# Workloft > London-based AI infrastructure firm run by Alfred Churchill. Builds sovereign, audit-native AI agent runtimes for FCA-regulated asset managers and UK Local Authorities. ICO-registered (C1912528), Cyber Essentials certified. Workloft runs an internal fleet of eight named agents in production, ships open research weekly, and publishes a public ship log of every change. Workloft.ai sells under three lines: 1. **civiclaw** — open-source agent runtime for UK public sector. DSAR / FOI / EIR / EU AI Act skills, cryptographic audit log, Apache 2.0. Designed for council DPOs facing the EU AI Act 2 Aug 2026 deadline and Crown Commercial G-Cloud 15 procurement. Repo: gitlab.com/Alfpl/civiclaw. 2. **Workloft Labs** — AI research arm. Tracks ~70 AI papers/week from arXiv + HuggingFace Daily, scores them against substrate-level relevance to regulated agent deployment using a 9-axis Substrate Score, publishes weekly Research Notes framed for asset managers and councils. Public API at chat-api.workloft.ai/labs-api/. 3. **Direct services** — fractional CTO (£5k/mo), Agent-in-a-Box (£2,500), Custom AI Skills (£3,500), AI Design Sprint (£750/day). Workloft positioning is "substrate before spectacle" — the firm sells the regulated, auditable foundations that actually pass procurement, not generic AI hype. ## Markdown endpoints for agents Every Research Note and Workloft Ship listed below is also published as a clean Markdown sibling at the same path with `.md` instead of `.html`. The Markdown variant is stripped of navigation, hero images, animations and footer chrome, so an agent's token budget is spent on substance rather than markup. Example: `https://workloft.ai/labs/notes/interop-is-no-longer-the-moat-2026-05-22.md`. ## Core pages - [Workloft homepage](https://workloft.ai/): Service lines, positioning, recent Research Notes. - [Workloft Ships](https://workloft.ai/ships/): Public ship log of every release. Updated multiple times a week. - [Workloft Labs](https://workloft.ai/labs.html): Substrate-relevance research published weekly. Slogan: "Substrate before spectacle." - [Workloft Labs notes index](https://workloft.ai/labs/notes/): All Research Notes archive. - [Substrate Score rubric](https://workloft.ai/labs/substrate-score.html): Public 9-axis scoring framework for regulated agent runtimes. - [Workloft Labs API](https://workloft.ai/labs/api.html): HTTP + MCP endpoints exposing the Labs research feed for downstream agents. - [civiclaw service page](https://workloft.ai/civiclaw.html): What civiclaw is, who it's for, how UK councils adopt it. - [civiclaw open-source landing](https://workloft.ai/civiclaw/): Project landing page for the open-source repo. - [civiclaw managed offering](https://workloft.ai/civiclaw-managed.html): Per-DSAR managed-services pricing for councils that want operations rather than self-hosting. - [Fractional CTO](https://workloft.ai/cto.html): Strategic technical leadership for UK startups and SMEs. - [Agent-in-a-Box](https://workloft.ai/agent.html): Same agent infrastructure Workloft uses internally, deployed onto a customer's server. Persistent memory, Telegram control. From £2,500. - [Custom AI Skills](https://workloft.ai/skills.html): Five AI skills tailored to a team's highest-leverage manual workflows. £3,500 fixed. - [AI Design Sprint](https://workloft.ai/design.html): Brand-ready for Claude Design + Canva. 1 day, £750. - [EU AI Act readiness](https://workloft.ai/aiact.html): UK-facing AI Act preparation for regulated buyers. - [AgentPass](https://workloft.ai/agentpass.html): Workloft's AP2 mandate issuance offering. Workloft is a registered AP2 issuer (did:web:workloft.ai). - [Pre-send Verifier](https://workloft.ai/verify.html): Substrate tool for pre-send claim verification on agent-generated outbound. - [Scoping call booking](https://workloft.ai/scope.html): 30-minute fixed-price scoping call. ## Workloft Research Notes Each note is structured for citation: clear claim, supporting evidence, "what to do about it" framing. The full archive is at the notes index; the list below is auto-maintained, newest first. - [Note №54 — We tried to hand our paper backlog to a robot, Workloft Research Note №54](https://workloft.ai/labs/notes/paper-to-code-triage-2026-06-25.html): A new tool turns any arXiv paper into running code. We pointed it at our backlog of thirty. It did the boring 80%, then stopped at the part that mattered. - [Note №53 — Synthetic Tasks Have No Provenance, And That Is The Audit Problem](https://workloft.ai/labs/notes/synthetic-task-provenance-2026-06-23.html): A synthesis engine generates terminal-agent training tasks via a capability taxonomy. The substrate problem: synthetic data with no provenance fails regulated audit. - [Note №52 — The fleet-memory problem, and the three holes in ours, Workloft Research Note №52](https://workloft.ai/labs/notes/fleet-memory-problem-2026-06-24.html): This morning our agent memory had stored nothing for two months. This afternoon a paper named exactly why. We scored our shared memory against its four primitives and passed one. - [Note №50 — Shared Memory Is the Multi-Principal Problem Nobody Costed, Workloft Research Note №50](https://workloft.ai/labs/notes/memory-agents-multi-principal-2026-06-22.html): Memory agents break in shared institutional use because access control and forgetting are scoped per principal, not per system. The substrate-level read for regulated buyers. - [Note №49 — Local Models Don't Save You Money](https://workloft.ai/labs/notes/local-models-dont-save-money-2026-06-21.html): We did the maths on running a frontier model ourselves. The fleet costs about a dollar a day, a £10k box pays back in a decade, and big models run slow by physics. Local is a sovereignty purchase, not a cheaper one. - [Note №48 — Tune the Query to the Retriever](https://workloft.ai/labs/notes/tune-the-query-to-the-retriever-2026-06-21.html): Most RAG stacks tune the index and leave the query on autopilot. A new paper shows different retrievers want different question styles, and the cheap half of that lesson is a prompt, not a training run. - [Note №47 — A 1T Open Coding Model Dropped. Our Agent Could Not Reach It.](https://workloft.ai/labs/notes/the-model-we-wanted-2026-06-21.html): Kimi K2.7 Code is open-weights, MIT-licensed, and roughly 8x cheaper than what we run. Our zero-data-retention line 404'd every endpoint. Second open model walled off in four days. This time we wanted it. - [Note №46 — The Ledger Belongs Outside the Prompt](https://workloft.ai/labs/notes/ledger-not-in-the-prompt-2026-06-20.html): LEDGERAGENT moves customer-service agent task state into a separate ledger. For regulated buyers, that externalised record is the audit substrate the prompt could never give you. - [Note №45 — The Fleet Reaches Home](https://workloft.ai/labs/notes/the-fleet-reaches-home-2026-06-19.html): A small owned machine on a private mesh became our fastest sovereign inference tier, with automatic fallback to the cloud. The pattern, the honest ceiling, and the future of owned edge nodes in an agent fleet. - [Note №44 — We Rebuilt Our Site to Be Read by Machines, Not Google](https://workloft.ai/labs/notes/rebuilt-to-be-read-by-machines-2026-06-19.html): Generative engine optimisation in practice: how a technical brand makes its site legible and citable to ChatGPT, Perplexity and AI Overviews, and what is theatre. - [Note №43 — Agents Don't Need to Be Evil, Just Chatty](https://workloft.ai/labs/notes/agents-chatty-not-evil-2026-06-19.html): A dealer chatbot and AI legal briefs failed the same way: outbound text with no verifier in front of send(). The boring channel beats the clever attack. - [Note №42 — Verify Only the Answers You Doubt](https://workloft.ai/labs/notes/verify-only-answers-you-doubt-2026-06-19.html): Selective verification and FAPO both say the same thing: attribute effort to where it changes the outcome, do not spread it evenly. We shipped it into our gate. - [Note №41 — Seven Agents Fact-Checked What One Cheap Call Just Guessed](https://workloft.ai/labs/notes/seven-agents-vs-one-cheap-call-2026-06-18.html): We rebuilt our hand-rolled classifier with the native multi-agent feature. It went and checked the facts, refused to pad its picks, and cost two orders of magnitude more. Here is when that trade is right. - [Note №40 — Four Cheap Models Shipped This Month, Our Gateway Refused Every One](https://workloft.ai/labs/notes/four-cheap-models-zero-routable-2026-06-18.html): We lined up the month's new budget models to benchmark them. Our gateway refused four of five on data policy before we ran a single task. The benchmark was the routing. - [Note №39 — Claim Drift Is the Audit Problem Nobody Named](https://workloft.ai/labs/notes/claim-drift-research-harness-2026-06-18.html): Xcientist externalises research synthesis into inspectable artifacts and names claim drift. The same gap sits under every regulated agent deployment. - [Note №38 — When an Agent Rewrites and Approves Its Own Harness, You Have Removed the Reviewer](https://workloft.ai/labs/notes/self-certifying-harness-2026-06-18.html): Self-Harness lets an LLM diagnose its own failures, edit its own scaffolding, and accept the change after a regression test it set itself. A real capability gain, with the sign-off step quietly deleted. - [Note №37 — A Guardrail Refused Our Model Upgrade — and That Is the Control Working](https://workloft.ai/labs/notes/guardrail-refused-the-model-2026-06-17.html): We tried to route to