The operating system for autonomous agents.

Agents need more than scripts. They need a formally verified environment where they build and evolve their own capabilities.

Get Started Read the Paper

L0–L3Proof Cascade

CedarPolicy Engine

WASMSandboxed Integrations

The Vision

Agents Build Tools. Temper Makes Them Safe.

Agents are starting to synthesize tools at runtime. The infrastructure to make this safe is developing. Temper connects formal verification, Cedar authorization, and evolution feedback into one framework.

Tools	Stateless, ad-hoc synthesizers	Verified state machines that persist as specs
Security	Hardcoded, manual policies	Policies derived from behavioral intent
Growth	Failures are discarded logs	Unmet intents feed the evolution engine

Step 01 — The Spec

Declarative Intent.

Everything in Temper starts as a specification. Agents describe what they need — state machines, data models, and policies — and the kernel derives the runtime behavior.

If a transition is not in the spec, it cannot happen. If a policy is not in the store, it is denied. The kernel interprets intent directly.

automaton: Memory

state: archived

action: commit

invariant: valid

policy: bot_1

wasm: store

L0 — Z3 SMT Solving

L1 — Model Checking

L2 — DST Simulation

L3 — Property Testing

Step 02 — The Proof

Verification Cascade.

Before a spec is deployed, it must survive four levels of mathematical proof. We prove correctness across every possible execution trace.

The model checker verifies the actual Rust code that runs in production. If you can't prove it, you can't deploy it.

Step 03 — Mediation

Cedar Authorization.

Every action flows through a Cedar authorization engine. Temper operates on a default-deny posture. Access is never assumed.

Denied actions surface as pending decisions. Approve once, and Temper generates the policy that governs the agent forever.

DENY: Principal::"Agent_1"

Action "Access_DB" requested.
No permitted policy found.

TRAJECTORY

PATTERN

PROPOSAL

HOT-SWAP

Step 04 — Evolution

Closing the Loop.

Failures in Temper aren't errors — they are training data. Every denied action is recorded as a trajectory entry.

The Evolution Engine analyzes these patterns and proposes spec updates. You approve the verified fix, and the agent OS grows.

Multi-Agent

Verified Shared State.

Agents coordinate through a shared state layer queryable via OData. Every entity is a verified state machine, ensuring coordination remains safe.

Background executors claim tasks, agents spawn children with scoped permissions, and everyone operates on the same event-sourced truth.

SHARED STATE

PARENT

CHILD

EXEC

CHILD

Roadmap

Built Bottom-Up.

From the kernel to full agent execution.

L1-L2

Persistent State

Verified entities queryable via OData API. Event-sourced truth instead of JSON blobs.

L3-L4

WASM Connectivity

Streaming-capable integrations as sandboxed modules mediated by Cedar policy.

L5-L6

Agent Execution

Headless executors claiming agent entities. Spawning and shared-state orchestration.

The living harness is here.

Join us in building the next era of autonomous engineering.

Get Started on GitHub