Back to InsightsAI Architecture

Four Days. Eight Thousand Lines. Zero Rollbacks.

How AI agents actually ship production software.

By Michael Murray

Share

Let me start with the numbers, because the numbers are the argument.

In four days, a fleet of AI agents shipped the backbone of a real product: a data platform where the database schema is the company's core asset, the thing that runs the business at scale. Roughly eight thousand lines of reviewed, merged, tested code. A test suite that grew past five hundred automated checks, every one run against a live database, not mocked. More than two dozen real defects caught and fixed before a single line reached production. Zero rollbacks.

Now the contrast, and this is the part that should make you sit up. A solution of this scope and rigor, a trust-enforcing database schema, a service that puts an AI model behind a governed boundary, a full review-and-write interface, all of it with row-level security, provenance on every fact, and an adversarial security pass, is work a competent senior team would typically scope in weeks, not days.

People assume the tradeoff is speed versus safety. Move this fast and you must be cutting corners. We did not cut corners. We moved this fast because of the discipline, not in spite of it. And it starts before a single agent writes a single line.

Nothing gets built without a definition worth building

Here is the part most people skip, and it is the part that makes the rest possible. We do not build from a vibe or a one-line prompt. We build only from a well-structured solution definition: a clear statement of what the solution is meant to do, the markets it is designed to serve, the users and how they are defined, and the actual problem being solved.

That definition can take many forms. A business plan. A market evaluation. A set of user stories. A full requirements document. Sometimes just a long, honest run of question-and-answer with the agent team until the intent is genuinely pinned down. The format does not matter. The rigor of the thinking does. An agent fleet will build with equal speed whatever you point it at, which means a fuzzy definition gets you a fast, confident, well-tested version of the wrong thing. The definition is the steering. The gauntlet is the brakes and the suspension. You need both, and you need the steering first.

This is why, on this project, the schema change that four rounds of review put through eleven fixes was building toward a scope the client had signed, feature by feature, the week before. The reviewers did not have to guess what "correct" meant. Correct was written down. That is what let the checks be sharp instead of philosophical.

The two camps are both wrong

Most conversations about AI writing code split into two camps. One says the models are magic and old engineering rigor is obsolete. The other says they hallucinate, so keep them on a short leash and check every line by hand. Both are wrong in the same way: they treat the model as the thing to trust or distrust. It is not. The process around the model is.

Once the definition is solid, we run the same loop on every substantial change, with no exceptions when we are in a hurry. Especially not then. We call it the gauntlet.

The loop

Plan before code. Every change starts with a written plan and an explicit sign-off before a line is written. For anything touching the data model or the trust rules, a specialist agent issues its conditions up front, before the builder starts, and those conditions become build requirements word for word. You catch the expensive problems while they are still sentences.

Build in isolation. Each change lives on its own branch, in its own working copy, never on the shared trunk. Unglamorous, non-negotiable. It lets many agents work at once without colliding, and nothing reaches the main line except through the front door.

Review adversarially, and independently. This is the heart of it. When a change is built, separate agents attack it in parallel: one for the trust and data-integrity rules, one running security like an intruder, one writing the tests. The critical word is separate. A model, like a person, prefers its own reasoning. An agent grading its own work is theater. The builder of a thing never certifies that thing.

Fix, then review the fix. When reviewers find something, the builder fixes it and the reviewers look again at the new version. This gets skipped constantly, because a fix feels like an ending. It is not. A fix is new code, and new code is unproven. On one of our schema changes, the fix for one problem quietly introduced a different one. The re-review caught it.

Certify against behavior, not vibes. Before anything merges, a final agent re-runs everything itself. Not "the builder says the tests pass." It runs the full suite against a live database, checks the types, runs the build, looks at the actual rendered screens, and returns a plain go or no-go. It does not take reported numbers on faith. That is the difference between "we tested it" and "it is tested."

Merge on green, keep the receipts. Only a clean certification merges, and the full record of the gauntlet travels with the change.

The numbers behind the numbers

Three moments made the headline figures.

On one schema change, four rounds of review caught eleven real defects before it merged. One was a direct contradiction with a rule the client had signed the week before. One was a hole a fix had just introduced. None were caught by the builder. All eleven would have been production incidents in the asset that is the entire point of the company.

On the next change, the loop ran so cleanly the work merged five days ahead of schedule, with the full safety, not by dropping it. That is the speed-versus-safety tradeoff dissolving in front of you.

On the change after that, the security reviewer flagged a weakness that had sat in the codebase for weeks, untouched by our work. It became dangerous only because a new feature made a privacy control depend on that old, weak code. The gauntlet does not just check the new work. It notices when new work raises the stakes on old work. Fixing it surfaced two more buried defects, including the real cause of a testing problem the team had spent three days calling "flaky." It was not flaky. A single configuration flag was quietly wrong. The process built to find real bugs found that one too. And on the same slice, the final certifier refused to pass it, over every other green check, because a user-facing screen had not yet been looked at by a reviewer. The standard held against our own hurry.

