Six layers, one graph.
Agent fingerprint
(agent id × prompt × tool inventory × policy × env) hashed into a stable 8-char fingerprint. Drift in any layer changes the fingerprint and triggers a recert.
Tools
Every tool the agent can invoke, with risk class (money_movement, exfil, mutate, read), argument schema, and high-blast flag.
Data sources
Vector stores, RAG sources, databases, and APIs. Provenance + redaction state per source so retrieved content is treated as untrusted by default.
Approval gates
Policy decisions enforced before the agent commits. Identity verification, tenant boundary check, dollar threshold — all live in the graph and auditable.
Environments
Dev, staging, prod, and per-customer sandboxes. Findings carry the env they were observed in; certs ship per-env.
Tenant boundaries
Multi-tenant agents get tenant-id propagation through every tool call. Cross-tenant flows raise a finding immediately.
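One way to compute the agent fingerprint described above and name the layer that drifted, as an added example and not the product's own code. SHA-256, canonical JSON, the field names and the sample agent are assumptions; the page only states the five inputs and the 8-character output.

```python
import hashlib
import json

# The five inputs the page names for the fingerprint (key names are assumed).
LAYERS = ("agent_id", "prompt", "tools", "policy", "env")

def _digest(value) -> str:
    # Canonical JSON (sorted keys, fixed separators) so key order is never drift.
    blob = json.dumps(value, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(blob.encode("utf-8")).hexdigest()

def layer_digests(agent: dict) -> dict:
    missing = [k for k in LAYERS if k not in agent]
    if missing:
        raise ValueError(f"missing layers: {missing}")
    norm = dict(agent)
    # The tool inventory is a set: sort by name so registration order is not drift.
    norm["tools"] = sorted(agent["tools"], key=lambda t: t["name"])
    return {k: _digest(norm[k]) for k in LAYERS}

def fingerprint(agent: dict) -> str:
    digests = layer_digests(agent)
    # Fixed layer order and fixed-length hex digests keep the concatenation unambiguous.
    combined = "".join(digests[k] for k in LAYERS)
    # 8 hex chars is only 32 bits: use it as a label, not as the drift decision.
    return hashlib.sha256(combined.encode("ascii")).hexdigest()[:8]

def drifted_layers(baseline: dict, current: dict) -> list:
    # Compare full per-layer digests so a truncated-hash collision cannot hide drift.
    a, b = layer_digests(baseline), layer_digests(current)
    return [k for k in LAYERS if a[k] != b[k]]

# Constructed sample agent (not from the page).
BASELINE = {
    "agent_id": "refund-agent",
    "prompt": "You process refund requests.",
    "tools": [
        {"name": "lookup_order", "risk": "read", "high_blast": False},
        {"name": "issue_refund", "risk": "money_movement", "high_blast": True},
    ],
    "policy": {"refund_dollar_threshold": 100},
    "env": "staging",
}

if __name__ == "__main__":
    grown = dict(BASELINE, tools=BASELINE["tools"] + [
        {"name": "export_orders", "risk": "exfil", "high_blast": True}])
    print(fingerprint(BASELINE), fingerprint(grown), drifted_layers(BASELINE, grown))
```

A recertification check built on this would store the full per-layer digests next to the 8-character label and diff those on every deploy.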
See your agent's blast radius.
Wire the SDK and the graph populates from your first trace.