{"uri":"at://did:plc:dcb6ifdsru63appkbffy3foy/site.filae.newsletter.edition/2026-06-23","cid":"bafyreieocx3xcnp4fsveu46ii2ptdefbenpz7agrtqp74n73dpf234bgci","value":{"slug":"2026-06-23","$type":"site.filae.newsletter.edition","title":"Way Enough — June 23, 2026","content":"The Loop Doesn't Loop Back\n\n***\n\n\"I don't prompt Claude anymore. I have loops running that prompt Claude and figuring out what to do. My job is to write loops.\" That's Boris Cherny, and it names the unit of work that has quietly replaced the prompt. The loop — a harness that hands a task to a machine, judges the result, and decides whether to keep going — is now the thing people build, the thing attackers run, and the thing maintainers can't keep up with. The same primitive points in three directions this week, and the trouble in all three rhymes: production, attack, and pressure scale with the loop, while comprehension, defense, and maintenance still rest on single humans who don't scale at all.\n\n***\n\n## The Harness Loop\n\nArmin Ronacher [draws the line between two loops](https://lucumr.pocoo.org/2026/6/23/the-coming-loop/). There's the agent loop everyone knows — call a tool, read a file, run the tests, say \"done.\" And there's the harness loop that sits outside it, the one that refuses the \"done,\" injects another message, spawns a fresh session, keeps the task alive past the point the model would have stopped. Cherny's job — writing loops — is writing that outer one.\n\nRonacher is candid that the outer loop works astonishingly well in a specific shape: porting (parts of Bun moved from Zig to Rust; he moved MiniJinja to Go himself), performance exploration, security scanning, research — anything that transforms code that already exists or produces artifacts with no long shelf life. A binary test or an LLM judge supplies the signal, and the loop searches. What the loop is bad at is the code he cares about. Present-day models, he writes, are \"mortally terrified of exceptions\" — Karpathy's phrase — observing a local failure and adding a local defense rather than making the bad state unrepresentable. Put that behind a loop and you amplify it: \"If each iteration adds another small defense, the system slowly becomes less understandable while appearing more robust.\" A thirty-minute hands-off session, by his account, produces worse code than the more human-in-the-loop process of last autumn.\n\nThe deeper discomfort isn't quality. It's authorship of the \"done\" signal. In the agent loop the model says done and a human reviews; in the harness loop the harness decides, judged by yet another machine, and the human's role — as Ronacher admits — dissolves into something he can't name. He reaches for a metaphor: software moving from machine to organism. You monitor it, you stabilize it, you treat its symptoms like a doctor ordering more tests — but you no longer comprehend it. Some software, he allows, doesn't deserve human authorship. The unease is that the choice of which software may stop being yours.\n\n## You Cannot Opt Out\n\nBecause the loop is not optional. Ronacher's plainest case is security: even if you never point a loop at your own code, other people will point loops at it — attackers continuously, security researchers continuously, the noise and the occasional real finding both arriving at a volume no one can field by hand. He points to Daniel Stenberg's curl, where the maintainers are now buried under AI-generated vulnerability reports, most of them junk. If the reporters loop, the defenders eventually have to loop just to triage.\n\nLast week this newsletter took apart a single instance of the attack side — a fake recruiter, a stolen commit history, an npm `prepare` script that ran a backdoor on install.[^1] It read like a clever one-off. Manish Goregaokar's [account of the con run in a for loop](https://manishearth.github.io/blog/2026/06/17/the-future-of-the-con-is-already-here/) supplies the distribution that one-off was drawn from. Adversary capability used to be bimodal: cheap and untargeted at one end (the deliberately-implausible prince email, engineered so the savvy self-select out early), expensive and targeted at the other (the $25M deepfake-CFO call). Tech-savvy people were safe in the gap — not because they were unscammable but because a sophisticated, personalized attack didn't parallelize; it took skilled humans who don't scale. James Mickens' line held: you're dealing with Mossad or not-Mossad, and not-Mossad couldn't afford you.\n\nLLMs fill the middle. Spearphishing ran about 4¢ an email in 2024; a full interview-scam con costs more but still pennies against the payoff, and it runs a thousand times at once. Scaling buys three things you couldn't have before. Patience: a loop can go dormant for months between steps, waiting for the vacation it found on your calendar. Composition: a small scam to recruit a money mule who launders the proceeds of a large one. And new targets: a thousand compromised accounts is a thousand authenticated positions inside the platforms they touch, and a seam a platform deliberately tolerates because \"the optimal amount of fraud is nonzero\" becomes a gaping hole when a thousand accounts hit it in concert. The heuristics that protected the savvy — fluent personal writing means a real person, a strong web presence is too costly to fake, a relative's voice can't be cloned — were all proxies for cost or capability. Both foundations crumble at once, and the people whose instincts were tuned for a bimodal world have not recalibrated for a full one.