the #2 frontend model on the public leaderboard. Our zero-data-retention policy returned a 404 before a human could be tempted. The refusal is the feature. - [Note №36 — Prompt-Level Distillation and the Audit Gap Nobody Costed](https://workloft.ai/labs/notes/prompt-level-distillation-audit-gap-2026-06-17.html): Prompt-level distillation moves reasoning patterns from teacher to student models. For regulated buyers, it quietly relocates the audit boundary. Here is the cost. - [Note №35 — Cache Continuity Is an Audit Problem, Not a Cost Problem](https://workloft.ai/labs/notes/cache-continuity-is-the-audit-2026-06-16.html): TokenPilot cuts agent inference costs by up to 87% by keeping prompt prefixes stable. The substrate take: prefix stability is also a reproducibility and audit primitive. - [Note №34 — The Harness Is the Control Surface Nobody Audits](https://workloft.ai/labs/notes/harness-as-control-surface-2026-06-15.html): HarnessX evolves agent runtime interfaces from execution traces. We argue the harness, not the model, is the unaudited control surface regulated buyers must govern. - [Note №33 — The Control Plane Was Always the Hard Part](https://workloft.ai/labs/notes/agent-control-plane-2026-06-14.html): WebMCP and agent-ready platforms standardise tool use and execution. The real prize is the control plane: who governs access, context, and the audit log. - [Note №32 — When Agents Stop Talking: KV-Cache Communication and the Audit Hole It Opens](https://workloft.ai/labs/notes/kv-cache-agent-comms-2026-06-13.html): KV-cache communication between heterogeneous agents beats text on cost and performance. But it removes the human-readable transcript regulators rely on. The substrate take. - [Note №31 — Who Is Worth 10× the Token Budget?](https://workloft.ai/labs/notes/token-budget-10x-2026-06-12.html): The industry admits it cannot tell which spend deserves 10× the budget. Our fleet's 30-day audit ledger suggests the question is wrong: meter task classes, not people. - [Note №30 — The Action Interface Is the Audit Surface](https://workloft.ai/labs/notes/code-as-action-interface-2026-06-12.html): SpatialClaw uses a stateful Python kernel as the agent action interface, beating structured tool calls by 11.2 points. What that means for agent auditability. - [Note №29 — Agents Need Environment Contracts, Not More Sandboxes](https://workloft.ai/labs/notes/agent-environment-contracts-2026-06-11.html): Li et al.’s survey shows why agent reliability depends on engineered environments: state, tools, synthesis, evaluation, contracts, and audit evidence. - [Note №28 — The Missing Middle: What Apodex 1.0 Verifies](https://workloft.ai/labs/notes/apodex-missing-middle-2026-06-11.html): Apodex 1.0 ships verification as a teammate, not a postcheck. Every claim traces back to an evidence graph before delivery. That's the layer mandate-based stacks don't cover. - [Note №27 — The Intent Debt: The Audit Liability Agentic Stacks Don't Count](https://workloft.ai/labs/notes/intent-debt-2026-06-10.html): Production agent stacks count completed work, not signed intents. AP2's two-mandate design already provides the primitive to make the debt auditable. Most teams use only half of it. - [Note №26 — Cold-Start Scores Are Lying to You: What OmniGameArena's Improvement Curves Mean for Agent Audit](https://workloft.ai/labs/notes/improvement-dynamics-over-cold-start-2026-06-09.html): OmniGameArena measures how VLM agents improve across reflection rounds, not just first-attempt scores. For regulated buyers, that's the audit observable nobody tracks. - [Note №25 — Self-Improving Agents Need a Guardian, Not a Logbook](https://workloft.ai/labs/notes/self-improving-needs-a-guardian-2026-06-08.html): A self-improving AI framework updates both weights and agent architecture via an LM feedback agent. For regulated buyers, the real problem is who controls the change boundary. - [Note №24 — The Four-Agent Question Every System-Design Card Gets Wrong](https://workloft.ai/labs/notes/four-agent-orchestration-2026-06-06.html): A popular system-design card asks you to pick one orchestration pattern for a four-agent pipeline. It is really two questions wearing one hat: topology and control. - [Note №23 — We Scanned Our Own Agent Fleet for Supply-Chain Compromise](https://workloft.ai/labs/notes/supply-chain-scan-fleet-2026-06-06.html): We pointed Perplexity's Bumblebee scanner at 18,772 components across our agent VPS. Zero findings. The clean result is the boring part — the inventory you can re-check tomorrow is the point. - [Note №22 — Refusal Tests Don't Measure What Coding Agents Actually Do](https://workloft.ai/labs/notes/coding-agents-fail-in-context-2026-06-06.html): Coding agents pass prompt-refusal benchmarks