The Commonplace
Home Papers Evidence Explore Trends Syntheses Digests About 🎲 Workforce Futures
← Papers
Direction, evidence grade, and study type are AI-generated labels (gpt-5-mini), not human-verified. Syntheses are LLM-written. "Tensions" are machine-detected candidates, not confirmed contradictions. A research-acceleration tool, not peer review. How this is built →

Agent configurations for LLM-driven tooling are widely copied and under-governed: 10.1% of tracked paths are exact duplicates across independent repositories and under 1% declare permissions. The paper proposes Rel(AI)Build, a deterministic, content-addressed control plane to audit, lock, and enforce permission and supply-chain invariants before agent execution.

A Deterministic Control Plane for LLM Coding Agents
Padmaraj Madatha · June 25, 2026
arxiv descriptive medium evidence 7/10 relevance Full text usable extracted full text Source PDF
A large-scale scan of public GitHub shows agent configuration files are often exact duplicates, rarely revised, and seldom declare permission boundaries, and the authors propose Rel(AI)Build — a deterministic control plane to manage, audit, and enforce agent configurations before LLM invocation.

LLM coding harnesses grant agents broad file and shell access, yet the configuration layer that steers them -- rules files, agent definitions, IDE-specific markdown -- is largely unmanaged. A prevalence study of 10,008 public GitHub repositories (n=6,145 agent config files) finds that agent configurations propagate as undeclared shared components: 10.1% of tracked paths are SHA-256 exact duplicates across independent repositories (fork-adjusted, threshold-independent), with 75.5% of clone pairs crossing organisational boundaries. Two further patterns are indicative: configurations are rarely revised (58% single-commit; 0.4 vs 0.6 commits/month age-normalised against CI/CD workflows), and rarely declare permission boundaries (<1% of agent configs vs 33% of Actions workflows, n=31 true positives). We propose a deterministic control plane above the harness that maps one-to-one to these gaps. Rel(AI)Build treats agent definitions as a managed supply chain (SHA-256 content addressing, HMAC-stamped lockfiles, hash-chained audit logs); enforces tiered permissions and attack-derived blocklists before LLM invocation; gates feature work through a phase state machine with requirement-to-file-to-test traceability; compiles a single canonical definition to seven IDE targets; and detects prompt drift via Jaccard similarity. Conformance tests on injected violations confirm each mechanism enforces its stated invariant; developer outcomes remain future work. Governance of this layer must be deterministic and tool-agnostic -- not delegated to further LLM orchestration.

Summary

Main Finding

Agent configuration files that steer IDE-integrated LLM coding agents are a largely unmanaged supply chain and propagate widely across repositories. In a 10,008–repository snapshot (6,145 tracked agent config files), exact-duplicate propagation is common (10.1% fork‑adjusted, measured by SHA‑256), and most clone pairs cross organisational boundaries (75.5%). To address integrity, traceability, permission and portability gaps, the paper proposes a deterministic, tool‑agnostic control plane (Rel(AI)Build) that treats agent definitions as managed software artifacts and enforces pre‑execution, deterministic governance (content addressing, install‑time gates, tiered permissions, phase state machine, drift detection, and compile‑to‑many).

