H33
#14 · foundation of accountability · June 2, 2026

First Authority Lifecycle Replay.
Foundation of accountability.

The category claim

"Every authority has a reconstructable lifecycle."

— Eric Beans, June 2 2026 (LOCKED)

Two authorities walk through the lifecycle: Grant → Use → Suspend → Reinstate → Use → Revoke (treasury officer) and Grant → Use → Expire (temp approver). Six distinct phase state_ids reconstruct from 14 signed events. Three rogue decisions made during suspended / revoked / expired phases are flagged by name in the new decisions_during_active_authority Replay Confidence check. "A lot of fraud happens after someone should have lost access."

View the reconstruction JSON ← The category (#13) Markdown report
Investigators · SIU Auditors CISOs · CROs Regulators Insurers · Reinsurers Compliance
What was proven · 10-second read

Authority isn't a switch. It's a lifecycle. And every transition is signed.

01
Six distinct lifecycle state_ids reconstruct from 14 signed events.
02
Three rogue decisions are flagged BY NAME in the new lifecycle confidence check.
03
The substrate Replayable Responsibility (#14.1) rides on — answers "who retained ultimate responsibility?"
Reading any H33 proof · the six questions

Same six answers. Different scope. The reader recognizes the machine.

  1. 1What happened?

    Two authorities walked the full lifecycle. Treasury officer's authority was granted, used twice, suspended (license review), reinstated, used again, then revoked (employment terminated). Temp approver's authority was granted, used, then expired (no renewal). Three rogue decisions were attempted during suspended/revoked/expired phases.

  2. 2Who had authority?

    princ_treasury_officer_001 (signing authority) and princ_temp_approver_001 (temp approval), both rooted via the lifecycle tenant root. princ_compliance_44962d9b-… performed the suspend/reinstate actions.

  3. 3How was authority reconstructed?

    replay_until processes the 3 new event kinds (authority_suspend, authority_reinstate, authority_expire) and gates active_grants on per-authority lifecycle state. Explanations name the lifecycle event causing exclusion.

  4. 4What state was produced?

    Six distinct state_ids — one per phase: 5e6556d4… · c38383f1… · 35ae9f43… · 8c334ed9… · f4274a70… · 9886b4ad….

  5. 5What artifact was returned?

    reconstruction.json — six phase state_ids, the 3 rogue decisions named, the 9 lifecycle audit questions answered, the new confidence check verdict.

  6. 6How can a third party verify it?

    Run scif-backend tests/authority_lifecycle_replay_001.rs at SHA cb4376378. Expect identical six state_ids; expect three rogue decision IDs flagged by name in the lifecycle confidence check; expect Replay Confidence at final = 30/100.

01The 8-state authority lifecycle

Grant Modify Delegate Use Suspend Reinstate Expire Revoke

Eric Beans added Expire to the model June 2 2026: "A surprising amount of enterprise authority doesn't get revoked. It simply ages out." Expire and Revoke are materially different governance outcomes:

Auditors, regulators, and insurers care about the distinction.

02The scenario — two authorities, six phases, three rogue attempts

Treasury Officer — Grant → Suspend → Reinstate → Revoke
T_grant_officer
grant
root → princ_treasury_officer_001 · scope=[sign_treasury_transfer]
T_dec1
decision_lc_001
Officer signs $5M transfer
LEGITIMATE
T_dec2
decision_lc_002
Officer signs $2M transfer
LEGITIMATE
T_suspend
authority_suspend
Suspended by compliance · reason: License renewal under review · category: compliance_action
T_rogue_during_suspend
decision_lc_rogue_during_suspend
Attempted sign during suspension — should not have happened
ROGUE
T_reinstate
authority_reinstate
Reinstated by compliance · reason: License renewal confirmed
T_dec3
decision_lc_003
Officer signs $7M transfer (post-reinstate)
LEGITIMATE
T_revoke
revoke
Revoked by root · reason: Employment terminated · category: employment_terminated
T_rogue_post_revoke
decision_lc_rogue_post_revoke
Attempted sign after revocation
ROGUE
Temp Approver — Grant → Use → Expire
T_grant_temp
grant
root → princ_temp_approver_001 · scope=[approve_temporary_request]
T_dec4
decision_lc_004
Temp approver approves request
LEGITIMATE
T_expire
authority_expire
Expired by root · type: no_renewal_requested
T_rogue_post_expire
decision_lc_rogue_post_expire
Attempted approve after expiry
ROGUE