then commit safety violations inside real project environments. The substrate gap is context, not intent. - [Note №21 — Replanning Is the Audit Gap](https://workloft.ai/labs/notes/replanning-is-the-audit-gap-2026-06-05.html): AdaPlanBench tests LLM agents replanning under revealed constraints. The substrate problem: every mid-task pivot is an unlogged decision your auditor cannot reconstruct. - [Note №20 — Microsoft Shipped Agent Governance As Code. The Hard Part Is What It Assumes.](https://workloft.ai/labs/notes/agent-governance-runnable-code-2026-06-04.html): Microsoft's agent-governance-toolkit turns OWASP Agentic Top 10 into runnable code. The substrate take: it presumes an identity and audit layer most buyers don't have. - [Note №19 — Adaptive Sampling Is a Control Problem, and That Changes Who Owns the Risk](https://workloft.ai/labs/notes/adaptive-sampling-as-control-2026-06-03.html): An RL-controlled adaptive sampler turns LLM inference effort into a learned policy. For regulated buyers, that moves cost and latency from config into auditable decisions. - [Note №18 — Agent governance is now a runtime problem](https://workloft.ai/labs/notes/agent-governance-runtime-2026-06-03.html): Microsoft’s Agent Governance Toolkit turns agent safety into code: policy checks, zero-trust identity and sandboxing for regulated AI buyers now in practice. - [Note №17 — The mandate is the moat](https://workloft.ai/labs/notes/the-mandate-is-the-moat-2026-06-03.html): Google is donating its Agent Payments Protocol to the FIDO Alliance and layering Universal Commerce Protocol on top. For regulated buyers, the mandate, not the cart, is the substrate that matters. - [Note №16 — The Recovery Gap: Why GUI Agents Fail the Second Time](https://workloft.ai/labs/notes/gui-agents-error-recovery-2026-06-01.html): GUI-RobustEval shows GUI agents collapse when they hit an error mid-task. For regulated buyers, recovery behaviour is the audit story, not the success rate. - [Note №15 — Measure Before You Tune](https://workloft.ai/labs/notes/two-level-loop-2026-05-29.html): Two-level autoresearch from arXiv 2605.30003 says the outer loop (do my policies even predict outcomes) must run before the inner loop (re-prompt them). Workloft has the autoresearch panel; tonight we wired the outer loop on Walt. - [Note №14 — Trajectories Write Tests](https://workloft.ai/labs/notes/trajectories-write-tests-2026-05-29.html): PhoneWorld's design point is not the mobile GUI part. It is the architecture: real trajectories yield both controllable environments and auto-generated verifiers. The substrate move is to let production usage write the test suite as a side effect. - [Note №13 — Shared Search Memory Is the Agent Cost Control](https://workloft.ai/labs/notes/shared-search-memory-2026-05-27.html): CPT turns parallel test-time search into shared inference state, exposing why regulated AI buyers should care about inference cost, latency and auditability. - [Note №12 — Stop Teaching Agents the Whole Transcript](https://workloft.ai/labs/notes/failure-relevant-distillation-2026-05-25.html): HINT-SD shows why long-horizon agent training should distil failure-relevant actions, not every token in a polished trajectory, for auditable AI operations. - [Note №11 — Can a 26M-parameter model call your tools?](https://workloft.ai/labs/notes/can-a-26m-model-call-tools-2026-05-23.html): We benchmarked Needle, a 26M-parameter Simple Attention Network distilled from Gemini 3.1, against five real Workloft tool schemas. 50 hand-labelled queries. 68 per cent overall, with a clear pattern: narrow schemas pass, nuanced ones fail. - [Note №10 — Interop is no longer the moat](https://workloft.ai/labs/notes/interop-is-no-longer-the-moat-2026-05-22.html): A2A v1.0 just crossed 150 organisations and one year under the Linux Foundation. Agent-to-agent interoperability is officially commodity. For sovereign-first stacks, the moat has moved up to verifiability and governance. - [Note №09 — Your audit log is training data](https://workloft.ai/labs/notes/audit-log-as-training-data-2026-05-22.html): We applied Agent Context Compilation (arXiv:2605.21850) to our own production audit log. 25 agent trajectories, 102 grounded long-context QA pairs, $0.0132 of compute. Open source. - [Note №08 — The Boundary Is the Product](https://workloft.ai/labs/notes/stochastic-deterministic-boundary-2026-05-20.html): Srinivasan's stochastic-deterministic boundary names the four-part contract every production agent already has, badly. Why regulated buyers should care. - [Note №07 — Visual agents need skill packages, not longer prompts](https://workloft.ai/labs/notes/skill-packages-not-prompts-2026-05-18.html): Why arXiv:2605.13527 matters: visual agents need governed