It's unlikely that Cackle will ever be completely impossible to circumvent. That doesn't mean it isn't useful, though. Think of it like an antivirus that only knows about 90% of viruses.
If you've found a neat way to circumvent Cackle and sneak in some API usages that it shouldn't allow, great, especially if there's a way to plug the hole. If there isn't a practical way to plug the hole, then my view is that we probably shouldn't provide detailed instructions for people who want to perform supply-chain attacks. The goal is to make things as hard for them as possible.
So I'd say, if the problem is fixable, feel free to just file a bug or send a PR. If it's not fixable, or you're not sure, feel free to just email me. You can find my email address by looking through the commit logs for David Lattimore.