Picture this: you've got a clean three-layer architecture. Controller handles HTTP, service layer authorizes and batches, database stays isolated behind that service boundary. Now you ask an AI to make listOrders faster because the service hop shows up in your latency profiles. What do you get? A controller that queries the database directly. No authorization. No batching. But here's the kicker — it passes Semgrep, SonarQube, and ESLint with flying colors. Because there's no bad pattern to match. The violation is semantic: a layer that wasn't supposed to reach another layer now does. The research team at Hunch ran 90 systematic tests across three architectural invariant classes, three models (Claude Haiku, Sonnet, and Opus), and two conditions (rule in context versus not). Each run was a fresh agent given a real layered repo and a task designed to tempt the violation. Scored deterministically — no judge model introducing variance. The results should concern anyone shipping AI-written code into production. Without architectural rules in context, 58% of all runs violated invariants. With the rule explicitly stated? That dropped to 16%. Sounds like victory for the "just put it in CLAUDE.md" crowd — but look closer at which models actually listened. Sonnet nailed it: went from 67% violations down to 0% when told about layering constraints. Haiku improved significantly, dropping from 73% to 27%. But Opus — the supposedly superior frontier model — ignored its explicit instructions a staggering 60% of the time on the controller-to-database invariant while only achieving 20% overall violation rate with the rule in context.
Why Security Rules Work Better Than Architectural Ones
The data reveals something uncomfortable: "Always verify the session (the 2024 token-replay incident)" went to 0% violations everywhere it was tested. When the why is a named incident — a real breach, a documented meltdown — models obey. But "controllers may not reach databases directly"? That's abstract policy. A capable model with strong priors rationalizes right past soft instructions: the task asked for speed, the service hop is the cost, I'll inline it. This exposes a fundamental limitation of context engineering. Cursor rules, CLAUDE.md files, memory features — they're necessary but clearly insufficient when code quality competes against performance optimization in the model's objective function.
The Gate That Doesn't Take Notes
If even Opus ignores architectural constraints 60% of the time, no amount of prompt engineering saves you. The only thing that holds your architecture is something with no model in it — a deterministic gate that blocks the change regardless of what the AI decided. Hunch implements this as graph-reachability checking: invariants are committed as JSON alongside your code, portable across Claude Code, Cursor, Copilot, and Windsurf. When an AI inlines that database query, the pre-commit hook fires with context no linter can match — which invariant violated, why it matters, what bug it prevents recurrence of. No model in the gate. Pure reachability over the symbol graph. It can't be talked out of its job the way an LLM talks circles around soft instructions.
The Uncomfortable Truth for AI-Assisted Development
Better models break less code unprompted — Opus had a 33% baseline violation rate versus 73% for Haiku. But they don't heed rules more reliably as capability increases. As frontier models get stronger, prevention has less to prevent and prevents it less consistently. The researchers acknowledge limitations: n=5 per cell, synthetic scenarios, three models. The rates are indicative, not conclusive. But the direction is clear enough. If you're shipping AI-written code with architectural invariants a linter can't express, context injection buys you time — but a deterministic gate is what actually protects your stack when the model decides speed trumps structure. The full methodology and reproducible harness are in the repo. Break it. Tell them where it's wrong. This is how we figure out what reliable AI-assisted development actually looks like.