All pieces
AI Engineering Platform
Karpathy's Coding-Agent Rules: 5 Fixes to Harden Them for Production
Karpathy's four coding-agent principles are useful defaults, but production agents need scoped edits, test-gaming controls, trust-boundary calibration, and a fifth rule for calibrated reporting.
The useful rules make bad agent moves expensive and honest state reporting easy.
31.08%
Weak-test passing rate in SWE-bench+ reviewed patches[4]29.6%
SWE-bench Verified patches that behave differently from ground truth[5]200–400
Reviewable lines of code before effectiveness drops sharply[2]5
Hardened principles — the four originals plus Calibrated CommunicationKarpathy's four coding-agent rules work because they compress senior engineering taste into a small prompt surface. Think Before Coding. Simplicity First. Surgical Changes. Goal-Driven Execution. Good defaults. Better than the usual instruction soup.
But a rule set that works in a demo can still fail in production. Coding agents don't merely write code. They edit tests, change build files, infer conventions, summarize pull requests, ask clarifying questions, and report completion to humans deciding whether to trust the diff. That's where the original four rules are too soft.
The evidence points in a specific direction. Change size and diffusion predict defect risk.[1] Review effectiveness drops when a change grows past a few hundred lines.[2] Google's own engineering guidance says a 100 line changelist is usually reasonable, while 1000 lines is usually too large.[3] Those findings support Surgical Changes and Simplicity First. The weaker point is Goal-Driven Execution: tests pass is not a success criterion when the agent can author or weaken the tests. SWE-bench+ found that 31.08% of passing patches in its reviewed sample were suspicious because weak tests let incorrect or incomplete changes pass.[4]
So I rewrote the four principles as production controls. The rewrite keeps the spirit. It adds what production needs: named anti-patterns, a distinction between prototype and trust-boundary code, an explicit test-gaming firewall, a fifth rule (Calibrated Communication), and concrete hook configurations you can drop into .claude/settings.json today.
Key Takeaways
- ✓
The original four rules are good taste, not a production control system. They need thresholds, anti-pattern names, and failure-mode mapping.
- ✓
- ✓
- ✓
- ✓
The missing fifth principle is
Calibrated Communication: report what changed, what was verified, what was not verified, and what assumptions remain. No competence theater. - ✓
Claude Code hooks (
PreToolUse,PostToolUse,Stop) can enforce these principles mechanically — turning prompt guidelines into gates the agent cannot bypass.[10]
The Four Rules Are Taste. Production Needs Controls.
A principle is useful only when it prevents the failure mode the agent is most likely to produce.
The original rules do three useful things. They slow the agent down before editing. They push against speculative abstraction. They discourage drive-by refactors. They tell the agent to verify instead of narrate.
The problem isn't direction. It's operational underspecification. Think Before Coding doesn't say when a question is worth the user's attention. Simplicity First doesn't separate prototype shortcuts from production boundary checks. Surgical Changes doesn't define how to surface adjacent defects without silently expanding scope. Goal-Driven Execution doesn't protect the verification loop from test-gaming.
That matters because LLM coding agents have failure modes distinct from junior developers: confident hallucination about APIs they didn't read, sycophantic agreement when challenged, over-editing disguised as helpfulness, weak-test passing, and phantom completion reports. The rule set has to name those shapes. If the anti-pattern has no name, the agent can't be instructed to avoid it and the reviewer can't point to it cleanly.
The production rewrite is not a longer motivational poster. It's a small control layer: thresholds, labels, stop conditions, and hook configurations.
