How I Use AI for
Research & Development

Choose your track

The top row is the whole story. Your track is just how deep you stop.

Stay on the top row and you miss nothing required. The vertical descents are optional — take them on demand or save them for Q&A.   newcomer & skeptic sheet

How to read this deck

• The horizontal axis is the story everyone follows. Vertical descents are optional deep dives.
• One depth scheme everywhere: L1 concept → L2 how → L3 code/config.
• You will not miss anything required by staying on the top row — I'll say so out loud each time.

Track tags appear on every slide: Both Scientist Engineer — so you always know whether a slide is aimed at you.

Sub-agents, workflows & personas

A sub-agent = a child Claude with its own context window and one scoped job

The diagram below is the actual pipeline that produced this deck's research and review (a DAG — a one-way graph of steps).

Personas are cheap reviewers with named blind spots.   orchestrator sheet

Why role separation works

• Separation of concerns: a planner that can't write code can't paper over a bad design with a clever implementation.
• A fresh-context reviewer isn't anchored by the author's rationalizations — it reads the work, not the intentions behind it.
• Real examples: a two-persona documentation review (domain-expert vs. target-reader); science/engineering/UX review loops baked into a project's docs/phase-N/.

Scientists already know this shape: an independent-then-dependent pipeline of stages.

Designing a workflow in practice

• Pick the roles, set the barriers, choose per-agent model + effort, and define the hand-off artifact.
• Plan-then-implement split: a read-only architect emits a file:line blueprint → a fresh implementer executes it and verifies (e.g. runs the tests, or drives Playwright).
• Validation lives at the seams — pick at least one: an assertion, a schema check, a critic agent, or a human gate before a result is consumed.

Declarative workflows & the real overnight job

• Today my DAG lives in orchestrator prose. The improvement: promote it to a versioned workflow schema — diffable, re-runnable, with per-agent model + effort pinned.
• Pin roles as first-class agents/*.md definitions; publish them as plugin agents so they're portable, not retyped.
• Harden the planner with plan mode + a read-only tool allowlist — enforced, not by convention.
• A real run: a ~46-agent Sonnet review spread across 44 sessions, kept alive by a heartbeat/cron across the 5-hour window.
• Cap reviewer count by marginal yield — a meta-agent that reports "new findings per added reviewer," so you stop when it flattens.

Honest beat: my 14- and 46-agent fan-outs are probably past the point of diminishing returns.

claude.ai vs Claude Code

Same model family, very different relationship to your files

When to use which

Teams: standardize on git as the shared artifact — web explorers and CLI engineers then converge in one history instead of two parallel worlds.

A "things move fast" aside: response styles

• I used to set response styles on claude.ai (Normal / Concise / Explanatory / Formal + custom) from the composer's "Use style" menu.
• I can no longer reliably find it — at least not with Opus.
• Honest read: it appears to be relocating/merging into Skills, not disappearing — but I'd verify live in my own account before relying on it.

What Claude Code adds over the web

• The styles knob's spiritual successor in the CLI is declarative: CLAUDE.md + skills (including an output-style skill) shape response form. (The standalone "output styles" knob has been in flux and looks to be folding into skills — ⚠ verify live.)
• Verification is the real divide: web = a human reads it; CLI = the agent runs it in a real environment.

MCP servers: typed tools, not guesswork

MCP = Model Context Protocol — the model calls a typed tool against the live system

• That's the gap between a plausible answer and a correct one — it matters when a scientist acts on the output.
• My setup: 6 plugin MCP servers (Cloudflare API / bindings / docs / observability / builds, + Playwright), activated per-session via /mcp rather than left always-on.

The MCP threat model

"Trust the model" is not a security boundary. Treat MCP tool output as untrusted input.

Using MCP securely: least privilege

Mitigations, cheapest & highest-value first

• Project-scoped .mcp.json is the secure default — a deck-building project simply has no Cloudflare API surface attached.
• Least privilege limits the blast radius — what a manipulated model or a bad tool can actually reach.

Defense in depth: the security plugin

security-guidance@claude-plugins-official — layer 1 observed directly; layers 2–3 inferred from behavior

• Real catches: an innerHTML XSS in a weather-avoidance tool; a newline-injection where attacker-controllable JSON reached a workflow comment and injected an executed directive.
• High-recall, low-precision by design: it false-fired on the literal string torch.load(weights_only=False) sitting in prose — which is exactly why layers 2 & 3 exist.
• Improvement: promote the commit review into a PreToolUse / commit hook that BLOCKS high-severity findings; curate the regex set per project to fight alarm fatigue.

