Dragons
Product

The control plane for
autonomous agents.

Dragons gives every agent a cryptographic identity, a signed lease for every action, a hash-chained receipt anyone can replay, and a heartbeat that catches a stalled agent before you do. Four mechanisms. One trust loop.

The four mechanisms

What the control plane does.

Four questions every governed agent must answer: who is it, what may it do, what did it do, and is it still alive. Dragons closes all four with cryptographic primitives and continuous enforcement. No human babysitting.

01
Identity

No anonymous processes.

Every agent is a versioned, named entity. Its manifest_hash is a SHA-256 fingerprint of the agent's code, config, and declared capabilities. Not the PR hash -- the agent hash. No two agents share an identity. No agent runs unless it is exactly that version.

The manifest_hash is the cryptographic anchor: the proof that the agent that docked is the agent that was authorized. Version rollback is auditable. Every identity traces to a dock binding a tenant to an authorized scope.

manifest_hash
instance_id: UUIDv7, hex, no dashes
version: reconciler@v4 / @v7 -- rollback auditable
dock: tenant + authorized scope

02
Authorization

A signed grant, not a handshake.

An agent runs only inside a signed lease: a time-bounded, scope-restricted authorization record. No lease, no execution. Expired lease: Dragons degrades the agent automatically. Every action traces to a lease. Every lease traces to an operator key.

Scope is explicit -- read:payments, write:ledger -- per tenant, per TTL. Expiry is enforced, not advisory. When the TTL hits zero, the control plane degrades the agent. No human page required.

lease_id
scope: read:payments · write:ledger
authorized_by: operator_key_0029
expiry: auto-degrade at TTL, no silent stall

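An added sketch of the admission check this section describes, not Dragons' own code: the lease fields beyond those listed above, the canonical-JSON encoding, and binding manifest_hash into the lease are assumptions. HMAC-SHA256 stands in for the operator signature, which the page does not specify; a lease that third parties can verify would carry an asymmetric signature instead.

```python
import hashlib
import hmac
import json

def canonical(obj) -> bytes:
    """Deterministic JSON so the same content always hashes to the same value."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def manifest_hash(code: bytes, config: dict, capabilities: list) -> str:
    """SHA-256 fingerprint over code, config and declared capabilities."""
    body = {"code_sha256": hashlib.sha256(code).hexdigest(),
            "config": config, "capabilities": sorted(capabilities)}
    return hashlib.sha256(canonical(body)).hexdigest()

def sign_lease(lease: dict, operator_key: bytes) -> str:
    """Stand-in for the operator signature (HMAC-SHA256, an assumption)."""
    return hmac.new(operator_key, canonical(lease), hashlib.sha256).hexdigest()

def authorize(scope: str, agent_hash: str, lease: dict, sig: str,
              operator_key: bytes, now: int):
    """Return (allowed, reason). The signature is checked first so that no
    field of an unauthenticated lease is ever trusted."""
    if not hmac.compare_digest(sign_lease(lease, operator_key), sig):
        return False, "bad_signature"
    if lease["manifest_hash"] != agent_hash:
        return False, "manifest_mismatch"   # running code is not the authorized version
    if now >= lease["expires_at"]:
        return False, "lease_expired"       # enforced, not advisory
    if scope not in lease["scope"]:
        return False, "out_of_scope"
    return True, "ok"

# Constructed sample values (hypothetical, not a real Dragons lease).
OPERATOR_KEY = b"constructed-demo-key"
CODE = b"def reconcile(): ..."
CAPS = ["read:payments", "write:ledger"]
AGENT_HASH = manifest_hash(CODE, {"tenant": "tnt_8f21"}, CAPS)
LEASE = {"lease_id": "lease_demo_0001", "tenant": "tnt_8f21", "scope": CAPS,
         "authorized_by": "operator_key_0029", "manifest_hash": AGENT_HASH,
         "expires_at": 1_700_003_600}
SIG = sign_lease(LEASE, OPERATOR_KEY)
```
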
03
Evidence

Reconstruct an incident in minutes.

Every governed action produces a signed, hash-chained receipt linking goal to action to outcome. The WorkLedger holds the full chain. Each entry links to the prior one via hash -- tamper with one and the chain breaks downstream.

Export a compliance-ready evidence pack for any session, any agent, any time window. Any third party can replay it without private trust. The auditor replays; they do not believe you.

WorkLedger
signed receipt: goal → action → outcome → evidence
replay: third-party verifiable, no private trust
export: compliance-ready evidence pack

04
Liveness

Stalls heal before they page you.

Every agent emits a compulsory heartbeat. Dragons tracks organism state -- running, degraded, autohealing, quarantined -- not binary alive/dead. A stalled agent degrades at 30 minutes, autoheals at 60. No human page. No 3 AM restart.

MTBOI (mean time between operator interventions, rolling 30 days) is the metric that proves the fleet runs itself. The control plane moves agents through states; the operator intervenes only when quarantine escalates.

heartbeat: compulsory · degrade at 30m
organism states: running / degraded / autohealing / quarantined
autoheal: fail-and-redispatch at 1h, no human page
MTBOI: rolling 30d operator intervention metric

running: Heartbeat current. Lease valid. No action required.
degraded: Heartbeat missed at 30m. Control plane watching. Not yet failed.
autohealing: Stall confirmed at 1h. Control plane redispatching. No human page.
quarantined: Autoheal failed. Agent isolated. Escalated to operator.
stopped: Explicit operator stop or lease expiry. Terminal.

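The heartbeat-driven transitions listed above, as an added example that is not Dragons' code. The 30- and 60-minute thresholds and the state names come from the page; the function names, the rule that a heartbeat clears degraded, and ignoring heartbeats while autohealing are assumptions. Lease expiry is left to the authorization check.

```python
from dataclasses import dataclass

DEGRADE_AFTER = 30 * 60    # page: a stalled agent degrades at 30 minutes
AUTOHEAL_AFTER = 60 * 60   # page: autoheal (fail-and-redispatch) at 60 minutes

@dataclass
class Agent:
    last_heartbeat: float          # epoch seconds of the last heartbeat seen
    state: str = "running"

def on_heartbeat(agent: Agent, now: float) -> str:
    """Assumption: a heartbeat clears 'degraded' but cannot lift quarantine or a stop."""
    if agent.state in ("running", "degraded"):
        agent.last_heartbeat, agent.state = now, "running"
    return agent.state

def tick(agent: Agent, now: float, autoheal_ok=None, operator_stop=False) -> str:
    """Periodic evaluation. autoheal_ok is None while redispatch is pending."""
    silent_for = now - agent.last_heartbeat
    if agent.state == "stopped":
        pass                                   # terminal
    elif operator_stop:
        agent.state = "stopped"
    elif agent.state == "quarantined":
        pass                                   # isolated until the operator acts
    elif agent.state == "autohealing":
        if autoheal_ok is True:                # redispatch worked
            agent.last_heartbeat, agent.state = now, "running"
        elif autoheal_ok is False:
            agent.state = "quarantined"        # escalate to the operator
    elif silent_for >= AUTOHEAL_AFTER:
        agent.state = "autohealing"            # stall confirmed, redispatch
    elif silent_for >= DEGRADE_AFTER:
        agent.state = "degraded"
    return agent.state

def replay(events):
    """Run (kind, time, kwargs) events from t=0; return the state after each."""
    agent, seen = Agent(last_heartbeat=0.0), []
    for kind, t, kw in events:
        seen.append(on_heartbeat(agent, t) if kind == "hb" else tick(agent, t, **kw))
    return seen
```
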
How it works

The proof loop.

Every activation follows the same four-step loop. The output is a signed receipt any third party can verify without trusting Dragons.

1
Goal

Operator defines the objective. Explicit scope, recorded before execution begins.

2
Action

Agent executes inside a signed lease. Every governed action appends a receipt to the WorkLedger, hash-chained to the prior entry.

3
Receipt

Signed record of identity, authorization, evidence, and liveness state. Tamper-evident. Exportable. Compliance-ready.

4
Replay

Third party replays the chain: goal to action to evidence to outcome. No private trust required.

Dragons · Activation Receipt · replay: pass
Proof Loop
goal "reconcile payments for tnt_8f21"
action read:payments · write:ledger · 47 ops
receipt
chain_root
replay pass · third-party verifiable
Identity + Liveness
manifest_hash
lease_id
organism_state running
last_heartbeat 2.4 s ago
liveness cursor · emitting · 2.4s
Verify this receipt.

Recompute the chain root in your browser. The math is open.

Sandboxed verifier · specimen receipt · the production verifier will replace this with a signed server replay
Dragons · Receipt Specimen rcp_019e5f80a1f3a4cc2d0000000000000a
Identity
manifest_hash
lease_id
tenant_id
Chain
parent_root
evidence[0]
evidence[1]
State
organism_state running
mtboi_seconds 86400
outcome accepted
Claim
chain_root (click verify to compute)
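An added example of recomputing and replaying a receipt chain like the one this specimen and the Evidence section describe, not Dragons' verifier: the hashing rule (SHA-256 over sorted-key JSON of every field except chain_root), the all-zero genesis parent and the sample receipts are assumptions. It also shows why a replayer pins the head chain_root obtained from the signed receipt: a ledger whose hashes were all recomputed after an edit is internally consistent.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed parent_root of the first receipt in a ledger

def chain_root(receipt: dict) -> str:
    """SHA-256 over canonical JSON of every field except chain_root itself."""
    fields = {k: v for k, v in receipt.items() if k != "chain_root"}
    blob = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

def append(ledger: list, **fields) -> dict:
    """Link a new receipt to the previous chain_root and seal it."""
    parent = ledger[-1]["chain_root"] if ledger else GENESIS
    receipt = {"parent_root": parent, **fields}
    receipt["chain_root"] = chain_root(receipt)
    ledger.append(receipt)
    return receipt

def replay(ledger: list, pinned_head: str = None):
    """Return (ok, index of first bad receipt or None, reason)."""
    parent = GENESIS
    for i, r in enumerate(ledger):
        if r.get("parent_root") != parent:
            return False, i, "parent_root does not match previous chain_root"
        if chain_root(r) != r.get("chain_root"):
            return False, i, "body does not hash to chain_root"
        parent = r["chain_root"]
    if pinned_head is not None and parent != pinned_head:
        # Hashes are self-consistent but this is not the ledger that was signed:
        # truncated, or rewritten end to end with recomputed hashes.
        return False, len(ledger), "head differs from pinned chain_root"
    return True, None, "pass"

def sample_ledger() -> list:
    """Constructed sample receipts (hypothetical values, not a Dragons export)."""
    ledger = []
    for evidence in (["read:payments batch 1"], ["write:ledger 47 ops"],
                     ["reconcile summary"]):
        append(ledger, tenant_id="tnt_8f21", lease_id="lease_demo_0001",
               evidence=evidence, outcome="accepted")
    return ledger
```
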
Integration

Composes with your stack.

Dragons governs. It does not schedule, trace, or monitor. Each tool does one job; Dragons slots into the trust layer between your agents and the systems that run them.

Temporal
Pipeline scheduling

Temporal handles execution order, retries, and durable workflows. Dragons records which agent ran which step, under which lease, with which manifest_hash. Temporal schedules; Dragons proves who did it.

LangSmith
Model call tracing

LangSmith traces LLM chains, token usage, and latency. Dragons records the agent identity and authorization context around those calls. LangSmith traces the model; Dragons proves who called it.

Datadog
Infrastructure monitoring

Datadog monitors CPU, memory, and infra health. Dragons tracks organism state: the semantic lifecycle of the agent, not a PID. Datadog monitors the box; Dragons governs the agent.

Honest limits

What Dragons does not do.

Scope precision is the reason Dragons is trustworthy. It closes one gap -- the trust gap -- and nothing else.

| Requirement | Dragons | Alternative |
| --- | --- | --- |
| Cryptographic agent identity | manifest_hash + signed instance_id | Unfilled by existing tools |
| Signed authorization record | Signed lease: scope, TTL, tenant, authorized_by | No third-party equivalent |
| Tamper-evident evidence chain | Signed receipts, hash-chained, third-party replay | Not covered by tracers or loggers |
| Organism-state liveness | Organism states, autoheal at 1h, compulsory heartbeat | Infra monitors track PIDs, not agents |
| Pipeline scheduling | Not us. Dragons governs, not schedules. | Temporal |
| Model call tracing | Not us. Dragons records actions, not model calls. | LangSmith |
| Infrastructure monitoring | Not us. Dragons tracks organism state, not infra. | Datadog |

Early access · 30-day shadow trial

Your agents are running right now.
Can you prove what they did?

Run Dragons side-by-side with your existing fleet for 30 days. At day 30, it reports what it caught that your current watchdog missed. Numbers, not claims.

Dragons is live · signed receipt chain · organism-state liveness
Your current audit trail is a Slack thread and a cron job. Dragons replaces it with cryptographic receipts. Identity, authorization, evidence, liveness.