Know what your AI agents did, who authorized it, and whether it should have happened. Register agents, track every action, and prove compliance — before the auditor asks.
Vendor-neutral YAML manifest spec. One manifest defines capabilities, trust, policy, and SBOM — exports to 23+ deployment targets.
DNS for AI agents. A federated mesh where any node can publish and discover agents without a central registry. Cryptographically verified.
The trust & economics plane. Identity, evidence, policy enforcement, and release authority at scale. Verify before you deploy.
The Trust Substrate for the Agentic Internet
AGENT WORLD
CONTRACTPLANE TRUST PRIMITIVES
GOVERNANCE MECHANISMS
INTEGRATION SURFACE
INFRASTRUCTURE
did:web:discover.duadp.org:agents:code-reviewer
cedar-policies.contractplane.default
Bluefly platform agents
Oracle / DUADP discovery mesh
release/v0.1.x
From unknown agent to production-ready governed system.
Build an OSSA-validated agent with DID identity using our Agent Builder — or bring your own. ContractPlane verifies who made it, who owns it, and what it can do.
Dragonfly, our automated testing engine, runs behavioral and security checks against your agent. Every result is signed and added to an immutable evidence chain.
Cedar, the formally verified policy framework, evaluates the evidence against your rules. A trust score is computed. Human reviewers clear the final gate when required.
The release gate opens only when your custom thresholds are met. No shortcuts, no overrides. Export to Docker, Kubernetes, or any of 13+ supported targets.
Zero-trust enforcement at the transport layer. <100ms via WebAssembly. 13 policy sets, 181 verified statements.
Every agent action traced. Security events logged. Cost tracked. Correlation IDs on every span.
Every agent has a Global Agent Identifier (GAID). Cryptographic proof of origin. Ed25519 / ECDSA signatures.
Scoped tool permissions. Explicit action allowlists. Autonomy modes: supervised / semi-auto / full-auto.
CycloneDX / SPDX SBOM pointers in every manifest. OSCAL control mapping for FedRAMP alignment.
Network-wide agent invalidation. Gossip-propagated revocations reach all federation nodes within seconds.
Every registration, approval, and promotion creates a JWS-signed, append-only record. Non-repudiable audit artifacts.
Risk score (0–100) per actor computed from behavioral tests, policy outcomes, and incident history.
Promotion is blocked until all required evidence workflows pass. No shortcut paths. Gate state is machine-readable.
Agents operate under time-bounded leases with scoped delegation. Expired or revoked leases terminate execution immediately.
High-risk transitions require named reviewer approval. Approvals are cryptographically bound to the evidence at review time.
Control families mapped to NIST SP 800-53. OSCAL artifacts generated per registration. FedRAMP alignment documented.
Control where models run, where data resides, which operators access what, and what evidence is produced — without rebuilding your stack.
Define where data may reside per jurisdiction. US-only, EU-only, air-gapped, or customer-hosted — enforced at the policy layer, not just the deployment layer.
Route workloads to approved models based on data classification. PII stays on sovereign infrastructure. Public-safe text uses cost-efficient providers.
Define which operators — human or machine — may access which data classes, models, and tools. Cedar policy enforcement on every call.
Move from SaaS to dedicated VPC to on-prem without rewriting. Same control plane, same policies, same agent definitions across all topologies.
Every inference, retrieval, and document flow produces signed evidence. Export compliance artifacts for FedRAMP, EU AI Act, HIPAA, or your own governance framework.
OCR, layout extraction, and clause analysis run where policy allows. Contracts and compliance packets never leave approved boundaries.
No proprietary lock-in. ContractPlane runs on battle-tested open platforms trusted by governments and enterprises worldwide.
Source control, CI/CD, agent pipeline orchestration, and release gates — all running on GitLab.com with native integration into ContractPlane's trust workflow.
Enterprise content management, structured data authority, and contextual memory via Drupal CMS 2.0 — the most trusted open-source CMS in government and enterprise.
Amazon's formally verified authorization language. Policy-as-code with mathematical proof of correctness. Zero ambiguity in who can do what.
Formal input to NIST Docket NIST-2025-0035 in March 2026 — outlining a three-layer architecture: OSSA identity, DUADP discovery, Cedar execution policy.
Thomas Scola · March 2026 · openstandardagents.org
Foundational paper
The case for a vendor-neutral specification layer: why fragmented runtimes, proprietary registries, and ephemeral credentials can't scale to the agentic internet.
Thomas Scola · openstandardagents.org
Protocol paper
The technical specification for decentralized, federated agent discovery — DID-backed trust anchors, gossip-propagated registries, and cryptographic verification at every hop.
Thomas Scola · openstandardagents.org
Web standards
How DNS TXT records, well-known URIs, and W3C DIDs form a trust root for agents — the same primitives that made the web trustworthy, applied to autonomous systems.
Thomas Scola · openstandardagents.org
Introducing OSSA
A vendor-neutral YAML manifest spec for autonomous systems. One manifest defines capabilities, trust, policy, and SBOM — with an honest look at what it means to build open.
Thomas Scola · openstandardagents.org
High-risk AI systems must demonstrate traceability, human oversight, and documented risk controls. ContractPlane.ai produces the evidence artifacts compliance requires.
Effective August 2026 · EU Product Liability Directive Dec 2026
ContractPlane.ai is in private preview.
Register your first agent today.