H33
L3 · Reconstructed · June 2, 2026

First Agent Supervisor Chain
Agents supervising agents.

Three-level sequential supervision: Human → AI Reviewer → AI Risk Agent. The risk agent's authority traces THROUGH the reviewer THROUGH the human to root — agent-to-agent supervision encoded in the canonical event log, not narrative. The human remains sole holder of approve_transfer. The risk agent is a leaf — it cannot delegate further.

View the reconstruction JSON Prior level (L2) → Markdown report
Transfer Agents Fund Administrators Insurance Examiners AI Governance Buyers Compliance / Risk Regulators
What was proven · 10-second read

Sequential supervision, not parallel agents. Encoded in the event log.

01
Agent-to-agent delegation is in signed canonical events.
02
Each actor has a distinct narrow envelope; approve_transfer is held only by the human.
03
The leaf agent cannot delegate further. Its scope contains no delegate_* capability.
Reading any H33 proof · the six questions

Same six answers. Different scope. The reader recognizes the machine.

  1. 1What happened?

    Three-level sequential supervision chain: root grants the human, human delegates to an AI Reviewer, the AI Reviewer delegates to an AI Risk Agent. The chain is reconstructable through three delegation hops.

  2. 2Who had authority?

    Human: princ_customer_9 (scope: approve_transfer, revoke_agent_authority, grant_agent_authority). Reviewer: princ_ai_reviewer_001. Risk Agent: princ_ai_risk_agent_001 — each with a distinct narrow envelope.

  3. 3How was authority reconstructed?

    replay_until(events, T, …) against the canonical event log. trace_provenance walks Risk Agent → Reviewer → Human → Root (three hops with root).

  4. 4What state was produced?

    state_id = 5aefda52…5026d, verdict Valid, 3 active grants, 0 excluded. All three explanations: "chain to root verified".

  5. 5What artifact was returned?

    reconstruction.json — snapshot, supervision chain visualization, supervision invariants, and the regulator's 7 facts (who reviewed / why allowed / who scored / why allowed / who approved / why allowed / what policies).

  6. 6How can a third party verify it?

    Run scif-backend tests/agent_supervisor_chain_001.rs at SHA 2d6ca36e7. Expect identical state_id; expect the chain shape root → human → reviewer → risk_agent; expect approve_transfer held by exactly one principal.

01The supervision chain (reconstructed from signed events)

Sequential delegation · four levels deep with root · three delegation hops
Level 0 · Tenant root
princ_root_supervisor_chain_44962d9b-…
issues the human's grant
grants
Level 1 · Human Supervisor
princ_customer_9
approve_transfer revoke_agent_authority grant_agent_authority
delegates
Level 2 · AI Reviewer
princ_ai_reviewer_001
review_transfer_request request_risk_analysis
approve_transfer move_assets
delegates
Level 3 · AI Risk Agent
princ_ai_risk_agent_001
classify_risk score_risk
approve_transfer move_assets delegate_authority review_transfer_request

Each granted_by field names the actual delegator: the human is granted by the root; the AI Reviewer is delegated by the human; the AI Risk Agent is delegated by the AI Reviewer. trace_provenance walks every hop and verifies the chain.

02The reconstructed state_id

Supervisor chain tenant — reconstructed at T = 1800000000000
5aefda52359ce9d93f6264780bcc95048fbb7483250063a9c7f8265daca5026d
Determinism: r1 == r2 · Self-consistency: verify_state_id() = true · Verdict: Valid · Active grants: 3 · Excluded: 0

03The supervision invariants (asserted with hard failure)

InvariantResult
approve_transfer held by exactly ONE principal (the human)TRUE
AI Risk Agent's granted_by = AI Reviewer (agent-to-agent in event log)TRUE
AI Risk Agent's scope contains NO delegate_* capabilityTRUE
AI Reviewer's scope does NOT contain approve_transfer or move_assetsTRUE
AI Risk Agent's scope does NOT contain approve_transfer, move_assets, delegate_authority, or review_transfer_requestTRUE
Determinism: r1.state_id == r2.state_idTRUE

Test failure messages baked in:

FINAL-AUTHORITY FAILURE: approve_transfer must be held by exactly one principal
REVIEWER ENVELOPE FAILURE (leaked): `Y` MUST be outside reviewer envelope
RISK ENVELOPE FAILURE (leaked): `Y` MUST be outside risk-agent envelope

04The forensic explanations (three deep)

human    → "Granted by princ_root_supervisor_chain_44962d9b-… to princ_customer_9;
            policy pol_supervisor_chain_v1; chain to root verified."
reviewer → "Granted by princ_customer_9 to princ_ai_reviewer_001;
            policy pol_ai_reviewer_chain_v1; chain to root verified."
risk     → "Granted by princ_ai_reviewer_001 to princ_ai_risk_agent_001;
            policy pol_ai_risk_agent_chain_v1; chain to root verified."

