Frontier Infra
case study · 2026-07-07 · receipts included

The Workshop

On July 7, 2026 we ran the whole stack at once, on one repo — and kept the receipts.

The Workshop is a live board whose content is the stack's own receipts. The two API endpoints it displays were not written by a human: a deterministic driver dispatched fresh AI workers under a locked contract, verified their work by running the tests itself, and signed a portable attestation for each task. The board, the code, and every claim on this page link to proof you can check yourself.

Open the live board → Source + receipts

2endpoints, zero human-written lines
1attempt per task — no retries needed
52s / 72sworker time per task
23lines of diff, all inside the contract
7/7tests green — run by the driver, not the worker
L2signed receipts, verified against the live domain

How one unit of work flows through the stack

BOX 0 CONTRACT goal · acceptancebudget · autonomy 0 The Machine BEHAVE WORKER fresh agent per task,disciplined + witnessed ADL + Proctor OPERATE VERIFY the driver runs the tests —never the worker machine-driver PROVE RECEIPT Ed25519-signed AAR,evidence hash-committed AAR · key on your domain GOVERN GATES PR · CI · intake ·human sign-off Maintainer Gate Blueprint DECLARE SHIP main → production,readable to agents AVL blocked at any gate → back to a fresh worker, never a silent pass

Every arrow is machine-checked. The worker never grades itself, the receipt outlives every vendor, and nothing reaches production on an agent's word alone.

The run, blow by blow

01 Contract

A goal file spelled out the definition of done, immutable acceptance tests, hard constraints, a budget, and autonomy level zero — propose only. The dial is earned, and day one earns nothing. This is Box 0 of The Machine: the goal never lives only in a context window.

"contract": {
  "definition_of_done": "GET /api/uptime returns 200 JSON {up:true, uptimeSeconds}; GET /api/version
                         returns 200 JSON {version} matching package.json. Each has a node --test case.",
  "acceptance_tests": ["uptime endpoint answers with up===true",
                       "version endpoint matches package.json version"],   // immutable
  "constraints": ["touch only app/server.mjs and test/", "no new dependencies"],
  "autonomy_ceiling": 0                                                    // propose — never commit
},
"budget": { "max_worker_runs": 8, "max_wall_seconds": 1800 }

02 Dispatch & verify

machine-driver — a zero-token, deterministic while-loop — spawned one fresh Claude worker per task, then ran the test suite itself. A worker saying "done" counts for nothing; an exit code of 0 is what counts. Both tasks verified on the first attempt. This is the actual driver log:

[17:15:54] driver up — mode=propose (operator asked propose)
[17:15:54] -> job-001 (attempt 1): add GET /api/uptime + node:test case …
[17:16:46]    ok  verified.                       ← npm test, run by the driver: 52s
[17:16:48] -> job-002 (attempt 1): add GET /api/version + node:test case …
[17:18:00]    ok  verified.                       ← 72s
[17:18:02] GOAL COMPLETE — 2 tasks, 0 blocked/surfaced.

03 Prove

Each verified task produced an Ed25519-signed Agent Attestation Record — the receipt. It binds the claim, the verdict, and a hash commitment to the evidence, signed by the org. The signature checks against the DID document published on this very domain — no vendor, no central server, no trust in us required:

{
  "subject":   "did:web:frontierinfra.org:stack-demo-worker",   // who did the work
  "task":      { "id": "job-001", "claim": "add GET /api/uptime …" },
  "verdict":   "verified",                                      // the verifier's finding
  "ground_truth": "confirmed",                                  // checked against reality
  "checks":    [{ "query": "npm test",
                  "response_sha256": "d0d1c1…",                 // evidence, committed by hash
                  "excerpt": "ok 6 - uptime endpoint answers…" }],
  "verifier":  { "id": "did:web:frontierinfra.org:machine-driver-verify" },  // ≠ subject
  "sig":       { "alg": "Ed25519", "by": "did:web:frontierinfra.org" }       // ← your key, your domain
}

04 Enforce

Proctor — the machine-level enforcement engine that gates every session's "done" on this Mac — then ran the run's meta-contract with its own verifier: all tests green AND both attestations valid. 3 checks against reality, 3 passes, proof signed; the proof was bridged into a signed meta-attestation. The demo attesting the demo:

"checks": [
  { "name": "`npm test` passes (incl. workforce-built endpoints)", "passed": true },
  { "name": "job-001 AAR verifies (signature + evidence)",          "passed": true },
  { "name": "job-002 AAR verifies (signature + evidence)",          "passed": true }
],
"signed_off": true

05 Land

The workforce's diff — 23 insertions, exactly the two contracted files — was reviewed by the operator and went through the repo's own gates as a pull request. The stamped intake gate rejected the first PR body. The demo's own governance blocked the demo, exactly as designed, until the paperwork carried real verification detail:

PR INTAKE CHECK: FAIL
- PR must name the smallest regression guardrail or explain why none was added.
- PR must include human verification details.
                                    ← fixed the body; fresh run green; merged.

What broke, honestly

Two things broke, honestly. The driver's signing step failed on a relative key path — and instead of a silent skip, it alerted loudly, left the unsigned records intact for later signing, and the root cause was fixed upstream the next day with regression tests (relative paths now anchor to the goal file, and a missing key names its full resolved path). The second break was the intake gate above. Demos that never break prove nothing; this one broke twice and recovered with the audit trail to show it.

[17:16:46] ALERT: AAR sign FAILED for task job-001 (rc 1):
           error: ENOENT: no such file or directory, open 'secrets/stack-demo.jwk.json'

Every tier, with its receipt

TierProjectReceipt
GovernMaintainer Gate Blueprintops model stamped by installer; prod-DB guard blocks destructive commands; PR intake gate enforced (and fired)
BehaveADLdiscipline layers + the run's contract as an ADL manifest
EnforceProctormeta-proof signed by Proctor's verifier, 3/3 checks against reality
Operatemachine-driverdriver log + hash-chained loop audit for the two worker dispatches
ProveAARone signed record per task, verifiable against did:web:frontierinfra.org — live on this domain
DeclareAVLthe board serves agent views; validates at L3 (so does this page)

Don't take our word for it

The point of the stack is that you never have to trust the operator — or us. Fetch a receipt from the live board and check the signature against the key published on this domain:

# fetch a receipt from the live board, verify it against this domain's published key
curl -sO https://workshop.frontierinfra.org/receipts/aar-job-001.json
git clone https://github.com/frontier-infra/agentcontrolplane
node agentcontrolplane/tools/aar.mjs verify aar-job-001.json
# → [✓] L0: Ed25519 signature valid … → conformance: L2

What happened next: the seam became a product

The day after the run, the proof→receipt bridge was productized into Proctor itself: every contract signed off on a key-configured machine now auto-emits a signed attestation — verify, judge, or operator sign-off alike. The change went through a 15-agent adversarial review workflow before it shipped, which caught two real defects the tests had missed (a Python 3.9 incompatibility that would have silently disabled emission on stock macOS, and a path-traversal through hostile contract ids) — both reproduced, fixed, and regression-tested. The spec section it conforms to (ADL contract & proof, §7) now has two independent, interoperating producers: machine-driver and Proctor. That is how a record format stops being a feature and starts being a standard.

What this is not

What this is not: the attestations are same-principal (we verified our own workers — disclosed in every record, useful for provenance, not audit-grade independence); the run was demo-scale (two small tasks, one machine); and the workforce ran in propose mode with a human landing the merge. Each of those is a dial the stack exposes, not a ceiling it hides.