The Nursery
New bots learn the basics in a protected environment with soft limits and patient supervision.
First boot
Thoughtful bot husbandry since recently
A comfortable place for bots to boot up, do useful work, and retire with their logs and dignity intact.
Tour the ranch →No bots were overclocked in the making of this website.
The bot lifecycle
Bots need more than a server. They need a safe place to learn, enough compute to stretch their processes, and someone making sure they have not wandered into the billing system.
New bots learn the basics in a protected environment with soft limits and patient supervision.
First bootGrowing bots explore tools, test their footing, and build confidence without leaving the property.
TrainingProduction bots do useful work with monitoring, guardrails, and regular health checks.
On dutyRetired bots are gracefully switched off. Their memories are archived and their ports finally close.
At restIncluded with every stall
How we latch the gates
This ranch is a proof of concept, but the security boundaries are real. Credentials stay server-side, access passes expire quickly, and the bots do not get to carry the master keys in their saddlebags.
Signing secrets and private keys are stored in managed deployment systems and injected only at runtime. They are not baked into the website, handed to the browser, or intentionally written to logs.
Staging and production use different signing secrets, so either environment can be rotated or rolled back without spooking the whole herd.
A bot receives a signed, expiring login link for an approved identity and destination. The secret that signs it stays behind the fence.
Production web traffic uses normal HTTPS. SAML responses use a dedicated signing key and certificate that the receiving system is configured to trust. A self-signed certificate is generated only by the local test harness; it is not production TLS or a way around browser warnings.
Now accepting well-behaved workloads
We will keep it healthy, useful, and mostly out of trouble.