03Six distinct lifecycle state_ids

P1 · ACTIVE pre-suspendT = 1780515000000
5e6556d4ee40547278fc4d7c7848d6eaadb8c4e5d4ca0a5b4537b9b3637c7898
officer_active = true · active_suspensions = 0 · expired_authorities = 0 · decisions = 2
P2 · SUSPENDEDT = 1780520000001
c38383f15ffba2770c99c925a759fa80a0a78853e23dda98a8fd9a2ae4e39228
officer_active = false · active_suspensions = 1 · reason_category = "compliance_action"
P3 · REINSTATEDT = 1780525000001
35ae9f43fa2c9a3e3a8c370ad66bdebbec15d6a685aeae9f6524e5f0fe2d0647
officer_active = true · active_suspensions = 0 · authority restored
P4 · REVOKEDT = 1780540000001
8c334ed98680574148f132d53855f7b1f4e7c63ce9a8787b149bd29f65ea1465
officer_active = false · active_revocations = 1 · reason = "Employment terminated"
P5 · TEMP EXPIREDT = 1780560000001
f4274a70c2becde5e9ab9e099b90032eba5a3ff16c8f254370567331623971d8
temp_active = false · expired_authorities = 1 · expiry_type = "no_renewal_requested"
P6 · FINALT = 1780566000000
9886b4ad040875041e04e5d1785d71da105e531d998683aab76e2e0471b21b63
active_grants = 0 · active_revocations = 1 · expired_authorities = 1 · decisions = 7 (4 legitimate + 3 rogue)

04The killer check — 3 rogue decisions named

Replay Confidence at final 30/100
decisions_during_active_authority (Warning)
ROGUE DECISIONS FLAGGED: 3 decision(s) made after the actor's authority entered a suspended/expired/revoked state: decision_lc_rogue_during_suspend decision_lc_rogue_post_revoke decision_lc_rogue_post_expire

The check correctly distinguishes decision_lc_004 (legitimate — temp approver still held active authority at decision time) from decision_lc_rogue_post_expire (made AFTER temp authority's expire). It walks events PER AUTHORITY to compute each decision's at_ms against the actor's lifecycle state, not just snapshot state at T.

This is investigator-grade evidence. Eric's framing: "A lot of fraud happens after someone should have lost access."

05The 9 lifecycle audit questions answered

1
Who granted authority?
princ_root_lifecycle_44962d9b-… (signed grant)
2
Who modified authority?
(AuthorityModify queued for schema v2)
3
Who delegated authority?
covered by L3 delegation chain — granted_by field
4
Who suspended authority?
princ_compliance_44962d9b-… (signed AuthoritySuspend)
5
Who reinstated authority?
princ_compliance_44962d9b-… (signed AuthorityReinstate)
6
Who revoked authority?
princ_root_lifecycle_44962d9b-… (signed Revoke with reason+category)
7
Why did each change occur?
reason + reason_category on each event (compliance_action, employment_terminated, no_renewal_requested)
8
Which decisions occurred during each phase?
decisions_up_to filtered by lifecycle interval — see scenario table above
9
Who retained ultimate responsibility?
★ TENANT_ROOT for now — Proof #14.1 formalizes responsibility_chain

Question 9 is the breakthrough Eric named: "Most systems can identify actors. Very few can identify retained responsibility." That's the foundation Proof #14.1 (Replayable Responsibility) builds on.

06The new schema

Three new canonical event kinds added to AuthEvent:

AuthoritySuspend {
    at_ms, authority_id,
    suspended_by, reason, reason_category, signature
}

AuthorityReinstate {
    at_ms, authority_id,
    reinstated_by, reason, signature
}

AuthorityExpire {
    at_ms, authority_id,
    expired_by, expiry_type, signature
}

Revoke extended with optional reason + reason_category fields, backward-compat via skip_serializing_if = Option::is_none. All 13 prior proofs' state_ids verified byte-identical under the extended engine.

