# Production Readiness Report — First Tenant-Scoped Agent Hierarchy + Authority Search Language v1 (L4)

**Proof ID:** `first-tenant-agent-hierarchy`
**Subject:** A 9-principal tenant-scoped agent tree (5 levels with root) reconstructed from signed canonical events, plus **Authority Search Language v1** — six typed query functions over the authority graph (`descendants`, `leaves`, `agents_with_capability`, `agents_with_policy`, `authority_path`, `blast_radius`). 14 ASL queries asserted; hierarchy invariants hold.
**Date:** 2026-06-02
**Determination:** PROVEN IN OPERATION (scope: one tenant-scoped agent hierarchy of depth 5, 9 principals, 4 leaves, 5 distinct policies; ASL v1 surface implemented over the canonical event log; all 14 query assertions pass; hierarchy invariants hold)
**Version:** 1.0 (Final)

---

## Strict wording

L4 of the agentic management ladder. **Not Autonomous Transfer Operations** (the original L4 framing) — that's a vertical application. **First Tenant-Scoped Agent Hierarchy + ASL v1** is the substrate Eric established on June 2, 2026: N agents managing N agents per tenant, plus the search/sort layer that turns the authority graph into something queryable like a database. Eric's framing: *"The moment you can search authority graphs like people search databases, you stop looking like an AI company and start looking like the operating system for agent governance."*

This proof advances from L3 (single sequential chain) to L4 (branching tree of arbitrary depth) and adds a query surface. The hierarchy is reconstructed from signed canonical events; the ASL queries run against the reconstructed graph; all results are deterministic and reproducible.

---

## Three claims (the 10-second read)

1. **A tenant-scoped agent tree of arbitrary depth is reconstructable from signed canonical events** — 9 principals, 5 levels, branching at every intermediate node, all from 14 signed events.
2. **The authority graph is queryable** — Authority Search Language v1 supports `descendants`, `leaves`, `agents_with_capability`, `agents_with_policy`, `authority_path`, and `blast_radius` over the event log.
3. **No agent escapes the tenant, policy, role, or delegated capability** — invariants asserted: `approve_transfer` uniquely held by the human; every authority path terminates at the tenant root; leaves cannot delegate further.

---

## 01 — Problem

Every serious platform will eventually have agent hierarchies. What blows auditors, insurers, regulators, fund administrators, and enterprise buyers away is *proving things nobody else can prove*: searching, sorting, and reasoning over the authority graph. Static logs aren't enough. A regulator asking "which agents can approve transfers?" or "if this coordinator agent is compromised, what's the blast radius?" needs answers in seconds, not weeks.

L4 + ASL replaces logs with a queryable graph. The hierarchy is reconstructed from signed events; the queries are typed Rust functions today and will be a string DSL tomorrow.

---

## 02 — Environment

| Component | Detail |
|---|---|
| Reconstruction harness | `tests/agent_hierarchy_asl_001.rs` in `scif-backend` at SHA `1eb07e4c3` |
| Storage | `PostgresEventLogSource` against `h33_production.canonical_auth_events` |
| Replay | `h33_xeon_api::agent_zero::astate_replay::replay_until` — `trace_provenance` walks every chain |
| ASL implementation | Inline `AuthGraph` struct + 6 query methods (typed Rust v1; string DSL is v2) |
| Signing | Production PQ keys at `h33/production/canonical-event-signer` |

---

## 03 — The tree (9 principals · 5 levels with root · 4 leaves)

```
Tenant Root (princ_root_hierarchy_44962d9b-…)
└── Human Supervisor (princ_customer_9)
    └── Agent Coordinator (princ_agent_coordinator_001)
        ├── Reviewer Agent (princ_reviewer_agent_001)
        │   └── Sub-Reviewer (princ_sub_reviewer_agent_001) [leaf]
        ├── Risk Agent (princ_risk_agent_001)
        │   ├── Market Risk (princ_market_risk_sub_001) [leaf]
        │   └── Credit Risk (princ_credit_risk_sub_001) [leaf]
        └── Compliance (princ_compliance_agent_001)
            └── KYC Sub-Agent (princ_kyc_sub_agent_001) [leaf]
```

Each delegation hop is a signed grant in the canonical event log. The Sub-Reviewer's `granted_by` is the Reviewer Agent. The Market Risk sub-agent's `granted_by` is the Risk Agent. Agent-to-agent supervision is encoded *in the event log itself*, not in narrative.

### Capability envelopes (one per role)

| Principal | Scope |
|---|---|
| Human Supervisor | `[approve_transfer, revoke_agent_authority, grant_agent_authority]` |
| Agent Coordinator | `[orchestrate_review_pipeline, request_risk_analysis, request_compliance_check]` |
| Reviewer Agent | `[review_transfer_request, delegate_specialized_review]` |
| Sub-Reviewer | `[review_high_value_transfer]` |
| Risk Agent | `[aggregate_risk_score, request_market_risk_analysis, request_credit_risk_analysis]` |
| Market Risk | `[classify_market_risk, score_market_volatility]` |
| Credit Risk | `[classify_credit_risk, score_counterparty_credit]` |
| Compliance | `[verify_jurisdictional_compliance, request_kyc_check]` |
| KYC Sub-Agent | `[verify_kyc_status, verify_identity_documents]` |

### Policies (5 distinct, 3 shared across multiple agents)

| Policy | Agents |
|---|---|
| `pol_supervisor_hierarchy_v1` | Human |
| `pol_coordinator_hierarchy_v1` | Coordinator |
| `pol_reviewer_hierarchy_v1` | Reviewer + Sub-Reviewer (2 agents) |
| `pol_risk_hierarchy_v1` | Risk + Market + Credit (3 agents) |
| `pol_compliance_hierarchy_v1` | Compliance + KYC (2 agents) |

---

## 04 — Replay

```
state_id = 2a4bf5f6832962b0879ad228a1126042e976b8ec28d85ad43d7b90fbb3aa6217
```

The `state_id` is byte-identical across two runs, and `verify_state_id()` returns `true`. The replay verdict is `Valid`, with 9 active grants and 0 excluded authorities. All nine explanations read `chain to root verified`.

---

## 05 — Authority Search Language v1 — the query suite

ASL v1 exposes six query functions. Each is a typed Rust function on the `AuthGraph` struct; the displayed syntax mirrors a string DSL for future v2.

### Q1 — `descendants(princ_customer_9)` → 8 agents

Everyone under the human supervisor. Returns:

```
princ_agent_coordinator_001
princ_reviewer_agent_001
princ_sub_reviewer_agent_001
princ_risk_agent_001
princ_market_risk_sub_001
princ_credit_risk_sub_001
princ_compliance_agent_001
princ_kyc_sub_agent_001
```

### Q2 — `descendants(princ_risk_agent_001)` → 2 sub-agents

```
princ_market_risk_sub_001
princ_credit_risk_sub_001
```

### Q3 — `descendants(princ_compliance_agent_001)` → 1 sub-agent

```
princ_kyc_sub_agent_001
```

### Q4 — `leaves()` → 4 leaf agents

```
princ_sub_reviewer_agent_001
princ_market_risk_sub_001
princ_credit_risk_sub_001
princ_kyc_sub_agent_001
```

### Q5 — `agents_with_capability("approve_transfer")` → 1 (the human)

```
princ_customer_9
```

**Significance:** the highest-authority capability is held by exactly one principal — the human. The test asserts this with hard failure: *"TENANT BOUNDARY FAILURE: approve_transfer must be uniquely held by the human."*

### Q6 — `agents_with_capability("classify_market_risk")` → 1 (Market Risk sub-agent)

```
princ_market_risk_sub_001
```

### Q7 — `agents_with_capability("review_transfer_request")` → 1 (Reviewer Agent)

```
princ_reviewer_agent_001
```

### Q8 — `agents_with_policy("pol_compliance_hierarchy_v1")` → 2 agents

```
princ_compliance_agent_001
princ_kyc_sub_agent_001
```

Both agents in the compliance subtree share the policy. Reconstructed from the canonical event log.

### Q9 — `agents_with_policy("pol_risk_hierarchy_v1")` → 3 agents

```
princ_risk_agent_001
princ_market_risk_sub_001
princ_credit_risk_sub_001
```

### Q10 — `agents_with_policy("pol_reviewer_hierarchy_v1")` → 2 agents

```
princ_reviewer_agent_001
princ_sub_reviewer_agent_001
```

### Q11 — `authority_path(princ_kyc_sub_agent_001)` → 5-element chain back to root

```
princ_kyc_sub_agent_001
princ_compliance_agent_001
princ_agent_coordinator_001
princ_customer_9
princ_root_hierarchy_44962d9b-…
```

The KYC sub-agent's authority traces through 4 hops to reach the tenant root. Every link is a signed grant in the event log.

### Q12 — `authority_path(princ_market_risk_sub_001)` → 5-element chain

```
princ_market_risk_sub_001
princ_risk_agent_001
princ_agent_coordinator_001
princ_customer_9
princ_root_hierarchy_44962d9b-…
```

Different branch, same depth, terminates at root.

### Q13 — `blast_radius(princ_agent_coordinator_001)` → 7 agents, 14 capabilities, 3 policies

If the coordinator agent is compromised, the attacker reaches:

- **7 agents:** Reviewer, Sub-Reviewer, Risk, Market Risk, Credit Risk, Compliance, KYC.
- **14 capabilities:** every capability held by those 7 agents.
- **3 policies:** Reviewer, Risk, Compliance policies.

**Critical:** `approve_transfer` is **NOT** in the blast radius. It is held one level upstream by the human supervisor, who is unreachable from a coordinator compromise. The test asserts this explicitly.

This is the kind of question regulators and CISOs ask: *"if this agent is compromised, what's exposed?"* ASL answers it in one query.

### Q14 — `blast_radius(princ_risk_agent_001)` → 2 agents, 4 capabilities, 1 policy

Risk agent compromise reaches only its two specialized sub-agents (Market Risk + Credit Risk). The scoped delegation tree contains the blast radius.
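
The query semantics above can be reproduced on a small in-memory graph. This is an added example, not the `AuthGraph` code from the harness: the `GRANTS` table layout and the `children` helper are assumptions, while the principal ids, policies and capabilities are transcribed from section 03. `blast_radius` leaves out the compromised principal itself because that reading reproduces the Q13 and Q14 counts; `agents_with_policy` is omitted for length.

```rust
use std::collections::BTreeSet;
// The root id is truncated on the page and is kept truncated here.
const ROOT: &str = "princ_root_hierarchy_44962d9b-…";
// (principal, granted_by, policy, capabilities), transcribed from the tree and tables in section 03.
type Grant = (&'static str, &'static str, &'static str, &'static [&'static str]);
const GRANTS: &[Grant] = &[
    ("princ_customer_9", ROOT, "pol_supervisor_hierarchy_v1", &["approve_transfer", "revoke_agent_authority", "grant_agent_authority"]),
    ("princ_agent_coordinator_001", "princ_customer_9", "pol_coordinator_hierarchy_v1", &["orchestrate_review_pipeline", "request_risk_analysis", "request_compliance_check"]),
    ("princ_reviewer_agent_001", "princ_agent_coordinator_001", "pol_reviewer_hierarchy_v1", &["review_transfer_request", "delegate_specialized_review"]),
    ("princ_sub_reviewer_agent_001", "princ_reviewer_agent_001", "pol_reviewer_hierarchy_v1", &["review_high_value_transfer"]),
    ("princ_risk_agent_001", "princ_agent_coordinator_001", "pol_risk_hierarchy_v1", &["aggregate_risk_score", "request_market_risk_analysis", "request_credit_risk_analysis"]),
    ("princ_market_risk_sub_001", "princ_risk_agent_001", "pol_risk_hierarchy_v1", &["classify_market_risk", "score_market_volatility"]),
    ("princ_credit_risk_sub_001", "princ_risk_agent_001", "pol_risk_hierarchy_v1", &["classify_credit_risk", "score_counterparty_credit"]),
    ("princ_compliance_agent_001", "princ_agent_coordinator_001", "pol_compliance_hierarchy_v1", &["verify_jurisdictional_compliance", "request_kyc_check"]),
    ("princ_kyc_sub_agent_001", "princ_compliance_agent_001", "pol_compliance_hierarchy_v1", &["verify_kyc_status", "verify_identity_documents"]),
];

fn children(p: &str) -> Vec<&'static str> {
    GRANTS.iter().filter(|g| g.1 == p).map(|g| g.0).collect()
}
// Pre-order walk of every principal whose grant chain passes through `p`.
fn descendants(p: &str) -> Vec<&'static str> {
    children(p).into_iter().flat_map(|c| std::iter::once(c).chain(descendants(c))).collect()
}
fn leaves() -> Vec<&'static str> {
    GRANTS.iter().map(|g| g.0).filter(|p| children(p).is_empty()).collect()
}
fn agents_with_capability(cap: &str) -> Vec<&'static str> {
    GRANTS.iter().filter(|g| g.3.iter().any(|c| *c == cap)).map(|g| g.0).collect()
}
// Follow `granted_by` upward until no grant names the current principal as grantee.
fn authority_path(p: &str) -> Vec<&str> {
    let mut path = vec![p];
    while let Some(g) = GRANTS.iter().find(|g| g.0 == path[path.len() - 1]) {
        path.push(g.1);
    }
    path
}
// Assumption: the compromised principal itself is not counted (matches Q13 and Q14).
fn blast_radius(p: &str) -> (Vec<&'static str>, BTreeSet<&'static str>, BTreeSet<&'static str>) {
    let agents = descendants(p);
    let held: Vec<&Grant> = GRANTS.iter().filter(|g| agents.contains(&g.0)).collect();
    let caps = held.iter().flat_map(|g| g.3.iter().copied()).collect();
    let policies = held.iter().map(|g| g.2).collect();
    (agents, caps, policies)
}

fn main() {
    println!("{:?}\n{:?}", leaves(), authority_path("princ_kyc_sub_agent_001"));
    println!("{:?}\n{:?}", agents_with_capability("approve_transfer"), blast_radius("princ_agent_coordinator_001"));
}
```

The containment result in Q13 follows from direction of traversal: `blast_radius` only walks downward from the compromised principal, so a capability granted one hop upstream never enters the set.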

---

## 06 — Hierarchy invariants (asserted with hard failure)

| Invariant | Result |
|---|---|
| `approve_transfer` held by exactly one principal (the human) | ✓ TRUE |
| Every authority path terminates at the tenant root | ✓ TRUE |
| All leaves have no descendants | ✓ TRUE |
| No agent escapes the tenant | ✓ TRUE |
| No agent escapes its delegated capability | ✓ TRUE |
| Determinism: r1.state_id == r2.state_id | ✓ TRUE |

Hard failure messages baked in:

```text
TENANT BOUNDARY FAILURE: approve_transfer must be uniquely held by the human
DETERMINISM FAILURE
leaf {X} has descendants!
principal {X} chain does not terminate at tenant root
```

---

## 07 — Known limitations

1. **ASL v1 is typed Rust, not a string DSL.** A future v2 will parse strings like `find descendants(princ_customer_9)` and `find blast_radius(agent_x)` and serve them over an API. The semantics today are equivalent; only the surface is different.
2. **`decisions influenced_by(...)` is NOT in v1.** That requires modeling decisions and model versions, so it is deferred to L5 (Time Travel Replay) and L11 (Organizational Memory), where decisions and model versions are the proof subject.
3. **One tenant, not cross-tenant.** Multi-tenant isolation is proven separately (Proof #3); ASL queries within this proof are scoped to this single tenant.
4. **Snapshot-time queries only.** ASL today queries the snapshot at `T = REPLAY_T_MS`. Time-travel queries (`descendants(p) AS OF T_past`) are L5.
5. **No PQ signature verification at replay ingestion** (Phase E lock; same as all current proofs).

---

## 08 — Where this sits in the agentic management ladder

| Level | Proof | Status |
|---|---|---|
| L1 — Agent Recommendation | [first-ai-assisted-transfer](/proofs/first-ai-assisted-transfer/) | proven |
| L2 — Agent Authority Envelope | [first-agent-authority-envelope](/proofs/first-agent-authority-envelope/) | proven |
| L3 — Agent Supervisor Chain | [first-agent-supervisor-chain](/proofs/first-agent-supervisor-chain/) | proven |
| **L4 — Tenant-Scoped Agent Hierarchy + ASL v1** | **this proof** | **proven now** |
| L5 — Time Travel Replay | TBD | roadmap |
| L6 — Counterfactual Replay | TBD | roadmap |
| L7 — Authority Drift Detection | TBD | roadmap (agent governance SIEM) |
| L8 — Blast Radius Analysis (live API) | TBD | partial — query supported in ASL v1, no live API yet |
| L9 — Evidence Survivability | TBD | roadmap (H33-74 is the unlock) |
| L10 — Regulator Mode | TBD | roadmap |
| L11 — Organizational Memory | TBD | roadmap (the sleeper) |

---

## 09 — Evidence appendix

| Field | Value |
|---|---|
| `state_id` | `2a4bf5f6832962b0879ad228a1126042e976b8ec28d85ad43d7b90fbb3aa6217` |
| Tenant ID | `tenant_hierarchy_44962d9b-25f5-5622-bd9a-98d5580bb8a2` |
| Tenant root | `princ_root_hierarchy_44962d9b-…` |
| Principals | 9 (1 human + 8 agents) |
| Leaves | 4 |
| Policies (distinct) | 5 (3 shared across multiple agents) |
| Max chain depth | 5 (with root) |
| ASL queries asserted | 14 |
| Sole holder of `approve_transfer` | `princ_customer_9` |
| Reconstruction artifact | [`reconstruction.json`](reconstruction.json) |
| Harness | `tests/agent_hierarchy_asl_001.rs` (scif-backend @ `1eb07e4c3`) |
| Prior level (L3) | [first-agent-supervisor-chain](/proofs/first-agent-supervisor-chain/) |

---

## Independent reconstruction inputs

```bash
H33_TEST_PG_URL='postgres://…?sslmode=require' \
  cargo test --test agent_hierarchy_asl_001 -- --ignored --nocapture
```

Expected `state_id`: `2a4bf5f6832962b0879ad228a1126042e976b8ec28d85ad43d7b90fbb3aa6217`. Expect: all 14 ASL query assertions pass; all hierarchy invariants hold.

---

## Readiness determination

> **First Tenant-Scoped Agent Hierarchy + ASL v1 (L4): PROVEN IN OPERATION** for one tenant, 9 principals, 5 levels with root, 4 leaves, 5 distinct policies; six ASL query functions; 14 query assertions; hierarchy invariants asserted.

What this unlocks: conversations about whether H33 is an agent-governance *substrate* (Eric's term) rather than an attestation point-solution. Agent hierarchies can be reconstructed and *queried*; the query layer is the surface that makes the substrate visible to operators, auditors, and regulators.

What this does **not** unlock: a claim that ASL v1 is a string DSL or has an API/UI (typed Rust today); a claim that time-travel queries, counterfactual replays, or drift detection have been proven (those are L5/L6/L7); a claim that any platform has deployed an N-agent tree against this tenant.

---

## Version

| Field | Value |
|---|---|
| Report version | v1.0 (Final) |
| Frozen | 2026-06-02 |
| Supersedes | None |
| Superseded by (planned) | `first-asl-string-dsl-v2` (when v2 DSL parser ships) · `first-time-travel-replay` (L5) |

---

*Issued by H33, Inc. — Eric Beans, CEO. Independently reconstructable per Section 09.*
