Skip to content
Back to work
Case study · personal project

JujHub

An autonomous studio. A commander assembles a crew of specialist agents to take a goal from intent to a finished deliverable, under your approval, and tries to get better at it every run. The part I care about most is the safety model: how a system that edits its own code can be trusted not to edit away its own guardrails.

.NET 10Multi-agentSelf-editingZero dependenciesSSEEvent-sourced
5
Specialist agents
61
Safety test suites
0
Runtime dependencies
JujHub Observatory view: a dark cockpit showing what needs the operator's sign-off, system health gauges, subsystem status, and the day's operations, including missions run, model calls, success rate, and spend.
The Observatory: the studio as a presence you watch over. What needs sign-off, system health, and the day's operations.

Overview

A one-line goal is not a product. Getting from one to the other is research, architecture, engineering, copy, and design, plus the judgement to know when it is good enough. JujHub is an attempt to automate the doing while keeping the judgement human. A commander, Juju, decomposes the goal and delegates to a crew of specialists, each holding to a named master's standard, and the operator approves anything that spends money or leaves the building.

It is a personal project, and the most ambitious thing I have built for myself. It runs on a zero-dependency C# harness: no NuGet packages, just the framework and JSON, so the whole engine builds and runs offline.

The studio pipeline

A goal is decomposed into a DAG of waves. The crew builds in parallel, each specialist recalling its own memory and working a tool loop. Their output is synthesized and put to a review board of critics that returns a verdict. A pass moves to delivery; a fail loops back to revise. Every outward step waits behind the operator's approval.

revise on failGoalarchitect intentDecomposeDAG of wavesThe crew · parallelCINDER · VELLUMCLARION · GILDPROSPECTThe Boardcritics · verdictShipon approval
A goal becomes a deliverable: decompose, build in parallel, review, and ship only on approval.
JujHub Anatomy view: a force-directed graph with Juju at the centre connected to the crew, the review board, memory, immunity, hands, and governance.
The Anatomy: the whole system as a live graph, the crew and the review board around Juju, wired to memory, tools, and governance.

How it edits its own code, safely

The ambitious part is that the studio can improve its own source. The risk is obvious: a system that can rewrite its guardrails has none. So the self-editing organ runs behind a set of gates that it cannot route around.

A change is enacted in an isolated git worktree cut from a clean, committed baseline, never in the live process. It has to pass a green build and full test run, then a Constitution: a pure, path-only rulebook that protects the approval gate, the sandbox, the rulebook itself, and the fixed purpose, and holds the test project to add-only. A blast-radius cap refuses any change touching more than a dozen files. Only then does it park for human approval, which is the single path to main, and the merge applies on the next restart. Any gate failure discards the worktree and nothing leaks.

Three gates1 · build + test green2 · Constitution3 · blast radius ≤ 12any gate fails → discard worktreenothing leaks into the live processSelf-dev brieffrom findingsIsolated worktreeoff a clean baselineHuman approvalonly path to mainMergeon restart
The Smith: self-edits run in an isolated worktree, pass three gates, and reach main only through a human.
A guardrail that guards itself
The Constitution is a protected file, and it protects itself: the list of files the system may not touch includes the file that holds the list. It is a plain, path-only function with no model in the loop, so it is fully unit-tested. An autonomous system that can rewrite its own rules has no rules.

The engineering

The harness is event-sourced. Every session writes an append-only log of what happened, which is both the audit trail and the way a run resumes after a stop. Memory is a ledger the specialists recall from, with a vector index and an offline embedding fallback so nothing hard depends on a network. Tools are a small typed registry, workspace scoped. The whole tribe of roles, the crew, the review board, the mender that turns failed runs into written lessons, maps to models through a single router.

The tests are a deliberate choice: a plain console runner, not a framework, because the self-editing gate keys off its exit code with no restore and no network. Sixty-one suites, and most of them test the guardrails themselves: the Constitution, the gates, prompt safety, red teaming. The immune system has its own immune tests.

The interesting engineering here is not the autonomy. It is the set of things the autonomy is not allowed to do.

An honest read

The governance and safety machinery works and is well tested. Product delivery is where it fell short, and the system records that itself. Across its runs it produced one deliverable that passed review, one that failed it, and one left as a draft. The self-editing loop fired many times but, on this machine's history, never completed an approved merge to its own code.

JujHub Upgrades view: self-edit attempts logged as no-change or tests-failed, with zero landed, and the note that main is never touched automatically.
The self-editing loop, honestly: attempts logged as no-change or tests-failed, zero landed. Promotion to main is always the operator's call.

The most reinforced lesson in its own log is a sharp one: the orchestrator could not reliably tell an infrastructure outage from a bad answer, because both surfaced the same way, so it spent revision rounds retrying failures that revision could not fix. That is a real, specific finding about where autonomous delivery breaks, and I would rather show it than a demo that hides it. The safety model is the part I would stand behind; the reliability of the autonomy is the part that needs the next iteration.

Back to
Selected work