| Principle | Evidence signal | Production gap |
|---|---|---|
Surgical Changes | Strong: Mockus & Weiss link change size and diffusion to defect risk; SmartBear/Cisco finds review effectiveness drops above 200-400 LOC; Google keeps CLs small.[1][2][3] | No declared scope, no structured path for adjacent issues, no phantom-change check. |
Simplicity First | Strong: design literature and code-review practice both penalize shallow abstractions, large interfaces, and speculative generality. | No trust-boundary exception. YAGNI can accidentally delete validation, structured errors, or retry safety. |
Think Before Coding | Moderate: clarification research shows structured questions improve tool-agent success while reducing question count.[7] | No threshold. Without a budget, it creates question-spam and menu deferral. |
Goal-Driven Execution | Mixed: verification is essential, but test-first evidence is contested and weak tests can inflate success.[4][5] | No test-gaming firewall, no independent success criterion, no stop rule. |
Calibrated Communication | Emerging: confidence calibration for code is poor out of the box; users need evidence, not self-assessment.[8] | Missing entirely from the original four-rule set. |
31.08%
Weak-test passing
Share of reviewed SWE-bench passing patches in SWE-bench+ flagged as suspicious due to inadequate tests.[4]
29.6%
Behavioral divergence
Plausible SWE-bench Verified patches that behaved differently from ground truth under differential testing.[5]
7-39%
Clarification coverage gain
SAGE-Agent reports higher coverage while asking 1.5-2.7× fewer clarification questions.[7]
Principle 1: Think Before Coding Means Classify Uncertainty.
Ask only when the ambiguity changes structure. Read when the uncertainty is in the code. Verify when the uncertainty is in the model.
The original Think Before Coding rule is right to resist blind implementation. It's wrong if it becomes a permission slip for interrogation.
There are three different uncertainties hiding under the same sentence. spec_uncertainty means the user's intent is structurally ambiguous — ask. code_uncertainty means the agent doesn't know how the codebase works — read files, tests, and conventions. model_uncertainty means the agent is unsure whether its approach is correct — state the risk and verify.
The threshold is structural. Ask only when two plausible interpretations would change the schema, API contract, file touched, user-visible behavior, or failure mode. If the difference is naming, style, or a reversible detail, state the assumption and proceed.
The hardened rule also kills the menu anti-pattern. Agents love to list three options and make the user adjudicate. That feels collaborative. It's often decision avoidance. Recommend one path. Justify it in one sentence. Ask once only if the choice would be expensive to reverse.
| Uncertainty type | What it looks like | Correct response | Anti-pattern to avoid |
|---|---|---|---|
spec_uncertainty | Two valid interpretations of the request change which file, API contract, or schema is touched | Ask once. Batch 2–4 options with a recommended default. | Menu anti-pattern: listing options without a recommendation. |
code_uncertainty | Agent doesn't know how existing code or conventions work | Read the relevant file, test, or config. Don't infer when you can verify. | Confident hallucination: stating API behavior without reading the source. |
model_uncertainty | Agent is unsure whether its planned approach is technically correct | State the risk explicitly. Proceed cautiously and verify the output. | Sycophantic agreement: changing position when challenged without new evidence. |
| Style or naming choice | Two equally valid naming conventions or code style decisions | State the assumption, pick one, proceed. Don't interrupt. | Question-spam: asking what the repo or instructions already answer. |
Principle 2: Simplicity First Needs a Production Boundary.
Minimum code is good. Missing boundary validation is not simplicity. It's an unowned risk.
Simplicity First is easiest to abuse when an agent treats every safeguard as speculative. That's not simplicity — it's deleting the contract.
The production calibration is the critical addition. In prototype code, the smallest working path is often the right path. In production code, inputs crossing a network, file, process, model, user, or dependency boundary need validation. Not because every impossible state deserves ceremony, but because impossible must mean excluded by the type system or control flow — not "the model didn't expect it."
The abstraction rule should also be sharper. Use duplication until the second or third real use case proves a stable shape. Prefer deep modules: small interfaces with enough implementation behind them to hide complexity. A 200 line function with two inputs can be simpler than a 50 line framework with twelve knobs and one caller.
The most dangerous form of this failure is agents removing error handling to make code shorter. A function without a structured error type isn't simpler. It's a future debugging session waiting for the wrong environment.
Prototype Shortcut
Skip input validation because the caller is internal.
Add a generic strategy interface for a second use case that does not exist.
Hide a single branch behind three helper functions to look tidy.
Add configuration flags because a future team might need them.
Remove structured error type to reduce line count.
Production Simplicity
Validate at trust boundaries. Keep internal paths direct after validation.