DB CHECK constraint extended for the 3 new kinds.

07What this proof IS and IS NOT

This proof IS

The substrate Proof #14.1 (Replayable Responsibility) rides on. A reconstruction of the full lifecycle (Grant + Use + Suspend + Reinstate + Expire + Revoke; Modify deferred). Investigator-grade evidence — three rogue decisions are flagged by name with the lifecycle event that should have prevented them. Six byte-identical state_ids per replay.

This proof IS NOT

A claim that responsibility_chain is yet a first-class schema field (that lands in #14.1). A claim that AuthorityModify (mid-lifecycle scope/expiry change) is yet a distinct event kind — queued. A claim that the engine enforces "rogue decisions are rejected at issuance" — the check FLAGS rogue decisions in the confidence score; issuance-time enforcement is a separate policy gate.

08Where this proof sits

#11
First Time Travel Replay (L5). first-time-travel-replay
proven
#12
First Independent Replay (L9, the moat). first-independent-replay
proven
#12.1
First Catastrophic Vendor Failure. first-catastrophic-vendor-failure
proven
#13
First Replayable Enterprise (the category). first-replayable-enterprise
proven
#14
First Authority Lifecycle Replay (foundation of accountability) — Suspend / Reinstate / Expire / Revoke with reasons; rogue decisions flagged by name. This proof.
proven now
#14.1
First Replayable Responsibility — responsibility_chain schema (actor + supervisor + policy_owner + model_owner + approving_authority). The gap Eric named.
next
#15
First Replayable Insurance Claim
roadmap
#16
First Enterprise Acquisition Replay
roadmap

09Known limitations

  1. AuthorityModify deferred. Mid-lifecycle scope reduction or expiry extension warrants a distinct Modify event with prev/new fields.
  2. Issuance-time enforcement is policy-layer, not chain-layer. This proof's confidence check FLAGS rogue decisions for audit; the receipt-issuing service must enforce the active-authority check at issuance time independently.
  3. Phase E lock open. AuthEvent.signature stored but not verified at replay ingestion; L9.1 closes this.
  4. Single tenant. Cross-tenant lifecycle interactions queued for #16.

10Evidence appendix

FieldValue
Tenant IDtenant_authority_lifecycle_44962d9b-25f5-5622-bd9a-98d5580bb8a2
Tenant rootprinc_root_lifecycle_44962d9b-…
Treasury officerprinc_treasury_officer_001
Temp approverprinc_temp_approver_001
Complianceprinc_compliance_44962d9b-…
Event count14
Distinct lifecycle state_ids6
Rogue decisions flagged3 (during_suspend · post_revoke · post_expire)
Replay confidence at final30/100 (signatures + lifecycle checks fail)
Reconstruction artifactreconstruction.json
Harnesstests/authority_lifecycle_replay_001.rs (scif-backend @ cb4376378)

11Readiness determination

Determination

First Authority Lifecycle Replay (foundation of accountability): PROVEN IN OPERATION for one tenant, 14 signed events, 8-state lifecycle exercised (minus Modify, queued), six distinct deterministic lifecycle state_ids, three rogue decisions named in the lifecycle confidence check.

What this unlocks: Proof #14.1 — First Replayable Responsibility. The responsibility_chain schema captures actor + supervisor + policy_owner + model_owner + approving_authority. Eric: "The day you can prove who owned the consequences, you'll be operating in territory where there are very few direct competitors."

What this does not unlock: a claim that responsibility_chain is first-class (#14.1); a claim that Modify is yet a distinct event kind; a claim that the engine enforces rogue rejection at issuance.

Issued by H33, Inc. · Eric Beans, CEO · 2026-06-02

Independently reconstructable. Inputs: scif-backend @ cb4376378 · tests/authority_lifecycle_replay_001.rs · reconstruction.json.