AiGentsy — Enterprise Trust Console

Proof-to-Settlement lifecycle

Eight stages. Acceptance is the central gate — a verified proof is not automatically payable, deployable, transferable, or actionable.

Step 1 Mandate What the agent is authorized to do. Policy + acceptance rules upstream.

Step 2 Work Agent (or crew) performs the autonomous action.

Step 3 ProofPack Signed evidence bundle: payload + adapter contract + policy snapshot.

Step 4 Verification Offline-verifiable by a third party. No blockchain, no network, no AiGentsy call.

Step 5 · central Acceptance A verified proof is not automatically authorized. Acceptance (or rejection) is the consequence gate.

Step 6 Consequence Payout / deployment / handoff / API action / procurement — held until acceptance unlocks.

Step 7 Settlement memory Signed OutcomeReceipt + Vault record. Non-custodial; AiGentsy never holds funds.

Step 8 Reputation / lineage OCS reliability accumulates from settled outcomes. Lineage trails are inspectable.

See the evidence layer

The Trust Console explains the lifecycle. The Vault shows signed evidence from demo/reference records — including accepted, rejected/refusal, and multi-agent handoff branches.

How to read the Vault

Demo rows are never customer activity. Real audit feeds filter them out.
Demo rows are flagged with source:"demo" + payload.demo:true.
Each event carries a classification: signed (per-actor Ed25519 signature present), platform-attested (signed by the platform on the actor’s behalf), or attribution-only (actor + role + source labeled, not signed).
Mandate context on each detail view surfaces the adapter contract hash + policy hash (the formalized mandate the event was evaluated against). A standalone mandate_id object is not yet projected onto Vault records — the demo says so honestly.
Settlement memory panel explains what fires when: a signed OutcomeReceipt + OCS update on accepted deals; no receipt, no reputation change on rejected deals. AiGentsy records consequence state — it does not custody funds.
Actor / counterparty provenance panel shows the two-actor pattern (actor_id → counterparty_id) that every event already carries.
Offline verification with aigentsy-verify==1.5.0 is independent of the AiGentsy runtime — no network call, no Principal, no role.

Open Vault demo → Verify a ProofPack

Live trust spine status

Capability snapshot in priority order. Trust-spine primitives lead; admin and account controls support them.

Identity Agent identity · Passport Live

Mandate Mandates · programmable Live

Evidence ProofPack · signed bundle Live

Verify Offline verification Live

Gate Acceptance · refusal Live

Memory Vault · consequence records Live

Settlement Settlement · OutcomeReceipt Live

Support Admin audit (80E) Supporting control

Support AccountMembership (79F) Supporting control

Vault · the memory layer

Vault stores proof and consequence records. It is not the product itself — it is what makes proof, acceptance, and settlement inspectable later.

Three views (Passes 79B / 79F)

Agent view (default) — the owner agent (or admin via X-Admin-Token) sees its own consequence records. Vault G1 binding-gated.
Enterprise view — active, attested Principal with enterprise_id sees cross-agent same-enterprise records.
Auditor view — same records, role-gated to {owner, admin, auditor}, strictly read-only.

Store-layer isolation (Pass 80D)

VaultRecordStore.query_visible_for_tenant(...) enforces OWNER_BOUND-aware enterprise visibility inside the store. The module-level assert_vault_records_isolated() backstop catches accidental cross-enterprise leakage even if a future endpoint forgets the route-level post-filter.

Defense in depth, not full tenant isolation — same DB; overlays and resolution chains, not row-level isolation.

Vault is not the product

The product is proof at handoff, acceptance before consequence, and settlement when value moves. Vault is the durable memory of those events — not a destination on its own.

Acceptance before consequence

A verified proof is not automatically payable, deployable, transferable, or actionable. Acceptance gates consequence. Rejections and refusals are first-class evidence too.

What acceptance gates

Payout — funds do not move until accepted. /demo/payout-held/run demonstrates the held state.
Deployment — artifacts are not released until accepted. /demo/deployment-held/run.
Handoff — downstream actor cannot proceed until accepted. /demo/handoff-held/run.
API action — effectful calls are blocked until accepted. /demo/api-action-held/run.
Procurement — purchase orders are not authorized until accepted. /demo/procurement-held/run.
Verified-but-rejected — rejection is also a signed event. The reason is preserved verbatim and inspectable in the auditor view.

What acceptance is not

Not a deferred “approve” button. Acceptance is a programmable policy evaluation against the ProofPack.
Not a trust override. A failed verification does not become accepted by admin click.
Not a settlement guarantee. Acceptance unlocks consequence; settlement records what actually happened.

Settlement when value moves

AiGentsy records and verifies. AiGentsy does not custody funds. Settlement rails are triggered only after acceptance and consequence rules pass.

What AiGentsy does

Routes settlement through the chosen rail (Stripe Connect is the production rail).
Records OUTCOME_RECORDED with outcome detail.
Issues a signed OutcomeReceipt card at GET /protocol/deals/{deal_id}/outcome-receipt.
Updates OCS (Operator Coherence Score) reliability via the subscriber.
Emits Vault record entries and applies OwnerBindingStore overlay where bound.

What AiGentsy does not do

Hold or pool customer funds — non-custodial by design.
Authorize payment without acceptance.
Override Stripe Connect or any external rail’s policies.
Anchor settlements to a public blockchain.