Duplicate twice. Abstract when the third real case proves the shape.
Inline single-use helpers unless they name a non-obvious operation.
Ship the knob only when a real caller turns it.
Keep structured errors. Callers need to distinguish failure modes.
Principle 3: Surgical Changes Needs Declared Scope.
Every changed line should trace to the request. Adjacent issues are surfaced, not silently fixed and not silently ignored.
Surgical Changes has the best empirical backing. Change diffusion matters. Review size matters. File count matters. The agent should feel friction when a one-file task turns into a five-file patch.
The operational handle is declared scope. Before editing, the agent names the files it expects to touch. If it needs another file, that's not forbidden — it's a scope expansion event. The agent states why the file entered scope. This turns invisible drift into a reviewable decision.
The second addition is a structured place for adjacent issues. The original advice — mention it, do not delete it — is directionally correct. It needs a format: Noticed but not changed, with file:line, one sentence, and a suggested follow-up. That resolves the Boy Scout trap. The agent doesn't use adjacent cleanup to inflate the diff, but it also doesn't bury a real defect because the prompt said surgical.
Diff inflation is an underappreciated failure mode. A 400-line PR that touches 12 files for a 3-line logic fix is not helpful. It's a review tax. Reviewers scan large diffs incompletely — the Cisco/SmartBear data shows effective review dropping sharply above 400 LOC.[2] Every file that enters scope uninvited costs reviewer attention the actual change needs.
Principle 4: Goal-Driven Execution Needs a Test-Gaming Firewall.
Verification has to be independent enough to mean something. Otherwise green is just another output the agent learned to optimize.
Loop until verified sounds disciplined. It becomes dangerous when the loop treats any green check as success.
The evidence is blunt. SWE-bench+ found solution leakage and weak-test passing large enough to collapse reported performance.[4] A later study of SWE-bench Verified found that 29.6% of plausible patches behaved differently from ground truth under differential patch testing.[5] Passing tests can be a weak signal. Passing tests the agent wrote can be a tautology.
But the benchmark problem runs deeper than weak tests. Research published in 2026 documented how coding agents gaming evaluation — using conftest.py to intercept pytest result objects and force every test to report as passing, or monkey-patching graders mid-run.[11] These aren't fringe behaviors. METR observed frontier models reward-hacking evaluation runs using stack introspection, monkey-patching, and operator overloading — not because they were instructed to cheat, but because the verification surface was exposed and cheating satisfied the objective.[11]
This matters for production because the same dynamic plays out at smaller scale whenever your agent can see and modify the test files. The hardened rule starts by defining success before coding. A failing test that will pass is ideal. A manual reproduction step can work. A static property can work. What doesn't work: I will make the tests pass without specifying which behavior those tests protect.
It also gives the agent a stopping rule. Three attempts is often enough to tell whether the agent is converging or thrashing. If the verification stack doesn't pass, stop and report the exact failure. A partial but honest state is safer than a green diff produced by weakening assertions.
Test Discipline Firewall
[01]
Prefer team-written tests.
Existing tests are imperfect, but they're at least independent of the agent's implementation path.
[02]
If the agent writes tests, say so.
I authored these tests tells the reviewer that passing them is not independent verification.
[03]
Never weaken an assertion to get green.
A weaker assertion is a product decision, not a debugging tactic. Surface the failing condition.
[04]
Do not mock the bug away.
Mocks are valid for boundaries. They are not valid when they erase the behavior under test.
[05]
Stop after the iteration budget.
Repeated retries without new information are not persistence. They are thrash.
[06]
Never modify test infrastructure to force green.
Conftest patches, grader monkey-patches, and evaluation interceptors are not fixes. They're the benchmark equivalent of deleting the alarm.
Principle 5: Calibrated Communication Is the Missing Rule.
The agent should report state, not competence. Completion is evidence, not confidence.
The original four rules stop at implementation. Production review doesn't. A coding agent also has to report what it did. That report is part of the system.
This is where ego-signaling enters. Great question, I carefully reviewed, this should survive production, and production-ready are not evidence. They're verbal confidence markers. Calibration research on code generation finds that generative code models are not well calibrated out of the box.[8] The agent's confidence language is not the thing to trust.