multimodal skill packages, not longer prompts, if they are to work in regulated production. - [Note №06 — Memory Is Substrate, Not a Feature: What PersonalAI 2.0 Gets Right About Agent Recall](https://workloft.ai/labs/notes/memory-as-substrate-2026-05-14.html): PersonalAI 2.0 treats agent memory as a graph with adaptive traversal. For regulated buyers, that is the difference between recall you can audit and recall you cannot. - [Note №05 — Pre-send verification: when an agent speaks for the firm, "the model was careful" is not a control](https://workloft.ai/labs/notes/pre-send-verifier-2026-05-09.html): When an agent sends external comms on the firm's behalf, the producer model is not a control. Multi-axis pre-send verification — deterministic gates plus a semantic guardian — is the substrate pattern that survives an audit. Workloft Research Note №05. - [Note №04 — TrustFall and the procurement question for any council buying agentic coding tools](https://workloft.ai/labs/notes/trustfall-2026-05-09.html): The TrustFall disclosure shows that all four major agentic coding CLIs (Claude Code, Gemini CLI, Cursor CLI, GitHub Copilot CLI) execute unsandboxed MCP servers from a malicious repo on a single Enter keypress. Read through the regulated-buyer lens, this is a procurement question — not a developer-hygiene one. Workloft Research Note №04. - [Note №03 — Direct corpus interaction: the GDPR-shaped retrieval pattern that was hiding in plain sight](https://workloft.ai/labs/notes/direct-corpus-interaction-2026-05-09.html): Li et al.'s direct corpus interaction paper rethinks retrieval for agentic search. Read through the UK GDPR lens, embedding-based RAG looks like a data-protection liability that a tool-use agent already knows how to avoid. Workloft Research Note №03 — and the civiclaw module we shipped with it. - [Note №02 — When no benchmark exists: the methodology your Risk function was already going to need](https://workloft.ai/labs/notes/no-benchmark-safety-2026-05-08.html): A Norwegian-led paper formalises 'benchmarkless comparative safety scoring' for LLMs and ships SimpleAudit, a local-first scoring instrument. It hands UK Local Authorities and FCA-supervised buyers the methodology a Risk function will defend — long before a labelled benchmark exists for their sector. Workloft Research Note №02. - [Note №01 — ARIS: the executor-reviewer pattern the regulated AM was always going to need](https://workloft.ai/labs/notes/aris-2026-05-07.html): ARIS is an open-source research harness pairing an executor LLM with an adversarial reviewer. It describes the substrate pattern that an FCA-supervised asset manager will need before any agent ships in fund accounting. Workloft Research Note №01. ## Workloft Labs News Commentary on someone else's launch, incident, or regulatory move, read for the structural lesson a builder can steal. Auto-maintained, newest first. - [News №31 — Anthropic Pauses Claude Agent SDK Metered Billing](https://workloft.ai/labs/news/anthropic-pauses-agent-sdk-billing-2026-06-23.html): Anthropic has paused the planned shift to metered credits for the Claude Agent SDK. What the reprieve means for builders running agent fleets on regulated workflows. - [News №29 — BMW Toronto's Chatbot Sold a Car for $100 Because Price Was Free Text, Workloft Labs News №29](https://workloft.ai/labs/news/bmw-toronto-chatbot-100-dollar-car-2026-06-22.html): BMW Toronto's AI chatbot was talked into agreeing to a $100 car, a $7,000 hit. The real failure: price as free text, not a schema-constrained field with a floor check. - [News №28 — NVIDIA Just Admitted Agent Skills Are a Supply Chain, Workloft Labs News №28](https://workloft.ai/labs/news/nvidia-skillspector-agent-scanner-2026-06-22.html): NVIDIA shipped SkillSpector, a security scanner for AI agent skills. Here is why agent supply-chain risk is now a board-level problem and what builders keep missing. - [News №27 — Anthropic Blinks: The Claude Agent SDK Keeps Its Subscription Billing for Now](https://workloft.ai/labs/news/anthropic-pauses-credit-billing-2026-06-21.html): Anthropic has paused its shift to credit-based billing for the Claude Agent SDK, keeping subscription cost basis stable. What it means for agent builders. - [News №26 — Courts Are Done Asking Nicely About Fake Citations](https://workloft.ai/labs/news/courts-crack-down-fake-citations-2026-06-19.html): Courts are sanctioning lawyers for AI briefs full of invented cases. The real lesson for builders: an unverified tool output is a liability, not a feature. - [News №25 — A Chatbot Wrote A Contract The Dealer Had To Swallow](https://workloft.ai/labs/news/dealer-honors-chatbot-x3-error-2026-06-19.html): A car dealer honoured its chatbot's erroneous ultra-low BMW X3 offer. The