GHOSTFACTORY
GhostFactory builds the infrastructure layer for production AI agents — deterministic planning, a supervised runtime, sandboxed execution, and a cryptographically verifiable record of everything. Four components, one contract. Starting with Span Chain — available now.
One platform. Four components.
01 · PLAN
Switchyard
Control plane — turns an issue into a validated, content-addressed work order.
Coming soon
02 · RUN
Murmur
Runtime — supervised, crash-safe concurrent agent sessions on the BEAM.
Coming soon
03 · CONTAIN
Shroud
Sandbox — manifest-enforced permissions, budgets, and Shield review gates.
Coming soon
04 · RECORD
Span Chain
Audit layer — cryptographic audit trail, deterministic replay, evals.
Available now
THE PIPELINE — ONE TASK, FOUR STATIONS
If someone with database access rewrites your agent's prompt history, LangSmith won't catch it. Langfuse won't catch it. Nobody will.
That's why the audit layer ships first.
SPAN CHAIN
Span Chain is the audit layer. Every LLM call, tool use, and decision your agent makes lands in an append-only, SHA-256 hash-chained ledger — then becomes raw material for deterministic replay, structural comparison, and evals. Elixir/OTP underneath; OpenTelemetry on the wire.
HOW IT WORKS — FROM SPAN TO RECORD IN THREE STEPS
Standard OpenTelemetry wire format. Python + TypeScript SDKs included. The SDK stays dumb — all logic lives in the backend.
Each entry includes the hash of the one before it. Append-only — historic spans can be read but never edited or removed without detection.
verify_ledger catches any tampered entry.Instant chain re-walk. A single modified byte anywhere in history fails verification. Detection is not best-effort — it's mathematical.
SPAN CHAIN · FUNCTIONS
A complete audit, replay, and eval layer — without giving up the OpenTelemetry ecosystem you already use.
SHA-256 hash-chain. verify_ledger detects any modification instantly. When AI Act audits happen (Annex III, 2027), this is what they'll ask for.
For strict regulatory compliance, external Time Stamping Authority anchoring (RFC 3161) is available in the Enterprise tier.
Record any run as a cassette. Replay with a new model or prompt. Compare structural changes exactly.
Span tree diff between any two runs. See the exact deviation point — not just which run was slower.
Score any run against a 24-dimension quality rubric. Evals read straight from traces — no separate harness — and every judgment is itself a traced run.
Standard OpenTelemetry protocol. Python SDK + TypeScript SDK. Any OTel-compatible client connects in minutes.
Watch spans arrive as they happen and drill from a full trace down to a single span. React front end on an Elixir backbone.
Broadway ingestion pipeline with back-pressure built in. Stress-tested at 571 spans/second — zero corrupted entries.
Each run lives in its own SessionGenServer (~2 KB heap). A million concurrent runs without interference. Built on the OTP actor model.
POSITIONING
Span Chain is the audit layer. Built for teams that need a verifiable record, not just visibility.
| LangSmith / Langfuse | GhostFactory Span Chain |
|
|---|---|---|
| Question answered | What did the agent do? | What did the agent do — verifiable. |
| Data guarantee | None | SHA-256 hash-chain |
| Replay | Session replay | Deterministic VCR + structural diff |
| Debug cost | Every retry = LLM call | Replay from cassette = $0 |
| Buyer | Developer | Developer without own framework + compliance |
| Security guarantee | None — mutable traces can be rewritten | Append-only, hash-chained — tamper-evident |
| Architecture | Stateless API + DB | Elixir/OTP actor model (isolated per-run) |
Span Chain isn't a LangSmith competitor. It's the tamper-evident record layer that sits beneath your observability tool.
ROADMAP
Three stations, shipping in pipeline order. One contract — the Task Manifest — carries a task from issue to merged PR, and every station along the way emits spans into the chain.
SWITCHYARD
Switchyard is the control plane — deterministic planning and dispatch. It turns an issue into a Task Manifest: a complete, content-addressed contract that says exactly what an agent may do, with what context, at what cost. Models propose; the plane validates.
A checklist, not a model. No definition of done, no acceptance criteria, no labels — the issue bounces back as "needs spec" before a single token is spent.
An LLM drafts the task graph; Switchyard accepts only a validated artifact — schema-checked, acyclic, with file ownership assigned per node so parallel work can't collide.
Capabilities — skills, hooks, templates, commands — come from a structured registry: deterministic lookup, same issue, same tools. Project knowledge and issue history come from retrieval.
A versioned template plus assembled slots compile into the final prompt. Which template, which version, which context — all recorded, nothing improvised.
The contract between planes: issue ref, compiled prompt, pinned context (document IDs + hashes), write-allowlist, budget, model and effort, escalation policy. Content-addressed — so every run is reproducible.
LLMs only at the leaves. Orchestration stays deterministic.
MURMUR
Murmur is the runtime — every agent session runs as an isolated, supervised process on the BEAM. Crashes are expected, contained, and recovered from. State lives in an event log, not inside the process that might die holding it.
Each run gets its own lightweight process under a supervision tree. One session crashing takes down exactly one session — never the system.
Every state transition is persisted as it happens. A restart replays the log and picks up where work stopped — no orphaned runs, no lost progress.
Pending, active, awaiting input, complete, stale — explicit states, not implied ones. Instant acknowledgment, asynchronous work, supervised timeouts.
Review loops are bounded. When the cap is hit, the session moves to awaiting-input and a human decides. Escalation is a state in the machine — not an exception buried in a log.
Independent tasks run concurrently. Tasks whose write sets overlap get serialized by file ownership — instead of merging into conflicts.
Let it crash. Never let it lose work.
SHROUD
Shroud is the sandbox — an isolated execution environment where an agent holds exactly the permissions its manifest grants. Read anything, write only the allowlist, spend only the budget. Nothing ships until the gates pass.
Every task executes in its own worktree, on its own branch. The blast radius of a bad run is one branch — and the road ahead is microVM-level isolation.
The Task Manifest is law at the boundary: write-allowlist, tool access, and token budget are enforced by the sandbox — not requested politely in the prompt.
Deterministic gates run first: lint, typecheck, the test suite, AST and pattern rules. No model ever reviews code the machine already rejected.
An independent model reviews the change against the acceptance criteria — full files, not diff lines. The verdict is structured JSON ({verdict, findings, dod_check}), never free text, so reviews themselves can be evaluated.
Manifest in, result out — both on disk, both hashed. Any execution replays deterministically in Span Chain's VCR.
Autonomy inside the boundary. Determinism at it.
Every station emits spans. Span Chain ships first because the rest of the platform stands on a verifiable record.
plan → run → contain → record · one manifest, one chain
Used by teams shipping AI agents in production — before they need a lawyer.