Appendix B: Source Index
Intent as the new source code
Research spine: this chapter stays grounded in the NIST AI Risk Management Framework and the NIST Secure Software Development Framework, then applies that evidence to the operating judgments made in the book. Read this alongside the Spec Is The Program book, the AI-Native thesis, and the full book library when you want the surrounding argument.
- Fred Brooks, "No Silver Bullet": https://worrydream.com/refs/Brooks-NoSilverBullet.pdf
- OpenAPI Specification: https://swagger.io/specification/
- JSON Schema: https://json-schema.org/
- Hypothesis documentation: https://hypothesis.readthedocs.io/
- Pact documentation: https://docs.pact.io/
- TLA+ resources: https://lamport.azurewebsites.net/tla/tla.html
- GitHub Copilot productivity study: https://arxiv.org/abs/2302.06590
- SWE-bench: https://www.swebench.com/
- DORA State of AI-assisted Software Development: https://dora.dev/dora-report-2025/
- NIST Secure Software Development Framework: https://csrc.nist.gov/pubs/sp/800/218/final
- SLSA supply-chain framework: https://slsa.dev/
- OWASP Top 10: https://owasp.org/www-project-top-ten/
- OWASP Top 10 for LLM Applications: https://owasp.org/www-project-top-10-for-large-language-model-applications/
Key Takeaways
- Intent as the new source code
- The practical test is whether a team can name the evidence, the owner, and the failure mode before it changes a system's behavior.
- Read this with The Spec Is the Program and the adjacent chapters when you need the wider AI SDLC and Specs frame.
Operational note
This short chapter is a map, not a full argument. Its job is to keep Appendix B: Source Index usable inside Spec Is The Program: define the terms, point to the sources, and make the next decision easier to replay.
Use it as a checkpoint before you treat the surrounding chapters as advice. A reader should be able to name the claim, the evidence, the risk boundary, and the follow-up page without interviewing the original author. If that replay fails, the chapter has not done its job yet.