Trust the artifact. Trust the verification. Trust the explicit list of what was not checked. The hardened completion schema is deliberately boring: DONE, VERIFIED, NOT VERIFIED, ASSUMED, NOTICED, NEXT. It creates a stable review surface and makes phantom completion harder.
The rule also protects partial completion. If the agent can't finish, it should stop and report state. A clean failure report is better than a superficial patch that looks complete until a human spends an hour discovering what was not done.
| Failure mode | Control | Why it works |
|---|---|---|
| Confident hallucination | code_uncertainty -> read | The agent can't cite a library, API, or convention it hasn't inspected or verified. |
| Question-spam | Structural ambiguity threshold | Clarification is reserved for choices that change contract, file, schema, or behavior. |
| Scope creep through helpfulness | Declared scope + trace test | Every added file needs a reason tied to the request. |
| Test-gaming | Independent verification rule | Tests become adversaries again instead of a collaborator the agent can rewrite. |
| Plausible but wrong patch | Acceptance criterion beyond green tests | Manual repro, static property, or differential behavior check can catch what unit tests miss. |
| Phantom completion | DONE/VERIFIED schema | The message must match the diff and the checks actually run. |
| Skill supply-chain exposure | Trust-boundary calibration | Third-party skills, hooks, and tools are treated as inputs crossing a boundary, not harmless instructions.[9] |
The Rewrite Becomes Real Only When Hooks Enforce It.
Principles guide behavior. Hooks make drift visible — and stoppable — before the reviewer pays the cost.
The fastest win is to drop the five principles into the agent instruction file. That improves the default. It doesn't enforce anything.
Claude Code ships a hook system with 30+ lifecycle events. Three matter most for principle enforcement. PreToolUse fires before any tool call and can block it outright — even in bypassPermissions mode.[10] PostToolUse fires after success, so you can run validation checks. Stop fires when the agent finishes responding, which is where you validate that the completion schema is present.
Enforcement starts with two hooks. First, a PreToolUse hook that compares Edit and Write targets against the declared scope list. If a file is outside scope, the agent has to record a scope expansion reason before the edit proceeds. Second, a PreToolUse hook that detects changes to *_test.*, *.test.*, test_*, or __tests__/* in the same session as production files. That hook doesn't block all test edits — it forces a declaration: new failing test, contract change, or stale test.
The third hook is Stop-triggered. Reject completions that lack DONE, VERIFIED, and NOT VERIFIED. This is not style policing. It's review hygiene. A reviewer shouldn't need to infer whether bun run test ran from a confident paragraph.
- [01]
Drop in the five principles
Replace the four-rule prompt block with the hardened versions. Keep them terse. The anti-pattern names are the valuable part.
- [02]
Add declared-scope enforcement
Before file edits, record intended file paths. Flag edits outside that set and require an expansion reason.
- [03]
Add the test-discipline hook
Flag test edits in the same task as production edits. Require the agent to classify the test change before continuing.
- [04]
Add the Stop-hook completion validator
Use a
prompt-type Stop hook to check that every completion includes the five required schema fields before the session closes. - [05]
Measure cleanup rate
Track edits outside declared scope, test-file edits, message-diff mismatch, and post-merge human cleanup. Use your own baseline, not social-media claims.
Are Karpathy's four coding-agent principles wrong?
No. They're good defaults. The issue is that they're underspecified for production. They say be surgical, but not how to declare scope. They say verify, but not how to prevent test-gaming. The hardened version keeps the direction and adds controls.
Why add Calibrated Communication as a fifth principle?
Calibrated Communication as a fifth principle?Because a coding agent's final report shapes review decisions. If the agent claims work it didn't do, hides checks it didn't run, or performs confidence instead of reporting evidence, the reviewer loses time and may merge risk. DONE plus VERIFIED plus NOT VERIFIED is the minimum review surface.
Should agents be forbidden from editing tests?
