{"slug": "your-ai-agent-s-smallest-diffs-are-its-most-dangerous", "title": "Your AI agent's smallest diffs are its most dangerous", "summary": "A developer warns that AI coding agents' smallest diffs are often the most dangerous, as they optimize for minimal code changes while ignoring blast radius. The developer built Guardsman, an open-source tool that enforces risk-tiered testing and structured logging to prevent untested changes on sensitive code paths.", "body_md": "Last month, an AI coding agent handed me a beautiful fix. Five lines. Elegant. It reused an existing helper, matched the codebase style, compiled on the first try. Exactly the kind of diff we've all learned to praise since \"make the agent write less code\" became the standard advice.\n\nIt was also completely untested, and it sat on a password-recovery path.\n\nThat diff taught me something I now consider the central problem of AI-assisted coding in 2026: **we've spent a year teaching agents to write less code, and almost no time teaching them to prove the code they kept actually holds.**\n\nEvery AI coding agent fails in one of two directions.\n\n**Failure mode #1: the over-build.** You ask for a date comparison; you get a new dependency, a `ValidationService`\n\nclass, and a config layer. This one is well known — it's why minimal-code prompts and skills became popular, and they genuinely work on it.\n\n**Failure mode #2: the confidently small diff.** Minimal, clean, written after reading *half* the flow, verified never — dropped onto a path that handles money, auth, or user data. It compiles. It demos. It detonates in week three.\n\nHere's the uncomfortable part: **fixing #1 aggressively makes #2 more likely.** When the objective function is \"shortest diff,\" the first things to quietly disappear are edge-case handling, failure-path tests, and the guard clause that looked optional. The diff gets smaller. The blast radius doesn't.\n\nA five-line change to a payment path is more dangerous than a four-hundred-line internal script that runs once. **Code size is not risk. Blast radius is risk.** Yet almost every skill and prompt in this category optimizes for size alone.\n\nThis is why I built [ Guardsman](https://github.com/hedimanai-pro/guardsman) 💂 — an open-source skill that behaves less like a minimalist and more like the royal guard in front of the palace: nothing passes the post unchallenged, and the level of challenge depends on what's behind the gate.\n\nThree duties, on every task:\n\n**1. Read the standing orders.** Before writing anything, a deterministic script detects the repo's real conventions — language, formatter, linter, actual test command — and the agent greps how *this* codebase already solves the nearest similar problem. Your patterns win over its defaults. Always.\n\n**2. Set the threat level.** Every change gets a risk tier before a single line is written:\n\n| Tier | When | The challenge |\n|---|---|---|\n| trivial | internal one-off | one manual run, output shown |\n| standard | everyday feature work | one check written and executed this turn |\n| sensitive | money, auth, user data in the blast radius | a test exercising the failure path\n|\n| critical | getting it wrong is an incident | full coverage, or the gap is surfaced as a blocker |\n\nTwo rules keep the tiers honest: when signals disagree, the higher tier wins — and the agent never infers a downgrade just because the code looks simple. A confident walk is not a countersign.\n\n**3. Issue the challenge.** Non-trivial logic isn't \"done\" when the code is written. It's done when the check behind it was actually *run*, in the session, with output shown. A test that was written but never executed doesn't count. A promise to test later doesn't count.\n\n`TODO`\n\ncomments rot. Nobody greps them, nobody triages them. Guardsman replaces them with structured watch-log entries:\n\n```\n# guardsman: retry capped at 3, no backoff config | severity:med | revisit:second-caller-appears | cost:none\n```\n\nSeverity and revisit trigger are both **required** — a shortcut nobody can triage is worse than an unmarked one, because it creates false confidence that it's tracked. A bundled scanner harvests the whole repo and reports open entries by severity, overdue first. Your deferred work stops being folklore and becomes a list with dates on it.\n\nGuardsman ships with a rule I haven't seen in this category: **it never invents numbers about your repo.** It will not tell you it \"saved you 12,000 lines\" — there is no unbuilt baseline of your codebase to diff against, so no tool can honestly compute that figure. Its status mode reports only what is directly countable, live, or says \"nothing computed yet.\"\n\nAnd that rule applies to the project itself, which is why I'm launching with **zero benchmark numbers**. What the repo contains instead is a fully [pre-registered protocol](https://github.com/hedimanai-pro/guardsman/tree/main/benchmarks): 12 realistic tickets against a pinned open-source FastAPI + React codebase, 43 pre-registered guard checks (no user enumeration on the recovery endpoint, webhook signature verified before any field is trusted, idempotent retries…), four arms including the most popular minimal-code skill, and frozen scoring rules — including the disclosure rule that any published result **must** include cases where Guardsman did worse, if they exist.\n\nThe tasks and rubric were committed before any run, so the report can't be bent around the results afterward. Numbers get published when they're measured, with raw diffs and full transcripts. And if you don't want to wait for mine: third-party runs are welcome via PR.\n\nClaude Code, two commands:\n\n```\n/plugin marketplace add hedimanai-pro/guardsman\n/plugin install guardsman@guardsman\n```\n\nCodex, Cursor, or any agent that reads an `AGENTS.md`\n\n: a condensed, self-contained adapter ships in [ adapters/AGENTS.md](https://github.com/hedimanai-pro/guardsman/blob/main/adapters/AGENTS.md) — the tiers, the ladder, and the challenge floors travel everywhere.\n\nRepo: [https://github.com/hedimanai-pro/guardsman](https://github.com/hedimanai-pro/guardsman)\n\nIf you've been burned by a confidently small diff — I'd genuinely like to hear the story in the comments. It's the failure mode nobody benchmarks, and I'm collecting cases.\n\nNo diff ships unchallenged. 💂\n\n*I'm Hedi Manai — AI & backend engineer building reliability tooling for AI agents. Also the author of ToolOps, middleware for agent tool-calling. Find me on LinkedIn and X.*", "url": "https://wpnews.pro/news/your-ai-agent-s-smallest-diffs-are-its-most-dangerous", "canonical_source": "https://dev.to/hedimanai/your-ai-agents-smallest-diffs-are-its-most-dangerous-jp5", "published_at": "2026-07-13 00:18:31+00:00", "updated_at": "2026-07-13 00:43:58.879478+00:00", "lang": "en", "topics": ["ai-safety", "ai-agents", "developer-tools", "ai-ethics"], "entities": ["Guardsman", "hedimanai-pro/guardsman"], "alternates": {"html": "https://wpnews.pro/news/your-ai-agent-s-smallest-diffs-are-its-most-dangerous", "markdown": "https://wpnews.pro/news/your-ai-agent-s-smallest-diffs-are-its-most-dangerous.md", "text": "https://wpnews.pro/news/your-ai-agent-s-smallest-diffs-are-its-most-dangerous.txt", "jsonld": "https://wpnews.pro/news/your-ai-agent-s-smallest-diffs-are-its-most-dangerous.jsonld"}}