Authority you can verify. Accountability you can replay.
Q-Sign is the verifiable authority and accountability substrate for autonomous systems — not a governance checker. Five components compose a cryptographic chain from the originating human authority to every downstream agent action: Lineage DAG → Q-Key → BAAE → Replay → NAP. Each step is signed by all three post-quantum families; the whole chain is emitted as one portable .h33pqv.json receipt.
The standard answers four questions at the substrate layer: Who authorized this? · Was that authority valid at action time? · Can the decision be replayed deterministically? · Is the entire authority chain visible end-to-end?
The critical path
Lineage DAG. A directed acyclic graph of authority delegations rooted at a human (or root principal). Every edge is a signed delegation with explicit scope, time bounds, and revocation handle. Lineage.verify(target) traverses the DAG and confirms this authority was bound to this actor through this path, all valid at action time. Sub-delegation cannot widen scope or extend bounds.
Q-Key. The cryptographic key bound to each actor in the DAG. A Q-Key holds three keypairs simultaneously — ML-DSA-87 (lattice), SLH-DSA-256s (hash), FALCON-1024 (NTRU) — and signs under all three on every operation. A break in any one family does not break Q-Sign; all three must verify or the receipt rejects. No PLONK, Groth16, BLS, KZG, or pairings.
BAAE. The envelope that binds an action to its authorizing lineage, instruction tag, and recipient. Three trust bindings are evaluated inside the envelope: authority (the actor possessed the lineage path), instruction (the tag matches the action shape and the recipient is the intended target), and execution (the gate Permit holds and a downstream receipt confirms). All three must hold or the envelope is rejected before the action runs.
Replay. Every BAAE is canonicalized and persisted such that a third-party verifier can re-execute the decision exactly — same inputs, same lineage state at time T, same verdict. Replay is not "rerun the live system"; it is a deterministic transcript that reproduces the gate's reasoning from the captured envelope. Adversarial replay (tampered byte, expired lineage, mis-scoped delegation) deterministically rejects.
NAP. The end-to-end visible authority chain rendered in a single artifact. NAP is what scales — when one human authorizes one agent that authorizes a fleet of sub-agents, NAP-at-scale lets an auditor read the entire descent in one pass and verify it without re-running anything. Each hop is bound to its parent; no hop can be added later; no parent can repudiate; every leaf points back to a named human.
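The traversal rules stated for the Lineage DAG above (path rooted at the root principal, no widened scope or extended bounds on sub-delegation, every edge unrevoked and valid at action time), as an added Python sketch. It is not Q-Sign code: the `Delegation` fields, `verify_path` and the sample values are assumptions, and per-edge signature verification is left out.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Delegation:  # hypothetical edge record; field names are assumptions
    issuer: str
    subject: str
    scope: frozenset
    not_before: int   # constructed integer timestamps
    not_after: int
    revocation_handle: str

def verify_path(path, root, actor, action, action_time, revoked):
    """Check one root-to-actor path; return (ok, reason).

    Signature verification of each edge is out of scope for this sketch.
    """
    if not path or path[0].issuer != root:
        return False, "path is not rooted at the root principal"
    parent = None
    for i, edge in enumerate(path):
        if parent is not None:
            if edge.issuer != parent.subject:
                return False, f"edge {i}: issuer is not the parent's subject"
            if not edge.scope <= parent.scope:
                return False, f"edge {i}: scope widened"
            if edge.not_before < parent.not_before or edge.not_after > parent.not_after:
                return False, f"edge {i}: time bounds extended"
        if edge.revocation_handle in revoked:
            return False, f"edge {i}: revoked"
        if not edge.not_before <= action_time <= edge.not_after:
            return False, f"edge {i}: not valid at action time"
        parent = edge
    if parent.subject != actor:
        return False, "path does not end at the actor"
    if action not in parent.scope:
        return False, "action outside delegated scope"
    return True, "ok"

# Constructed sample lineage: human -> agent -> sub-agent.
ROOT_EDGE = Delegation("alice", "agent-1", frozenset({"read", "pay"}), 100, 200, "rev-0")
LEAF_EDGE = Delegation("agent-1", "sub-1", frozenset({"read"}), 120, 180, "rev-1")
WIDENED = Delegation("agent-1", "sub-1", frozenset({"read", "delete"}), 120, 180, "rev-2")
EXTENDED = Delegation("agent-1", "sub-1", frozenset({"read"}), 120, 250, "rev-3")

if __name__ == "__main__":
    for leaf, t, revoked in [(LEAF_EDGE, 150, set()), (LEAF_EDGE, 190, set()),
                             (WIDENED, 150, set()), (EXTENDED, 150, set()),
                             (LEAF_EDGE, 150, {"rev-0"})]:
        print(verify_path([ROOT_EDGE, leaf], "alice", "sub-1", "read", t, revoked))
```

Because the verdict depends only on the captured edges, the action, the action time and the revocation set, re-running the function on the same inputs returns the same result.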
Standard documentation
Full specification with formal definitions, threat model, signature ceremony, and conformance requirements. Available in HTML, Markdown, PDF, and DOCX.
Reference receipts demonstrating each component, plus chaos and conformance outputs. Drop them into the public verifier to confirm the spec.
Drop any Q-Sign-emitted .h33pqv.json into the browser verifier. Triple-family signatures checked in two seconds. No login, no account.
Vectors, test fixtures, and the conformance test harness an implementer must pass to claim Q-Sign compliance.
Live demonstrations
Post-quantum signatures on real documents, real time, three signature families. Tamper the artifact to see all three families reject.
The canonical live-break. Same receipt, one byte modified, verdict flips. Q-Sign is the substrate the receipt rolls up from.
Why did this happen? Replayable agent decisions with Q-Sign authority bindings on every action.
Five flagship cyber-claim scenarios. Q-Sign substrate proves the loss event itself, not the carrier's self-report.
54 adversarial replay tests against the Q-Sign substrate. Tamper, expire, mis-scope, repudiate — all deterministically rejected.
Hub crosslinks
The applied surface: Q-Sign is the substrate the agent-governance product is built against.
Continuous attestation that AI agents acted within bound authority. Q-Sign is the cryptographic guarantee.
For every PERMIT, the Q-Sign envelope shows the lineage path that authorized the action.
For every REJECT, the Q-Sign envelope shows which of the three trust bindings failed and which lineage edge broke.
The authority substrate that Q-Sign sits on. H33-Root provides the substrate guarantees Q-Sign signs and emits.
The runtime gate that consumes Q-Sign-bound BAAEs and emits the .h33pqv.json receipt.
Where Q-Sign sits in the stack
Q-Sign is the cryptographic substrate for authority and accountability — not a product, not a policy engine. The H33-Root substrate provides the underlying trust bindings; Q-Sign defines how those bindings are signed, transmitted, replayed, and verified; the HATS gate consumes Q-Sign envelopes and emits the final receipt. Q-Sign is the layer that lets you say "this agent was bound to this authority through this path, and you can verify it without trusting us."
Substrate guarantee: no actor obtains authority from anything not bound to them and valid at action time. Application guarantee: no authorized proposal executes twice. Q-Sign delivers both via the five-component chain above.