Manifesto · v0 draft · 2026-04-19

Why we built mureo

AI agents are now competent enough to touch ad budgets. They are not yet trustworthy enough. mureo is the framework for closing that gap — a way for agents to operate Google Ads, Meta Ads, Search Console, and GA4 grounded in your business strategy and bounded by explicit security rules.

1. The state of AI in ad operations

Two patterns have settled into the market in the last eighteen months.

The first is what we call the paste loop: a marketer copies a CSV out of Google Ads, drops it into ChatGPT or Claude, asks for a recommendation, and then manually executes whatever sounds plausible. The agent has no view of the account, no record of what ran last week, and no ability to undo what it suggests. It is a consultant with amnesia who never sees the books.

The second pattern is the untargeted autopilot: AutoGPT-class systems and a wave of LLM-wrapper startups that promise to "run your ads for you." They do not fail because the LLM is weak. They fail because nothing in the system encodes what your business is, what tradeoff you are willing to accept, or what an irreversible mistake looks like in your account. When the agent confidently disables a high-CPA campaign that was actually driving brand-search uplift, the autopilot has no way to know it was wrong.

Neither pattern is ready to manage budgets that pay rent.

2. Why generic AI agents fail at ad ops

The failure mode is consistent across both extremes, and it has four components.

No strategy context. Every account looks like a CTR optimization problem to an agent that has never been told the business. A direct-to-consumer skincare brand and a B2B SaaS targeting CFOs both have "Google Ads accounts." Their definitions of a good campaign do not overlap. Without a representation of persona, USP, brand voice, and goals, an agent will optimize for whatever metric is loudest in the data — usually CTR or CPA — and quietly erode whatever was actually working.

No security boundaries. Ad APIs let you change budgets, pause campaigns, mutate keywords, and exfiltrate audience data. A single prompt-injection in a fetched document can, structurally, instruct an agent to do any of those things. Most current AI tooling around ad accounts treats the API as a general-purpose instrument — there is nothing between the LLM's output and the wire. That is a credential-loss class of vulnerability waiting to happen.

No rollback. When an agent does take an action that turns out to be wrong, the cost is asymmetric: spending five minutes to set a bid can take a week of organic recovery to undo. Generic agents do not record the inverse of their actions and cannot replay a state. The marketer is left to reconstruct what changed by reading Google Ads change history, which is, charitably, not a forensics tool.

No learning loop. Each conversation starts from scratch. Insights from last quarter's experiment do not propagate to this quarter's analysis. The agent that warned you against broad-match expansion in March will happily recommend it again in July, because nothing in the system carries memory of why it was a bad idea last time.

3. The thesis

Ad operations does not need another product. It needs a framework — a set of conventions, schemas, and runtime guards that an AI agent can plug into and operate within.

Three properties make a framework — as opposed to a product — the right shape:

• Composability with whatever agent you already use. Claude Code, Cursor, Codex, Gemini, future agents we have not yet heard of. The infrastructure must outlive any single LLM.
• Inspectability of every action. The marketer (or agency) must be able to read what the framework will do before it does it, and what it did after.
• Local-first execution. Credentials, state, and decision history live on the operator's machine, not in a vendor cloud. There is no telemetry pipeline waiting to be subpoenaed or breached.

mureo is that framework. It is open source under Apache 2.0, MCP-based, and built specifically for agents to consume — not for humans to click through a dashboard.

4. Three pillars

4.1 Strategy-driven

Every account in mureo is paired with a STRATEGY.md — a plain-text artifact that encodes persona, unique selling proposition, brand voice, business goals, and the operating mode (autonomous, supervised, advisory). When mureo's analysis tools run, they consult STRATEGY.md first and only then look at the metrics. The same CPA spike produces different recommended actions depending on what the strategy says about brand defense, volume targets, or current promotional cycles.

This sounds obvious until you realize that no popular ad-tech tool has a first-class field for "what is your USP." Strategy is treated as taste, not data. mureo treats it as schema.

What this does not do: it does not write your strategy for you. STRATEGY.md requires honest input. An empty file gives empty advice.

4.2 Security-first

mureo treats every action against an ad account as potentially-adversarial input. Four mechanisms enforce that posture:

• Credential guard. API keys and refresh tokens never enter the LLM context. They live in the operator's local environment and are read only by the framework's own transport layer.
• Allow-list rollback gating. Every mutation is paired with its inverse before it is sent. Actions that cannot be inverted within the allow-list are blocked, not warned.
• GAQL validation. Queries to Google Ads are schema-validated against the published API surface before execution. An agent that hallucinates a field will get a typed error, not a successful no-op.
• Anomaly detection on the action stream itself. mureo monitors not just the account's metrics but the rate and shape of the agent's own actions. A burst of pause operations outside the configured rate limit halts the run.

What this does not do: it does not make the LLM incorruptible. It assumes the LLM will eventually be tricked, and builds the surrounding system to contain the blast radius.

4.3 Learnable

mureo ships with a diagnostic knowledge base — a structured store of decision patterns, evidence requirements, and known anti-patterns. When the framework encounters a familiar shape (an unexplained CPA jump, a search-term exclusion candidate, a creative fatigue signal), it reaches into the knowledge base for the standard diagnostic path rather than re-deriving one from first principles.

New patterns enter the knowledge base via the /learn workflow: a marketer or agent codifies what was learned from a specific incident, and that codification is reusable across all future analyses. Over time, the framework gets sharper at the operator's specific account class.

The diagnostic knowledge base is also evidence-gated. A recommendation that cannot point to a sample size, a baseline, and a confidence threshold gets flagged for monitoring, not action.

What this does not do: it does not replace human judgement on novel situations. The knowledge base is good at recognizing patterns it has seen before. Anything genuinely new still needs a human in the loop.

5. What mureo is, and is not

mureo is:

• An open-source framework (Apache 2.0) — code is auditable, fork and self-host friendly, no vendor capture
• MCP-based — works with any agent that speaks the Model Context Protocol
• Local-first — credentials, state, and decisions never leave your machine without an explicit egress
• Cross-platform on the API surface — Google Ads, Meta Ads, Search Console, and GA4 today; structured to add more
• Built for agents — every interaction is designed for an LLM to consume, not a human dashboard

mureo is not:

• A "marketing co-pilot" — co-pilots only suggest. mureo can act within the rollback boundary
• A dashboard or BI tool — there is no SaaS UI; the surface is your agent
• An autopilot — the framework refuses to act outside its allow-list even when instructed to
• "AI-powered" anything — the LLM is a component, not a value proposition
• A managed service — at least not yet. See section 6

6. The road ahead

mureo is open source first. The framework will stay free, auditable, and locally executable. There will never be a paid tier of OSS features held back from the repository.

A managed offering — for teams who do not want to operate the framework themselves — is on the roadmap, but it is gated on observable demand from the OSS audience. We are not running a waitlist for it. The signal we listen to is GitHub adoption, contribution, and the questions readers send us about running mureo at scale.

If that signal materializes, the managed product will live at mureo.ai. If it does not, the OSS framework is the product, and that is also a successful outcome.

7. Call to action

If you operate ad accounts and you have ever wished you could trust an AI agent to do part of your job — without writing the safety rails yourself — read the docs, install the framework, and try a single workflow against a low-stakes account.

• Start here — installation and first run
• github.com/logly/mureo — source, issues, contribution
• Blog — methodology, anti-patterns, case studies

If you build agent infrastructure and you think the four failure modes in section 2 are solvable in a different way, we want to read your critique. Open an issue. We have opinions, but we hold them against evidence.