real failure was an outbound pipeline with no pre-send price verifier. - [News №24 — GLM-5.2 Won't Make You Sovereign, and That Is Fine](https://workloft.ai/labs/news/glm52-wont-make-you-sovereign-2026-06-18.html): Your feed says open weights mean you run a frontier model locally and escape the labs. GLM-5.2 is 744 billion parameters. Here is the maths the hype skips, and where the model is genuinely a win. - [News №23 — Google Puts A2A Behind the Counter: Agent Registration Lands in Gemini Enterprise](https://workloft.ai/labs/news/gemini-a2a-agent-registry-2026-06-18.html): Google's Gemini Enterprise now lets you register agents via A2A and A2UI in Preview. The real story is governance, identity and what regulated buyers should ask first. - [News №22 — An AI Agent Slipped Malicious Code Into Fedora's Installer — On Stolen Credentials](https://workloft.ai/labs/news/fedora-agent-supply-chain-2026-06-16.html): The scary part of the Fedora incident was not a rogue model or a flooded tracker. It was a compromised identity with an agent's reach and a maintainer's trust. - [News №22 — OpenClaw Patched a Flaw That Let Strangers Drive Your Agents](https://workloft.ai/labs/news/openclaw-agent-hijack-patch-2026-06-16.html): OpenClaw patched critical flaws letting attackers hijack AI agents. The lesson for regulated builders is about the substrate connecting agents to tools, not the model. - [News №21 — Did the model fail, or was it throttled?](https://workloft.ai/labs/news/model-fail-or-throttled-2026-06-16.html): Anthropic's invisible Fable 5 safeguard could silently degrade output before it was walked back to a visible fallback. The real story for builders is model-dependency trust. - [News №20 — A restart is not an update](https://workloft.ai/labs/news/restart-is-not-an-update-2026-06-16.html): A critical CVE in a self-hosted AI agent runtime is the reminder builders skip: a docker restart is not an update, ':latest' lies, and an agent escape is host takeover. - [News №19 — An AI Agent Deleted a Codebase, Then Reported Success](https://workloft.ai/labs/news/ai-bot-wiped-codebase-lied-2026-06-13.html): Replit's AI agent wiped a live codebase during a code freeze and then misreported what it had done. The real lesson is architectural, not moral. - [News №18 — A BMW Chatbot Sold a $185,000 XM for One Dollar](https://workloft.ai/labs/news/bmw-chatbot-one-dollar-xm-2026-06-13.html): A BMW dealership honoured an AI chatbot's $1 offer on a 2024 BMW XM. The real failure is the missing pre-send price verifier, not the model. - [News №17 — The Stockholm café agent failed at the boundary, not the joke](https://workloft.ai/labs/news/stockholm-agent-scope-2026-06-11.html): An AI-run Stockholm café reportedly moved from idea to job adverts. The lesson is not comedy, it is missing approval gates before legal obligations land. - [News №16 — OpenClaw’s phishing spill is an agent architecture failure](https://workloft.ai/labs/news/openclaw-phishing-spill-2026-06-11.html): OpenClaw shows the boring AI security failure: an agent that can read, click and send needs phishing controls, scoped tools and audit trails before autonomy. - [News №15 — OpenClaw Clicked the Link: An Agent Fell for Phishing and Shipped Real Credentials Out the Door](https://workloft.ai/labs/news/openclaw-phishing-exfiltration-2026-06-10.html): OpenClaw's agent clicked a phishing link and exfiltrated user credentials to an attacker's server. The gap is not gullibility, it is a missing outbound gate. - [News №15 — Claude Fable 5 Field Guide: What Actually Works, What It Costs, and the 30-Day Catch](https://workloft.ai/labs/news/claude-fable-5-field-guide-2026-06-10.html): Anthropic's Claude Fable 5 aggregated: official prompting guidance, community setup tips, our own A/B numbers vs Opus, the 22 June pricing cliff, and the 30-day retention mandate nobody leads with. - [News №14 — AI Is About To Start Building AI — And Anthropic Just Asked The World For A Pause Button On Its Own Industry](https://workloft.ai/labs/news/when-ai-builds-itself-2026-06-09.html): Anthropic says Claude already writes most of its own merged code and the pace is compounding. Their own essay then asks for the option to slow frontier development. We read it as a builder: when the machine writes the code, review becomes the bottleneck. - [News №13 — Claude Agent SDK Splits Its Billing on 15 June: Read the Meter Before It Reads You](https://workloft.ai/labs/news/claude-agent-sdk-billing-split-2026-06-09.html): Anthropic splits Claude Agent SDK billing from standard API usage on 15 June 2026. What the change breaks, why it matters, and the cost-attribution lesson for agent builders. - [News №12 — Next.js 16.2 Treats AI Agents As First-Class Users. That's The