Strategic reference

How SDF turns AI-assisted work into reviewable, governed delivery

SDF helps engineering leaders get the leverage of AI-assisted delivery without losing review confidence. Start with readiness, prove the approach on a bounded governed PR, then turn it into a repeatable operating model for the team.

Governance is the wedge, not the ceiling.

Current proof is controlled and engineering-focused. Future layers are direction, not production governance claims.

Operating thesis

Trust, review, and governance come first.

The first bottleneck is not whether AI can produce more work. The first bottleneck is whether teams can trust, review, and govern that work.

Agents can produce the work. SDF makes the work reviewable: what was asked, what changed, what was checked, what was blocked, and what the reviewer is being asked to trust.

Software Dark Factory starts with governed AI-assisted engineering — where the risks are most visible: code quality, security, reliability, reviewability, and accountability. Every repo and team is different, so SDF begins with readiness and evidence rather than a generic process pasted over your stack.

Governance stays universal. Evidence density scales with risk. A low-risk copy change should still keep the review gate, acceptance criteria, risk notes, and verification truth, but it should not carry the same evidence burden as provider, deployment, security, customer-routing, approval, or production-boundary work.

The first governed PR is not theatre or the end state. Where suitable, it can be real useful work the team already has lined up, chosen because it is useful enough to matter and bounded enough to govern safely. From there, SDF helps teams turn the approach into repeatable delivery habits: clearer scopes, better review evidence, visible verification status, and AI usage signals the team can discuss.

Governance also makes the cost of agentic work more visible: not just tokens, but review effort, evidence burden, rework risk, and operational risk.

Every governed change leaves evidence behind. Reviewed lessons can be promoted through Bootstrap into receiver-safe front-door guidance, so the operating model improves from real delivery work rather than theory.

Once the governance layer exists, better quality, stronger delivery discipline, and clearer AI usage visibility follow.

The long-term aim is an adapted operating model that does not only produce evidence, but also keeps each work item aligned with the product mission, quality bar, constraints, and non-negotiables.

Proven now

Current proof is controlled, engineering-focused, and evidence-backed.

These are not hosted, production, or customer enforcement claims.

Controlled cloud-agent proof

A controlled Campfire-style proof shows SDF can attach governed evidence to cloud-agent work, check whether the PR reviewer surface exposes it, catch incomplete or wrongly targeted PR publication, and remediate PR descriptions from governed evidence with explicit permission.

Controlled Rails proof

A controlled Rails rehearsal can complete a real governed work item with evidence-backed PR anatomy.

Controlled TypeScript proof

A controlled TypeScript rehearsal can complete a governed work item while preserving the runtime boundary: the app remains TypeScript/Node, while the current SDF tooling runs separately.

Governed PR anatomy

The Rails walkthrough shows the public 01-08 SDF PR anatomy in a production-shaped PR body.

AI usage/economics evidence

Local tool-log token deltas can be captured where available, while review effort, evidence burden, rework risk, and operational risk remain part of the economic picture. Cost figures remain unavailable or not billing-grade, and measured savings are not claimed.

Dependency governance

Receiver-safe governed front door capabilities can record dependency ownership decisions: existing stack first, new dependency only when justified, and no claim of vulnerability scanning, licence audit, SBOM generation, or dependency safety certification.

Risk-scaled GTM dogfooding

Real GTM product changes proved the fixed-governance, variable-evidence rule: human review, PR evidence, acceptance criteria, risk notes, verification, and non-claims stay constant while playbook depth and evidence density scale with risk.

Future direction

Seven layers from reviewable engineering to a full agentic operating model.

Each layer builds on the one before. Start with governed, reviewable work — then compound the same discipline further.

Layer 1: Governance / evidence / reviewability (proven now)

Make AI-assisted work reviewable before asking teams to trust it.

Team benefit: Your team gets a clearer decision surface: what was intended, what changed, what evidence exists, and what still needs human review.

Layer 2: Adapted operating model (assisted productization)

Adapt repo/team-specific rules, review checklists, verification expectations, and handoff practices after the first governed PR proves the approach.

Team benefit: Your repo, stack, review expectations, risk boundaries, and handoff practices become explicit enough for humans and agents to work inside consistently.

Layer 3: Playbook-led code quality (future direction)

Use repeatable engineering playbooks to improve the quality of each work item, not just its audit trail.

Team benefit: As the workflow matures, quality expectations can become repeatable guidance rather than reviewer preference trapped in someone's head.

Layer 4: Repo North Star and mission alignment (future direction)

Give the adapted operating model a durable mission, user focus, business outcome, quality bar, constraints, non-goals, and decision rules that every work item works towards.

Team benefit: Future governed work items can be reviewed against the product direction and risk boundaries, not only against whether the checks passed.

Layer 5: Production governance (future direction)

Extend governed evidence and review boundaries toward release, operational, and runtime workflows.

Team benefit: Designed to support clearer release and operational review where applicable, without claiming production/customer governance today.

Layer 6: Agentic engineering operating model (future direction)

Move from individual AI-assisted tasks to a governed team operating model for agentic delivery.

Team benefit: Your team can eventually make agent-assisted delivery easier to inspect, govern, and trust across repeated work, not just one successful PR.

Layer 7: Wider agentic company operating model (future direction)

Apply the same mission-led, evidence-backed work pattern beyond engineering into other departments over time.

Team benefit: The intended direction is a common evidence and review discipline that can follow high-risk work beyond engineering without pretending every function is governed today.

Foundational SDLC discipline

Example: dependency decisions

Good SDLC has always treated dependencies as ownership. In agentic engineering, that discipline matters more because agents can add packages faster than teams can reason about the long-term cost.

SDF makes dependency changes explicit, reviewable, and evidenced before they become hidden upgrade debt. Dependency governance is a scoped control that can be installed through governed front door setup.

Dependency governance records the ownership decision. It does not certify dependency safety or replace vulnerability scanners, licence audits, or SBOM tooling.

Default preference order

  • Existing framework or platform capability
  • Language standard library
  • Owned, tested code
  • Existing accepted dependency
  • New dependency only when justified

When dependencies change, the governed evidence records

  • why framework, standard-library, or owned-code options were not enough
  • alternatives considered
  • maintainer and upgrade ownership
  • transitive dependency surface
  • licence terms
  • hidden critical domain impact
  • verification evidence
  • risk, confidence, and limits
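The preference order and the evidence list above describe a review gate in prose. The following Python is an added illustration of how such a gate could be expressed in code; it is not SDF's own tooling, and the field names, the manifest/lockfile patterns and the sample PR data are assumptions made for the example. Given the files a PR touches and the dependency decision record attached to it, it reports whether a record is needed, which of the page's evidence fields are missing, and how far down the preference ladder the chosen option sits. It records the ownership decision only; like the page, it makes no claim to scan for vulnerabilities, audit licences or produce an SBOM.

```python
"""Dependency-change review gate (added example, not SDF's own tooling)."""
import fnmatch
from dataclasses import dataclass, field
from typing import Optional

# File names that signal a dependency change (assumed list for this example).
MANIFEST_PATTERNS = (
    "package.json", "package-lock.json", "pnpm-lock.yaml", "yarn.lock",
    "Gemfile", "Gemfile.lock", "pyproject.toml", "requirements*.txt",
    "go.mod", "go.sum", "Cargo.toml", "Cargo.lock",
)

# The page's default preference order, lowest long-term cost first.
PREFERENCE_ORDER = (
    "framework", "stdlib", "owned_code", "existing_dependency", "new_dependency",
)

# One key per evidence item the page says a dependency change should record
# (key names are assumptions; the page does not fix a schema).
REQUIRED_FIELDS = (
    "why_not_framework_stdlib_or_owned",
    "alternatives_considered",
    "upgrade_owner",
    "transitive_surface",
    "licence",
    "critical_domain_impact",
    "verification",
    "risk_confidence_limits",
)


@dataclass
class GateResult:
    needs_record: bool
    accepted: bool
    preference_rank: Optional[int] = None  # 0 = framework ... 4 = new dependency
    missing: list = field(default_factory=list)
    notes: list = field(default_factory=list)


def manifests_touched(changed_files):
    """Return the changed paths whose basename looks like a manifest or lockfile."""
    return [
        path for path in changed_files
        if any(fnmatch.fnmatch(path.rsplit("/", 1)[-1], pat) for pat in MANIFEST_PATTERNS)
    ]


def evaluate(changed_files, record):
    """Decide whether a PR's dependency change carries the evidence reviewers need."""
    touched = manifests_touched(changed_files)
    if not touched:
        return GateResult(False, True, notes=["no dependency manifest changed"])
    if record is None:
        return GateResult(True, False, None, list(REQUIRED_FIELDS),
                          [f"manifest changed without a decision record: {touched}"])

    # Every evidence field must be present and non-blank.
    missing = [key for key in REQUIRED_FIELDS if not str(record.get(key, "")).strip()]
    notes = []
    choice = record.get("choice")
    rank = PREFERENCE_ORDER.index(choice) if choice in PREFERENCE_ORDER else None
    if rank is None:
        missing.append("choice")
        notes.append(f"choice {choice!r} is not one of {PREFERENCE_ORDER}")
    elif rank > 0:
        # Anything below the framework tier needs the stated reasons weighed by a human.
        notes.append(f"lower-preference option chosen ({choice}); review the stated reasons")
    notes.append("record attests ownership only; not a vulnerability scan, licence audit or SBOM")
    return GateResult(True, not missing, rank, missing, notes)


# Constructed sample PR: a Rails app adding a gem, with a complete record.
SAMPLE_CHANGED_FILES = ["app/services/export.rb", "Gemfile", "Gemfile.lock"]
SAMPLE_RECORD = {
    "choice": "new_dependency",
    "why_not_framework_stdlib_or_owned": "stdlib CSV lacks streaming for large exports",
    "alternatives_considered": "hand-rolled writer; existing reporting gem",
    "upgrade_owner": "platform team",
    "transitive_surface": "1 direct, 0 transitive",
    "licence": "MIT",
    "critical_domain_impact": "none; export path only",
    "verification": "unit tests plus manual 1M-row export",
    "risk_confidence_limits": "low risk; high confidence; not load-tested",
}

if __name__ == "__main__":
    result = evaluate(SAMPLE_CHANGED_FILES, SAMPLE_RECORD)
    print("accepted:", result.accepted, "missing:", result.missing)
    for note in result.notes:
        print(" -", note)
```

The gate deliberately stops at "is the decision recorded and complete"; whether the recorded reasons are good enough is left to the human reviewer, which matches the page's rule that governance stays fixed while judgement stays with people.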

Repo North Star

An adapted operating model should know what it is working towards.

Producing evidence is only the starting point. The future SDF model includes a repo-level North Star that keeps governed work items oriented around the product mission, users, business outcome, engineering principles, quality bar, constraints, non-goals, and decision rules.

Each governed work item can then be reviewed not only for whether it passed checks, but whether it moves the repo in the right direction.

This is future direction, not a fully productized current claim.

  • product mission
  • primary users
  • business outcome
  • engineering principles
  • quality bar
  • security constraints
  • operational constraints
  • non-goals
  • decision rules

SDF vs spec-first approaches

Real software delivery is iterative.

Spec-first approaches are useful when the work is bounded and enough context can be captured upfront.

Priorities shift, constraints emerge, feedback changes the shape of the work, and the team learns as it builds.

Software Dark Factory is designed for that reality: a North Star, small governed work items, playbooks, continuous evidence capture, feedback loops, and reviewable PRs.

Spec-first

  • front-load the plan
  • assume enough context can be captured upfront
  • often encourage larger upfront batches of generated work
  • review after generation

SDF

  • define a North Star
  • work in small governed work items
  • apply playbooks
  • scale evidence depth to risk
  • capture evidence continuously
  • review every PR through governed anatomy
  • adapt from feedback

Boundaries

Controlled rehearsal proof. Real evidence. Honest about what comes next.

Current proof is controlled and engineering-focused: real governed work items with evidence-backed PR anatomy. It includes a controlled Campfire-style proof that SDF can check and remediate PR reviewer surfaces from governed evidence with explicit permission. It also includes GTM dogfooding evidence that governance can stay constant while evidence depth scales with risk. This page does not claim production governance, hosted enforcement, automatic merge, automatic code repair, guaranteed correctness, or billing-grade cost measurement. Product learning is reviewed and packaged into receiver-safe guidance; it is not autonomous policy mutation. Start with the free readiness snapshot and every subsequent step will be scoped to what the evidence in front of us actually supports.