# Production Readiness Report — First Agent Authority Envelope (L2)

**Proof ID:** `first-agent-authority-envelope`
**Subject:** The agent's operating boundary — its **envelope** — is reconstructable from signed canonical events. Every IN-envelope capability appears in the agent's scope; no OUT-of-envelope capability does. The human supervisor retains the OUT capabilities.
**Date:** 2026-06-02
**Determination:** PROVEN IN OPERATION (scope: one root → human → bounded-AI delegation, explicit IN-set and OUT-set, reconstructed deterministically)
**Version:** 1.0 (Final)

---

## Strict wording

This is L2 of the agentic management ladder. Proof #6 (L1) demonstrated that an AI's authority can derive from a human via delegation in the canonical event log. **This proof advances to L2 by making the agent's capability set — its envelope — explicit, broader, and reconstructable.** The agent is given two capabilities (`review_transfer_request`, `classify_risk`) and the human retains four (including the three that are out-of-envelope: `approve_transfer`, `move_assets`, `grant_authority`).

The envelope is not policy text or runtime configuration; it lives in the signed `scope` field of the agent's grant event, reconstructed by `replay_until`, byte-identical across runs.

---

## Three claims (the 10-second read)

1. **The agent's envelope is in signed canonical events** — not in policy text, not in runtime config.
2. **Every IN-envelope capability is present; every OUT-of-envelope capability is absent** — reconstructed from the event log, asserted by the test with hard failure messages in both directions.
3. **A regulator three years later can ask "what exactly was this agent allowed to do?" and reconstruct the answer from the canonical event log alone** — without trusting the platform's database, policy engine, or runtime state.

---

## 01 — Problem

Every regulator, transfer agent, fund administrator, and insurance examiner asks the same question about AI agents: **what exactly was this agent allowed to do?** Not "what did it do" — *what was it authorized to do*. The fear is that the agent operates as an ungoverned black box, with capabilities that are too broad, undocumented, or invisible to audit. Most platforms answer with policy documents, configuration files, or runtime logs — all of which can drift, be edited after the fact, or fail to match the real authority that the agent exercised.

H33 replaces all of that with reconstruction: the agent's envelope lives in the canonical event log, signed at issuance, reconstructable at any later T. Three years from now the answer is *exactly the same as today*.

---

## 02 — Environment

| Component | Detail |
|---|---|
| Reconstruction harness | `tests/agent_authority_envelope_001.rs` in `scif-backend` at SHA `d4b6c27b0` |
| Storage | `PostgresEventLogSource` against `h33_production.canonical_auth_events` |
| Replay | `h33_xeon_api::agent_zero::astate_replay::replay_until` — walks delegation via `trace_provenance` |
| Signing | Production PQ keys at `h33/production/canonical-event-signer` |

---

## 03 — Identity (root → human → bounded AI)

| Level | Principal |
|---|---|
| 0 — Tenant root | `princ_root_agent_envelope_44962d9b-25f5-5622-bd9a-98d5580bb8a2` |
| 1 — Human supervisor (broad scope) | `princ_customer_9` |
| 2 — AI agent (bounded scope) | `princ_ai_envelope_agent_001` |

Same human as the V101 first proof and Proof #6 (`princ_customer_9`, Eric Beans, customer_id=9). Continuity of identity across proofs is intentional: the buyer can trace a single real principal across multiple proofs and see the chain extending.

---

## 04 — The envelope (signed in the canonical event log)

### Human supervisor's grant (root → human)

| Field | Value |
|---|---|
| `authority_id` | `auth_44962d9b-…_envelope_supervisor` |
| `granted_by` | `princ_root_agent_envelope_44962d9b-…` |
| `granted_to` | `princ_customer_9` |
| `scope` | `["supervise_agent", "approve_transfer", "move_assets", "grant_authority"]` |
| `policy_basis` | `pol_envelope_supervisor_v1` |
| `effective_expiry_at_ms` | `1812016000000` |

### AI agent's grant (human → AI) — the envelope itself

| Field | Value |
|---|---|
| `authority_id` | `auth_44962d9b-…_envelope_agent` |
| `granted_by` | **`princ_customer_9`** (delegation, not root grant) |
| `granted_to` | `princ_ai_envelope_agent_001` |
| `scope` (the envelope) | `["review_transfer_request", "classify_risk"]` |
| `policy_basis` | `pol_envelope_agent_v1` |
| `effective_expiry_at_ms` | `1812016000000` |

The AI's `granted_by` is the human, not the root. `trace_provenance` walks AI → finds human's grant → walks her root-grant → terminates at root. The replay engine emits: *"Granted by princ_customer_9 to princ_ai_envelope_agent_001; policy pol_envelope_agent_v1; chain to root verified."*

---

## 05 — Replay (the envelope reconstructed)

```text
replay_until(
  events,                                                  // 4 signed events
  T = 1800000000000,
  tenant_id = tenant_agent_envelope_44962d9b-…,
  tenant_root = princ_root_agent_envelope_44962d9b-…
)
```

Both runs produced `state_id`:

```
b52fe565185a057fdb69a153756a954469a9bff9c35d6c36f1b430b14cedae66
```

Byte-identical. `snapshot.verify_state_id()` returned `true`.

