The Supervisor: Building the Machine That Watches
I gave up.
I can’t review every change anymore.
The agent generates code faster than I can read it.
So I built a second agent to watch the first one.
The Scaling Problem
One agent. One human.
Works. I read every diff. Catch every mistake. Approve every commit.
Three agents. One human.
Doesn’t work. I’m buried in diffs. I’m skimming. I’m missing things.
Five agents. One human.
Catastrophic. I rubber-stamp half the changes because I don’t have time to verify them all.
The agent scales linearly.
My attention doesn’t.
The Watcher
I needed a machine to do what I couldn’t: verify everything.
Not manually. Automatically.
The Supervisor Agent.
It doesn’t write code.
It watches code.
It reads every diff and points at the parts that smell like fire.
It’s the lifeguard watching the pool.
The Rules
The Supervisor doesn’t write. It judges.
I gave it a constitution:
Security:
- No hardcoded credentials.
- No SQL injection risks.
- No unvalidated user input.
Architecture:
- No circular dependencies.
- No 1,000-line functions.
- No
anytypes in TypeScript.
Logic:
- No unreachable code.
- No infinite loops without exit conditions.
- No uncaught exceptions.
It doesn’t stop the Coder Agent.
It just flags the violations.
Then I decide.
The First Run
I turned it on.
Gave the Coder Agent a task: “Build a user authentication system.”
The Coder Agent wrote 600 lines in 8 minutes.
The Supervisor flagged 12 issues:
- Hardcoded JWT secret
- Password stored in plain text
- No rate limiting on login endpoint
- SQL query with string concatenation
- Function
hashPassword()exceeds 100 lines - Missing error handling in
/register
I would have caught 3 of those.
The Supervisor caught all 12.
The False Positives
The Supervisor isn’t perfect.
It flags things that aren’t wrong.
Example:
const API_KEY = process.env.OPENAI_KEY;
Supervisor: “Hardcoded credential detected.”
Me: “It’s an environment variable.”
Supervisor: “Flagged anyway.”
I get false positives.
But I’d rather have false positives than miss a real vulnerability.
The Meta Problem
Now I have two agents.
Coder Agent writes code.
Supervisor Agent checks code.
But who checks the Supervisor?
What if the Supervisor misses something?
What if the Supervisor hallucinates a problem that doesn’t exist and I waste time fixing it?
I’m back to the same problem: I still have to verify the Supervisor.
I’ve just pushed the trust problem one layer up.
The Governance Stack
This is where it’s heading:
Human
↓ supervises
Supervisor Agent
↓ supervises
Coder Agent
↓ produces
CodeEach layer watches the one below.
Each layer adds latency.
Each layer adds cost.
But each layer also adds confidence.
I don’t verify every line of code.
I verify the Supervisor’s flags.
The Supervisor verifies the Coder’s output.
The Coder verifies the business logic.
It’s delegation all the way down.
The Trust Threshold
The real question isn’t “Can I trust the agent?”
It’s “How much verification can I afford?”
100% verification: I check everything. Slow. Safe.
0% verification: I check nothing. Fast. Catastrophic.
Supervised verification: I check 10% (the flagged items). Fast. Safer.
The Supervisor doesn’t replace me.
It filters for me.
It turns 1,000 changes into 50 flags.
And I review those 50.
The New Job
I’m no longer a coder.
I’m no longer a reviewer.
I’m a governance architect.
I don’t write code.
I write the rules for the machines that write code.
I don’t review code.
I review the machines that review code.
My job:
- Define what “good” looks like.
- Build the systems that enforce it.
- Trust the systems I built.
And when the systems fail?
I’m still there.
Watching the watchers.
This concludes the AI Agents series. The future isn’t humans OR machines. It’s humans building machines to manage machines. Next: Building tools that respect your privacy by design.