H33
Buyer-facing L9 · vendor-failure scenario · June 2, 2026

It's 2031.
H33 is gone.
Reconstruct anyway.

A regulator opens a complaint about a tokenized transfer approved in your firm in June 2026. Your auditor begins the trace. Within an hour she discovers: H33 was acquired and wound down years ago. SCIF is gone. The production database has been decommissioned. Netlify is gone. Auth1 is gone. The AWS account is closed. She has exactly two things: a 3.5 KB tarball her compliance team archived in 2026, and a copy of the verifier source. She runs it. Exit code 0. State_id matches. Authority chain reconstructed.

The scenario · January 14, 2031

A regulator opens a complaint about a tokenized transfer that was approved in your firm in June 2026. They want to see exactly who was authorized to approve it, under what policy, with which AI model contributing the recommendation, and they want to reconstruct the authority chain back to the original signer.

Your internal auditor begins the trace. Within an hour she discovers:

  • H33, Inc. was acquired in 2028 and the product was wound down in 2029. The company no longer exists.
  • The SCIF backend is gone. The Rust services that signed and replayed events were shut off years ago.
  • The production database has been decommissioned. The PostgreSQL cluster is no longer reachable; the AWS account it lived in was closed.
  • Netlify is gone. The customer dashboards, the proof pages, the demo URLs — all 404 now.
  • Auth1 is gone. The OAuth/Bearer issuer the firm used in 2026 doesn't exist either.
  • The S3 buckets and KMS keys are gone.

Every single piece of H33 infrastructure that touched the original decision has been deleted, sunsetted, or repossessed. The auditor has exactly two things:

  1. A small evidence package the firm's compliance team archived in 2026 — a 3.5 KB tarball.
  2. A copy of the source code for the h33-independent-canonical-replay verifier, archived at the same time.

She extracts the tarball. She compiles the verifier from source on her laptop. She runs it.

▸ Exit code 0. State_id matches. Authority chain reconstructed. Decisions present, with lineage. Verdict: Valid.
She types her finding into the regulator response: Reconstructed from preserved evidence package; H33, SCIF, the production database, Netlify, Auth1, and the original AWS environment are not required and were not consulted. Result is byte-identical to the value originally published in 2026.
Download the preserved evidence (3.5 KB) The technical sibling — Proof #12 → Markdown report
CISOs · CROs Auditors Insurers · Reinsurers Regulators PE · M&A Fortune 100 buyers General Counsel
What was proven · 10-second read

Vendor risk and evidence loss are no longer abstract.

01
A buyer can run this verifier in 2031 without H33 existing. Same binary, same evidence, same byte-identical state_ids.
02
Six pieces of H33 infrastructure are explicitly absent during the replay. None of them are consulted.
03
Two of the seven buyer pains every CISO, auditor, and insurer is paying to eliminate are attacked directly.
Reading any H33 proof · the six questions

Same six answers. Different scope. The reader recognizes the machine.

  1. 1What happened?

    Staged vendor-death scenario. The L9 verifier reconstructed the L5 time-travel snapshots byte-identically with H33 / SCIF / DB / Netlify / Auth1 / AWS all assumed absent.

  2. 2Who had authority?

    The original L5 tenant (human supervisor + AI underwriter + delegations from root). The buyer does not need to trust H33 to verify any of it — they reconstruct directly from preserved events.

  3. 3How was authority reconstructed?

    replay_until inside the standalone binary, reading only events.json and a per-T manifest.json from disk. No DB, no SCIF, no network. Sanitized environment (env -i).

  4. 4What state was produced?

    All five L5 state_ids matched byte-for-byte: 1890b20c… · 70fdc855… · deb7f04a… · b07974ae… · 0f0e51dd….

  5. 5What artifact was returned?

    evidence-package.tar.gz (3.5 KB), VERIFICATION-INSTRUCTIONS.md, plus the five verifier reports published with Proof #12.

  6. 6How can a third party verify it?

    Compile the verifier from scif-backend SHA 178bd2f08, download the tarball, run with env -i. Expect exit code 0 and state_id_comparison.matches: true on all five manifests.