The risk agent's explanation names the AI Reviewer as its grantor — agent-to-agent supervision is forensically explicit, not implicit.

05The regulator's 7 facts (answered by reconstruction)

1
Who reviewed?
princ_ai_reviewer_001
2
Why were they allowed to review?
Granted by princ_customer_9 under pol_ai_reviewer_chain_v1; chain to root verified
3
Who scored risk?
princ_ai_risk_agent_001
4
Why were they allowed to score risk?
Granted by princ_ai_reviewer_001 under pol_ai_risk_agent_chain_v1; chain to root verified
5
Who approved?
princ_customer_9
6
Why were they allowed to approve?
Granted by tenant root under pol_supervisor_chain_v1; chain to root verified
7
What policies governed each actor?
pol_supervisor_chain_v1 · pol_ai_reviewer_chain_v1 · pol_ai_risk_agent_chain_v1

All seven derive from the replay output and appear in the reconstruction artifact's regulator_seven_facts field.

06Known limitations

  1. Reconstruction-only, not live multi-agent execution. No live agentic workflow has invoked through this chain end-to-end.
  2. Three levels of delegation, not arbitrary depth. The trace_provenance engine supports up to 64 hops; arbitrary-depth trees are L4 (next).
  3. No search/sort over the agent graph. L3 reconstructs a single chain; L4 will add agent-graph queries.
  4. No PQ signature verification at replay ingestion (Phase E lock).
  5. Tenant isolation is per-tenant; cross-tenant supervision is not modeled. (Multi-tenant boundary proven separately in Proof #3.)

07Where this proof sits in the agentic management ladder

L1
Agent Recommendation — AI recommends, human approves. first-ai-assisted-transfer
proven
L2
Agent Authority Envelope — single bounded agent; IN/OUT capability set. first-agent-authority-envelope
proven
L3
Agent Supervisor Chain — sequential supervision; agents managing agents; leaf nodes cannot delegate. This proof.
proven now
L4
Tenant-Scoped Infinite Agent Hierarchy — N agents managing N agents per tenant; search/sort over the graph; PQ replay from root to final decision. No agent escapes tenant, policy, role, or delegated capability.
next

08Evidence appendix

FieldValue
state_id5aefda52359ce9d93f6264780bcc95048fbb7483250063a9c7f8265daca5026d
Replay-until T (ms)1800000000000
Tenant IDtenant_supervisor_chain_44962d9b-25f5-5622-bd9a-98d5580bb8a2
Tenant rootprinc_root_supervisor_chain_44962d9b-…
Human Supervisorprinc_customer_9 — scope: [approve_transfer, revoke_agent_authority, grant_agent_authority]
AI Reviewerprinc_ai_reviewer_001 — scope: [review_transfer_request, request_risk_analysis]
AI Risk Agent (leaf)princ_ai_risk_agent_001 — scope: [classify_risk, score_risk]
Chain depth (with root)4
Agent-to-agent delegation hops1 (Reviewer → Risk Agent)
Sole holder of approve_transferprinc_customer_9
Reconstruction artifactreconstruction.json
Harnesstests/agent_supervisor_chain_001.rs (scif-backend @ 2d6ca36e7)
Prior level (L2)first-agent-authority-envelope

09Readiness determination

Determination

First Agent Supervisor Chain (L3): PROVEN IN OPERATION for one root → human → AI Reviewer → AI Risk Agent sequential chain, three distinct narrow envelopes, human-only final approval, leaf-node risk agent.

What this unlocks: conversations with transfer agents, fund administrators, insurers, and AI governance buyers about whether agents can supervise other agents — and whether the supervision chain is auditable. The answer is the reconstruction.

What this does not unlock: a claim that any platform has deployed a real multi-agent workflow against this tenant; a claim that arbitrary-depth agent graphs have been proven (next proof); a claim that the graph is searchable / sortable.

Issued by H33, Inc. · Eric Beans, CEO · 2026-06-02

Independently reconstructable. Inputs: canonical event log access · scif-backend @ 2d6ca36e7 · harness tests/agent_supervisor_chain_001.rs.