dregg — Capability-Secure Distributed Runtime

Why dregg

Four things that are different here

1

Sovereignty spectrum. Your phone to cloud federation, fluid. Run sovereign (local state, peer-to-peer proofs), delegated (bounded-staleness snapshots), or replicated (full blocklace participation). Switch modes without migration.

2

Provable queues and storage. Merkle queues with attached DSL programs. Every enqueue/dequeue is validated in-circuit. Relay operators are bonded and erasure-coded. DFA-governed routing with constitutional amendments.

3

Trustless intent solving. Broadcast needs publicly. Evaluate matches privately (local Datalog, never leaves cipherclerk). Fulfill with a STARK proof. Ring trades settle multi-party cycles atomically without a coordinator.

4

Multi-chain bridges. Mina: Level 2 proof-carrying via Pickles recursion. EVM: SP1 sovereign cells, Groth16-wrapped STARKs at ~200k gas. Midnight: native ZKIR v3 compilation to Cardano settlement.

How It Works

Cells, turns, proofs

01 / Cells

Isolated objects with capability lists

Each cell holds a c-list (the capabilities it may exercise), balance, nonce, and optional programs. Cells are confined: they can only reference what is in their c-list.

02 / Turns

Atomic state transitions

A call forest executes depth-first. Multi-party turns compose across cells. If any action fails, everything rolls back. Promise pipelining via EventualRef eliminates round trips.

03 / Effect VM

24 effects, one STARK per turn

Transfer, seal, factory creation, CapTP handoff, queue operations — all proven in a single trace. BabyBear + FRI, sub-second generation, hash-based commitment, recursive verification via Pickles/Plonky3.

04 / Fabric

Emergent reference groups

The blocklace is one DAG. Groups form from mutual acknowledgment. Finality emerges from supermajority within a group. No fixed membership, no migration ceremonies.

Trusted Mode

Full cleartext token + Datalog trace. Same trust domain.

~8 us verification

Selective Disclosure

Chosen facts revealed + STARK proof. Cross-org, partial disclosure.

~2 ms verification

Fully Private

One bit (allow/deny) + STARK proof. Zero knowledge presentation.

~2 ms verification

CapTP

Capability transport across the fabric

sessions

Import/Export Tables

Swiss numbers as bearer secrets. Session state tracks live references between peers. Distributed GC via reference counting.

handoff

Three-Party Introduction

Alice introduces Bob to Carol via a signed HandoffCertificate. No global directory — all paths form through introductions.

sturdy

Persistent References

Sturdy refs survive session closure. Enliven a ref to get a live connection. Store-and-forward for partition-tolerant delivery (X25519-encrypted).

nameservice

Hierarchical Names

Rent-based anti-squatting. Sub-delegation (*.alice.* owned by alice). Cross-federation resolution via CapTP sessions to remote name services.

Applications

Built on the runtime

Full applications using sovereign cells, programmable queues, and the intent marketplace. Privacy by default — values are committed, orders are commit-reveal, identities use stealth addresses.

stablecoin

Stablecoin (CDP)

Collateralized debt positions with ZK liquidation proofs. Oracle integration, minimum collateralization enforced in-circuit.

amm

AMM + LP Tokens

Constant-product market maker with router, LP token minting, and pool management. All swaps proved.

orderbook

Privacy Orderbook

Commit-reveal trading with private orders. Verified matching engine, escrow settlement.

namespace

Governed Namespace

DFA-governed routing. Constitutional voting on route amendments. Capability service mesh with programmable directories.

identity

Anonymous Credentials

Issuer/holder/verifier. Selective disclosure, revocation, anonymous proof of attributes via ring membership.

compute

Compute Exchange

Marketplace for compute resources. Qualification proofs, auction mechanism, capability-gated access.

See all applications →

Privacy Stack

Defense in depth

Stealth Addresses

Ephemeral per-transaction CellIds. Unlinkable payments without coordination. Monero/EIP-5564 pattern.

Pedersen Commitments

Homomorphic value commitments. Amounts hidden but arithmetic verifiable (balance proofs, range proofs).

IT-PIR Discovery

2-server information-theoretic PIR. Query the intent pool without revealing which intents you are interested in.

Encrypted Turns

Turn payloads encrypted to specific recipients. The ordering service sees opaque blobs; only participants read content.

Ring Membership

BlindedMerklePoseidon2 proves issuer membership without revealing which issuer. Unlinkable multi-show via fresh presentation tags.

Sealer/Unsealer

X25519-ChaCha20Poly1305 with forward secrecy. Partition-tolerant offline capability transfer through untrusted channels.

