Most of our engagements run under terms that prohibit publication. What follows is a small set of anonymized case studies, written in the same restrained register the practice ships its proposal briefs in — sector, region, methodology, and outcome, with every identifying detail withheld by agreement. Two of the rooms we ship into: healthcare operations and offshore industrial operations. Beneath each case, the software itself — rendered the way a print magazine would render an artifact. Below the cases, the private working portal that runs every active engagement.
Each case below is anonymized by sector and region only — no name, no jurisdiction tighter than region, no detail that could identify a client by elimination. Methodology is described in engineering language; outcomes are written as numbers. The restraint is the credibility signal.
Engagement details published as clients grant permission.
Engagement details published as clients grant permission.
The fundamentals of every system we ship are fixed by discipline. Everything above them is built around your business — your roles, your refusal lanes, your integrations, your shape.
Six engineering fundamentals that ship on every engagement, regardless of industry.
We write the no-list before the yes-list. The boundary the system will never cross is documented and audited before the first feature ships.
The agent reads, drafts, and routes. A senior human takes every high-stakes action. The integrity of that posture is the metric we publish.
Every draft, every flag, every state transition is reconstructable from an audit-stamped event log. Bugs are diagnosable. Decisions are explainable.
Postgres + RLS, applied without exception. Anonymous access is gated, client access is scoped to client rows, operator access is audited.
Every read, write, and refusal is appended to an immutable log keyed to your senior operator — your security officer, your toolpusher, your managing partner.
Structured logging, error-tracking, telemetry, weekly digests. The system explains itself before someone has to investigate it.
Seven customization axes. Concrete, not cosmetic — every axis is a token, a policy, an integration, an audit.
Your logo, palette, microcopy, sender domain. Brand tokens — not theme pickers — so contrast and accessibility never break under your colors.
Clinician, toolpusher, paralegal, dispatcher — your roles, not ours. The RLS scaffolding bends around the role names you actually use.
Your no-list, signed off by your senior operator. Versioned. Auditable. Replayable against any past conversation.
We plug into the systems you already run — EHR, rig event bus, DMS, TMS, payor portal — never the other way around. Inbound webhook, outbound idempotent on retry.
Approve, override, escalate. Gated by your roles, sequenced to your operations rhythm, never to ours.
Your schema, your types — not a generic JSONB blob trying to fit every customer. Migrations versioned, idempotent, single-transaction.
Who sees what. How long it is retained. How it exports to your compliance officer when an auditor asks. SOC2, HIPAA, state-bar, IADC-aligned where the industry requires it.
Same discipline. Different domain. Always your shape.
Every active engagement runs in a private portal — a single surface for milestones, line-item pricing, files, decisions, and two-way email. What follows is a composed view of that surface, presented the way a print magazine would present an artifact.
Thursday at ten works on my end…
Marked as in progress
Uploaded by client · 1.4 MB
Logged on the project record
Every panel below is rendered exactly as it appears in the portal — minus your project name. The layout, the typography, the cyan accent: what you see here is what you sign into.
A single horizontal bar shows what's been paid, what's outstanding, and what's remaining — at a glance. The Phase Board breaks the engagement into named line items, each with its own status and (when it's billed) a Stripe link to pay or download the receipt.
Every adjustment to the headline price — up or down — opens a dialog that requires a written reason of at least twenty characters. The reason is logged immutably, surfaced in the portal alongside the operator's name, and emailed to you with a before/after diff.
Scope expanded to include an admin role and multi-tenant Stripe wiring; we'd rather price the new surface honestly than carry it as a hidden cost.
Pinned at the top of every project: a live timeline of milestones, files, decisions, questions, and replies. When something changes, the row fades in with a one-second cyan pulse and settles. The connection state is shown by the ‘Live’ pip in the header.