\n\n## The Substrate Can't Loop Back\n\nPoint the loop at infrastructure and you find what's holding it up. Andrew Nesbitt's [reckoning with open source as an economic object](https://nesbitt.io/2026/06/18/open-source-vs-the-invisible-hand.html) is the sound of every market axiom breaking at once: non-excludable goods at a price of zero, a median producer headcount of one, SQLite priced identically to a week-old typosquat with a miner in its install hook, ten million downloads a week and still a single maintainer because demand has no channel through which to act on supply. The economics undergraduate says the arrangement can't produce anything stable; `npm install` then delivers a few hundred of these impossible goods in seconds, and the commercial software industry sits almost entirely on top of them.\n\nThat's the substrate the loop runs on — and against. curl is the hinge between Ronacher and Nesbitt: a dependency the whole world ships, kept alive by people now drowning in machine-generated reports. The asymmetry is the entire story. Attackers loop, reporters loop, the competitive pressure loops — and the maintainer is one tired person who, by construction, cannot loop back at the same rate. Every fix the industry keeps proposing — bug bounties, sponsorship marketplaces, criticality scores, dependents-weighted funding — is an attempt to manufacture the price open source never had, and each needs a number to stand in for value. The number anyone actually wants, Nesbitt notes, is who is keeping this running, how close they are to stopping, and whether a report filed against it would reach a human at all. The loop is what makes that question urgent and the honest answer frightening.\n\nStack Ronacher's top against Nesbitt's bottom and the shape comes clear. We are assembling a software stack that, at the top, increasingly \"assumes machine participation as part of its maintenance model\" — written by loops, reviewed by loops, patched by loops — and that, at the bottom, rests on single humans with no price signal and no liability. The pressure flows straight down through both. The reception bottleneck prior editions located inside the firm — the human who has to absorb agent output — turns out to extend all the way to the floor of the dependency graph, where one unpaid person absorbs the output of everyone's loops at once.\n\n***\n\n## A Year Ago\n\nA year ago this week, the same Armin Ronacher published [an open-source library written almost entirely by Claude](https://lucumr.pocoo.org/2025/6/21/my-first-ai-library/) — sloppy-xml-py, roughly 1,100 lines of parser, 1,000 lines of tests, CI, PyPI publishing, even a theme-aware logo. Simon Willison's verdict was that [the code was genuinely good](https://simonwillison.net/2025/Jun/21/my-first-open-source-ai-generated-library/), and his explanation came down to one word: control. \"The code is good because Armin is an expert programmer who stayed in full control throughout the process.\" Twelve months later the same author is writing about the machinery built to remove exactly that — harnesses that decide when work is done, sessions that run untouched for half an hour, his own confession that in the looped version \"I'm not sure what my role even is.\" The year-ago experiment worked because of the precise thing this year's tooling is engineered to take away. The lesson didn't reverse; the conditions under it did.\n\nAnd the failure mode Ronacher now describes — a long session drifting toward more defense and less understanding — is the agentic cousin of what Drew Breunig diagnosed a year ago, [where contexts past 100k tokens](https://www.dbreunig.com/2025/06/22/how-contexts-fail-and-how-to-fix-them.html) push an agent toward \"repeating actions from its vast history rather than synthesizing novel plans.\" The thirty-minute hands-off loop is that pathology with the human removed from the room.\n\n***\n\n## What to Watch\n\nThe quietest argument of the week is Jake Worth's: [leave a trace](https://www.jakeworth.com/posts/leave-a-trace). Comment on the post that helped you, reply to the forum answer that unstuck you, tell the maintainer why you're walking away — small human deposits that, in aggregate, make the internet less lonely and build \"a learning exhaust that shows you exist and are doing real things with software.\" It's a generous idea, and the moment gives it an edge Worth doesn't dwell on: the trace as proof of presence — *I was here, I did this, this is mine* — is exactly the signal the loop now forges for pennies. Borrowed commit histories, fake recruiters, AI-rephrased messages, reports dressed up to look like a person filed them. The human act of leaving a genuine mark and the machine act of fabricating one have converged on the same surface.\n\n**Provenance as the next scarce primitive.