01What's gone, what survived

Gone in the scenario
  • H33, Inc.The company that built the platform. Wound down 2029.
  • SCIF backendThe Rust services that signed and replayed events.
  • Production databaseThe PostgreSQL cluster that stored canonical events.
  • NetlifyCustomer dashboards, proof pages, demo URLs.
  • Auth1The OAuth / Bearer issuer that minted 2026 credentials.
  • AWS accountSCIF runtime, the database, S3 objects — all repossessed.
  • KMS keysThe keys that wrapped the database + SecretsManager entries.
  • Original signing keysML-DSA-65 + FALCON-512 + SLH-DSA-128f — live only in a decommissioned HSM.
The reconstruction does not require any of them.
Survived · enough
  • events.jsonCanonical event log for the tenant. 11 events, 5.2 KB.
  • manifest.jsonTenant ID, root, target T, expected state_id, expected verdict.
  • Verifier source / binaryh33-independent-canonical-replay at scif-backend SHA 178bd2f08.
  • VERIFICATION-INSTRUCTIONS.mdOne-page reproduction guide; human-readable; format-drift resistant.
Total preserved volume: 3.5 KB compressed. About one printed page.

02The seven buyer pains this proof attacks

Auditors, insurers, regulators, PE firms, and Fortune 100 buyers don't wake up worrying about agent hierarchies. They worry about (and pay to eliminate) the following. Each row maps the pain to what this proof actually demonstrates.

Vendor risk direct hit
The vendor (H33) is literally assumed dead in the scenario, and the chain still replays. Every CISO and CRO who has had a vendor go away mid-contract recognizes this immediately.
Evidence loss direct hit
Three failure modes that normally destroy evidence chains — vendor death, infrastructure shutdown, key rotation — are simulated simultaneously. The chain still replays. The 3.5 KB tarball is the evidence chain.
Audit cost
A regulator asks; the firm produces a JSON report from a CLI invocation; the audit closes. Compared to a typical 2026 governance-software audit (expert witnesses, vendor depositions, several million dollars), this is rounding error.
Regulatory exposure
The chain reconstructs identically to what was originally published. The reconstructed state_id is the regulator's anchor — they don't have to trust the firm or H33; they run the verifier themselves on the evidence package.
Insurance claim disputes
A reinsurer disputes a claim from 2026 in 2031. The carrier hands them the tarball + verifier. The reinsurer reconstructs. No vendor present. No he-said-she-said.
Acquisition integration risk
When Company A acquires Company B, governance history normally gets lost in integration. With evidence packages preserved, the acquirer inherits a verifiable, replayable chain — not a black box that requires Company B's legacy ops team to interpret.
Key-person risk
The original compliance officer who set up the chain is no longer at the firm. Doesn't matter — the verifier runs without her, the chain replays without her, the auditor's report writes itself without her.

03The reconstruction (five state_ids · five matches)

The verifier was run under env -i (no PG credentials, no AWS keys, no H33 service variables) against five manifests covering the L5 time-travel snapshots. Every state_id matched the L5 published value byte-for-byte.

Snapshot
Expected = Computed (state_id)
Match
T5
1890b20c61daa91ed6079b0215f3c99c5b61d1e7031f9d8fc3ddeb91b72b0025
T6
70fdc855447623918c2ee1b5cdfd3550ca20273a4116a3cd4bd33892508b91e8
T8
deb7f04a0e6bbf48cf3e68817a1aece75c7849da0380b3cc992eaa62f928eb60
T10
b07974aed797856dc47ca07f423124804a1096cb892294c57fb902db149cde50
T∞
0f0e51dd8c35d13d53de9b49c7e72f1926160b19f8f5d5e1b55f0c7cd1770c97

Per-T verifier reports (full JSON) are published in Proof #12's evidence directory.

04Strict wording — what this is and isn't

This proof IS

A staged scenario demonstrating that the L9 verifier produces byte-identical state_ids when every piece of H33 infrastructure is assumed absent. A buyer-facing reframing of Proof #12, using the same evidence package and verifier binary. Honest acknowledgment that the scenario is a thought experiment — H33 is not actually dead today. The reconstruction was performed in 2026 using a sanitized environment that simulated the vendor-absent state.