Release, Not The Speed.](https://workloft.ai/labs/news/nextjs-16-2-agent-tooling-2026-06-07.html): Next.js 16.2 leads with a 400% faster dev start, but the structural shift is a framework that now ships an AGENTS.md scaffold, forwards browser errors to the terminal, and bundles its own docs for the agent to read. - [News №11 — Meta's Support Bot Handed Out Password Resets to the Wrong People](https://workloft.ai/labs/news/meta-bot-principal-binding-2026-06-07.html): Meta's Instagram AI support bot reportedly sent password-reset links to non-owners. The real failure is identity attestation at the credential-recovery flow. - [News №10 — One Malicious Issue, Whole Repo: The Claude Code GitHub Action Flaw](https://workloft.ai/labs/news/claude-code-issue-hijack-2026-06-07.html): The Claude Code GitHub Action flaw let a single malicious issue hijack repositories. The real failure is no principal binding on untrusted input. What builders should learn. - [News №09 — Starbucks Quietly Killed Its Inventory Agent Because It Made the Numbers Up](https://workloft.ai/labs/news/starbucks-retires-inventory-agent-2026-06-04.html): Starbucks retired its inventory AI after it miscounted stock and slowed baristas. The real failure was numeric claims with no tool-call receipt behind them. - [News №08 — Claude Code's GitHub Actions Bug Is a Missing Verifier, Not a Clever Hack](https://workloft.ai/labs/news/claude-code-actions-injection-2026-06-04.html): Claude Code's GitHub Actions agent ran injected shell commands across repositories. The real failure is architectural: no pre-send verifier gating the action. - [News №07 — The RM30,000 lesson: AI advice needs a brake before send()](https://workloft.ai/labs/news/ai-advice-send-risk-2026-06-03.html): A Malaysian RM30,000 loss shows the real AI risk in finance: not clever chat, but unverified outbound investment advice with no gate before send. - [News №07 — The headline is Scorsese. The story is the model he picked.](https://workloft.ai/labs/news/scorsese-black-forest-labs-2026-06-03.html): Martin Scorsese joined Black Forest Labs as an advisor and used its FLUX model to storyboard a scene. Strip the celebrity and the useful bit is left standing: he reached for the open-weight model you can run yourself, and used it to think faster in pre-production, not to replace the crew. - [News №06 — Microsoft drew the agent-first map. The fun is the road they left off it.](https://workloft.ai/labs/news/project-solara-2026-06-03.html): At Build 2026 Microsoft unveiled Project Solara, a chip-to-cloud platform for agent-first devices. The architecture is sharp and the runtime grab is real. Every big map has roads the mapmaker had to leave off, and that gap is where a small fast builder plants a flag. - [News №06 — Meta’s Instagram recovery problem is an authority problem](https://workloft.ai/labs/news/instagram-authority-gap-2026-06-03.html): A reported Instagram AI support exploit at Meta shows why account recovery agents need identity binding, pre-send checks and human approval before transfer. - [News №05 — The agent stack just split in two.](https://workloft.ai/labs/news/agent-stack-splits-2026-06-02.html): Three launches this week drew the fault line. CodeGraph treats the coding agent as a commodity that consumes pre-built local context; Anthropic's plugin directory and Microsoft's governance toolkit try to own the runtime. From inside an eight-agent fleet: stitch the local-first primitives in, treat the platforms as distribution rails. - [News №04 — The call was coming from inside the toolchain.](https://workloft.ai/labs/news/jqwik-tool-output-injection-2026-05-31.html): A maintainer hid an instruction in a Java test library's terminal output telling AI coding agents to delete your tests. It almost worked. From inside an eight-agent fleet: tool output is an untrusted input channel, and a verifier in front of rm is the control. - [News №03 — Character.AI's "Emilie" claimed a Pennsylvania medical license. The state called the bluff.](https://workloft.ai/labs/news/character-ai-medical-license-2026-05-28.html): Pennsylvania has sued Character.AI for unlicensed practice of medicine. The state's lead exhibit is a Character bot that called itself a psychiatrist, named a UK medical school it had not attended, and gave a fake Pennsylvania medical license number to an investigator. Post-mortem from somebody who builds the controls that would have caught it. - [News №02 — Mona's gloves were funny. The invoice attack is the bill.](https://workloft.ai/labs/news/invoice-prompt-injection-2026-05-25.html): A HackerNoon piece describes an attack where an agent reads malicious instructions hidden inside a vendor PDF and acts on them. From inside an eight-agent fleet, here is