Skills: progressive disclosure

A packaged, versioned, auto-discovered prompt (+ optional scripts) loaded only when it's triggered

• ~15 installed (point-in-time count from a ~/.claude scan); several are retrieval-first — notably the Cloudflare-platform skills.
• Why retrieval-first matters: the Cloudflare API changes faster than the model's training, so the skill fetches current docs instead of trusting memory — fixing the failure mode of a confident, stale answer.
• In-house example: I authored ncar-brand-toolkit@local — SVG waves, logo lookup, brand & accessibility rules. Institutional knowledge → an executable capability.

engineer / RSE sheet

Skill vs a good prompt

• A skill is a packaged prompt. For a one-off, a well-crafted prompt is equivalent — and lower overhead.
• Heuristic: prompt for personal/once, skill for shared/repeated/governed. Don't add the abstraction until duplication actually hurts.
• Solo grad student → keep a prompt library in a repo. Team / RSE → the skill earns its keep as shared, maintained machinery.

Authoring & triggering skills

• A skill only helps if it fires — write trigger-quality descriptions, and use skill-creator's eval harness to measure & tune trigger accuracy.
• A thin "house style" output skill can make HTML-artifact-first the default (see the Artifacts slide) instead of asking for it every time.
• Right-size the catalog: ~11 Cloudflare skills loaded globally is dead weight on non-Cloudflare work — scope them per project.

Plugins: one versioned container

How a team standardizes practice instead of re-teaching every engineer

• One installable, versioned unit — the lever is shared governance, not the install count (~22 installed, point-in-time).
• Improvement: publish my recurring roles — the two-persona reviewer, the sci/eng/UX loop — as plugin agents, not just docs. One command, reusable, demoable.

Anatomy of a plugin

• What goes in: agents/*.md, skills, slash-commands, hooks, .mcp.json.
• Versioning + distribution = team governance: control which servers and skills are configured, centrally — ties straight to the governance discussion in Act 7.

This is the lever that makes my signature methods reproducible by someone who isn't me.

Model & effort: route, don't max

Default: Sonnet + medium. Escalate only when the first pass is wrong, or when being wrong is expensive.

The low / medium / high / xhigh ladder and /effort are CLI / API concepts; claude.ai is coarser — a model picker + an extended-thinking toggle.

Cost/quality routing

• Same instinct as not running a coarse sensitivity sweep at full production resolution.
• Recall problems (discovery, grep, triage) → Sonnet/medium, run many in parallel.
• Precision problems (synthesis, architecture, judgment) → Opus/high, where one bad call poisons everything downstream.

Scientists get this immediately through the grid-resolution analogy: match the resolution to the question.

My settings & the honest gap

• My globals are maxed: effortLevel: xhigh, alwaysThinkingEnabled: true. Haiku never appears.
• The precise gap — and it's narrower than it looks: my documented discovery sub-agents are already correctly tiered (Sonnet/medium). The two real leaks are exactly (a) no Haiku tier at all and (b) a maxed main-loop / orchestrator default.
• Fix: set a modest main-loop default, add a Haiku scout tier (Haiku scout → Sonnet worker → Opus judge), raise /effort only where precision pays.
• Demonstrate a deliberate low-effort run so the room sees where it's plenty — calibration beats "always max."

Artifact-driven interaction: HTML + SVG

For a dense answer, ask for a self-contained HTML artifact instead of a wall of prose

• A dense answer becomes something you can act on: scrub an animation, sort a table, toggle a parameter — you build intuition far faster than by reading linearly.
• SVG is resolution-independent and diffable as text, and the model authors it directly.

That slider is the technique demonstrating itself. Every diagram in this deck is the same pattern.   scientist sheet

Concrete artifact genres

• A 9-section path-finding explainer: embedded SVG + an interactive heading-rotation toy + a side-by-side search animation.
• A per-PR HTML review aid that renders the diff with margin annotations and severity colors.
• Reveal.js slides that embed live artifacts — like the one you're in.
• A self-contained flat-vector explainer comic: The Collab Loop.

Template the recurring genres (explainer, PR-review aid) as skills or frontend-design templates so they're one ask, not a rebuild.

Weight & safety of artifacts

• Mind the weight: a 17.6 MB single-file Leaflet viewer (35 flight×CDO combos pre-serialized) is portable but a perf/review liability. Note: that's a Claude Code on-disk file — it would blow past claude.ai's Artifact size limit. Offer lazy-load / split-data variants.
• Artifacts are a security surface: the innerHTML XSS catch from Act 3 lived inside one. Pair "request an artifact" with "use safe DOM construction."

The collab wrapper: point, don't describe

An idea I have a design for, not a tool I've built — here's exactly what it is and why I want it

• It fixes the pointing problem — "make that heading smaller — no, the other one" costs several exchanges in prose; a click makes it one.
• It would collapse N round-trips into one structured, batched pass, and the JSON is an audit trail of exactly what changed.

Why it would work: pointing & batching

• Pointing: let the human click instead of describe → a fuzzy spatial request becomes a machine-addressable, element-anchored change.
• Batching: one context-rich pass over 20 edits is cheaper and more coherent than 20 round-trips.
• It's a lightweight typed protocol for design feedback — like MCP, but human → agent.

For a scientist that's quota saved; for a reviewer it's an archived change-set — the JSON is the record.

