The dark factory pattern—autonomous production systems with no human in the loop—is well-documented for application code, but applying it to infrastructure is significantly harder. Using Pulumi as the substrate, this post maps out how to build a lights-out infrastructure pipeline using the Automation API, CrossGuard policy enforcement, ESC for short-lived credentials, and Pulumi Cloud Deployments as a governed runner. The core architectural insight is the mandatory isolation between code generation and validation: a separate evaluator runs plain-English holdout scenarios against ephemeral deployments, and the generator never sees the test criteria. A four-phase rollout is outlined—from improving agent context with AGENTS.md today, to spec-driven PRs with holdout scenarios, to removing humans from the merge loop only after measurable quality gates hold over 20+ PRs, and finally full lights-out operation. Key risks covered include validator approval of bad changes, agents acquiring destructive permissions, and runaway costs, with concrete mitigations for each.
Table of contents
What a dark factory actually is
The wall between generator and validator
Why infrastructure is the harder version
The interesting work
A four-phase rollout
What could go wrong
Where to start