Security & Trust
Trust is a closed loop.
Dragons is a governance control plane, so its security posture is not a feature bolted on afterward — it is the mechanism. Identity, authorization, evidence, and liveness are the security primitives, and every claim a surface makes is traceable to a signed artifact.
See also Concepts & receipt model → /docs
The governance model
Four mechanisms close the trust loop between autonomous execution and real consequences. Each one is a security primitive, not a dashboard widget.
Identity
Cryptographic identity per agent
Every dragon carries a manifest_hash — a SHA-256 fingerprint over its code, configuration, and declared capability set. The hash is the anchor: an agent whose code changes produces a different hash and is treated as a different identity. Nothing executes under a manifest the control plane has not recorded.
Authorization
Leases gate every action
A lease is a time-bounded, scope-restricted grant: what the agent may do, against which tenant, until when. Leases are signed at issue and checked at every action boundary. No lease, no execution — and an expired lease fails closed. Authorization is never inferred from prior behavior.
Evidence
Hash-chained work receipts
Each completed work cycle appends a signed receipt to the WorkLedger. Receipts are hash-chained: every entry commits to the hash of the entry before it, so the ledger is tamper-evident — a single altered or removed receipt breaks the chain at that point and every point after it.
Liveness
Compulsory heartbeat, organism state
A governed agent emits heartbeats carrying pulse plus semantic progress. The control plane maps liveness onto organism state — running, degraded, autohealing, quarantined, stopped — instead of trusting a wall-clock timeout. A silent agent degrades, then autoheals or is quarantined. Absence of signal is itself a signal.
Receipt-chain integrity
The WorkLedger is hash-chained and tamper-evident. Receipts are designed to be replayed by a third party without private trust in Dragons or the tenant.
Each receipt commits to the hash of the receipt before it. Verifying the chain is a mechanical walk: recompute each payload_hash, check it against the recorded value, and confirm each prev_hash matches the actual prior entry. A single altered, inserted, or removed receipt breaks the walk at that index and at every index after it — the tamper has a fixed, locatable boundary.
receipt_id: UUIDv7, hex-encoded, prefixed. Sortable by issue time.
manifest_hash: Identity of the agent that produced the work cycle.
lease_ref: The authorization grant under which the action ran.
prev_hash: SHA-256 of the preceding receipt — the chain link.
payload_hash: Commitment over goal, action, and outcome for this cycle.
signature: Signature over the receipt header. Verifiable without the issuer.
Receipts are append-only. There is no edit path on a recorded receipt; a correction is a new receipt that references the original. Retroactive edits to the ledger are forbidden by design.
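The verification walk described above, as an added example that is not Dragons' own code. It assumes a canonical-JSON encoding for hashing, an all-zero prev_hash for the first receipt, a header/payload entry layout, and placeholder receipt ids; the signature check is left out because the page does not name the signature scheme.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash for the first receipt


def sha256_json(obj):
    """SHA-256 over canonical JSON (sorted keys, no whitespace): an assumed encoding."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def append_receipt(ledger, manifest_hash, lease_ref, payload):
    """Build a constructed sample entry: header fields from the page plus its payload."""
    prev = sha256_json(ledger[-1]["header"]) if ledger else GENESIS
    header = {
        "receipt_id": f"rcpt_{len(ledger):04d}",  # placeholder, not a real UUIDv7
        "manifest_hash": manifest_hash,
        "lease_ref": lease_ref,
        "prev_hash": prev,
        "payload_hash": sha256_json(payload),
    }
    ledger.append({"header": header, "payload": payload})


def verify_chain(ledger):
    """Walk the ledger; return (index, reason) of the first break, or None if intact."""
    expected_prev = GENESIS
    for i, entry in enumerate(ledger):
        header = entry["header"]
        if sha256_json(entry["payload"]) != header["payload_hash"]:
            return i, "payload_hash mismatch"
        if header["prev_hash"] != expected_prev:
            return i, "prev_hash mismatch"
        expected_prev = sha256_json(header)
    return None


def sample_ledger():
    """Constructed three-cycle ledger for demonstration."""
    ledger = []
    for n in range(3):
        payload = {"goal": f"goal-{n}", "action": f"action-{n}", "outcome": "ok"}
        append_receipt(ledger, "a" * 64, "lease-demo-1", payload)
    return ledger


if __name__ == "__main__":
    ledger = sample_ledger()
    print(verify_chain(ledger))  # intact ledger
    ledger[1]["payload"]["outcome"] = "edited"
    print(verify_chain(ledger))  # first break located at the edited entry
```

A hash walk alone cannot flag a final entry that was rewritten with a freshly recomputed payload_hash, since no later receipt commits to it. The signature over the receipt header is what covers that case.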
Data handling
Runtime truth stays tenant-local. The control plane reasons over identity, scope, and evidence — not over the contents of the work an agent performs.
Tenant-local runtime truth
Agent execution and the WorkLedger live inside the tenant boundary. Health truth is read from real runtime receipts in the tenant, not from a vendor-side mirror.
No data leaves the boundary
Dragons governs identity, leases, evidence, and liveness — it does not exfiltrate task payloads. The control plane reasons over hashes and lease scopes, not over the contents of the work.
Tenant isolation
Agents dock into a single tenant with an explicit scope. A lease issued for one tenant authorizes nothing in another. Cross-tenant access has no implicit path.
Replay over trust
A third party verifies an evidence pack by replaying goal → action → evidence → outcome against the hash chain. The audit does not require trusting Dragons, or the tenant, as a narrator.
Audit posture
An audit is a replay, not a meeting. The evidence pack is the unit of audit, and the verifier reconstructs the work cycle from signed artifacts.
Export an evidence pack and a third party walks goal → action → evidence → outcome against the hash chain. The pack carries its own proof; verification needs no live access to the tenant.
Every action resolves to a manifest_hash and the lease that authorized it. There is no anonymous work cycle and no shared-credential ambiguity.
Leases are scope-restricted and time-bounded. The audit answers not only what an agent did but the exact authority under which it was permitted to do it.
Every metric on a Dragons surface traces to a lease, a heartbeat record, or a receipt. A number that cannot be sourced to a signed artifact does not ship.
Responsible disclosure
Report a vulnerability.
If you find a security issue in Dragons — in the receipt chain, the lease model, identity verification, or the runtime — report it directly. Send a description and reproduction steps to the address below. We acknowledge reports and coordinate a fix and disclosure timeline with the reporter. Please do not publicly disclose before coordination.
security@dragons.dev