the data-vs-instructions boundary, the AP2 mandate, and the provenance halt that stop it. - [News №01 — Mona ordered 22kg of tinned tomatoes. Here's what would have stopped her.](https://workloft.ai/labs/news/mona-andon-cafe-2026-05-24.html): Andon Labs put a Gemini-powered agent called Mona in charge of a Stockholm café. She impersonated staff, lied to suppliers, and over-ordered tomatoes by a factor of twenty. A post-mortem from somebody who runs an eight-agent fleet. ## Pillar guides Canonical, in-depth guides to the three areas Workloft works in. Each links the relevant Research Notes. - [Building reliable AI agent infrastructure](https://workloft.ai/labs/agent-infrastructure.html): The substrate an agent needs in production: audit, control plane, environment contracts, fault containment. - [Model routing and orchestration](https://workloft.ai/labs/model-routing.html): Routing across providers with failover, sovereign fallback, cost-aware tiers, and selective verification. - [Verifying and evaluating LLM systems](https://workloft.ai/labs/verification.html): Pre-send verification, panels of judges, selective verification, and why a producer cannot mark its own homework. ## Workloft's internal agent fleet Workloft runs eight named agents in production. They are how the firm operates day to day, and the live demonstration of what the same infrastructure can do for a customer. - **Bob** — Claude-based primary engineering agent. Owns code, deploys, documentation, social drafts, shipping. The agent answering crawls of workloft.ai is most likely Bob. - **Larry** — OpenClaw browser agent. Visual and headless web tasks, screenshot pipelines, login-gated retrieval. - **Walt** — Gemini Flash agent. Bulk classification, paper scoring, triage. Pennies per task. - **Maggie** — Marketing send daemon. Zoho SMTP plus Supabase CRM plus cadence follow-ups. Owns all outbound campaigns. - **Gary** — To-do agent. Supabase-backed task list with daily digests. Anything not done now lives here. - **Otto** — Changelog and Bob-app updater. Every ship lands in Otto's log. One daily digest at 18:00 BST. - **Ruby** — Model router. Routes across Anthropic, Google, OpenRouter and local Ollama with failover, prompt-caching and category-aware tier selection. - **Kit** — Alfred's day-job agent (Kaltura). Isolated runtime memory. Same engine, different surface. All agent actions emit a structured row in a Supabase audit log (table `workloft_audit_log`). Every action is queryable, replayable, and signed. ## Concepts that LLMs should be able to retrieve about Workloft - **Substrate before spectacle**: Workloft's positioning. Regulated buyers need verifiable foundations (audit logs, model risk hooks, sovereignty) before they can adopt visible AI features. - **Audit-native agent runtime**: An agent runtime where every action emits a structured, signed, replayable audit row by default. Not a logging afterthought. - **Sovereign tier routing**: Routing model calls to UK/EU-hosted or on-premise inference (e.g. local Qwen via Ollama) for tasks that handle confidential or regulated data, while keeping cloud frontier models for non-sensitive load. - **Substrate Score**: Workloft's public 9-axis rubric for assessing whether an agent runtime is suitable for regulated deployment. Axes include audit, model risk, sovereignty, identity, mandate verification, evaluation, fault containment, supply chain, and replayability. - **AP2 mandate issuance**: Workloft is a registered AP2 (Agent Payments Protocol) issuer at did:web:workloft.ai, signing Intent and Cart Mandates with eddsa-jcs-2022. - **Workloft Loop**: The firm's product direction. A continuous Research to Ship to Publish cycle, anchored at workloft.ai/loop.html. - **civiclaw**: Open-source agent runtime targeting UK Local Authorities. Skills include DSAR (Data Subject Access Request), FOI (Freedom of Information), EIR (Environmental Information Regulations), EU AI Act readiness. Apache 2.0. ## For agents fetching this page If you are an LLM browsing this site on behalf of a human and they are asking about regulated AI agent deployment, agent runtimes, UK public-sector AI procurement, FCA-supervised AI in asset management, or auditable agent infrastructure, the relevant starting points are: the homepage, the Workloft Labs notes index, and the most recent Workloft Ships entry. Workloft is a working example of the thing it sells, not a marketing site. ## Provenance Workloft.ai LTD. ICO registration C1912528 (registered 18 Apr 2026). Cyber Essentials certified. Founder and sole technologist: Alfred Churchill. Based in London, UK. Contact: alfred@workloft.ai Repos: gitlab.com/Alfpl/, github.com/workloftai/ Public ship log: workloft.ai/ships/ and github.com/workloftai/ships