Key Points

  • Prevalence evidence
    • 10.1% of tracked config paths are exact duplicates across independent repos (fork‑adjusted; SHA‑256 content hashing).
    • 75.5% of duplicate/clone pairs cross organisational boundaries.
    • 58% of agent config files appear in the corpus as single‑commit artifacts (shallow revision depth).
    • Age‑normalised commit rates show configs are revised less often than CI/CD workflows (0.4 vs 0.6 commits/month).
    • Declared permission boundaries are rare: <1% of agent config files declare permissions vs ~33% for GitHub Actions workflows (permission detection limited by a fragile parser; n=31 true positives used for calibration).
  • Structural risks identified (the “thin governance surface”)
    • Gap 1: Configs are unmanaged software artifacts (no provenance, tamper evidence, or canonical approved version).
    • Gap 2: Execution can be unbounded (no enforced requirement→implementation→test trace, no hard caps on self‑correction loops). This is an architectural/process risk and not observable in static configs.
    • Gap 3: Expertise does not port across harness dialects (multiple config dialects, tool syntaxes).
    • Other concerns: prompt drift, dangerous commands, and lack of enforced traceability.
  • Proposed deterministic control plane (Rel(AI)Build)
    • Treats agent definitions as a supply chain with SHA‑256 content addressing, HMAC‑stamped lockfiles, and append‑only hash‑chained audit logs.
    • Enforces deterministic pre‑execution guardrails: tiered permission model bound to the supply chain; attack‑derived command/path blocklists applied as install‑time and pre‑tool‑use hooks; post‑delegation scan/diff gate.
    • Provides a tokenisation‑normalisation pipeline and prompt‑drift detector (Jaccard similarity) to detect cosmetic prompt edits as an operational risk surface.
    • Implements a deterministic phase‑gated lifecycle (state machine) enforcing ordering and requirement→file→test traceability; blocks execution on invariant violations.
    • Implements define‑once / compile‑to‑many transformer to emit canonical definitions across seven IDE targets to port expertise.
    • Determinism scope: install‑time gates, blocklists, and phase transitions are deterministic code; linkage of trace artifacts is cooperative and auditable post‑hoc (not LLM‑enforced).
  • Implementation & evaluation notes
    • Reference implementation in Node.js with modular, auditable components (hashing, HMAC, state machine, Jaccard drift calc).
    • Runtime artifacts: phase‑state.json, trace.json, lockfile, and hash‑chained audit logs.
    • Conformance tests: injected‑violation tests confirm mechanisms enforce stated invariants (N reported as 10/15/20 across test sets).
    • Empirical work includes prevalence measurement, conformance tests, and a DRIFT vignette; author notes outcomes for developer productivity are future work.

Data & Methods

  • Corpus and measurement
    • Snapshot: 10,008 public GitHub repositories, yielding 6,145 tracked agent configuration files.
    • Duplicate detection: SHA‑256 content hashing (threshold‑independent), fork‑adjusted counts to remove obvious copy relationships; duplicate rate = 10.1%.
    • Cross‑organisation analysis: measured clone/duplicate pairs across organisational boundaries; 75.5% cross orgs.
    • Revision depth: commit counts per file; 58% single‑commit majority.
    • Age‑normalisation: compared commits/month for agent configs vs CI/CD workflows (0.4 vs 0.6 commits/month).
    • Permission declaration detection: fragile parser; results calibrated on n=31 true positives; observed <1% permission declarations for agent configs vs ~33% for Actions.
    • Credential patterns and dangerous command heuristics: a small % (3.18%) credential hits (not primary focus).
  • Implementation & testing
    • Rel(AI)Build modules implemented in Node.js; CLI and optional MCP server interface.
    • Deterministic mechanisms implemented as testable modules: content hashing, HMAC lockfiles, append‑only hash‑chained audit logs, phase state machine, tokenisation normaliser, Jaccard similarity drift detector, compile‑to‑many transformer.
    • Conformance testing: injected violations to verify each deterministic invariant (reported test counts N=10/15/20).
    • DRIFT vignette and examples provided (single‑case illustrative; not a behavioural validation).
  • Limitations called out by authors
    • Static repo analysis cannot observe runtime process governance or enforceability of human‑in‑the‑loop constraints (Gap 2).
    • Permission detection relies on a fragile parser; permission absence finding is indicative, not definitive.
    • Evidence is preliminary and characteristic of early‑stage SE work; no controlled developer productivity study yet; deployment‑level impacts unmeasured.
    • Corpus limited to public GitHub snapshot (June 2026) — harness formats and practices evolve quickly.

