The Authority Center explains the decision. Replay reconstructs it — millisecond by millisecond, from inputs you can verify yourself, with no further trust in H33.
Each step below carries the inputs that produced it, the binding it adds to the proof, and the property that lets a third party re-derive it.
A claims-adjuster agent receives a structured request from an upstream orchestrator: approve
cyber claim, amount $1,800,000. The substrate computes the canonical hash of the inbound
payload before any downstream lookup. Anyone with the request bytes can recompute
request_hash and confirm it matches the artifact.
The substrate calls registry.record_at(agent_principal_id, action_time) against the
local federation key registry replica. The lookup returns the record that was Active at the
millisecond of the action — not the current record, the contemporaneous one. A registry
revocation that lands after this point cannot change this lookup.
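
The contemporaneous lookup described above, sketched as an added example (not H33's code). The `Record` fields, the half-open validity interval and the toy in-memory `Registry` are assumptions; only the name `record_at` comes from the text.

```python
from dataclasses import dataclass, replace
from typing import List, Optional

@dataclass(frozen=True)
class Record:
    principal_id: str
    key_id: str
    active_from_ms: int            # first millisecond the record is Active
    revoked_at_ms: Optional[int]   # None until a revocation lands

class Registry:
    """Toy registry replica that keeps full history instead of current state."""

    def __init__(self) -> None:
        self._history: List[Record] = []

    def register(self, principal_id: str, key_id: str, at_ms: int) -> None:
        self._history.append(Record(principal_id, key_id, at_ms, None))

    def revoke(self, key_id: str, at_ms: int) -> None:
        # A revocation closes the record's validity interval; it never deletes it.
        self._history = [
            replace(r, revoked_at_ms=at_ms)
            if r.key_id == key_id and r.revoked_at_ms is None else r
            for r in self._history
        ]

    def record_at(self, principal_id: str, action_time_ms: int) -> Optional[Record]:
        """Return the record that was Active at action_time_ms, or None."""
        active = [
            r for r in self._history
            if r.principal_id == principal_id
            and r.active_from_ms <= action_time_ms
            and (r.revoked_at_ms is None or action_time_ms < r.revoked_at_ms)
        ]
        # If intervals overlap, the most recently activated record wins.
        return max(active, key=lambda r: r.active_from_ms, default=None)

def demo() -> list:
    reg = Registry()
    reg.register("agent:claims-adjuster", "key-1", at_ms=1_000)  # constructed ids
    before = reg.record_at("agent:claims-adjuster", 5_000)
    reg.revoke("key-1", at_ms=5_001)          # lands after the action
    after = reg.record_at("agent:claims-adjuster", 5_000)
    current = reg.record_at("agent:claims-adjuster", 9_000)
    return [before.key_id, after.key_id, current]
```

The lookup for the action time returns the same key before and after the revocation lands, while a lookup at the current time returns nothing.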
The scope envelope was signed by the agent at registration and stored alongside its principal
record. The substrate fetches it and computes committed_scope_hash — the
field that will appear on the final artifact and bind the policy state in force at this
instant. Any later edit to the envelope produces a different hash.
The Governance State Reference Hash (committed_gsrh) combines the registry tip
hash and the policy-state root hash into a single fingerprint. This pins the meaning of every
authority binding to a specific instant. A revocation, delegation expiry, or policy supersession
that lands at T+0.013ms cannot retroactively change this proof — the GSRH
captures the world as it was, not as it will become.
The scope check is intentionally trivial: attempted_amount > threshold. There
is no learned model, no soft check, no probability score. 1,800,000 > 500,000 →
axis verdict is Denied. The simplicity is
load-bearing: anyone can reproduce the comparison and reach the same answer.
The substrate aggregates per-axis verdicts. In this scenario only one axis was probed; in
multi-axis scenarios all per-axis verdicts must be Allow for the overall scope_check to be
Allow. Any single axis returning Denied yields a final scope_check = Denied,
with the failing axis recorded on the artifact.
The substrate serializes the NAP body in canonical JCS encoding (RFC 8785) and computes
artifact_binding_hash = SHA3-384(canonical(body)). This is the hash the
triple-family signature will cover. Any single byte changed in any field — issuer URN,
request hash, scope hash, gsrh, axis verdict — produces a completely different
binding hash. The signature will not verify against a tampered body.
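
A third party's re-derivation of the scope verdict and the binding hash, as an added example (not H33's code). The body layout, the `issuer` and `failing_axis` field names and the placeholder hash values are assumptions, and `canonical` is a simplified stand-in for full RFC 8785 JCS that is only adequate for this flat body.

```python
import hashlib
import json

def canonical(body: dict) -> bytes:
    # Stand-in for RFC 8785 JCS: sorted keys, no whitespace, UTF-8. Assumed
    # adequate only for this flat body of ASCII keys, strings and null.
    return json.dumps(body, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def binding_hash(body: dict) -> str:
    return hashlib.sha3_384(canonical(body)).hexdigest()

def axis_verdict(attempted: int, threshold: int) -> str:
    # The page's rule: Denied only when attempted_amount > threshold.
    return "Denied" if attempted > threshold else "Allow"

def aggregate(axes: dict) -> tuple:
    # Overall Allow requires every axis to be Allow; failing axes are recorded.
    failing = sorted(name for name, v in axes.items() if v != "Allow")
    return ("Denied" if failing else "Allow"), failing

def replay(body: dict, claimed_hash: str, attempted: int, threshold: int) -> list:
    """Re-derive verdict and binding hash; return the fields that disagree."""
    mismatches = []
    verdict, failing = aggregate({"amount": axis_verdict(attempted, threshold)})
    if body.get("scope_check") != verdict:
        mismatches.append("scope_check")
    if body.get("failing_axis") != (failing[0] if failing else None):
        mismatches.append("failing_axis")
    if binding_hash(body) != claimed_hash:
        mismatches.append("artifact_binding_hash")
    return mismatches

# Constructed sample body; field values are placeholders, not real H33 output.
BODY = {
    "issuer": "urn:example:issuer",
    "request_hash": "aa" * 48,
    "committed_scope_hash": "bb" * 48,
    "committed_gsrh": "cc" * 48,
    "scope_check": "Denied",
    "failing_axis": "amount",
}
CLAIMED = binding_hash(BODY)   # stands in for the value the signatures cover
```

An empty list from `replay` means the recomputed verdict and hash agree with the artifact; signature verification over `artifact_binding_hash` is a separate step not shown here.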
The substrate signs artifact_binding_hash under three independent
post-quantum hardness assumptions — lattice (ML-DSA-87), hash (SLH-DSA-256s), and
NTRU-lattice (FALCON). Verification requires at least two of three to pass. If any single
scheme were broken tomorrow, the proof would remain valid; no single assumption is
load-bearing.
The substrate serializes body + signatures + a counter-signer block (an independent issuing
principal) into a single JSON file with extension .h33pqv.json. Typical size:
50–100 KB. Once written, the artifact is portable: it can be emailed, dropped into a Slack
channel, attached to a court filing, or handed to a regulator. Nothing about its
verifiability depends on H33 staying online.
The upstream orchestrator receives a structured deny response carrying the artifact's
artifact_binding_hash. From this point forward, every downstream system
that consumed the response (claims platform, audit log, dashboard, ledger) can cite the
artifact directly. The artifact does not depend on what those downstream systems remember
— they depend on it.
The same inputs always produce the same outputs. There is no randomness in the scope check, no learned threshold, no probability score. A skeptic running the comparison on their own laptop reaches the same verdict.
Every step's output cites the substrate object it depends on — a registry record, a scope envelope, a tip hash, a policy root. Nothing in the replay is the auditor's word against the substrate's; both speak in the same canonical hashes.
Every binding flows into the artifact_binding_hash, which is signed under three independent post-quantum schemes at a 2-of-3 threshold. Tampering with any field anywhere in the timeline invalidates the signature on the artifact.
The application wrote what it observed. A log line is a self-report; the system being audited produced it. Replay is the substrate's structured output, signed before it left the substrate.
A screenshot is a single frame, devoid of context, easily fabricated, impossible to verify. Replay is millisecond-resolution and re-derivable from a canonical record.
An audit report is a third-party summary written months after the fact. It paraphrases what happened. Replay is what happened — every byte the substrate saw, every hash it produced, every signature it emitted.