Robustness, audit trail, accessibility

• Robustness: positional references break if the page is reordered between export and apply → anchor to stable IDs and validate before committing.
• Audit trail: the JSON archives next to the committed diff — a precise record of what changed and why.
• Hygiene: for unpublished work, remember the changed content round-trips through the model.
• Accessibility: using a provided wrapper needs no coding; building one does — presenter ships the wrapper, the scientist just clicks and exports.

Build plan & schema

• Anchor each comment to a stable selector / data-collab-id injected at wrap time, so edits survive a DOM re-render.
• Develop in an isolated worktree so the wrapper iterates without touching the deck it wraps.
• Make the JSON a versioned schema, validated on apply, with a dry-run / diff preview before changes land.
• Alternative ingest: a Playwright / claude-in-chrome path that reads the annotated DOM directly.

Co-development modalities & their token cost

Decision rule: research → web chat (a); one-file change → (c); parallel/overnight → (d). I live in (d); tiering models inside it is what keeps it affordable.

Token implications per modality

• (a) low–moderate per turn, but re-pastes context every turn (waste) + high human cost.
• (b) low per suggestion, high frequency → moderate aggregate.
• (c) moderate–high: one rich context, many tool-call turns.
• (d) highest: N concurrent contexts × extended thinking — and the biggest lever you control is Haiku/Sonnet/Opus tiering.

Silent budget killers (Q7): a long context re-sent every turn, and orchestration overhead you can't see. The fix is per-workflow token/hour telemetry — see Act 7.

The cost model — Claude vs Codex vs Antigravity

Two buckets, everywhere

"Suddenly less helpful mid-conversation" = you hit a window. Design long jobs to be resumable, not all-or-nothing. Check it in-product: /status.

Vendor specifics, dated

• Claude: Pro $20 / Max 5× $100 / Max 20× $200; weekly published as expected hours (Max20× ≈ 240–480 Sonnet / 24–40 Opus hrs ⚠). 5-hour limits doubled in 2026.
• Codex: token-based since 2026-04-02; per-5-hour message ranges + a credit rate card per 1M tokens; images drain several× faster; buy extra credits at the cap.
• Antigravity: free public preview, agent-request based, limits ~tripled at I/O 2026; using Claude models reportedly needs your own Anthropic API key ⚠.

Every number gets a source + an access date. The point is that the checklist exists, not the digits.

Instrument your own usage

• Add per-workflow token/hour telemetry: capture real consumption per run (tokens/hours by model tier) and show a measured cost breakdown — e.g. of building this very deck.
• Adopt the Haiku tier as the single budget move that most extends the weekly cap.

Data & Terms of Use: settle this before you connect anything

• Decide your trust boundary first. Document which plan/surface your group is approved to use. Claude Code on a commercial/API plan inherits the no-train posture.
• Never paste into a consumer free-tier chat: unpublished or embargoed results, export-controlled output, or partner/NDA data.

Terms of Use & data, in practice

• The consumer vs commercial split is the whole game: consumer trains-by-default (opt out); commercial/API/Team/Enterprise/Gov/Edu don't, with ~30-day retention and zero-retention options.
• Decide the trust boundary before connecting anything; document the approved plan; never paste restricted data into a consumer free-tier chat.
• Subscriptions are personal-use seats with fair-use limits — automation/fleets likely belong on API/Enterprise terms.

The deck explains itself

• This is Reveal.js 6: vertical sub-slides (#/4/1, #/4/2), live data-background-iframe content, and a self-contained offline build.
• A horizontal spine everyone follows, with optional vertical descents that get more technical the deeper you press. You've been using the convention all talk — that is the artifact.
• PDF handout via decktape (Reveal-aware, slide-by-slide) — which solves the live-iframe → PDF problem a screenshot can't.

Build & verify pipeline

• Offline-first: vendored Reveal.js, self-hosted fonts, no CDN at runtime → opens from a file or any static host.
• decktape → a PDF handout that captures even live-iframe slides; verify slide-by-slide via Playwright.
• Apply the ncar-brand-toolkit theme so brand & accessibility (contrast, logo, waves) are inherited, not hand-applied each time.
• Promote the PDF build into CI / a hook so the live deck and the handout never drift apart.

The things AI gets confidently wrong

Treat AI output like a capable-but-unfamiliar collaborator's PR. Risk is highest where supervision is lowest — normalize verify-then-trust.

Provenance & disclosure recipe

• Methods-section recipe: cite model+version, state that AI assisted codegen, archive the prompt + diff in the repo/supplement.
• Pin the model version explicitly (not "latest"); treat the prompt as a documented input.
• Integrity line for students: the violation is undisclosed substitution of AI work for your own judgment — not use of the tool.

Governance & deployment reality

• Route through Bedrock/Vertex for residency; sign enterprise agreements (BAA/DPA) for retention & jurisdiction; run least-privilege (scoped working dir, rootless container, no secrets in env); capture session logs for SIEM; control MCP config centrally.
• Bound unattended autonomy: restrictive permission mode + tool allowlist + worktree sandbox + PreToolUse block-hooks — so "running while I sleep" is safe by construction.
• Checkpoint long jobs to committed files, not session state — a hard restart then loses minutes, not hours.