I built a multi-agent system without governance. Here's the 3-layer stack I wish I'd had.
Source: Dev.to
The problem
You’ve built a multi‑agent system. It works: the orchestrator dispatches tasks to specialist agents, they call external APIs, and you ship it.
Three weeks later you discover that your payment agent:
- processed a $4,200 refund at 1:47 am on a Saturday with no approval;
- allowed a customer’s data to be accessed by an agent that shouldn’t have had that scope; and
- left you with zero logs to figure out what triggered any of it.
This isn’t a hypothetical. It’s the default outcome when agents are shipped without the three infrastructure layers that keep them safe in production.
Layer 1 – Operate: Conduit
Conduit replaces ad‑hoc scripts with a visual pipeline studio:
- Connect your MCP servers once, then build pipelines on a canvas.
- Real‑time execution logs for every step (latency, token cost, inputs, outputs).
- API keys are stored in an AES‑256 encrypted vault and decrypted only in memory.
- Pipeline configuration is stored centrally, not scattered across machines.
Practical difference – when a workflow breaks, open Conduit’s trace view instead of manually correlating logs across services. Every step appears in execution order.
Layer 2 – Trust: Codios
Codios gives each agent an Ed25519 identity (did:key) and issues signed contracts that define exactly what a caller may do on a callee.
# Issue a contract (server‑side)
contract = codios.contracts.issue(
caller_did=order_agent.did,
callee_did=payment_agent.did,
scopes=["payment:charge:max_10000usd"], # refund deliberately excluded
ttl_seconds=3600,
)# Verify a contract (agent‑side, no network call)
contract = verify_contract(
token=request.headers.get("X-Codios-Contract"),
required_scope="payment:charge",
platform_public_key=CODIOS_PUBLIC_KEY,
)- The scope limit is cryptographically bound – the payment agent cannot process a refund using this contract, regardless of the request body.
- Enforcement happens at verification time, not via a database lookup.
- Additional protections are automatic: replay attacks, mis‑configured agents, and unauthorized calls are blocked.
Layer 3 – Govern: A2A
Even with visibility (Conduit) and trust (Codios), you need a layer that monitors agent actions and intervenes when something looks wrong. A2A adds four modules:
- Distributed tracing – wrap any agent loop (≈5 lines). Every LLM call, tool invocation, and handoff becomes a span with timing and I/O.
- YAML rules – evaluated before actions execute (≤5 ms). Example: block payments over $50 K, flag agents reading PII, deny external HTTP calls without the proper scope.
- Human approval workflow – the agent creates an approval request, parks, and resumes asynchronously once a reviewer approves or rejects.
- Message scanning – every message reaching an LLM is scanned locally.
Message scanning – every message reaching an LLM is scanned locally
( $500? → [A2A Approval] → Human review → ✓ )
├─ Fulfillment Agent reads shipping address
│ └─ [A2A Firewall] scans for injection → ✓ → LLM call
└─ A2A Observe captures full trace of everything aboveComparison of the three layers
| Layer | Tool | What It Stops |
|---|---|---|
| Build / Operate | Conduit | Invisible pipelines, scattered config, no execution visibility |
| Trust | Codios | Unauthorized agent calls, replay attacks, scope creep |
| Govern | A2A | Runaway actions, missing audit trail, prompt injection |
You don’t need all three on day 1, but running agents in production without any of them leaves you one incident away from having to explain to your CTO why an agent did something it shouldn’t—with no logs to back you up.
Free‑tier availability
All three are available on free tiers:
- Conduit –
- Codios –
- A2A –
Happy to answer questions about implementation in the comments.