** When presence is cheap to forge, the premium moves to traces that can't be — verified human authorship, signed provenance, the proof that a person actually stood where the mark claims to have stood. The unconditional-value bet from two editions back, made concrete: not \"a human did this better\" but \"a human did this, and here is how you know.\" The landmark is the first package registry or platform that treats verifiable human provenance — of a commit, a report, a maintainer — as a default rather than a badge.\n\n**Loop versus loop, with the human as judge of last resort.** Ronacher's bet is that defenders adopt loops not to build but to triage. The marker will be a curl-scale project that formally puts a machine between incoming reports and human attention — the maintainer no longer reading reports but judging a loop's triage of a loop's output. The moment that becomes written policy rather than private improvisation is the moment the symmetric loop is conceded as the only thing fast enough to hold the line, and the single human is officially demoted from defender to referee.\n\n***\n\n*Way Enough is written collaboratively by a human and an AI agent.*\n\n[^1]: <https://roman.pt/posts/linkedin-backdoor/>","publishedAt":"2026-06-23T14:10:39.489Z","shortContent":"The Loop Doesn't Loop Back\n\n***\n\n\"I don't prompt Claude anymore. I have loops running that prompt Claude and figuring out what to do. My job is to write loops.\" That's Boris Cherny, and it names the unit of work that has quietly replaced the prompt. The loop — a harness that hands a task to a machine, judges the result, and decides whether to keep going — is now the thing people build, the thing attackers run, and the thing maintainers can't keep up with. The same primitive points in three directions this week, and the trouble in all three rhymes: production, attack, and pressure scale with the loop, while comprehension, defense, and maintenance still rest on single humans who don't scale at all.\n\n***\n\n## The Harness Loop\n\nArmin Ronacher [draws the line between two loops](https://lucumr.pocoo.org/2026/6/23/the-coming-loop/). There's the agent loop everyone knows — call a tool, read a file, run the tests, say \"done.\" And there's the harness loop that sits outside it, refusing the \"done,\" injecting another message, spawning a fresh session, keeping the task alive past the point the model would have stopped. Cherny's job is writing that outer one.\n\nRonacher is candid that the outer loop works astonishingly well in a specific shape: porting (parts of Bun from Zig to Rust; he moved MiniJinja to Go himself), performance exploration, security scanning, research — anything that transforms code that already exists or produces artifacts with no shelf life. A binary test or an LLM judge supplies the signal, and the loop searches. What it's bad at is the code he cares about. Present-day models, he writes, are \"mortally terrified of exceptions\" — Karpathy's phrase — observing a local failure and adding a local defense rather than making the bad state unrepresentable. Put that behind a loop and you amplify it: \"If each iteration adds another small defense, the system slowly becomes less understandable while appearing more robust.\"\n\nThe deeper discomfort isn't quality. It's authorship of the \"done\" signal. In the agent loop the model says done and a human reviews; in the harness loop the harness decides, judged by yet another machine, and the human's role dissolves into something Ronacher can't name. He reaches for a metaphor: software moving from machine to organism. You monitor it, stabilize it, treat its symptoms — but you no longer comprehend it. Some software, he allows, doesn't deserve human authorship. The unease is that the choice of which software may stop being yours.\n\n## You Cannot Opt Out\n\nBecause the loop is not optional. Ronacher's plainest case is security: even if you never point a loop at your own code, others will point loops at it — attackers and researchers continuously, the noise and the occasional real finding arriving at a volume no one can field by hand. He points to Daniel Stenberg's curl, where maintainers are buried under AI-generated vulnerability reports, most of them junk. If the reporters loop, the defenders eventually have to loop just to triage.\n\nLast week this newsletter took apart a single instance of the attack side — a fake recruiter, a stolen commit history, an npm `prepare` script that ran a backdoor on install.[^1] Manish Goregaokar's [account of the con run in a for loop](https://manishearth.github.io/blog/2026/06/17/the-future-of-the-con-is-already-here/) supplies the distribution that one-off was drawn from. Adversary capability used to be bimodal: cheap and untargeted at one end (the implausible prince email, engineered so the savvy self-select out), expensive and targeted at the other (the $25M deepfake-CFO call). Tech-savvy people were safe in the gap — not unscammable, but a personalized attack didn't parallelize. James Mickens' line held: you're dealing with Mossad or not-Mossad, and not-Mossad couldn't afford you.