Architecture

Layered design

Applications             Stablecoin | AMM | Orderbook | Namespace | Identity | Compute
  ────────────────────────────────────────────────────────────────────
CLI                      dregg cell | turn | cap | namespace | route | storage | cclerk
  ────────────────────────────────────────────────────────────────────
SDK                      AgentCipherclerk | AgentRuntime | HD keys | IT-PIR discovery
  ────────────────────────────────────────────────────────────────────
CapTP                    Sessions | Sturdy refs | Handoff | Distributed GC | Store-forward
  ────────────────────────────────────────────────────────────────────
Intent Engine            Gossip broadcast | Local Datalog match | Commit-reveal | Ring trades
  ────────────────────────────────────────────────────────────────────
Execution                Cells (sovereign | delegated | replicated) | Turns (atomic)
                         Effect VM (24 effects) | Factories | Pipeline composition
  ────────────────────────────────────────────────────────────────────
Storage                  Programmable queues | Relay operators | Inboxes | DFA routing
                         Erasure coding | Content-addressed (BLAKE3)
  ────────────────────────────────────────────────────────────────────
Proof                    Effect VM STARK (one per turn) | IVC compression
                         Plonky3 (BabyBear + FRI) | Recursive verifier
  ────────────────────────────────────────────────────────────────────
Fabric                   Blocklace (shared DAG) | Emergent reference groups
                         Supermajority finality | Causal ordering
  ────────────────────────────────────────────────────────────────────
Network                  QUIC (Quinn) | Plumtree gossip | Topic dissemination
  ────────────────────────────────────────────────────────────────────
Bridges                  Mina (Pickles L2) | EVM (SP1 sovereign cells) | Midnight (ZKIR v3)
  ────────────────────────────────────────────────────────────────────
Commitment               4-ary Merkle (BLAKE3 fast / Poseidon2 ZK) | Fold deltas
  ────────────────────────────────────────────────────────────────────
Policy                   Datalog (deny overrides allow) | Macaroon + Biscuit tokens

Core insight: The ordering service stores only nullifiers and attested roots. Agents carry their own state as proof chains. Between known parties, it is just signed proofs exchanged directly — no ordering service needed, no storage footprint, no permission required.

Use Cases

Where dregg fits

agents

AI Agent Fleets

Each agent is a sovereign cell carrying proof of authority. Delegate via attenuated capabilities. MCP server provides 15+ tools for AI assistant integration. No central authorization bottleneck.

privacy

Private Capability Exchange

Broadcast intents without revealing identity. Fulfill with a STARK proof that leaks nothing about the satisfier. IT-PIR prevents traffic analysis on queries.

defi

Privacy-Preserving DeFi

CDP stablecoin, AMM, privacy orderbook, lending — all built on capability-gated sovereign cells with programmable queue settlement.

sovereignty

Sovereign Operation

Your state lives on your machine. Interact peer-to-peer with signed proofs. Use the fabric for ordering when you need it. Leave with your full proof chain anytime.

bridge

Multi-Chain Settlement

Settle on Mina (recursive proofs), Ethereum/Base (SP1 Groth16), or Midnight (ZKIR v3). Same cells, same turns, different verification venues.

Scale

Real system, real proofs

~340k

Lines of Rust

44

Crates

3900+

Tests

24

Effect VM Opcodes

~38 KiB

Proof Size

<1s

Proof Generation

Get Started

Quick start

1

Build and run a node:

git clone https://github.com/emberian/dregg && cd dregg
cargo build
cargo run -p dregg-node run

2

Interact via CLI:

dregg cell list
dregg cell create --name my-agent
dregg cap grant <cell-id> --service storage --actions read
dregg namespace register alice --target <cell-id>
dregg intent post --spec '{"service": "compute", "action": "execute"}'

3

Or use the SDK directly:

use dregg_sdk::{AgentCipherclerk, Attenuation, VerificationMode, AuthRequest};

let mut cclerk = AgentCipherclerk::new();
let root = cclerk.mint_token(b"secret-key-material-32-bytes!!!!", "inventory");
let child = cclerk.attenuate(&root, &Attenuation {
    services: vec![("inventory".into(), "read".into())],
    max_ttl: Some(std::time::Duration::from_secs(3600)),
    ..Default::default()
}).unwrap();

// The verifier learns ONE BIT: authorized or not.
let req = AuthRequest { service: Some("inventory".into()),
                        action: Some("read".into()), ..Default::default() };
let proof = cclerk.authorize(&child, &req, VerificationMode::FullyPrivate).unwrap();

4

Run the full demo (federation + token + STARK + turn execution + intent solving):

cargo run -p dregg-demo-agent

Full tutorial · TypeScript SDK docs · Browser playground