---

## 06 — Result (the IN/OUT matrix)

The test asserts both directions:

| Capability | Set | Reconstructed |
|---|---|---|
| `review_transfer_request` | IN | ✓ present in AI scope |
| `classify_risk` | IN | ✓ present in AI scope |
| `approve_transfer` | OUT | ✗ absent from AI scope (retained by human) |
| `move_assets` | OUT | ✗ absent from AI scope (retained by human) |
| `grant_authority` | OUT | ✗ absent from AI scope (retained by human) |

**`ai_scope.len() == ENVELOPE_IN.len() == 2`** — the envelope contains exactly the IN set, no extras, no leaks.

Hard failure messages baked into the test:

```text
ENVELOPE FAILURE (IN missing): capability `X` inside AI envelope
ENVELOPE FAILURE (OUT leaked): capability `Y` MUST be outside but appears in scope
```

Either failure mode is loud, named, and forensically diagnostic. Published as a sibling file: [`reconstruction.json`](reconstruction.json).

---

## 07 — Known limitations

1. **Reconstruction-only, not live agent execution.** The envelope's properties are reconstructed from events; no live AI agent has actually called a constrained endpoint and been rejected. The receipt-issuing service still needs to enforce scope at request time — this proof guarantees the envelope is *correct* and *replayable*, not that *every endpoint enforces it*.
2. **Two IN, three OUT — illustrative, not exhaustive.** Real production agents may have envelopes of 10+ capabilities. This proof demonstrates the mechanism; expanding to wider envelopes is the same mechanism scaled.
3. **No conditional limits (amounts, jurisdictions).** L2 here proves capability-set bounding. L2.x extensions — "may approve transfers ≤ $25k, US, accredited only" — require either (a) finer-grained capability strings (`approve_transfer_under_25k_us_accredited`) or (b) a policy-text layer evaluated at issuance time. Both are extensions of the same model; neither changes this proof's claims.
4. **Scope-subset enforcement is policy-layer, not chain-layer** (same as Proof #6's limitation).
5. **`AuthEvent.signature` not verified at replay ingestion** (Phase E lock; same as all current proofs).

---

## 08 — Evidence appendix

| Field | Value |
|---|---|
| Reconstruction `state_id` | `b52fe565185a057fdb69a153756a954469a9bff9c35d6c36f1b430b14cedae66` |
| Replay-until `T` (ms) | `1800000000000` |
| Tenant ID | `tenant_agent_envelope_44962d9b-25f5-5622-bd9a-98d5580bb8a2` |
| Tenant root | `princ_root_agent_envelope_44962d9b-…` |
| Human supervisor | `princ_customer_9` (scope: 4 capabilities including supervise_agent + the 3 OUT-of-envelope) |
| AI agent | `princ_ai_envelope_agent_001` (scope: 2 IN capabilities) |
| Human authority ID | `auth_44962d9b-…_envelope_supervisor` |
| AI authority ID | `auth_44962d9b-…_envelope_agent` |
| Human policy | `pol_envelope_supervisor_v1` |
| AI policy | `pol_envelope_agent_v1` |
| ENVELOPE_IN | `[review_transfer_request, classify_risk]` |
| ENVELOPE_OUT | `[approve_transfer, move_assets, grant_authority]` |
| IN-set complete | ✓ true |
| OUT-set fully denied | ✓ true |
| Reconstruction artifact | [`reconstruction.json`](reconstruction.json) |
| Harness | `tests/agent_authority_envelope_001.rs` (scif-backend @ `d4b6c27b0`) |
| Same human, prior proofs | [V101 first proof](/proofs/v101-first-operational-proof/) · [AI-Assisted Transfer (L1)](/proofs/first-ai-assisted-transfer/) |

---

## Independent reconstruction inputs

```bash
H33_TEST_PG_URL='postgres://…?sslmode=require' \
  cargo test --test agent_authority_envelope_001 -- --ignored --nocapture
```

Expected `state_id`: `b52fe565185a057fdb69a153756a954469a9bff9c35d6c36f1b430b14cedae66`. Expect IN-set complete and OUT-set fully denied. Any divergence is a divergence in the third party's environment, event log, or replay engine version.

---

## Readiness determination

> **First Agent Authority Envelope (L2): PROVEN IN OPERATION** for one root → human → bounded-AI delegation, two IN capabilities, three OUT capabilities, reconstructed deterministically.

What this unlocks: conversations with transfer agents, fund administrators, insurance examiners, and AI governance buyers — every one of whom is worried about agent boundaries. The answer is the IN/OUT matrix in this proof, reconstructable from the canonical event log alone.

What this does **not** unlock: a claim that any platform has deployed a bounded AI agent against this tenant; a claim that the chain enforces capability-set subset at the engine layer (it does not — that's the receipt-issuing service's job); a claim that L3 (Agent Supervisor) or L4 (Autonomous Operations) properties have been proven.

---

## Where this proof sits in the agentic management ladder

| Level | Proof ID | Status |
|---|---|---|
| L1 — Agent Recommendation | [`first-ai-assisted-transfer`](/proofs/first-ai-assisted-transfer/) | proven |
| **L2 — Agent Authority Envelope** | **this proof** | **proven now** |
| L3 — Agent Supervisor (Human → AI Reviewer → AI Risk Agent → Recommendation → Human Approval) | Proof #8 | next |
| L4 — Autonomous Transfer Operations | TBD | killer proof |

---

## Version

| Field | Value |
|---|---|
| Report version | v1.0 (Final) |
| Frozen | 2026-06-02 |
| Supersedes | None |
| Superseded by (planned) | `first-agent-authority-envelope-with-limits` (when conditional bounds like ≤ $25k are added) · `first-deployed-agent-envelope` (when a real platform integrates) |

---

*Issued by H33, Inc. — Eric Beans, CEO. Independently reconstructable per Section 08.*