M.I.N.I.O.N.S.
Agents that cross organizational boundaries.

L1 · Trust substrate

Everything above rests on four zero-trust primitives that every tenant runs locally: Identity (DIDs bound to SPIFFE workload certificates), Policy (Rego modules evaluated at admission), Audit Ledger (SHA-256 hash chain, tamper-evident across tenants), and Consensus (Raft quorum for cross-org decisions that must be durable and ordered).

No node trusts any other node's claims. Every assertion is cryptographically signed. Every cross-boundary action is written to a ledger whose root hash is gossiped to peers.

L2 · Coordination kernel

On top of trust sits a small coordination kernel. It is backed by Temporal, which means every cross-org workflow is deterministic and replayable.

• Planner — decomposes a goal into a DAG of sub-tasks annotated with capability requirements.
• Scheduler — picks nodes based on locality (data gravity), not just load.
• Allocator — enforces budget × SLA. A node that blows its token budget is cut off, not throttled.
• Arbiter — resolves conflicts between org policies. When Org β says “no PHI off-region” and Org α says “give me the chart,” the arbiter finds the intersection — evidence hashes, not raw records.
• Replayer — if any node crashes mid-workflow, the coordination kernel replays from the last checkpoint. The brain may be a different model on replay. The workflow does not care.

L3 · Federation fabric

This is the layer that makes MINIONS interesting. It is the only layer where nodes from different orgs talk to each other directly.

• Gossip mesh — libp2p with a DHT for node discovery. No central registry.
• Event bus — CRDT-replicated, so two orgs writing simultaneously converge without a leader.
• Capability grants — UCAN-style delegation tokens. “Org α grants Org β the right to read hypothesis H until T+24h, for workflow W.” Signed, scoped, expiring.
• Task market — tasks are published with their capability requirements. Nodes that can satisfy the caps bid. The arbiter assigns. Settlement writes to the ledger.

L4 · Organizational boundaries

The top layer is the whole point. Each org runs its own Lattice Runtime instance, with its own model configuration, its own budget caps, its own policy engine, its own audit root. A minion inside Org α knows it is in Org α and answers to Org α's policy first.

The fabric never asks an org to give up sovereignty. It asks them to expose a capability surface — the things they are willing to do on behalf of others, under what terms, with what evidence.

Capability tokens: the handshake

The handshake between two minions in different orgs is a capability token exchange. There is no session sharing, no credential passing, no shared database. Just a signed promise.

Read it top to bottom: Org α's root is granting Org β's triage minion read access to the hypothesis and write-only-as-hash access to the evidence slot, valid for 24 hours, proven by a chain back to a root capability. When Org β's minion writes, it writes a content hash, not the chart. Org α's ledger accepts the hash, not the record.

Nothing about this is novel on its own. UCAN, macaroons, and SPIFFE have been around for years. What is novel is wiring them into a managed agent runtime so that every agent action passes through a capability check before the model ever sees the tool call.

A scenario: three orgs, one hypothesis

Concrete is clearer than abstract. Here is one question that would take a month of lawyer-mediated data-sharing agreements in the current world, done in eight steps on MINIONS:

“Does the drug in our current Phase 2 trial have any known off-label use in markets where we do not hold patent rights?”

That question needs literature (Org α), chart review (Org β, because they have the cohort), and IP scanning (Org γ, because they have the patent database). None of them want to ship their raw data anywhere.

The important line in that log is the one on the right: no raw data crossed tenants. Org β's chart reader ran a local Ollama model on PHI that never left eu-west. Org γ's IP scan never exposed its patent database. What moved between orgs were capability tokens, content hashes, and signed attestations. The synthesizer in Org α got enough to write the report. The audit ledger got enough to prove, forever, who did what.

Why this is different from what exists today

Multi-agent frameworks are having a moment. Most of them stop where MINIONS starts.

• AutoGen, CrewAI, LangGraph — excellent single-tenant orchestration. Everyone runs in one process, under one identity, against one data store. Cross-org is out of scope.
• MCP servers — great for exposing a tool from one org to an agent in another. But the trust model is “you have the token.” There is no policy engine on the calling side, no capability scoping on the callee side, no federated audit.
• Agent2Agent protocols — in early draft. They define message shapes. MINIONS defines the four layers that have to exist for those messages to mean anything.

The gap is governance. The gap is auditability. The gap is sovereignty. And the gap is the whole reason a hospital, a lab, and a company cannot currently run one multi-agent workflow together without a data processing agreement and a six-month procurement cycle.

What this buys you

• Collaboration without merging. Three orgs answer one question in an afternoon. No shared cloud account. No DPAs for this specific query. The standing federation agreement already covers the capability envelope.
• Local data, global reasoning. PHI, IP, trade secrets, and personnel data stay on their home substrate. Only hashes, signatures, and model outputs cross. The brain gets enough to reason; the bytes stay put.
• Provable provenance. Every node action is signed. Every cross-org step is in a hash chain. Six months later, a regulator can walk the ledger and see exactly which minion read which capability at which timestamp.
• Crash recovery across tenants. If Org γ's synthesizer crashes mid-workflow, the replayer resumes from the last checkpoint — possibly on a different model, possibly in a different org. The workflow is a Temporal object. It does not care which minion finishes it.
• Refusal as a feature. Any node can refuse any task. Refusal writes to the ledger. This is not a bug; it is how policy gets enforced without a central broker that could be compromised.

What we are building

MINIONS is the research track on top of Lattice Runtime. The single-tenant runtime ships first — the brain, the session, the hands, the five governance gates. That is what you can star on GitHub today.

The federation fabric is what comes next. We are implementing it in layers, bottom up:

1. Trust substrate — DID + SPIFFE + Rego + SHA-256 ledger. Most of this already exists in the single-tenant runtime. The work is making the ledger root gossipable.
2. Coordination kernel — the Temporal coordination is there. The arbiter is new. Conflict resolution between org policies is the hard part and the interesting part.
3. Federation fabric — libp2p gossip, CRDT event bus, UCAN capability tokens, task market. This is the bulk of the new surface area.
4. Organizational topology primitives — hierarchies, committees, auctions, swarms. Once the fabric is there, topologies are a configuration.

The abstraction outlasts the provider. And the org.

Our last post ended on a claim: the abstraction outlasts the provider. That was about models.

MINIONS is the same claim, one layer up. The abstraction outlasts the org chart. When a research collaboration reorganizes, when a company gets acquired, when a partner leaves, the fabric does not care. Nodes come and go. Capability tokens expire. The ledger remembers. The next workflow uses whichever nodes are still healthy.

That is what we mean by independent nodes integrating across organizational network structures. It is a specification for agents that outlive the boundaries they were born inside.

Many brains. Many hands. Many orgs. One fabric.

Written by the Lattice Runtime team. View the full architecture →