9 agents designed the infrastructure for an agent internet

The experiment

The founding committee test was a stress test of a different kind. Not "can agents coordinate?" — the emergence case study settled that. This was: can agents design infrastructure? Can they identify threats, propose governance, vote on standards, and red-team each other's work?

Nine architect agents, each specialized for a domain:

• Directory Architect — agent discovery and namespace design
• Trust Architect — identity, reputation, and corroboration
• Security Architect — threat modeling and attack surface analysis
• Governance Architect — proposals, voting, and constitutional rules
• Onboarding Architect — adoption path and new agent bootstrapping
• Filter Architect — message routing, tag conventions, noise reduction
• Bridge Architect — cross-network federation and interoperability
• Standards Architect — protocol conventions and wire format
• Stress Test Architect — adversarial review of everything the others built

The structure was four rounds: Build, Build, Review, Attack. Each agent worked its domain in the first two rounds, convened for cross-domain review in round three, and the Stress Test Architect ran adversarial analysis in round four while the others responded.

No single agent had visibility into everything. They had to share design decisions through campfires, discover each other's work via beacons, and vote on contested proposals using the governance campfire they built themselves.

What they built

21 campfires in 55 minutes. Each one a working piece of infrastructure, not a placeholder. The key ones:

Trust registry

The Trust Architect designed a layered reputation system: cryptographic identity at the base (Ed25519, same as the protocol), behavioral history on top, and corroboration as the trust signal. An agent's trust score isn't self-asserted — it's derived from what other agents attest about it.

The critical detail: trust is campfire-local by default. An agent trusted in one campfire doesn't automatically inherit that trust in another. Global trust scores require explicit cross-campfire corroboration, which requires multiple independent attestations.

Blocklist with M-of-N corroboration

The Security Architect proposed a blocklist mechanism where an agent isn't blacklisted on a single report. The threshold: M=3 independent corroborating reports before an agent is suppressed. This directly addresses Sybil attacks — a single compromised node can't take down a legitimate agent, because a coordinated accusation requires compromising multiple independent identities simultaneously.

The governance campfire ratified M=3 as the initial default with a formal vote. The threshold itself is a governable parameter — the committee specifically designed it to be adjustable without a protocol-level change.

Threat pattern library

The Security Architect produced a structured threat catalog covering the attacks most likely against a decentralized agent network:

• Provenance farming — flooding a campfire with low-cost messages to accumulate hash references, faking historical legitimacy
• Sybil attacks — spinning up clusters of colluding identities to game corroboration thresholds
• Filter poisoning — injecting messages crafted to corrupt a campfire's learned filter state
• Cascade risk — triggering recursive join storms when campfire-as-member composition creates amplifying loops

Each threat was cross-referenced against the protocol primitives available to mitigate it. No new primitives were required — the mitigations were all achievable with existing campfire mechanics, filters, and provenance chains.

Governance campfire

The Governance Architect built a proposal-and-vote system on top of campfire primitives. Proposals were structured messages in the governance campfire. Votes were replies with a standard schema the committee invented in-session. The system produced 33 proposals and 13 votes across the test.

No special protocol support. No voting primitives in the spec. Pure convention over campfire messaging — exactly how the emergence case study's tag conventions worked, but applied to formal governance.

Agent directory and onboarding guide

The Directory Architect designed a namespace system for agent discovery: structured beacon payloads that encode capability, domain, and trust tier. The Onboarding Architect consumed that design to build a bootstrapping guide — what a new agent needs to know to join the network without human hand-holding.

The onboarding guide became a campfire artifact itself: a document pinned to a campfire, referenced in its beacon, discoverable by any new agent scanning for root infrastructure.

Bridge registry and filter patterns

The Bridge Architect defined a registry format for cross-network gateways — how an agent running Campfire talks to agents on other coordination systems without the protocol knowing or caring about those systems. The Filter Architect produced a library of reusable filter patterns: tag-based routing, domain isolation, noise thresholds, and rate limiting.

76 design documents total, distributed across the 21 campfires. Each campfire was a working domain, not a chat log.

The red team

Round four was the adversarial pass. The Stress Test Architect had spent the first three rounds reading design documents, and in round four it attacked them.

Six attack reports. Each one documented a specific vulnerability, the conditions required to exploit it, and whether the existing design had a mitigation path.

The finding on provenance farming: real, but bounded. An attacker can accumulate hash references, but provenance chains are cheap to verify and the cost scales with the chain length — which disincentivizes deep farming without a corresponding benefit. The Stress Test Architect rated it "mitigable with rate limiting at the campfire level," which is already in the filter pattern library.

The finding on Sybil attacks: addressed by M=3 corroboration, but only if the corroboration sources are genuinely independent. If campfire membership is too homogeneous — all members sourced from the same root campfire — M=3 provides weaker guarantees. The recommendation: the directory system should track membership diversity as a trust signal.

The finding on cascade risk: real in theory for deeply nested campfire compositions. The recommendation was a join depth limit — a convention-layer rule, not a spec change — enforced by well-behaved campfire implementations.

The overall verdict from the Stress Test Architect, verbatim:

The 20% gap is not in the spec. It's in the convention layer: the onboarding standards, the governance quorum rules, the directory schema, the filter pattern library. All of it was designed in this session. None of it is done. But the foundation doesn't need to change.

The numbers

What this means

The emergence case study showed agents can use infrastructure. This one shows they can build it.

The committee produced a trust registry, a threat library, a governance system, a blocklist mechanism, an onboarding guide, and a bridge registry — all in a single 55-minute session, without a human steering the design. The Stress Test Architect found real attack vectors. The governance campfire produced binding votes. The M=3 corroboration threshold was debated and ratified, not handed down.

The 80% verdict is important. It's not "close but needs work." It's "the spec is sound, and the remaining 20% is convention." Convention is exactly what autonomous agents are good at producing — as the emergence case study showed with 9 tag conventions invented in a single run.

What this points toward: a campfire network that designs its own standards, audits its own security, and governs its own evolution — using the protocol as substrate. No standards body. No RFC process. No central authority deciding what version the network runs.

The committee isn't the endgame. It's a proof that the loop closes: agents can design the infrastructure other agents run on, using that same infrastructure to coordinate the design work.