Inspiration
Dotto started with a single news cycle: an autonomous agent called Bankrbot drained a treasury after following instructions embedded inside a social media quote it had retrieved. The model wasn't broken. The agent did exactly what it was told. What was missing was the layer in between — something that asks, "who actually authorized this, and can you prove it to an outsider?" As we looked closer, we realized the same gap exists everywhere agents touch irreversible actions: refunds, production deploys, A2A calls, customs holds, payouts. Sigstore and Rekor cover software supply chains. Okta covers human identity. Nobody owns the runtime authorization layer for AI actions, and nobody produces a human-readable, externally verifiable artifact for what an agent was permitted to do. That hole is what we built Dotto to fill.
What it does
Dotto is an AI Action Authorization System — a runtime gate that sits between agents and high-stakes actions and turns every decision into a signed, human-readable, externally witnessed receipt. Agents propose actions in natural language; Dotto's planner decomposes them into typed capability calls; the policy engine runs deterministic change detection and risk evaluation; low-risk actions are auto-authorized, high-risk actions are escalated to a human queue, and every outcome — blocked, authorized, or escalated — is anchored to a public Hedera ledger topic so insurers, auditors, and counterparties can verify it without trusting our runtime. The product ships with a Command Center for live queue monitoring, an Agent Sandbox for replaying attacks, a Receipt Ledger as the system of record, and a Policy Editor where rules are written in plain English and versioned. Out of the box it covers four domains: financial transfers (provenance-based blocking), agent-to-agent (JWT scope verification), build attestation (SLSA/Sigstore complement), and supply chain (compliance holds).
How we built it
We built Dotto on MeDo as a full-stack no-code AI app, which let us move from problem statement to a working multi-surface product in a hackathon weekend. The core architecture has four layers: a planner that turns natural language into structured capability calls with provenance metadata; a deterministic policy engine that runs a small DSL (if [field] [operator] [value] → [action]) against a diff of the world before and after the proposed action; an escalation queue that routes anything unmatched to a human approver with full context; and a receipt service that signs every decision, writes an HMAC-tested record, and anchors a hash to the Hedera Consensus Service on testnet topic 0.0.7224074. The policy primitives — value.usd_equivalent, source_of_instruction, recipient.is_first_time, velocity.last_24h, asset.risk_class, calling_agent.scope, slsa_level, human_approver — are the building blocks customers compose to express their own risk appetite. The Command Center, Sandbox, Receipt Ledger, and Policy Editor are all wired to the same engine, so a rule change in the editor instantly changes behavior in the sandbox.
Challenges we ran into
The hardest problem was positioning, not engineering. Every adjacent category — guardrails, agent frameworks, supply-chain attestation, IAM — has a story about why they should own this layer, and our first three drafts of Dotto sounded like a feature of one of them. We had to find a primitive that was genuinely new: the provenance-aware semantic receipt, anchored externally, human-readable, valid across organizations. Technically, the toughest piece was making change detection deterministic enough that the same proposed action always produces the same decision and the same receipt hash — auditors will not accept a non-deterministic policy engine. We also wrestled with how to surface escalations without turning the UI into a Jira clone; the Support Queue and Shipment Queue cards on the Command Center went through four iterations before we landed on the AUTHORIZED / BLOCKED — Awaiting Authorization split with inline proposed-action context. And anchoring to Hedera in a hackathon timeframe meant carefully scoping what goes on-chain (a hash and topic sequence) versus what stays in the receipt body.
Accomplishments that we're proud of
We shipped a working, end-to-end agent authorization platform with a live public-ledger anchor in a hackathon. The Bankrbot replay is the moment we're proudest of: a judge can click one chip, watch the planner expose source_of_instruction: social_quote, watch the policy engine block in 804 milliseconds, and then open the Receipt Ledger and see the corresponding cryptographic receipt anchored to Hedera testnet sequence 134, downloadable and verifiable. That's a fully closed loop — proposal, evaluation, decision, proof — and it works for financial transfers, A2A scope mismatches, and production release approvals from the same engine. We're also proud that the Policy Editor is not a mock: five functional rules are parsed and executed live by the same engine the sandbox uses, so the product is genuinely composable rather than a scripted demo.
What we learned
We learned that the interesting primitive in agent safety is provenance, not amount. The Bankrbot defense rule — if value > 0 AND source_of_instruction != direct_user_session → block — doesn't mention dollars; it mentions where the instruction came from. That reframing changed how we designed the entire policy language. We learned that deterministic change detection is the unlock for auditability: the moment your decisions are reproducible diffs over state, you can sign them, anchor them, and let outsiders verify them. We learned that a horizontal control plane only works if every vertical (finance, A2A, build, supply chain) shares the same receipt schema — otherwise you're building four products. And we learned how much narrative matters: the same engine, framed as "guardrails," sounds like a feature; framed as "the authorization layer that produces the artifact your insurer requires," it sounds like infrastructure.
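An added example, not Dotto's own code, of the rule shape described under "How we built it" and the Bankrbot defense rule above: a first-match evaluator over if [field] [operator] [value] → [action] rules, plus a canonical receipt whose hash is identical for identical proposals. The small-direct rule and its 100 USD threshold, the receipt field names, reading the rule's `value` as the `value.usd_equivalent` primitive, and HMAC-SHA256 as the signature are assumptions.

```python
import hashlib, hmac, json, operator

OPS = {">": operator.gt, "<": operator.lt, "==": operator.eq, "!=": operator.ne}

# Rules in the page's "if [field] [operator] [value] -> [action]" shape.
# "bankrbot-defense" is the rule quoted in the text, with `value` read as the
# value.usd_equivalent primitive (assumption). "small-direct" and its 100 USD
# threshold are hypothetical.
RULES = [
    {"id": "bankrbot-defense", "action": "block",
     "when": [("value.usd_equivalent", ">", 0),
              ("source_of_instruction", "!=", "direct_user_session")]},
    {"id": "small-direct", "action": "authorize",
     "when": [("source_of_instruction", "==", "direct_user_session"),
              ("value.usd_equivalent", "<", 100)]},
]

def holds(proposal, field, op, value):
    """A missing or mistyped field never satisfies a condition."""
    try:
        return field in proposal and OPS[op](proposal[field], value)
    except TypeError:
        return False

def evaluate(proposal, rules=RULES):
    """First matching rule wins; anything unmatched goes to the human queue."""
    for rule in rules:
        if all(holds(proposal, *cond) for cond in rule["when"]):
            return rule["action"], rule["id"]
    return "escalate", None

def canonical(body):
    # Sorted keys and fixed separators: equal content gives equal bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def make_receipt(proposal, policy_version, key):
    decision, rule_id = evaluate(proposal)
    # No timestamp or nonce in the hashed body, so a replay reproduces the hash.
    body = {"proposal": proposal, "decision": decision,
            "rule": rule_id, "policy_version": policy_version}
    data = canonical(body)
    return {"body": body,
            "hash": hashlib.sha256(data).hexdigest(),  # digest to anchor
            "hmac": hmac.new(key, data, hashlib.sha256).hexdigest()}

def verify_receipt(receipt, key):
    data = canonical(receipt["body"])
    tag = hmac.new(key, data, hashlib.sha256).hexdigest()
    return (hmac.compare_digest(tag, receipt["hmac"])
            and hashlib.sha256(data).hexdigest() == receipt["hash"])
```

Because HMAC is symmetric, only the SHA-256 digest is something an outside party can recompute from the receipt body without the key.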
What's next for Dotto
Three tracks. First, design partners: we're targeting three fintechs and one marketplace doing agent-initiated payouts or refunds, because that's where prevented loss has the cleanest dollar value and where insurers are already asking the question. Second, integrations: SDKs for LangChain, CrewAI, and Bedrock Agents so Dotto can be dropped in front of an existing agent runtime in under an hour, plus a webhook gateway for arbitrary tool calls. Third, the standard: we want the Dotto receipt format to become the way agent actions are attested across organizations, the same way SLSA became the standard for build provenance. That means publishing the schema, open-sourcing the verifier, working with one cyber-insurance carrier to price policies against it, and moving the anchor from Hedera testnet to mainnet with optional private-ledger backends for enterprises that need them. Longer term, Dotto becomes the layer every agent action passes through — and the receipt becomes the artifact every regulator, insurer, and counterparty expects to see.
Built With
- hedera
- medo