This proof IS NOT

A new technical capability beyond Proof #12. A claim that any real customer has actually executed a reconstruction in a real vendor-death scenario yet — that's operator-side. A claim that the full ML-DSA-65 + FALCON-512 + SLH-DSA-128f signatures verify in v1 (see Proof #12's Honest Scope; L9.1 closes that gap).

What changes between Proof #12 and this proof: the audience, the vocabulary, the narrative, and the buyer-pain mapping. The underlying capability is identical and the same evidence package + verifier serve both. Two distinct proofs because two distinct buyer mental models.

05Why this proof exists separately

Auditors, insurers, regulators, PE firms, and enterprise architects don't wake up worrying about Rust linker scopes — the framing that led Proof #12. They wake up worrying about vendor risk and evidence loss. This proof is L9 dressed for that audience.

Eric's framing, June 2 2026:

Eric

"The thing I'd tell them now is: stop thinking in terms of proof numbers and think in terms of what an auditor, insurer, regulator, PE firm, or Fortune 100 buyer would pay to eliminate. Those buyers don't wake up worrying about agent hierarchies, ASL, replay engines. They worry about key-person risk, vendor risk, evidence loss, acquisition integration risk, audit cost, regulatory exposure, insurance claim disputes. L9 directly attacks vendor risk. That's why it's such a strong proof."

06Known limitations

  1. Same five limitations as Proof #12. Full PQ signature verification deferred to L9.1; verifier source currently in scif-backend (not yet a public sibling repo, L9.2); evidence package is small; no on-chain anchor verification in v1; Phase E signature-at-ingestion lock open.
  2. The scenario is a thought experiment in 2026. A real vendor-death reconstruction has not happened yet — when it does, this proof gets superseded by first-real-vendor-death-reconstruction.
  3. Evidence-package preservation is the buyer's responsibility. This proof demonstrates the verifier works; it does not yet operationalize how customers archive their evidence packages long-term. That's the Decision Survivability roadmap item.

07Where this proof sits

#11
First Time Travel Replay (L5). first-time-travel-replay
proven
#12
First Independent Replay (L9, the moat). first-independent-replay
proven
#12.1
First Catastrophic Vendor Failure — buyer-facing L9. This proof.
proven now
#13
First Replayable Enterprise (renamed from "Organization") — the board-level statement.
next
#14
Cross-Tenant Governance Replay
roadmap
#15
Asset Lineage (schema work lands first)
roadmap
#16
Regulator Mode
roadmap
#17
Counterfactual Replay
roadmap

08Evidence appendix

FieldValue
Demonstration tenanttenant_time_travel_44962d9b-… (L5 — shared with Proof #12)
State_ids matched5 of 5
Verifier binaryh33-independent-canonical-replay (scif-backend @ 178bd2f08)
Tarballevidence-package.tar.gz (3.5 KB)
Verification instructionsVERIFICATION-INSTRUCTIONS.md
Technical sibling proofProof #12 — First Independent Replay
Source L5 proofProof #11 — First Time Travel Replay

09Readiness determination

Determination

First Catastrophic Vendor Failure: PROVEN IN OPERATION as a scenario reconstruction — the L9 verifier produces byte-identical state_ids when run under a sanitized environment with no H33 infrastructure dependencies. The artifact this proof adds to the corpus is the buyer-facing framing.

What this unlocks: the conversation with auditors, insurers, regulators, PE firms, and Fortune 100 buyers can lead with vendor-failure scenarios, not with linker scopes. The framing that turns L9 from a technical capability into a board-level risk-elimination claim.

What this does not unlock: any new technical capability beyond Proof #12; a real vendor-death reconstruction (operator-side; the artifact is ready when the day comes).

Issued by H33, Inc. · Eric Beans, CEO · 2026-06-02

Independently reconstructable. Inputs: scif-backend @ 178bd2f08 · evidence-package.tar.gz · instructions.