyone who's shipped a CTE DELETE has felt #1 in their bones. Real Q: is the rule severity tunable per project, or is "block" baked in? Curious how you're thinking about FP noise as adoption scales.

Late April: viral Reddit thread about an AI agent deleting someone's production database. The fear was real. Nine days later, I shipped a Python bridge to my own Convex prod database. Still running. No incidents logged so far. The agent didn't write any of the safety. The substrate did. Four files shape every Claude Code session. Identity and memory load by default. The other two load on demand. • CLAUDE.md is the load-bearing identity file. Who I am, what I sell, the 90-day priorities. The agent doesn't ask. It reads. • MEMORY.md is auto-memory across sessions. User profile, feedback rules, project state. The agent doesn't relearn me every conversation. • framework.md is the operator playbook. How decisions get made. • decisions/log.md is the append-only why-log. Reversible decisions get one line. Load-bearing ones get the full receipts. The bridge itself is stdlib Python the agent calls but did not generate on demand. Prod writes need an env flag plus a 401-preflight against an allowlisted Convex deployment. Composite idempotency key. Redacting logger before any line hits the journal. Codex reviewed the spec twice. First pass killed a cookie-auth ToS blocker. Second pass drove the prod-write guard. Both still missed an inferred field assumption. The dry-run caught it. The cache had a quieter bug. The corruption test caught it before the canary ran. None of the guardrails came from the agent improvising. They came from the spec. The spec came from research. Research came from a workflow rule in ~/.claude/projects/-home-jon/memory/MEMORY.md: research, planning, spec, implementation, with Codex adversarial review at each phase. The agent doesn't relearn it every session. It just does it. If you're going to copy one piece, copy connections.md. The registry of every external system your Agent OS can reach. Cheapest unlock there is.

An AI agent wiped a prod database on Reddit. Nine days later, I shipped a Python bridge to my own prod DB with no incidents logged so far. The agent wrote none of the safety. The spec, guardrails, idempotency keys, and dry runs did. Four files run every session: identity, memory, framework, and a decisions log. If you run agents in prod, your safety lives in your spec, not in the model.