The fleet that ran this build

The loop above is not abstract. It ran as a named roster, each agent with one job and hard walls between them. This is the roster that did the work.

AgentRole on this build
Baker
lead agent
Plans the build, gets the plan approved, directs construction, coordinates every review round, and holds merge authority. Builds nothing he certifies; certifies nothing he builds.
Builder agents
per-slice
Purpose-spawned constructors that write the code for one change under Baker's written spec, then hand it to the gauntlet. Deliberately disposable, one per slice. The disposability is the point: no builder accumulates authority over the thing it built.
Bastion
trust-path guardian
Rules on the data model and trust invariants before code is written, and its conditions become build requirements word for word, then it re-reviews the actual change. On this build: the pre-pass on the schema slice, the eleven-defect review arc, and the binding conditions now gating the next slices.
Breaker
adversarial security
Attacks each change like an intruder: authorization, data isolation, privacy egress, cost abuse. On this build: caught spend-before-authorization on the AI service, and the weeks-old inherited hole that a new privacy control was about to depend on.
Bench
QA and test engineering
Writes and extends the automated test suite against a live database, including the negative controls that pin every fixed defect. On this build: grew the suite past five hundred checks and found two defects hiding inside other agents' fixes.
Beacon
independent certifier
Re-runs every gate itself, types, lint, full suite, build, and reading the rendered screens, and returns go or no-go. Accepts no one's reported numbers, including Baker's. On this build: held two no-gos over unseen screens with every other check green.

Why this is the actual frontier

The hard part of AI-built software was never getting a model to produce code. Models have been able to write a function for years. The hard part is keeping many agents changing one complex system, week after week, without it quietly pulling apart. That is an orchestration problem, a trust problem, a governance problem. It is the problem.

We are not the only ones who see it there. Chamath Palihapitiya raised a reported $135M Series A for 8090, took the CEO seat himself, and framed the mission as a governed "Software Factory" where people and AI agents build and change enterprise software together with, in the company's own words, full control, visibility, and auditability over every decision from start to finish. His own public line is that he set out to rewrite the legacy software of the world with modern alternatives. Different scale, same conviction: the winning move is not a smarter single model, it is a governed system of agents that can be trusted together. Where 8090 is building the factory floor for the regulated enterprise, we run the shop in categories where we have depth of experience earned over decades, and for the ventures we build and hold equity in, on the same core belief: structure and independence between agents is what turns raw model capability into solutions you can actually ship.

The principles, which generalize past code

Define before you build. A fleet builds the wrong thing just as fast as the right one; the definition is the steering.

Independence beats inspection. Safety comes from separating builder and checker, not from staring harder.

Re-check after every change, because the change is the new risk.

Certification means behavior observed, not claims accepted. "It should work" is not a state you are allowed to end in.

Own your corrections in both directions. When a reviewer is wrong, we say so on the record. Earlier in this same sprint one of our agents pushed a bad instruction twice before a teammate corrected it, and the record says exactly that. When the builder is wrong, the gauntlet says so.

Accuracy is the product. Comfort is not.

The honest cost, and what it buys

This is not free. A single change costs a full live-database test run, usually more than once, plus the fix rounds. Minutes to an hour of machine time per change. Nothing in that loop waits on a human or a clock, so it is all work and no delay, but it is real work and real spend.

What it buys is the thing both camps called impossible: agents writing production code, fast, with the schema-level rigor you would demand of a senior team, and a week of shipping with nothing to undo. Not because the model is trusted. Because it is never trusted alone.

Here is the shift that matters, and it is bigger than our shop. For most of the history of building things, rigor and speed were opposites. You paid for quality in time, or you paid for time in quality. That tradeoff is over. With a well-structured definition at the front and a real gauntlet around the work, rigor and speed have become the same thing. The discipline is not the tax on the speed. The discipline is the engine of it.

That changes who gets to build. It is no longer only large, well-funded engineering teams who can ship serious software with serious rigor. A founder with a clear definition and a governed agent fleet can now do it in days. There is a new class of builders and creators being handed capability that used to take a department. If that is you, the message is simple. Define the thing well. Build it with a process that refuses to trust any single output alone. Then build.

The build, by the numbers

4 days
from start to shipped backbone
~8,000
lines of reviewed, merged, tested code
500+
automated checks, every one against a live database
24+
real defects caught before production
11
defects caught on a single schema change, over four review rounds
5 days
ahead of schedule on the cleanest change, with full safety
2
certifier no-gos held over unseen screens, every other check green
0
rollbacks

Accuracy is the product. Comfort is not.

Four days. Eight thousand lines. More than two dozen caught defects. Zero rollbacks. That is not the ceiling. That is the new operating baseline.

MM

Michael Murray

Michael Murray is the Managing Partner of Abeba Co, which builds and ships business solutions that scale with and through a fleet of AI agents, with the discipline of a senior engineering team.

Share

This is how it is done now.

Go build. Then tell us what you shipped.