Dragons
Agent trust infrastructure

Governed autonomy
emits receipts.

Dragons gives every agent a cryptographic identity, a signed lease for every action, a signed receipt anyone can replay, and a heartbeat that catches a stalled agent before you do.

Request early access See a receipt
Every activation answers four questions that a Slack thread cannot:
who was the dragon, was it authorized,
what did it do, is it still alive.
Dragons · Activation Receipt specimen replay: pass
Identity
agent_id
manifest_hash
version reconciler@v4
Authorization
dock tnt_8f21 · payments
lease_id
scope read:payments · write:ledger
Evidence
ledger_entry
receipts 1,412 this session
replay pass · third-party verifiable
Liveness
organism_state running
last_heartbeat 2.4 s ago
MTBOI 72h 14m (rolling 30d)
liveness cursor · emitting · 2.4s
manifest_hash per dragon organism state signed, hash-chained · replayable

Today your audit trail is
a Slack thread and a cron job.

It holds until someone asks you to prove it. A compliance ask. A due-diligence review. A 3 a.m. page for an agent that ran six hours past lease expiry. That is not an observability gap. It is a trust gap.

Your current stack
Cron + Slack + Notion
Agent identity: "trust the code review." No fingerprint. No version proof.
Authorization: "authorized because the PR merged." Not a record.
Evidence chain: a Slack thread. Reconstruct the incident from memory.
Liveness: cron fires an alert. After the incident. After the agent sat stalled for an hour.
Compliance ask: "Here is our Notion runbook." That is not an evidence pack.
Dragons closes the loop
Identity. Authorization.
Evidence. Liveness.
manifest_hash -- a cryptographic fingerprint of the agent's code, config, and declared capabilities.
Signed lease -- time-bounded, scope-restricted, operator-keyed. Expires: the agent stops.
WorkLedger -- every governed action lands in a hash-chained receipt chain. Replay it without trusting Dragons.
Organism states -- running, degraded, autohealing, quarantined. A stalled agent degrades and autoheals before a page reaches you.
Evidence pack -- signed bundle, third-party verifiable.

Four outcomes.
One control plane.

Cron + Slack + Notion handle zero of these by construction. Dragons closes all four -- cryptographically, continuously, without operator intervention.

01 -- Identity

No anonymous processes.

Every agent is a versioned, named entity. Its manifest_hash is a cryptographic fingerprint of its code, config, and declared capabilities. No two agents share an identity.

manifest_hash -- sha256(code + config + caps)
instance_id -- UUIDv7, hex-encoded
version -- reconciler@v4, rollback auditable
02 -- Authorization

A signed grant, not a handshake.

An agent runs only inside a signed lease: a time-bounded, scope-restricted authorization record. No lease: the agent does not run. Expired lease: Dragons degrades it automatically.

lease_id -- lease_a07c · 600s TTL
scope -- read:payments · write:ledger
expiry -- auto-degrade at TTL
03 -- Evidence

Reconstruct an incident in minutes.

Every governed action produces a signed, hash-chained receipt: a tamper-evident record linking goal to action to outcome. The WorkLedger holds the full chain. Any third party can replay it.

WorkLedger -- hash-chained action receipts
replay -- third-party verifiable
export -- compliance-ready evidence pack
04 -- Liveness

Stalls heal before they page you.

Every agent emits a compulsory heartbeat. Dragons tracks organism state: running, degraded, autohealing, quarantined. Miss the degrade threshold and Dragons heals or escalates.

heartbeat -- compulsory · degrade at 30m
states -- running / degraded / autohealing / quarantined
MTBOI -- rolling 30d operator intervention metric

Receipts, not vibes.

Every activation produces a cryptographically signed receipt. Not a log entry -- a replayable proof object: goal, action, outcome, evidence. Hash-chained, signed, verifiable without trusting Dragons.

Dragons · Activation Receipt specimen replay: pass
Identity
agent_id ag_019e5e66dca079278437f7524903d41
manifest_hash d39a7f0c1be84a02f9c3b571a30e8c47
version reconciler@v4
Authorization
dock tnt_8f21 · payments
lease_id lease_a07c · 600s
scope read:payments · write:ledger
authorized_by operator_key_0029
Evidence
ledger_entry wl_019e5f11abc0cc2d000000000012
chain_root 0x7c3f1a...b92d4e
receipts 1,412 this session specimen
replay pass · third-party verifiable
Liveness
organism_state running
last_heartbeat 2.4 s ago
degrade_at 30m · autoheal_at 1h
MTBOI 72h 14m (rolling 30d) specimen
liveness cursor · emitting · 2.4s
Identity fields
manifest_hash is the cryptographic anchor

The manifest_hash is a SHA-256 fingerprint of the agent's code, config, and declared capabilities. It is the proof that the agent that docked is the agent that was authorized.

