Sheet F · Distribution hub · Drawn by the-metafactory · Design phase → L1 build

metafactory

A distribution hub for agentic processes. Capture, share, and evolve the skills, tools, workflows, and SOPs that teach AI agents how to do real work.


The problem

Agent skills are powerful but non-distributable. Every team's agent knowledge lives in local directories, personal configs, tribal memory. There's no way to discover what works, install a proven workflow, or share a battle-tested process with others.

MCP solved connectivity. Skills solved capability. Nobody is solving process — the knowledge of how agents do work, in what order, with what gates and feedback loops.

Meanwhile, the ecosystem is wide open to supply-chain attacks. MCP shipped 30+ CVEs in 60 days. npm lost control of post-install scripts years ago. There is no trust model for agentic components.

The vision

Every way agents do work can be captured, shared, and improved. Businesses are graphs of algorithms. Companies are becoming APIs — every business surface a callable interface. Toolsheds fill with ways to call them: skills, tools, MCP servers. You wire them together into processes to perform work.

Hand-drafted technical illustration of the metafactory process loop. Four stations sit clockwise around a circle: DO WORK at the top, TRACES RECORDED on the right, PATTERNS EXTRACTED at the bottom, PROCESS PUBLISHED on the left. A red arrow loops back from PROCESS PUBLISHED up to DO WORK with the label 'OTHERS RUN THE PROCESS'. The centre square reads METAFACTORY · DISTRIBUTION HUB. A red footnote at the bottom reads 'Closed by default. Trust earned, not declared.'
FIG. F.0 — The process loop · work generates the data, the data becomes the recipe

metafactory is a distribution hub for that knowledge. Not just code packages — the recipes, the playbooks, the hard-won understanding of what actually works. Agentic AI makes these processes observable. Every agent session is a trace. Every trace is potential knowledge. Every piece of knowledge can become a distributable, evolvable artifact.

The act of doing work through agentic tools IS the process mining. You don't need a separate observation step. The work generates the data. The data becomes the recipe. The recipe evolves.

What gets distributed

Components at every level of abstraction:

┌────────────────┬───────────┬─────────────────────────────────────────────────┐
│ LEVEL          │ ARTIFACT  │ WHAT IT DOES                                    │
├────────────────┼───────────┼─────────────────────────────────────────────────┤
│ Capability     │ Skill     │ Teaches an agent how to do something            │
│ Capability     │ Tool      │ Gives an agent something to do it with          │
│ Capability     │ Agent     │ A specialised persona with domain expertise     │
│ Invocation     │ Prompt    │ A single-shot instruction template              │
│ Orchestration  │ Playbook  │ An ordered sequence of tasks with gates         │
│ Configuration  │ Rules     │ Agent instruction files for a project           │
│ Knowledge      │ Process   │ An extracted, evolved workflow from real traces │
└────────────────┴───────────┴─────────────────────────────────────────────────┘

Skills are capabilities. Processes are workflows. Rules teach agents how to work within a context. You install a skill to gain an ability, a process to gain a recipe, rules to shape how agents behave in a project.

Trust is what makes it safe enough to exist

Trust is not the product. Trust is what makes the product safe enough to exist. Distributing processes is more dangerous than distributing code. A malicious process can make your agent believe harmful actions are correct — shaping judgment, not just capability.

Principles

Verification tiers

○ NEW         No badge. Can browse and install.
◐ IDENTIFIED  MFA + GitHub + identity verified by existing member.
● PROVEN      3+ packages, sponsor endorsement, track record.
◆ TRUSTED     Sustained contributions, can sponsor new contributors.
★ STEWARD     Governance authority. Community vote.

The seven layers

Built bottom-up. Each layer depends on the ones below it:

L7  Process Layer          Trace capture, composed workflows           Iter 5+
L6  Runtime Enforcement    Sandbox, capability enforcement             Iter 3+
L5  Supply Chain Security  Sigstore / SLSA, OIDC, transparency log     Iter 2–3
L4  Trust Visibility       Live website, badges, profiles              Iter 2–3
L3  Submission Pipeline    Validation, audit, sponsor review           Iter 2
L2  Distribution           Registry protocol, R2 storage, arc          Iter 2
L1  Trust Foundation       Accounts, auth, MFA, sponsors, tiers        Iter 1 ← current

The supply-chain defences

┌──────────────┬───────────────────────────────────────────────────────┐
│ LAYER        │ DEFENCE                                               │
├──────────────┼───────────────────────────────────────────────────────┤
│ Pre-publish  │ Secret scanning (gitleaks), capability declaration    │
│ Submission   │ Manifest validation, capability audit, sponsor review │
│ Identity     │ Sigstore package signing + Ed25519 commit signing     │
│ Content      │ Prompt-injection scanning (pai-content-filter)        │
│ Runtime      │ Sandbox enforcement of declared capabilities          │
│ Audit        │ Sigstore transparency log + immutable event trail     │
└──────────────┴───────────────────────────────────────────────────────┘

How it fits the stack

metafactory is the network half. arc is the client half — the part that lives on your machine and talks to it. Together they form the distribution pair: arc fetches, audits, installs; metafactory hosts, reviews, signs, serves.

blueprint (the noun) is what gets distributed — every published component is called a metafactory blueprint. blueprint (the CLI, soon to be depend) tracks dependency relationships across the components that are being built.

myelin and cortex are reference implementations that ride on top — concrete protocols and surfaces that themselves get distributed as metafactory blueprints.

Conceptual heritage

metafactory builds on ideas from four related projects:

PAI         Personal AI infrastructure. Businesses as graphs of algorithms.
pai-collab  Shared blackboard architecture. Trust zones. Six-layer security.
The Hive    Hub / spoke / local architecture. Operator identity. Portable trust.
Maestro     Playbook format. Auto-run orchestration. Parallel agent execution.

Status & roadmap
