The state of open-source Agent frameworks in 2026: Hermes, LangGraph, and what we picked

If you are building a multi-tenant Agent runtime for biopharma in 2026, your framework decision matters more than your model decision. Models change every quarter. Frameworks define your tenant-isolation, audit-trail, Skills-interop, and scaling story for years.

We evaluated 8 candidates before picking one to fork as the foundation of inCore. This post is the honest write-up of that decision — what we looked at, what we picked, why, and what we would change if we did it again.

TL;DR: We forked Hermes Agent (Nous Research, MIT license) and added a 21 CFR Part 11 audit layer, multi-tenant isolation, and IBS integration. We rejected LangGraph for the multi-tenant story, Dify for the license, and a custom build for the maintenance cost.

The decision criteria

The eight criteria we used, weighted by what biopharma SaaS actually demands:

1. License compatibility (must allow SaaS resale without per-customer license fees)
2. Multi-tenancy primitives (built-in vs bolted-on)
3. Long-running workflow support (CMC processes run for weeks, not seconds)
4. Audit trail granularity (21 CFR Part 11 is non-negotiable)
5. Skills / tools interop (the agentskills.io standard matters)
6. Production maturity (battle-tested vs research prototype)
7. Active maintainer community (the upstream needs to keep moving)
8. Code quality (we will be reading this code for years)

The candidates we looked at

LangGraph (LangChain Inc · MIT)

• Strengths: mature, large community, good docs.
• Weaknesses: multi-tenant story is bolted-on, not architectural. Long-running workflows require Postgres state-store wiring that gets fiddly. Audit trail is logger output, not first-class.
• Verdict: Excellent for in-application agent workflows; less excellent for a multi-tenant runtime that wants to host 100+ tenants.

Hermes Agent (Nous Research · MIT)

• Strengths: multi-tenant primitives are architectural. Long-running workflow integration is first-class (delegates to Temporal). Code quality is excellent. License is permissive.
• Weaknesses: smaller community than LangGraph. Some integration patterns (custom LLM gateways, region-aware routing) require fork-and-patch.
• Verdict: the right starting point for a multi-tenant runtime. The fork-and-patch was the price of admission.

Dify (open-source · Apache 2.0 + commercial addenda)

• Strengths: turnkey hosting, prebuilt UI, model-router included.
• Weaknesses: commercial addenda on the license — multi-tenant SaaS resale requires negotiation. The architecture targets "ChatGPT-clone" use cases, not long-running biopharma workflows.
• Verdict: good for internal demos at biotech startups. Wrong starting point for a regulated SaaS platform.

FastGPT (open-source · Apache 2.0 + addenda)

• Verdict: same trade-offs as Dify. Same license concern. Rejected for the same reason.

n8n (Sustainable Use License)

• Verdict: the license explicitly restricts SaaS resale. Wrong starting point.

Custom build (no framework)

• Strengths: total control.
• Weaknesses: every framework's pain points become your pain points, but you also do not get any of their fixes. We estimated 12-18 person-months to reach feature parity with Hermes for the multi-tenant primitives alone.
• Verdict: rejected on maintenance cost. We would still be writing the audit-trail abstraction.

CrewAI

• Verdict: great for autonomous-agent demos. Not designed for human-in-the-loop long-running workflows with audit obligations.

Microsoft AutoGen

• Verdict: strong research framework. Production maturity for multi-tenant biopharma SaaS is not there yet.

Why Hermes won

Three specific features:

1. Profile abstraction — Hermes's tenant isolation is built around the Profile, which carries Memory, Skills, and tools. Per-tenant Profiles with strict isolation became the foundation of our multi-tenant story without us having to invent it.

2. First-class Temporal integration — biopharma processes run for weeks. The Hermes-Temporal handoff was already wired. We add 21 CFR Part 11 audit hooks; Temporal stores the rest.

3. agentskills.io alignment — Hermes already aligned to the emerging agentskills.io Skill manifest standard. That means a Skill written for inCore works in Claude Code, Cursor, and any other agentskills.io-compatible runtime. We benefit from the broader ecosystem.

What we forked / added

The four things we put on top of upstream Hermes:

1. 21 CFR Part 11 audit layer — every Agent action, every Skill invocation, every tool call gets a tamper-evident audit record. Temporal stores it; our middleware enforces it.
2. IBS integration — IBS is the accounts / billing / audit system used by Inscinstech and its enterprise customers. inCore speaks to it natively.
3. Region-aware LLM routing — customer data in CN must stay in CN. The Hermes LLM gateway abstraction made this a 200-line addition; the architecture already supported it.
4. Multi-tenant K8s namespace projection — every customer gets a dedicated namespace. The Hermes Profile maps 1:1 to a namespace at deployment time.

We sync upstream PRs quarterly. We have not had to maintain a long-running fork — most of our additions live in our own modules, not in upstream files.

What we would change if we did it again

Two things:

1. Start with the audit layer. We added 21 CFR Part 11 audit hooks after we had a working Agent runtime. Retrofitting was harder than starting from "every action is audited from line 1."

2. Region-aware routing as a first-class config. We treated it as an add-on. It should have been a config dimension from day one.

The license-disclosure side of this

Hermes is MIT. Our fork is also MIT for the parts we inherited; our additions (audit layer, IBS integration, multi-tenant projection) are Inscinstech-proprietary closed source. We retain upstream LICENSE and NOTICE files; we are publicly transparent about the fork relationship.

Full disclosure: /security/open-source.

What this means if you are also choosing

If you are evaluating Agent frameworks in 2026 for a similar use case, three pieces of advice:

1. License first. Some great frameworks have addenda you cannot live with for SaaS resale. Read the license before you read the docs.
2. Multi-tenancy is architectural, not bolted-on. Either the framework was designed for it or it was not. You will not retrofit it cleanly.
3. Pick a framework with a Temporal-style backbone if your workflows last longer than 5 minutes. CMC workflows last weeks. You cannot run those in-process.

We are happy to talk to teams making the same decision — reach out. The biopharma-specific lessons are not in the framework docs.