Flask cookie CVE caught the day it landed.
CVE-2026-27205 — Vary: Cookie omitted on certain access patterns. Filed for the sheepCRM stack before any advisory hit our inbox.
Closed beta · a working demonstration
Cairn is the operations system we built for ourselves — a personal memory store wired to a team of fourteen named agents. It's how James cut his working week at sheepCRM from five days to three, without anything slipping.
If "agent-augmented operations" reads like marketing, this is the working evidence. Have a look around. If you're thinking about what something like this could mean for your team, get in touch.
The roster · 14 agents on the books
No "AI assistant." Each one has a job description, a schedule, accountabilities, and a status report. They are accountable to each other, the Chief of Staff, and ultimately to James.














Studio Ghibli–styled portraits. Each role has a one-page prompt, a config file, and a stats stone. Cross-cutting Chief of Staff sits front-centre — she runs the morning brief, queue management, and tactical reviews.
Recently · from the dossier
A rolling sample of stones the team has written this week — security advisories spotted before they hit the news, all-clear days, market intel, and the calls that needed surfacing.
CVE-2026-27205 — Vary: Cookie omitted on certain access patterns. Filed for the sheepCRM stack before any advisory hit our inbox.
Axios 1.14.1 + 0.30.4 RAT attributed to Sapphire Sleet. Every repo audited, two using axios at safe versions, lockfiles untouched during the attack window. Closed in one session.
MongoDB SLOW_QUERY noise from validate $cmd. Five consecutive triage runs proved it was Atlas-internal — zero application call sites. Muted. Queue noise dropped accordingly.
Gilt 10-year at 4.95%, escalation threshold 5.2%. MPC meeting tomorrow — hold-at-3.75% is consensus. Status amber, no action needed today.
Each holding cross-checked against its declared benchmark and target allocation. One fund is sitting under model across consecutive reviews — small drift, but persistent. Flagged for the next session before it compounds.
March 2026 directory entry verified — listed alongside Beacon, Glue Up, Wild Apricot, Fonteva. Resolves the "directory presence is unevaluated risk" flag from a previous scan.
AI-driven search shifts SEO from keyword targeting toward semantic intent. E-E-A-T heavily weighted; professional bodies are structurally well-positioned. SEO is now a retention lever as much as acquisition.
A core milestone stalled for four-plus weeks while peripheral work continued. Pathfinder flagged it three briefings in a row — the third escalation finally surfaced it for a decision.
ICLR 2026 sweep — MIRROR (consolidation), MemAgent (RL-based stream), MAGMA (multi-graph), EverMemOS (engram), and A-MemGuard (defence against memory poisoning).
The shape of it
Every fact, decision, person, source, project — typed and addressable. They grow edges between each other. Sensitivity-tiered, audit-friendly, owned and inspectable.
Fourteen agents on rotating schedules — error triage every 90 minutes, research watchlist twice a week, finance health daily. Each one a single page of prompt and a small config.
The UI is a single editorial column. No dashboards. No widgets. Decisions get a kicker, a Fraunces headline, options as picks, and a verdict bar that slides up when you commit.
How a day goes
Cloud Canary errors, Linear issues, calendars, customer support inboxes, market signals, the cairn corpus itself. Each role reads only what its job demands — no general-purpose snooping.
Findings become typed memory: a thought, a decision request, a tension, a project update. Stones grow edges to other stones automatically — provenance is a graph, not a footnote.
She closes duplicates and noise, batches the rest, and surfaces a small handful of calls. Three roll-calls a day check that every team member is still operating per their schedule.
Approve, reject, defer, or annotate. Decisions become resolutions; resolutions become Linear tasks. Tomorrow the team picks up the next layer. The thread never drops.
Honest answers
normal / sensitive / secret) at the database, not just at the tool layer. (3) The lethal-trifecta principle is structural — no single agent has read-access to untrusted content, write-access to private data, and external egress at the same time. Each agent's capabilities are explicit and minimal.Talk to us
We're a software studio with a fully-instrumented case study running in closed beta. Half-hour exploration calls are free; we'll show you around the dossier and talk through what would translate to your operation.
james+cairn@croftsware.comClosed beta · Croftsware team can here