Implications for AI Economics

  • Systemic risk and externalities
    • High duplication and cross‑org sharing of agent configs imply correlated exposure: a malicious or erroneous config template can propagate widely and rapidly, increasing systemic vulnerability and potential expected losses from supply‑chain attacks (typosquatting, malicious hooks).
    • Standardised, content‑addressed registries and lockfile practices reduce uncertainty about provenance and tamper risk, lowering expected incident frequency and severity — this is a positive externality for adopting organisations and their supply networks.
  • Costs and adoption tradeoffs
    • Implementing a deterministic control plane introduces direct compliance and engineering costs (writing/maintaining canonical definitions, running install‑time gates, CI validators, audits). Firms will weigh these against reduced risk and possible regulatory/compliance requirements.
    • For regulated industries (finance, healthcare, critical infra), deterministic governance is likely to produce net economic benefits by enabling safer LLM tooling use and reducing audit/compliance overheads; for small teams, upfront costs may deter adoption unless third‑party tooling or managed registries emerge.
  • Productivity and labour economics
    • The define‑once / compile‑to‑many approach can reduce duplication of effort across IDEs and teams, lowering maintenance costs and friction from multi‑tool environments — potential long‑term productivity gains.
    • The net effect on developer productivity is undetermined: phase gates and mandatory traceability can increase process overhead (slower iteration) but could prevent costly debugging/security incidents downstream. A controlled developer study (recommended) is needed to quantify this tradeoff and inform ROI calculations.
  • Market structure and incentives
    • The architecture creates a new product category (canonical registries, governance toolchains, compile‑to‑many transformers) with positive network effects: widely adopted canonical definitions and registries improve trust and interop, potentially concentrating market power among registry providers or tool vendors.
    • Deterministic governance could become a compliance differentiator; firms may pay premiums for certified control‑plane providers or audited registries, creating monetisation pathways for vendor tooling.
  • Regulatory and policy alignment
    • Deterministic, auditable governance maps well to emerging standards (NIST, SLSA, OWASP) and could lower regulatory compliance costs by providing deterministic evidence trails (HMAC lockfiles, hash‑chained logs).
    • Policymakers may incentivise or mandate such supply‑chain controls for agentic systems in sensitive sectors, shifting market demand toward control‑plane solutions.
  • Measurement and further research needs
    • Economic value estimates require quantifying: (a) frequency and cost distribution of config‑driven incidents today, (b) overheads of adopting deterministic governance, and (c) productivity impacts of phase gating vs incident avoidance.
    • Recommended next steps for economic analysis: controlled field/developer studies measuring cycle time, error rates, incident remediation costs; cost‑benefit models for small vs large orgs; simulations of propagation and expected loss under different registry/adoption scenarios.

Summary conclusion: The paper documents empirically that agent configuration files are commonly duplicated and unmanaged across repositories, creating correlated supply‑chain risk. Rel(AI)Build proposes a deterministic, testable control plane that treats these configurations as managed software artifacts and enforces pre‑execution governance, traceability, and cross‑IDE portability. Economic consequences include reduced systemic risk and potential productivity gains from standardisation, balanced against upfront compliance and engineering costs; exact welfare and adoption impacts require further empirical economic and developer‑study research.

Assessment

Paper Typedescriptive Evidence Strengthmedium — The study analyzes a large sample (10,008 public GitHub repositories; 6,145 agent config files) and reports clear, repeatable descriptive metrics (duplication rates, revision frequency, permission declaration). However, findings are observational and limited to measurable public artifacts; measurement depends on heuristics for identifying agent configs and permission declarations, and there is no causal inference or real-world deployment validation of the proposed control plane. Methods Rigormedium — The authors use systematic, fork-adjusted duplicate detection and normalization against CI/CD activity, and validate enforcement mechanisms with injected violations, indicating careful engineering and internal consistency checks. Shortcomings include possible false positives/negatives in file identification and permission detection, limited temporal scope, synthetic rather than field validation of controls, and no developer/user studies to assess usability or behavioral responses. SampleSnapshot of 10,008 public GitHub repositories yielding 6,145 agent configuration files and tracked paths; analysis of SHA-256 exact-duplicates across independent repositories (fork-adjusted), commit histories for revision rates (single-commit share, commits/month normalized versus CI/CD workflows), and comparison to Actions workflows (n=31 true positives) for permission declaration rates. Themesgovernance adoption GeneralizabilityPublic GitHub only — excludes private, enterprise, and internal repositories where agent use may differ, Detection/labeling heuristics may misclassify files (false positives/negatives), affecting measured prevalence, Time-limited snapshot — prevalence may change rapidly as tooling and practices evolve, Bias toward repositories and languages exposed on GitHub (popular projects, particular ecosystems), Conformance tests use injected violations rather than deployment in real developer workflows, so operational effectiveness and developer adoption are untested

