Concepts.

An agent identity is a versioned, named entity — not an anonymous process. It carries a UUIDv7 instance id, scoped per tenant, bound to one exact version of code, config, and declared capabilities.

Two agents never share an identity. An agent never runs without being the exact version that was authorized. Identity is the anchor every other mechanism resolves back to.

Authorization is expressed as a lease: a scoped, time-boxed, budget-bounded grant. Define what an agent can do, for how long, under what budget, before work is admitted.

No lease, no execution. When the lease expires, the grant is gone — enforced, not advisory. Every effect traces to a lease; every lease traces to the key that signed it.

Each governed action appends a signed receipt to a hash-chained ledger — the WorkLedger. Each entry links to the prior one by hash, so tampering with one breaks the chain downstream.

The receipt model follows RELOS, the open spec for tamper-evident receipt ledgers: portable receipts and evidence packs a third party can replay without trusting the producer.

Liveness is an organism state machine, not a binary alive/dead flag. An agent moves through running, degraded, autohealing, quarantined, and stopped. A compulsory heartbeat drives the transitions.

A stalled agent degrades at 30 minutes and autoheals at 1 hour — no human page. This lifecycle follows OSMOS, the open spec for long-lived autonomy that replaces wall-clock timeouts with liveness and progress.