Thomas Wright

About

I design and develop mechanical systems and products. I analyze performance and improve efficiency.

Badges

Gemologist
Tastemaker
Gone streaking 10
Gone streaking

Forums

Farrukh Butt

1d ago

Are polite users the most dangerous signal for early founders?

I was rereading parts of The Mom Test, and it reminded me how easy it is to mistake politeness for validation.

Someone says the idea sounds useful, they like the direction, they would definitely try it, and maybe they even suggest a few features. It feels like progress, but sometimes they are just being nice.

The dangerous part is that polite feedback does not feel negative. It gives you just enough confidence to keep building without proving whether the problem is actually painful.

I think the harder skill is learning to ignore compliments and look for behavior instead.

The one provenance argument that actually creates urgency: you can't go back

Something I have been thinking about in the AI governance space that I do not see discussed enough: provenance capture is not like most tooling categories.

With most observability or audit tooling, the reasoning is "we should have this so we're better positioned going forward." You can turn it on when the need becomes clear. You lose some history, but the tooling from that point forward is complete.

AI code provenance does not work this way.

The prompt a developer submits to Claude Code exists for a few hundred milliseconds in transit. After the model returns its response and the editor applies the change, that prompt is gone. Git records the diff. Nothing else records the origin by default. There is no reconstruct operation.

Show PH: I built a VS Code extension that scores AI code risk

Something I built led to a design decision I want to get feedback on.

LineageLens is a free VS Code extension that captures every AI code insertion and scores it for risk on a 0 to 100 scale. Works with Cursor, Copilot, Claude Code, Gemini CLI. Zero config on install: just start using your AI tools, and your insertions start showing up in the sidebar.

The scoring is deterministic rules: +28 for credential-like material, +24 for eval/exec patterns, +22 for subprocess calls, +14 for landing in an auth or payments file, and so on. Fully traceable. No ML, no black box.

The design decision that surprised me: missing prompt capture (when the extension records a file insertion but has no record of what was asked) adds +24 to the risk score. Same weight as detecting an eval() call.
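The additive rule table the post describes, written out as an added example (not LineageLens's own code) with the weights quoted above; the regex heuristics, the 100-point cap and the sample insertions are constructed assumptions.

```typescript
// Added example, not LineageLens's own code: a deterministic insertion scorer
// using the weights quoted in the post. The pattern heuristics, the 100-point
// cap and the sample insertions below are constructed assumptions.

interface Insertion {
  filePath: string;
  code: string;
  prompt?: string; // undefined when nothing recorded what the developer asked for
}

interface Rule { name: string; weight: number; hit: (ins: Insertion) => boolean; }

// Weights are the ones the post lists; each matcher is a simplified assumption.
const RULES: Rule[] = [
  { name: "credential-like material", weight: 28,
    hit: ins => /(api[_-]?key|secret|password|token)\s*[:=]\s*["'][^"']{8,}["']/i.test(ins.code) },
  { name: "eval/exec pattern", weight: 24,
    hit: ins => /\b(eval|exec)\s*\(/.test(ins.code) },
  { name: "subprocess call", weight: 22,
    hit: ins => /\b(subprocess\.|child_process|spawnSync?\(|execSync\()/.test(ins.code) },
  { name: "auth or payments file", weight: 14,
    hit: ins => /(auth|payment)/i.test(ins.filePath) },
  { name: "missing prompt capture", weight: 24,
    hit: ins => !ins.prompt || ins.prompt.trim() === "" },
];

interface ScoreResult { score: number; reasons: string[]; }

// Every triggered rule is listed, so a reviewer can trace where each point came from.
function scoreInsertion(ins: Insertion): ScoreResult {
  const hits = RULES.filter(r => r.hit(ins));
  const raw = hits.reduce((sum, r) => sum + r.weight, 0);
  return { score: Math.min(100, raw), reasons: hits.map(r => `+${r.weight} ${r.name}`) };
}

// Constructed sample insertions (not real captures). The second one has no eval()
// but no prompt either, so it lands on the same score as the first.
const SAMPLES: Record<string, Insertion> = {
  evalWithPrompt: { filePath: "src/auth/session.ts", prompt: "add a hook runner to the session module",
    code: 'const { execSync } = require("child_process");\nfunction runHook(cfg) { return eval(cfg); }' },
  noEvalNoPrompt: { filePath: "src/auth/session.ts",
    code: 'const { execSync } = require("child_process");\nfunction runHook(cmd) { return execSync(cmd); }' },
  benign: { filePath: "src/utils/format.ts", prompt: "add a left-pad helper",
    code: "export const pad = (s: string, n: number) => s.padStart(n);" },
};

function scoreAll(): Record<string, ScoreResult> {
  const out: Record<string, ScoreResult> = {};
  for (const name of Object.keys(SAMPLES)) out[name] = scoreInsertion(SAMPLES[name]);
  return out;
}

for (const name of Object.keys(scoreAll())) console.log(name, scoreAll()[name]);
```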
