Compliance-Native Orchestration
HIPAA-ready AI agents, orchestrated safely
Sandboxed agent orchestration for healthcare. Every action is policy-checked, cryptographically signed, and audit-logged. Deploy locally or to the cloud with one command.
✓ postgres healthy
✓ redis ready
✓ compliance agent started
✓ agent runner ready (3 agents)
→ task/analyze-patient submitted
✓ policy check passed
✓ audit log signed (Ed25519)
✓ task completed in 1.2s
Platform capabilities
Everything you need for compliant AI
Purpose-built for healthcare. Every layer enforces compliance so your agents can focus on care.
Sandboxed Agents
Each agent runs in its own Docker container with read-only filesystem, dropped capabilities, and memory limits.
Compliance Agent
Dedicated agent that documents all actions. SHA-256 hashed, Ed25519 signed, append-only audit logs.
Policy Engine
YAML-based policies define what each agent can access. Global floor with per-agent narrowing.
LangGraph Orchestration
Provable state-machine workflows. Every routing decision is auditable and deterministic.
A2A + MCP Protocols
Agent-to-Agent protocol for internal comms. Model Context Protocol for secure external tool calls.
OpenTelemetry
Distributed traces across the full request lifecycle. Debug locally, export to any backend in production.
Architecture
┌─────────────────────────────────┐
│           API Gateway           │  ← single entry point
├─────────────────────────────────┤
│     LangGraph Orchestrator      │
├──────────┬──────────┬───────────┤
│ Agent 1  │ Agent 2  │  Agent N  │  ← sandboxed
├──────────┴──────────┴───────────┤
│        Compliance Agent         │  ← audit + policy
└─────────────────────────────────┘
Security First
Defense in depth
All external traffic enters through a single API gateway. Agents have no host-exposed ports. The compliance agent operates with INSERT-only database access. Every state transition is cryptographically signed.
MCP calls from external tools require API key authentication plus optional HMAC-SHA256 signatures before reaching the orchestrator.
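One way the check on incoming MCP calls described above could look, as an added example that is not the project's own code. The header names, the canonical string that gets signed, the sample credentials and the `require_signature` switch are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample credentials: client id -> (API key, HMAC secret).
CLIENTS = {"tool-a": ("constructed-api-key-a", b"constructed-hmac-secret-a")}


def sign(secret: bytes, method: str, path: str, body: bytes) -> str:
    """Hex HMAC-SHA256 over method, path and body (assumed canonical form)."""
    msg = method.upper().encode() + b"\n" + path.encode() + b"\n" + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def check_mcp_call(headers, method, path, body, require_signature=False):
    """Return (allowed, reason); runs before a call reaches the orchestrator.

    X-Client-Id, X-Api-Key and X-Signature are hypothetical header names.
    """
    client = CLIENTS.get(headers.get("X-Client-Id", ""))
    if client is None:
        return False, "unknown client"
    api_key, secret = client
    # compare_digest does not leak how many leading characters matched.
    presented = headers.get("X-Api-Key", "").encode()
    if not hmac.compare_digest(presented, api_key.encode()):
        return False, "bad api key"
    sig = headers.get("X-Signature")
    if sig is None:
        # An unsigned call passes only when signatures are not required;
        # otherwise dropping the header would skip the integrity check.
        if require_signature:
            return False, "signature required"
        return True, "api key only"
    # A signature that is present must verify, even when it is optional.
    expected = sign(secret, method, path, body)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False, "bad signature"
    return True, "api key + signature"
```
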
How it works
From deployment to audit
Deploy
Run docker compose up. The init container generates Ed25519 keys, runs migrations, and seeds default policies.
Discover
The agent runner auto-discovers all agent plugins, loads their LangGraph workflows, and registers them with the orchestrator.
Submit
Send a task through the API gateway. The orchestrator routes it to the right agent based on skill matching.
Execute
The agent processes the task inside its sandboxed container. No direct external access — everything goes through the orchestrator.
Audit
The compliance agent logs every action with SHA-256 hashes and Ed25519 signatures. Tamper-evident by design.
Verify
Query the audit trail anytime. Verify signature integrity, inspect policy decisions, and export compliance reports.
Ready to deploy?
Fork the repo, configure your agents, and run in minutes.