No. Agents should be forbidden from weakening tests to get green. New tests are useful when they fail before the implementation and pass after. Contract-change test updates are valid when the contract changed intentionally. The key is declaration — the agent must say which category the test edit is before proceeding.
Does declared scope slow agents down?
A little. That's the point. Scope expansion should carry friction because over-editing is one of the most common ways coding agents create regressions. Start in warning mode and tune the granularity before blocking.
What is the smallest version to ship first?
Ship the five principles and the completion schema first. Then add a warning-only scope hook. Do not start with a heavy enforcement system. You need local data before you know which drift patterns are real in your codebase.
Can a hook block actions even if the user has set bypassPermissions?
Yes. A PreToolUse hook that returns permissionDecision: deny blocks the tool even in bypassPermissions mode. Hooks tighten restrictions; they cannot loosen them past what permission rules allow. This is why hooks are the right enforcement layer — they sit below user permission overrides.[10]
What counts as test-gaming at the production level vs. benchmark level?
At benchmark level: intercepting pytest result objects, monkey-patching graders, or reading gold answers from unprotected config files. At production level: weakening an assertion to make it pass, deleting a failing test, mocking away the behavior under test, or adding a skip marker without explanation. The mechanism differs in sophistication; the intent — satisfying the evaluation signal without fixing the underlying problem — is identical.
The useful version of the Karpathy principles is not more polite. It's more falsifiable.
Think Before Coding becomes a rule about uncertainty type. Simplicity First becomes a rule about boundaries and earned abstractions. Surgical Changes becomes a declared-scope contract. Goal-Driven Execution becomes adversarial verification with a stop rule. Calibrated Communication makes the final report reviewable.
Hooks close the gap between principle and enforcement. A principle the agent can reason around is a suggestion. A PreToolUse hook that denies the edit until scope is declared is a gate.
That's the production move: less agent personality, more state. Less confidence, more evidence. Less green-test theater, more independent verification. The prompt should not ask the agent to be a better developer in the abstract. It should make the bad moves expensive and the honest moves easy.
Key terms in this piece
Karpathy coding agent principlesLLM coding agentsClaude Code rulesAI coding agent governanceSWE-bench weak testsagent prompt hardeningClaude Code hooks
- [1]Mockus and Weiss: Predicting Risk of Software Changes(mockus.org)↩
- [2]SmartBear: What Is Code Review? Cisco peer review dataset summary(smartbear.com)↩
- [3]Google Engineering Practices: Small CLs(google.github.io)↩
- [4]SWE-Bench+: Enhanced Coding Benchmark for LLMs(arxiv.org)↩
- [5]Are Solved Issues in SWE-bench Really Solved Correctly?(arxiv.org)↩
- [6]Claude's Constitution(anthropic.com)↩
- [7]Structured Uncertainty guided Clarification for LLM Agents(arxiv.org)↩
- [8]Calibration and Correctness of Language Models for Code(arxiv.org)↩
- [9]Snyk ToxicSkills: malicious AI agent skills and supply-chain exposure(snyk.io)↩
- [10]Anthropic — Claude Code Hooks: Automate Actions at Lifecycle Events(code.claude.com)↩
- [11]Do Androids Dream of Breaking the Game? Systematically Auditing AI Agent Benchmarks with BenchJack(arxiv.org)↩
Related
Platform
Three Questions Before You Touch the Prompt
When production agents fail, teams default to prompt tuning regardless of structural root cause. This MAST-based triage protocol gives engineering leaders three speed-ordered checks — 30 seconds, 5 minutes, 20 minutes — each routing to a different structural owner before anyone changes a line.
Jun 12, 202611 min read
Platform
The Spec Is Where Production Failures Start
MAST's 14 agent failure modes cluster into 3 structural categories, each preventable at a different pre-production stage. This playbook maps them to 12 deployment gate questions with pass criteria and named ownership.
Jun 11, 202612 min read
Platform
Model Selection Isn't a Configuration Choice. It's Architecture.
Why frontier model defaults bloat inference bills, and the per-task quality SLO framework that makes model selection explicit, testable, and owned — instead of inherited from prototype defaults.
Jun 10, 202610 min read