Eight independent layers of protection and accountability. Seven layers prevent unauthorized actions, data exposure, governance failures, and delegation drift. The eighth proves what the other seven did — years later, offline, even if H33 disappears.
An audit log answers what happened. Agent-008 answers why it was allowed to happen — and proves it.
Every modern AI stack can tell you what an agent did. None of them — until now — could tell you, in a single verifiable artifact, why the agent was authorized to do it.
Agent-008 emits a Provable Authority Package with every action. The PAP carries the certified Root, the policy hash, the Read Attestation, the Delegation Capsule, the secret handle reference, the freshness window, the lifecycle state, and a citation to the original human sentence that authorized the work. A third party can re-derive every binding and reach the same accept-or-deny verdict the runtime reached.
The Category
Not an agent framework. Not an observability tool.
Agent-008 is the governance substrate that sits underneath whatever framework you already use.
| Layer | Frameworks (LangChain, CrewAI…) | Observability (LangSmith, Helicone…) | Agent-008 |
| --- | --- | --- | --- |
| Their job | Compose tools, prompts, retries. | Capture traces, tokens, latency. | Gate every action on certified authority. |
| Question answered | How does the agent run? | What did the agent do? | Why was the agent allowed to do it? |
| Where it sits | Inside the agent process. | Alongside the agent process. | In front of it. The gate fires before the action. |
| Output | Code that runs. | Audit log of what happened. | PAP — independently verifiable. |
Frameworks let you build agents. Observability tools let you watch them. Agent-008 is the third leg: the substrate that decides whether they are allowed to act, on whose authority, and against what evidence. Composes with everything — replaces nothing.
Brutal Honesty
What Agent-008 is not.
Five things we will not claim. The market is full of products that quietly do.
Not an agent jailbreak detector. We do not classify prompts. Authority lives in cryptography, not in heuristics.
Not a vendor “trust score”. There is no opaque number. Every gate cites a re-derivable hash and an instruction.
Not an LLM that judges agents. No model is in the loop. The runtime gate is deterministic, replayable, and signed.
An audit log is the agent telling you what it did. A PAP is the substrate telling you why it was allowed to do it, with every binding cryptographically verifiable against a Root, policy, and attestation the agent did not control.
The Architecture · Agent-008
Eight layers of protection and accountability.
Seven layers prevent. One layer proves. The number is the count, not the label.
The evidence layer. Turns every control the first seven layers run into something independently verifiable years later. PAP, NAP, signed receipts, and replay all live here.
Artifact and package verification. An agent's "I downloaded X" cannot become "I executed X" without an offline ZK proof that X matches an approved fingerprint. Agentic-malware prevention — prevention, not detection.
The lifecycle
Before Action: Root, Upstream, H33-Key, TFHE, Agent-Zero
During Action: Q-Sign, ZK-Verify
After Action: H33-74
PAP · NAP · Verification · Replay · Portable proof
Why Layer 8 is the capstone
PAP: What happened?
NAP: What was prevented?
Replay: Show me exactly why.
For auditors, insurers, boards, regulators, and incident response, replay is arguably more valuable than the receipt itself. The seven preventive layers stop the action. The capstone proves what they did, six months or six years later, even if H33 disappears.
The Runtime Gate · Four Evaluators
Each evaluator answers an auditor's question.
All four must return true. Any one false → the agent does not act, and the substrate emits a SecretDenied receipt naming exactly which one.
Evaluator 1 · Read Attestation: Has the agent cryptographically read this Root? deny → no_read_attestation
Evaluator 2 · Delegation Capsule: Was authority-to-use delegated, in-scope, and not yet exhausted? deny → capsule_invalid
Evaluator 3 · Activation: Is the Root + Terminal + Agent triple in the Activated state? deny → not_activated
Evaluator 4 · Freshness: Is the acknowledged Root version still the latest?
Every denial names the specific evaluator that failed. No silent reject. No silent allow.
12 Audit Questions · One Artifact
Every PAP answers all twelve.
An auditor opens the PAP. Every question maps to a field. Every field is independently re-derivable.
01 · Who authorized this action? intent_hash + signed sentence.
02 · Under what Root did they authorize it? root_hash + version.
03 · What policy bound the action? policy_hash (Q-Sign).
04 · Which agent took the action? terminal_cert_hash.
05 · Did the agent read its authorities? read_attestation_id.
06 · Was authority delegated narrowly? delegation_capsule_id + scope.
07 · Was the secret bound to the chain? handle_id + purpose.
08 · Was the Root still fresh? acknowledged_root_version = latest.
09 · Was the Root lifecycle compliant? lifecycle_state = active.
10 · Within the time window? window_open_at ≤ now < window_close_at.
11 · Was there an unresolved conflict? conflict_resolution_id if any.
12 · What was the exact verdict? verdict + reason_code.
The Artifact
A Provable Authority Package — on the wire.
A third party reads the PAP, re-derives the bindings, and reaches the same verdict the runtime did. Verifiable years later, even if H33 disappears.
{
  "verdict": "allowed",
  "verification_level": "aggregate_v1",
  "intent_hash": "<hash of the signed human sentence>",
  "intent_citation": "Review invoices up to $25,000 and escalate anything larger",
  "root_hash": "<certified Root identifier>",
  "policy_hash": "<Q-Sign policy hash>",
  "acknowledged_root_version": 7,
  "latest_root_version": 7,
  "lifecycle_state": "active",
  "terminal_cert_hash": "<the agent's TerminalCertificate>",
  "read_attestation_id": "<H33-Attest registry id>",
  "delegation_capsule_id": "<substrate-emitted capsule id>",
  "window_open_at": 1781530000000,
  "window_close_at": 1781616400000,
  "secret_refs": [
    { "name": "STRIPE_SECRET",
      "handle_id": "<h33-key handle id>",
      "purpose": "invoice_payment" }
  ],
  "conflict_resolution_id": null,
  "reason_code": "all_evaluators_satisfied"
}
Every field is a binding. Every binding is independently re-derivable. No field is a self-assertion; each one is verifiable against a substrate the agent did not control.
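The field-level conditions from the twelve questions, as an added example that is not Agent-008 code: it re-checks only the non-cryptographic conditions the page states (version equality, lifecycle state, time window, handle-only secret refs) at a chosen replay time. Hash and signature bindings are not re-derived because the page does not give their formats; the problem labels, function name and sample values are constructed for this example.

```python
import json

# Constructed sample in the shape shown above; "<constructed>" strings are placeholders.
SAMPLE_PAP = json.loads("""{
  "verdict": "allowed", "reason_code": "all_evaluators_satisfied",
  "intent_hash": "<constructed>", "root_hash": "<constructed>",
  "intent_citation": "Review invoices up to $25,000 and escalate anything larger",
  "policy_hash": "<constructed>", "terminal_cert_hash": "<constructed>",
  "read_attestation_id": "<constructed>", "delegation_capsule_id": "<constructed>",
  "acknowledged_root_version": 7, "latest_root_version": 7,
  "lifecycle_state": "active",
  "window_open_at": 1781530000000, "window_close_at": 1781616400000,
  "secret_refs": [{"name": "STRIPE_SECRET", "handle_id": "<constructed>",
                   "purpose": "invoice_payment"}],
  "conflict_resolution_id": null
}""")

# Fields the twelve audit questions map to (conflict_resolution_id may be null).
REQUIRED = (
    "verdict", "reason_code", "intent_hash", "intent_citation", "root_hash",
    "policy_hash", "terminal_cert_hash", "read_attestation_id",
    "delegation_capsule_id", "acknowledged_root_version", "latest_root_version",
    "lifecycle_state", "window_open_at", "window_close_at", "secret_refs",
)

def check_pap(pap, at_ms):
    """Return labels of failed checks for a PAP claiming 'allowed' at time at_ms."""
    problems = [f"missing:{k}" for k in REQUIRED if pap.get(k) in (None, "")]
    if problems:
        return problems
    if pap["verdict"] != "allowed":
        problems.append("verdict_not_allowed")
    if pap["acknowledged_root_version"] != pap["latest_root_version"]:
        problems.append("stale_root_version")        # question 08
    if pap["lifecycle_state"] != "active":
        problems.append("lifecycle_not_active")      # question 09
    if not pap["window_open_at"] <= at_ms < pap["window_close_at"]:
        problems.append("outside_window")            # question 10
    for ref in pap["secret_refs"]:
        if not ref.get("handle_id") or not ref.get("purpose"):
            problems.append(f"unbound_secret:{ref.get('name')}")  # question 07
        if "value" in ref:  # a response is stated to carry no value field
            problems.append(f"value_field_present:{ref.get('name')}")
    return problems
```

An empty list means the stated field conditions hold at `at_ms`; it says nothing about whether the hashes and attestations themselves verify.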
Risk → Control → Proof
Every claim is a row.
The risk the buyer is exposed to. The control Agent-008 provides. The proof an auditor can independently re-derive.
| Risk | Control | Proof |
| --- | --- | --- |
| Agent acts on an instruction that was never authorized by a human. | Runtime gate denies any action whose request cannot cite a certified Root tracing back to a signed human instruction. | PAP carries the intent_hash + root_hash + the original human sentence. Re-derivable by anyone with the public Root chain. |
| Agent uses a credential it should never have seen. | Every secret reference is an h33key handle bound to Root + Terminal + purpose. Raw bytes never enter the agent process. H33-Key enforces the gate. | PAP cites handle_id + policy_hash. SecretUsed receipt re-verifiable against H33-Key pubkeys. |
| Authority drifts — the agent acts on a Root that has been refreshed, superseded, or revoked. | Authority Freshness rule: latest_root_version > acknowledged_root_version → deny. Lifecycle Compliance gate denies any action on a retired or revoked Root. | PAP carries acknowledged_root_version + latest_root_version + lifecycle state. Replayable on any future date. |
| Agent claims it read its authorities but cannot prove it. | Read Attestation Registry: the agent must have cryptographically signed an attestation under its TerminalCertificate-bound key before the gate flips to allowed. | PAP cites read_attestation_id. Independently re-verifiable via the H33-Attest aggregate_v1 verifier. |
| Two Roots authorize incompatible actions and the substrate hides the conflict. | Pre-Cert Conflict Scan + runtime Conflict Capsule: the substrate preserves how the org resolved the conflict, not which side won. | PAP cites conflict_resolution_id. Resolution Record is a first-class artifact. |
Install
One binary. Three commands.
Standalone Rust crate. No daemon. No service. No cloud handshake.
Step 1 · Install
$ curl -fsSL https://h33.ai/install/agent-008 | sh
Step 2 · Define the request
# invoice-agent.json -- the request the agent will run under.
# Raw secrets NEVER appear here. Handles only.
{
  "name": "invoice-agent",
  "purpose": "invoice_payment",
  "secret_refs": [
    { "name": "STRIPE_SECRET",
      "value": "h33k_01J6...HCN9",
      "purpose": "invoice_payment" }
  ]
}
Step 3 · Run through the gate
$ agent-008 run --request ./invoice-agent.json --pretty
0 → action allowed (PAP on stdout)
3 → action denied (denial_reason on response)
1 → I/O or parse error
Anti-leak guarantee
Raw secret values are rejected at the gate — plaintext_value_rejected. No exceptions.
The denial_reason names only the SecretRef field name, never the offending value.
Response JSON has no value field at the type level — structural, not opt-in.
Anti-leak integration tests assert the raw marker string never appears in stdout, stderr, the response, the journal, the receipts, or filenames.
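One way to wrap a tool call behind the gate, as an added example that is not part of Agent-008: it lints the request for non-handle values before spawning the binary, then maps the exit codes listed in Step 3. It assumes the request file is plain JSON and that the denied response is JSON on stdout; the function names and the `binary` parameter are this example's own.

```python
import json
import subprocess

HANDLE_PREFIX = "h33k_"  # handle form shown on the page: h33k_<id>

def raw_value_fields(request):
    """Names of secret_refs whose value is not a handle; names only, never values."""
    return [ref.get("name", "?") for ref in request.get("secret_refs", [])
            if not str(ref.get("value", "")).startswith(HANDLE_PREFIX)]

def run_gated(request_path, binary=("agent-008",)):
    """Lint the request, run it through the gate, and map the documented exit codes."""
    with open(request_path, encoding="utf-8") as fh:
        bad = raw_value_fields(json.load(fh))
    if bad:
        # Stop here so a request carrying a raw value is never handed to a child process.
        return {"allowed": False, "stage": "preflight", "fields": bad}
    proc = subprocess.run([*binary, "run", "--request", request_path, "--pretty"],
                          capture_output=True, text=True, check=False)
    if proc.returncode == 0:   # action allowed, PAP on stdout
        return {"allowed": True, "pap": json.loads(proc.stdout)}
    if proc.returncode == 3:   # action denied; assumption: response JSON is on stdout
        return {"allowed": False, "stage": "gate", "response": json.loads(proc.stdout)}
    raise RuntimeError(f"agent-008 I/O or parse error (exit {proc.returncode})")
```

The caller performs the tool call only when `allowed` is true and stores the returned PAP alongside its trace.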
v0 Build Order
Five stages shipped. One held for review.
Stages A through E are on main as of 2026-06-17 — standalone Rust crate, full test suite, anti-leak verified at every layer. Stage F (the loopback HTTP front) is held pending a dedicated network-surface review.
✓ H33-Root — substrate gate with per-condition trace; "authority survives, time qualification dies"
Coming next
□ Root lineage verification at the agent-008 runtime gate
□ Authority Freshness enforcement (acknowledged Root version = latest)
□ aggregate_v1 — the full eight-layer verdict
□ Loopback HTTP front at 127.0.0.1:8777 (Stage F) — pending network-surface review
A · Refs-only · SHIPPED
Accept h33k_<id> refs. Reject any raw value at the type boundary. Response echoes refs only.
B · Auto-capture · SHIPPED
Raw secrets in env are routed through H33-Key, rewritten internally, zeroized, and the SecretCaptured receipts cited on the PAP.
C · Resolve at the execution boundary · SHIPPED
h33k handles resolve against the local capture vault, plaintexts inject into the child's env block, parent zeroizes after spawn. Raw bytes never appear on argv or in shell history.
D · SecretUsed cross-bind to Read Attestations · SHIPPED
Every run mints + signs + persists a Read Attestation (Delivered → Read → Acknowledged → Activated). The PAP cites read_attestation_ids[]; verification_level reports stage_d_attest_bound. aggregate_v1 lands when the Root runtime gate wires in.
E · SecretDenied receipts · revocation · reason codes · SHIPPED
Seven enumerated denial reasons, each a separately-signed receipt. agent-008 revoke marks a captured secret revoked; the next exec fires handle_revoked with a signed receipt. Authorized request → PASS. Unauthorized request → DENIED.
F · HTTP serve at 127.0.0.1:8777 · REVIEW
Loopback-only HTTP front. Branch is green; held pending a dedicated network-surface review (threat review, rate limits, body-size limits, malformed-body fuzzing, response leak audit).
Verification level reports honestly. stage_d_attest_bound today; aggregate_v1 when Root lineage verification wires into the runtime gate. Not a fake green check.
Buyer Scenarios
Three different teams. One substrate.
The substrate is uniform; the governance question is industry-specific.
Finance Operations
Pay an invoice. Prove it was allowed.
An agent calls Stripe with a handle, not a key. The PAP cites the certified Root, the policy that capped the amount, and the original CFO instruction. If the amount exceeds the cap, the gate denies and emits SecretDenied with over_amount_cap.
Clinical Workflow
Route a result. Prove the routing authority.
An agent routes a lab result to the patient's chart. The PAP cites the certified Root (signed by the Medical Director), the policy (HIPAA scope binding), and the Read Attestation proving the agent acknowledged the routing Root before acting.
Defensive IGA
Grant access. Prove the chain.
An agent provisions a role. The PAP cites the Root, the delegation capsule, and the Q-Sign policy. When the role is later revoked, every PAP emitted after the revocation effective_at is independently invalid — replayable against the registry.
Composes With Everything
Bring your stack. Agent-008 wraps it.
No SDK lock-in. The contract is a JSON request and a JSON PAP. Anything that can spawn a process can pass through the gate.
Agent Frameworks
LangChain, LangGraph, CrewAI, AutoGen, OpenAI Assistants, Anthropic tool-use, Bedrock Agents. Wrap the tool-call execution; the framework keeps its planner.
Secret Stores
1Password, Bitwarden, HashiCorp Vault, AWS Secrets Manager, Doppler, GCP Secret Manager. H33-Key pulls through them on first use; bytes never leave the vault unmediated.
Observability
LangSmith, Helicone, Datadog, Honeycomb, OpenTelemetry. The PAP travels alongside the trace as structured metadata; the trace shows what; the PAP shows why.
CI / Runtime
Linux, macOS, GitHub Actions, GitLab CI, Kubernetes. Single static Rust binary. Same exit codes everywhere.
FAQ
Hard questions, direct answers.
What does Agent-008 govern that an audit log does not?
An audit log answers what happened. Agent-008 answers why the agent was allowed to act. Every agent action carries a PAP that cites the original human instruction, the certified Root, the policy that authorized it, the secret handle that bound it, and the attestation that proves the agent had read its authorities. That is governance, not logging.
What are the eight layers of Agent-008?
Eight independent layers of protection and accountability. Seven prevent: H33-Root (authority + intent), H33-Upstream (provenance), Agent-Zero (privacy-preserving operations), H33-Key (secret protection), TFHE (encrypted computation), Q-Sign (delegation governance), ZK-Verify (artifact verification). One proves: H33-74 — Layer 8 is the capstone, hosting PAP, NAP, verification, and replay. It turns every control the first seven run into something independently verifiable years later.
Can I run Agent-008 from the terminal?
Yes. Agent-008 ships as a standalone Rust binary alongside h33-key and h33-attest. The terminal contract is agent-008 run --request <path>. An HTTP serve mode at 127.0.0.1:8777 lands when the integration with the runtime substrate completes.
Where is the demo?
The Agent-008 eight-layer storyboard runs at /demo/agent-008/. It walks the seven preventive layers and the H33-74 capstone, ending on the moment replay proves what the gate did.
Does Agent-008 send my code or secrets anywhere?
No. The binary runs locally. Handles resolve locally. The gate is evaluated locally. The PAP is emitted locally. There is no cloud handshake, no telemetry, no shadow registration. The only network egress is whatever your agent itself makes to its target API.
What is the Provable Authority Package?
The PAP is the artifact Agent-008 emits with every action. It carries the Root hash, the policy hash, the instruction citation, the Read Attestation, the Delegation Capsule, the secret handle reference, the freshness window, and the lifecycle state. Any third party can independently re-derive every binding and reach the same accept-or-deny verdict the runtime reached.
Is the source available?
Yes. Agent-008 is a standalone Rust crate. Path-dependencies on h33-key and h33-attest are version-pinned. Each crate has its own workspace; they build independently.
Live Demo
Walk the eight-layer chain.
The Agent-008 demo walks every preventive layer — Root, Upstream, Agent-Zero, H33-Key, TFHE, Q-Sign, ZK-Verify — then closes on the H33-74 capstone: PAP, NAP, and the replay that proves what the gate did.