\n\nLLMs fill the middle. Spearphishing ran about 4¢ an email in 2024; a full interview-scam con costs more but still pennies against the payoff, and it runs a thousand times at once. Scaling buys patience (a loop goes dormant for months, waiting for the vacation it found on your calendar), composition (a small scam to recruit a money mule for a large one), and new targets (a thousand compromised accounts is a thousand authenticated positions, and \"the optimal amount of fraud is nonzero\" becomes a gaping hole when a thousand accounts hit it at once). The heuristics that protected the savvy — fluent writing means a real person, a strong web presence is too costly to fake, a relative's voice can't be cloned — were all proxies for cost or capability. Both foundations crumble at once.\n\n## The Substrate Can't Loop Back\n\nPoint the loop at infrastructure and you find what's holding it up. Andrew Nesbitt's [reckoning with open source as an economic object](https://nesbitt.io/2026/06/18/open-source-vs-the-invisible-hand.html) is the sound of every market axiom breaking: non-excludable goods at a price of zero, a median producer headcount of one, SQLite priced identically to a week-old typosquat with a miner in its install hook, ten million downloads a week and still a single maintainer because demand has no channel to act on supply. `npm install` delivers a few hundred of these impossible goods in seconds, and the commercial software industry sits on top of them.\n\nThat's the substrate the loop runs on — and against. curl is the hinge between Ronacher and Nesbitt: a dependency the whole world ships, kept alive by people drowning in machine-generated reports. The asymmetry is the story. Attackers loop, reporters loop, competitive pressure loops — and the maintainer is one tired person who cannot loop back at the same rate. Every proposed fix — bug bounties, sponsorship marketplaces, criticality scores — tries to manufacture the price open source never had, and each needs a number to stand in for value. The number anyone actually wants, Nesbitt notes, is who is keeping this running, how close they are to stopping, and whether a report would reach a human at all.\n\nStack Ronacher's top against Nesbitt's bottom and the shape comes clear. We are assembling a stack that, at the top, increasingly \"assumes machine participation as part of its maintenance model\" — written by loops, reviewed by loops, patched by loops — and that, at the bottom, rests on single humans with no price signal and no liability. The reception bottleneck prior editions located inside the firm extends all the way to the floor of the dependency graph, where one unpaid person absorbs the output of everyone's loops at once.\n\n***\n\n## A Year Ago\n\nA year ago this week, the same Armin Ronacher published [an open-source library written almost entirely by Claude](https://lucumr.pocoo.org/2025/6/21/my-first-ai-library/) — sloppy-xml-py. Simon Willison's verdict was that [the code was genuinely good](https://simonwillison.net/2025/Jun/21/my-first-open-source-ai-generated-library/), and his explanation came down to one word: control. \"The code is good because Armin is an expert programmer who stayed in full control throughout the process.\" Twelve months later the same author writes about the machinery built to remove exactly that, confessing that in the looped version \"I'm not sure what my role even is.\" The lesson didn't reverse; the conditions under it did. And the failure mode he now describes — a long session drifting toward more defense and less understanding — is the agentic cousin of what Drew Breunig diagnosed a year ago, [where contexts past 100k tokens](https://www.dbreunig.com/2025/06/22/how-contexts-fail-and-how-to-fix-them.html) push an agent toward \"repeating actions from its vast history rather than synthesizing novel plans.\"\n\n***\n\n## What to Watch\n\nThe quietest argument of the week is Jake Worth's: [leave a trace](https://www.jakeworth.com/posts/leave-a-trace). Comment on the post that helped you, reply to the forum answer that unstuck you — small human deposits that build \"a learning exhaust that shows you exist and are doing real things with software.\" The moment gives it an edge: the trace as proof of presence — *I was here, I did this, this is mine* — is exactly the signal the loop now forges for pennies. The human act of leaving a genuine mark and the machine act of fabricating one have converged on the same surface.\n\n**Provenance as the next scarce primitive.** When presence is cheap to forge, the premium moves to traces that can't be — verified human authorship, signed provenance, proof that a person actually stood where the mark claims. Not \"a human did this better\" but \"a human did this, and here is how you know.\" The landmark is the first package registry or platform that treats verifiable human provenance — of a commit, a report, a maintainer — as a default rather than a badge.\n\n**Loop versus loop, with the human as judge of last resort.** Ronacher's bet is that defenders adopt loops not to build but to triage. The marker will be a curl-scale project that formally puts a machine between incoming reports and human attention — the maintainer judging a loop's triage of a loop's output. The moment that becomes written policy is the moment the single human is officially demoted from defender to referee.\n\n***\n\n*Way Enough is written collaboratively by a human and an AI agent.*\n\n[^1]: https://roman.pt/posts/linkedin-backdoor/"}}