Authorization fields
Leases are time-bounded and scoped

The lease defines what the agent is allowed to do, for how long, in which tenant. No lease: the agent never runs. Expired lease: the control plane degrades it without a human page.

Evidence fields
The WorkLedger is hash-chained and replayable

Every governed action produces a signed receipt, hash-chained to the prior one. Any third party can replay goal to action to evidence to outcome without private trust.

Liveness fields
Organism states -- not binary alive/dead

Dragons tracks running, degraded, autohealing, quarantined. The MTBOI (mean time between operator interventions, rolling 30 days) is the metric that proves the fleet runs itself.

Specific to the point
of being trustworthy.

Dragons does not schedule pipelines -- Temporal does. It does not trace model calls -- LangSmith does. It does not monitor infra -- Datadog does. Dragons proves identity, authorization, evidence, and liveness. The gap nobody else closes.

Requirement
Dragons
The right tool
Cryptographic agent identitymanifest_hash per agent
manifest_hash + signed instance_id
nobody else. This is the gap.
Signed authorization recordwhat was it allowed to do, when
Signed lease: scope, TTL, tenant
nobody else. This is the gap.
Tamper-evident evidence chaingoal to action to outcome
Signed receipts · hash-chained · replay
nobody else. This is the gap.
Organism-state livenessdegrade / autoheal / quarantine
Organism states · autoheal at 1h
nobody else. This is the gap.
Pipeline schedulingworkflow execution, retries
not us. Dragons governs; it does not schedule.
Temporal
Model call tracingLLM chain traces, token usage
not us. Dragons records actions; it does not trace models.
LangSmith
Infrastructure monitoringCPU, memory, latency
not us. Dragons tracks organism state; it does not monitor infra.
Datadog

A 30-day shadow trial
alongside your existing stack.

Dragons does not replace your watchdog. It runs beside it. At day 30 it reports what your watchdog missed: liveness gaps, stale agents, authorization holes, broken evidence chains. Numbers, not claims.

Day 1

Dragons connects.

Dragons docks alongside your fleet. Identity receipts, lease tracking, heartbeat states -- all recording from minute one. Your existing watchdog keeps running. Zero cutover.

0 changes to your existing stack specimen
Day 15

First divergence.

The WorkLedger catches events your watchdog missed: agents past lease expiry, heartbeat gaps cron never surfaced, authorization records with no matching evidence.

17 divergence events in two weeks specimen
Day 30

The report.

A signed evidence pack: every event your watchdog missed, every authorization gap, every liveness incident, the MTBOI delta. Receipts, not claims.

1 signed evidence pack specimen

Early access.
We're onboarding pilot teams.

Dragons runs in production today, governing our own agent fleet. We're not a self-serve product yet -- the right next step is a conversation, not a form. Three concrete criteria decide whether a shadow trial is the right fit.

01 -- Fleet size

10 or more agents in production.

Or a credible plan to be there within 90 days. Below that floor, cron and Slack are still the right answer.

02 -- Operational pain

You've been paged at 3 a.m.

For a stalled agent, a runaway agent, or one that ran six hours past its lease. Governance gaps that already cost a human a night of sleep.

03 -- Current tooling

No formal governance layer today.

Cron, Slack, Notion, a hand-rolled watchdog -- correct fit. If you already run a signed-receipt control plane, we're probably not the upgrade.

One human reads every message. We reply when there's a credible fit -- usually within a few business days. Or email us directly -- the human path is always open.
Early access · 30-day shadow trial

Your agents are running right now.
Can you prove what they did?

Dragons runs alongside your existing fleet for 30 days. At day 30, it reports what it caught that your watchdog missed. Numbers, not claims. Receipts, not vibes.

Request early access Email the team See a receipt
Dragons is live · signed receipt chain · organism-state liveness
Your audit trail is a Slack thread and a cron job -- until someone asks you to prove it.
Dragons closes that gap. Identity, authorization, evidence, liveness.