Back to Research

Evaluating AI coding tools that hold up

Evaluating AI coding tools by the audit trail they leave: connector cards, child receipts, decision stubs, and scope ledgers a stranger could review.

Chinese Literatus in an Autumn Landscape, landscape painting by Josui Sōen (1475).
Rogier MullerApril 11, 20266 min read

The best way to evaluate an AI coding tool is to give it real work and then read the trail it leaves behind in review. A good tool leaves an audit trail: a record clear enough that a stranger opening the repo cold can trace what was touched, why, and how it was verified. The demo tells you what a tool can generate. The trail tells you what your reviewers will have to live with, and that is the part that decides whether a tool holds up.

Most evaluations grade the wrong half. We remember the sessions that ended in a celebrated merge and quietly forget the ones that died in review, so speed gets all the credit and explanation gets none. The Pragmatic Programmer warned about outrunning your headlights. A tool that only wins on speed is just outrunning them faster.

Run the same task and grade four artifacts

Give every candidate tool the same real task, not a demo prompt, then grade four things it should leave behind. Each one maps to a place where delegation usually goes quiet.

The first is MCP blast radius. Wire a connector quickly and it will eventually touch data nobody drew on the diagram. The Model Context Protocol specification defines what a connector can do, and the OWASP Top 10 for LLM applications lists what tends to break when nobody drew a trust boundary. The fix is a connector card: one markdown card per MCP server listing allowed actions, forbidden actions, owner, and rollback. A tool that cannot work inside that card is telling you something.

The second is recursive handoff blur. Chained agents hand back tidy summaries that omit the paths the child actually touched. The fix is a child receipt: every delegated run returns the paths it changed, the commands it ran, and the tests that prove the regression guards held. Tools that support this through something like the Claude Code getting started flow or a scripted Codex run keep delegation inspectable.

The third is review queue theater. CI is green, yet a reviewer still asks "why this approach?" and finds no written answer. The fix is a decision stub: three lines in the PR template covering constraints considered, alternatives rejected, and verification proof. A tool that fills that stub plainly beats one that narrates confidence.

The fourth is scope fog. In Cursor, .mdc rules read as precise until two reviewers disagree about what they actually permitted. The Cursor agent docs describe the machinery, and the boundaries stay your job. The fix is a scope ledger: five lines in the parent chat for goal, allowed paths, forbidden paths, verification command, and merge owner. Review then becomes ledger against diff, which any inheritor can do.

Drop the harness into one boundary file

You can carry all four checks in a single file at the root of the repo. Adapt the globs to your layout and keep it short enough that people actually read it.

---
description: Delegation boundary snapshot (adapt globs to your repo)
globs:
  - "**/*"
alwaysApply: false
---

- Cursor: keep scopes explicit in `.mdc`; forbid undeclared MCP domains.
- Claude Code: cite `CLAUDE.md` precedence before expanding bash scope.
- Codex: ensure `AGENTS.md` carries replay-friendly verification notes for CLI runs.

This is the same bar we apply across agentic coding governance, and it holds for small surfaces too. A narrow, single-job skill is just this argument in miniature, the same shape the OpenAI Skills repository standardizes in public.

Score each tool against an audit gate

Once a tool has run the task, grade it on whether files alone can answer four questions. If you need the operator in the room to answer them, the tool failed the gate.

Gate Question
Risk routing Were red folders touched, and who approved?
Replay proof Which commands prove the regression guards?
Receipt match Does the PR body list scopes plus the verification transcript?
Rules precedence Which .mdc, SKILL.md, or CLAUDE.md governed behavior?

Here is a checklist you can paste straight into a PR template so the gate runs on every merge, not just the ones you remember to inspect.

  • Forked agent work lists parent and child responsibilities.
  • Red-folder paths received explicit human acknowledgement.
  • Scopes in the PR body match the folders in the diff.
  • Primary-doc links were smoke-checked after publishing edits.

For the comparison itself, hand each tool's output to an engineer who did not run the session and time how long they need to defend the merge. The shortest defensible trail wins. That single measurement separates tools that explain themselves from tools you have to babysit.

What no tool can save you from

A repo that cannot state its own boundaries will sink any tool you adopt, because the agent has to guess, and guesses scale badly. The NIST AI Risk Management Framework gives that problem a formal name. The repo is the shared brain, and chat is not. A tool holds up exactly as well as what it writes back into that brain.

Common questions

  • What does evaluating AI coding tools actually involve? Give each candidate the same real task, then audit the result. Evaluating AI coding tools means requiring the same receipts from every tool and grading whether a stranger can trace intent, scope, and verification from files alone. Demos measure generation. The audit measures what your reviewers will have to maintain after the excitement fades.

  • Which audit artifacts should a tool produce? Four of them: a connector card for each MCP server it uses, child receipts for delegated work, a decision stub for the approach, and a scope ledger that matches the diff. Tools differ in how naturally they feed these artifacts, and that difference is exactly what your evaluation is measuring.

  • When should a team drop a tool? Drop it when its merges stop being defensible by anyone except the operator who ran them. Surprise dependencies, verification commands that were never pinned to a PR, and summaries that omit touched paths are the early symptoms. A tool you can only trust while watching it is not holding up. It is being babysat.

  • Does a stronger model make the trail less necessary? No. A stronger model writes more code faster, which raises the volume of decisions a reviewer has to trust. The audit trail is what keeps that volume reviewable. Model quality changes how much a tool generates, not whether a stranger can defend the result.

Start here

Pick one tool, run today's real task through it, and grade the trail with the audit gate table above. If you want the full rollout order, our white paper packages the gate, the receipts, and the steps for teams formalizing their evaluation.

Related training topics

Related research

Ready to start?

Transform how your team builds software.

Book a 15-minute sync