Thursday at ten works on my end…
Marked as in progress
Uploaded by client · 1.4 MB
Logged on the project record
When we reply from the operator console, the email lands in your inbox like any other. When you hit Reply, your response threads back into the portal automatically — via plus-addressed routing, with an In-Reply-To header fallback for gateways that strip the address.
Sending a quick check-in — the foundation phase is wrapped. Let me know when you're free for a fifteen-minute walk-through.
Thursday at ten works on my end. The portal makes it easy to keep up between calls — appreciated.
Five sections, around seventeen questions. Autosaves on every blur — you can leave the tab and come back without losing a field. When you submit, the form locks read-only. The version is captured so future intake updates don't silently overwrite what you said.
Three toggles: email, web push, and estimate updates specifically. Each one is a sub-gate, not a kill switch — so even when push is off, the in-portal bell still updates.
The portal is the receipt. The reason column is the trust. The audit log is the contract. You don’t have to take our word for any of it.
Once we’ve accepted your engagement, you’ll receive a private portal URL, a password, and a discovery intake. The first row in your activity feed will be labeled “kickoff.”
A multi-clinic primary care group, US Southeast
The group had grown to fifteen clinicians across four sites, and the administrative weight had begun to consume the nurses. Inbound patient messages waited hours for triage; prior authorizations sat for days before someone could draft them; the weekly operations report was a Friday afternoon that ate two FTEs. The engagement was a single autonomous operator that reads, drafts, and routes the administrative surface of the practice — bound by a refusal lane wider than its work surface, and forbidden from any output that constitutes clinical judgment. The agent reads. The agent drafts. The clinician decides.
Wrote the no-list before the yes-list: no clinical decision-making, no medication advice, no diagnostic language, no PHI in raw form inside the reasoning context. The refusal lane is audited weekly against a held-out corpus.
Inbound messages and lab results are pseudonymized before reaching the agent — every patient identifier is replaced with a session-scoped token, every read is appended to an immutable audit log keyed to the practice's HIPAA security officer.
Every prior-auth letter, refill triage note, and weekly report is drafted by the agent and queued for the on-shift clinician to accept, edit, or decline with one click. The agent learns from edits; it does not learn from acceptances.
The weekly operations report is not a separate task — it is generated continuously from the same audit log that gates the agent's reads. Friday afternoon becomes a five-minute review, not a two-FTE rebuild.
The agent reads, drafts, and routes. The clinician decides.
Source notes redacted · Client identification withheld by agreement
An offshore drilling contractor, US Gulf Coast
The contractor ran a fleet of jack-ups in the US Gulf, and the back end of every shift was the same problem in a different chair: the toolpusher closed the day by hand-writing an IADC daily drilling report from memory and the morning's tour sheets, while a separate engineering review tried to catch the near-misses the report had blurred. The engagement was a single operations console that ingests rig telemetry in real time, drafts the daily report as the shift unfolds, and runs a banded-confidence hazard model against the same telemetry — surfacing decisions to the toolpusher, never to the well control system.
Bit depth, ROP, WOB, RPM, pit volume, mud weight, and standpipe pressure stream in from the rig's existing sensors through an event bus we built specifically for replayability — every report draft is reproducible from the same audit-stamped event log.
The IADC report's operational fields populate from telemetry continuously; the Operations Summary block is drafted by the agent and held in a 'Toolpusher to review' state — never released until the shift's senior operator accepts or edits the draft.
Kick probability, stuck-pipe risk, and bit-wear progression are surfaced as banded confidence rather than point estimates. The agent flags a hazard when a band crosses a threshold; it never makes a control decision and is firewalled from the well control system at the network layer.
Every hazard flag is delivered as a decision prompt to the toolpusher — accept, override, or escalate. The integrity metric the contractor cares about most is not the agent's hit rate; it is whether the toolpusher remains the decision-maker on every shift, audited at 100% for twelve months.
The agent writes the report. The toolpusher takes the well.
Source notes redacted · Client identification withheld by agreement