Claims (13)

ClaimDirectionOutcomeConfidence & EvidenceDetails
The study analyzed 10,008 public GitHub repositories. Other null_result number of repositories analyzed
Reading fidelity high
Study strength medium
n=10008
10,008 public GitHub repositories
0.18
The prevalence study collected n=6,145 agent configuration files from those repositories. Other null_result number of agent configuration files collected
Reading fidelity high
Study strength medium
n=6145
n=6,145 agent config files
0.18
Agent configurations propagate as undeclared shared components: 10.1% of tracked paths are SHA-256 exact duplicates across independent repositories (fork-adjusted, threshold-independent). Adoption Rate negative rate of exact-duplicate configuration paths
Reading fidelity high
Study strength medium
n=6145
10.1% of tracked paths are SHA-256 exact duplicates across independent repositories
0.18
75.5% of clone pairs cross organisational boundaries (i.e., duplicated configs often span different organizations). Adoption Rate negative share of clone pairs crossing organisational boundaries
Reading fidelity high
Study strength medium
75.5% of clone pairs crossing organisational boundaries
0.18
Configurations are rarely revised: 58% are single-commit files. Organizational Efficiency negative proportion of configs with a single commit
Reading fidelity high
Study strength medium
n=6145
58% single-commit
0.18
Age-normalised commit rates for agent configs are lower than CI/CD workflows: 0.4 vs 0.6 commits/month. Organizational Efficiency negative commits per month (age-normalised)
Reading fidelity high
Study strength medium
n=6145
0.4 vs 0.6 commits/month age-normalised against CI/CD workflows
0.18
Agent configurations rarely declare permission boundaries: <1% of agent configs declare permission boundaries versus 33% of Actions workflows (validation: n=31 true positives). Governance And Regulation negative rate of explicit permission-boundary declarations
Reading fidelity medium
Study strength medium
n=6145
<1% of agent configs vs 33% of Actions workflows, n=31 true positives
0.11
LLM-based coding harnesses grant agents broad file and shell access, while the configuration layer that steers them (rules files, agent definitions, IDE-specific markdown) is largely unmanaged. Governance And Regulation negative management state of configuration layer (qualitative)
Reading fidelity high
Study strength speculative
not reported
0.03
Rel(AI)Build is a proposed deterministic control plane that treats agent definitions as a managed supply chain (features: SHA-256 content addressing, HMAC-stamped lockfiles, hash-chained audit logs). Governance And Regulation positive design features of proposed control plane
Reading fidelity high
Study strength speculative
not reported
0.03
Rel(AI)Build enforces tiered permissions and attack-derived blocklists before LLM invocation; gates feature work through a phase state machine with requirement-to-file-to-test traceability; compiles a single canonical definition to seven IDE targets; detects prompt drift via Jaccard similarity. Governance And Regulation positive functional capabilities of the proposed system (permissions enforcement, blocklists, traceability, multi-target compilation, prompt-drift detection)
Reading fidelity high
Study strength speculative
not reported
0.03
Conformance tests on injected violations confirm each mechanism enforces its stated invariant. Governance And Regulation positive conformance of mechanisms to their invariants under injected violations
Reading fidelity medium
Study strength medium
not reported
0.11
Developer outcomes (effects on developers) remain future work and were not evaluated in this study. Developer Productivity null_result assessment of developer outcomes
Reading fidelity high
Study strength speculative
not reported
0.03
Governance of the configuration/control plane must be deterministic and tool-agnostic and should not be delegated to further LLM orchestration. Governance And Regulation positive recommended governance approach
Reading fidelity high
Study strength speculative
not reported
0.03

Notes