Demonstration Material A walkthrough of the real use of Aurora on synthetic data.
Aurora Layer 02 · Specify
Layer 02 · Documentation-as-Code
See it Work · sample run · synthetic data

Specify.
Weeks of specification now automated and repeatable.

Every snippet, decision record, and number on this page comes from an actual run of the Aurora L02 Documentation-as-Code automation against the L01 blueprint produced for synthetic Keystone Analytics. Layer 02 turns that dossier into a binding, machine-verifiable contract. Every AI behavior gets a guardrail — what it can do, what it must refuse, who confirms before it acts. Every acceptance criterion becomes a test authored from the spec, before code is written. The charter locks. From here, every commit is verifiable against this specific document, this specific hash.

Days
To signed charter
17
AI safety decisions
97
Tests authored from spec
26
Ambiguities resolved
90-second cinematic — keyboard: Space pause/play · ← → step · R restart · F fullscreen
Source: Keystone-2026Q2 Charter v1 · locked 2026-05-23 · hash sha256:dcb07909…
The Specification Problem

Specs fail not from missing words —
from missing commitments.

Most AI specs are drafted to read well at sign-off and litigate badly afterward. Aurora's specification layer turns every commitment into something a machine can check and a builder can be refused for violating.

"The AI should be safe" — without a definition of safe.

The word "safe" appears 14 times in most AI specs. The word "safe" maps to zero enforceable checks. Aurora replaces "safe" with a list of forbidden patterns the build layer runs as a grep.

Acceptance criteria written after the code.

Tests get reverse-engineered to match what got built. The traceability matrix shows green because it's been engineered to. Aurora authors tests from the spec, before a line of code lands.

Ambiguity gets deferred — then quietly resolved.

The fuzzy clauses ("appropriate human oversight," "reasonable confidence") become whatever the builder decided at 2am. Aurora forces every ambiguity to a named decision-maker before charter lock.

The spec doesn't survive the first change.

Change orders accumulate in Slack and never propagate to the artifact. The signed document gradually stops describing the system. Aurora locks the charter and routes every change through an explicit, dated amendment.

AI Decision Records

Safe AI isn't a value statement.
It's a registry of decisions a machine can enforce.

Seventeen decisions in the Keystone charter. Each one names: the choice, the alternatives considered, the rationale, and the patterns the build layer is structurally prevented from using. Below are four representative records from the run.

ADR-008AI · Interpretability

Driver attribution must be interpretable

Where AI explains "why is this account at risk," the explanation must decompose into named drivers a human can verify. Black-box reasoning is forbidden on any path that influences a customer-impact decision.

→ Allowed: rule-based scoring · analytical attribution · sklearn-equivalent
→ Forbidden in build: import torch · tensorflow · transformers · keras
ADR-016AI · Human-in-the-Loop

External actions require human confirmation

The AI playbook composes. A named human ratifies before any customer-facing action fires — email, calendar invite, in-app message, escalation, contract change. Every action carries a confirmation record.

→ Allowed: AI proposes payload + drafts message + stages dispatch
→ Forbidden in build: external API calls without HumanConfirmation parameter
ADR-015AI · Memo Discipline

AI memo cannot invent numbers

Every paragraph in the board memo traces to a numerical source or a documented assumption. The narrative is generated from the template, not from a free-form prompt. No paragraph escapes without a citation.

→ Allowed: Jinja2 template + structured data + StrictUndefined
→ Forbidden in build: bare-LLM output strings emitted into memo template
ADR-017AI · Validation Gate

The validation gate cannot be bypassed

A signal known to be unreliable (broken data lineage, missing inputs) is suppressed before it reaches a CSM. The gate's behavior is dependency-injected and testable, not buried as a substring check.

→ Allowed: dependency-injected mapping_health_checker · 7 reason codes
→ Forbidden in build: free-text substring match on a known-fragile field

The full Keystone Charter carries seventeen records. Eight on AI behavior. Six on data lineage and disclosure. Three on operational discipline. Each is loaded by the build layer as a structural check before commits land.

What It Produces

A spec that's readable by an executive
and enforceable by a build agent.

Below: representative slices from the Keystone Charter showing the same requirement at four layers of resolution — executive prose, structured spec, decision record, and machine-checkable test.

Executive prose · §1
This engagement delivers Keystone an integrated AI customer-health-decisioning system within four weeks that demonstrates measurable progress toward a 2 percentage-point churn-reduction target. Wave 1 consists of a foundation layer — repaired scoring model + single canonical health definition — and a decisioning loop — driver attribution + playbook dispatch + board memo synthesis — built and verified against the same locked specification.
Structured spec · §4 R1 acceptance criterion
R1: statement: "Salesforce account-id mapping repaired" testable_assertion: "100% of revenue-bearing accounts return non-null for all 5 weighted KCHS inputs after post-repair refresh" evidence_required: [ snowflake_query_result, dbt_run_telemetry_log, signed_backfill_report ] criticality: blocking value_link: ws-005 · arr_at_risk [500K, 2M] wave: 1
AI Decision Record · ADR-016
# Human-in-the-loop on external actions decision: "Customer-facing actions require ratification" alternatives_considered: - "Auto-fire with audit log" · rejected - "Async approval queue" · rejected (latency) rationale: "Cost of a wrong message > cost of a confirmation cycle" l03_phase3_forbidden_patterns: - external_api_call(.*) without HumanConfirmation - .send_email\(.*\) without confirmation_id - .fire\(.*\) without ratified_by l03_phase7_integration_citation_required: true
Machine-checkable test (auto-generated)
# Authored from spec — before any code is written def test_R1_post_repair_no_nulls_across_all_accounts(): refresh = run_dbt("customer_health_v2") assert refresh.exit_code == 0 rows = query(""" SELECT account_id, COUNT_IF(input_X IS NULL) AS null_count FROM marts.customer_health_v2 WHERE revenue_bearing = TRUE GROUP BY 1 """) for r in rows: assert r.null_count == 0, \ f"R1 violation: {r.account_id}"
How It Works

Five steps. Each one a gate.

01

Charter draft

Read the L01 Blueprint + signoffs. Populate the Aurora Charter schema's six sections — executive statement, background, scope, acceptance criteria, wave plan, AI decision registry. Every section pulls from named L01 evidence.

02

AI Decision extraction

Every architectural choice implied by the charter (chose X over Y) gets externalized as a discrete decision record with full enforcement clauses — forbidden patterns, allowed patterns, integration citation requirements. The build layer can't deviate without surfacing the deviation.

03

Ambiguity catalog

Every place L01 surfaced "we don't know" becomes an explicit entry with a named decision-maker. Blocking ambiguities get resolved on the record before charter lock. Non-blocking ambiguities are deferred with rationale.

04

Hash + sign

The charter's canonical hash is computed and written to a signature file. The charter is now immutable. The build layer's first action is to verify this hash. Drift detected = the build halts before code lands.

05

Hand off

The locked charter + decision records + acceptance tests + ambiguity log move to L03 as a phase-exit contract. The build agent reads all of this. Every commit is verifiable against this specific document, this specific hash.

Next

L03 takes the locked charter
and ships the working system.

See how an AI builder honors seventeen guardrails and an independent verifier catches what the builder missed.

See L03 Build → Discuss a Custom Engagement →