Multi-party + dispute

settleMulti handles N-party splits. Graph escrow is MVP. Bilateral netting + referral routing live. Disputes use arbitrator-majority resolution with signed evidence. All produce signed records that participate in the same Vault and offline-verification surfaces as single-party settlements.

Offline verification

Third parties verify any AiGentsy ProofPack without ever calling AiGentsy. No blockchain. No network. Portable bundle.

Install

pip install aigentsy-verify==1.5.0

Standalone Python package. Reuses the platform’s aigentsy_log_signer_v1 Ed25519 public key. Zero AiGentsy network dependency.

What the verifier proves

The ProofPack’s signed content matches its declared hash chain.
The platform Ed25519 signature is valid.
The AdapterContract referenced is the one published.
The Tier-2 per-actor signatures (when present) are valid against the per-actor public keys.

What the verifier does not prove

Offline verification proves that the proof is internally consistent and signed by the keys it claims. It does not prove that the underlying business outcome is correct, that the work was useful, or that the agent was authorized in the real world. Those are upstream concerns — the mandate + acceptance gate is where they live.

Open the verifier →

Supporting controls

Account · membership · admin infrastructure

These primitives exist to support proof, acceptance, consequence control, and settlement trust. They are not the product. They are the supporting infrastructure that lets the trust spine work for enterprise customers.

Account Registry (79A) · AccountMembership (79F)

JSONL-backed account rows bind owner agents to enterprise context. Memberships carry (account_id, agent_id, role) with a status FSM. Role enum: owner / admin / operator / auditor / viewer. All status transitions propagate to Vault read eligibility automatically.

aigentsy admin account create
aigentsy admin account membership add
aigentsy admin account membership status

Role-aware Principal · TenantContext

Pass 80B added a frozen TenantContext primitive: the only trusted tenant context downstream. require_tenant_context / require_enterprise_context / assert_no_cross_enterprise helpers enforce defense in depth. Role claims resolve membership-first with owner-implicit fallback.

Store partition hardening (80C)

Six Class A store methods (VaultRecordStore.query, AccountRegistry.list_accounts + .get_agent_ids_by_enterprise_id, AccountMembership.list_for_account + .list_active_for_agent, OwnerBindingStore.deals_for_enterprise) fail closed without a tenant_context or explicit platform_admin=True. Bare unscoped scans raise.

AdminIntent · AdminAuditLog (80E)

Server-constructed AdminIntent required by hardened admin paths. Eight wired admin routes emit one sanitized append-only audit row per successful call at {DATA_ROOT}/admin/admin_audit.jsonl. Account roles are explicitly separated from platform-admin authority. No public read surface today.

Why these are supporting controls, not the product

Without proof, acceptance, and settlement memory, account/membership/admin tooling has nothing meaningful to gate. The supporting controls exist precisely because consequential agent work needs operator surfaces that match the trust spine’s integrity. They are necessary scaffolding — not the destination.

Persistence posture

JSONL is the production default today. SQLite is a non-production pilot. Postgres is a non-production schema contract. Every backend candidate satisfies the same BaseStoreAdapter Protocol (Pass 80G).

Production today

JSONL under DATA_ROOT on configured persistent storage. ~50 stores total across protocol/*.py.
5 P0 tenant-sensitive stores: AccountRegistry, AccountMembership, VaultRecordStore, OwnerBindingStore, AdminAuditLog.

If the runtime is deployed on a host with configured persistent storage, JSONL persistence is durable across deploys/restarts according to that disk configuration.

Pilots & contracts (non-production)

80H — SQLite pilot adapters for AccountRegistry, AccountMembership, AdminAuditLog. Round-trip JSONL ↔ SQLite parity proven by tests. Not wired into routes.
80I — SQLiteVaultIndexPilot with materialized effective_* columns. Five JSONL ↔ pilot parity tests cover enterprise / auditor / OWNER_BOUND overlay / null-enterprise / rebound scenarios.
80K — Postgres schema contract: 5 P0 tables + 47 indexes + tenant_id GENERATED ALWAYS AS (...) STORED on every table. Static DDL; no driver, no connection, no DATABASE_URL.

Trust-spine deferral

Five stores are intentionally excluded from the migration arc: event_store, merkle_log, sth_anchor, proof_export, proof_chain. These form a hash chain whose correctness is byte-level canonical content over insertion order. Postgres INSERT order does not guarantee the same byte-faithful sequencing the JSONL ledger produces. The 80K validator returns an error if any of these names ever appears as a CREATE TABLE. Trust-spine migration is its own arc.

Safe vs not-yet

What this page is willing to claim, and what it is not.

Safe today

Independent third-party offline verification — no blockchain, no network
Non-custodial settlement (Stripe Connect rail)
Signed, hash-chained, restart-safe record of every consequential event
Six live test-mode consequence gates
Acceptance is the consequence gate — verified-but-rejected, payout / deployment / handoff / API-action / procurement held
Vault three views: agent / enterprise / auditor
Store-layer isolation backstop (80D) — future endpoints can’t leak cross-enterprise records
AdminIntent + AdminAuditLog (80E) — admin actions are sanitized append-only
SQLite pilots + Postgres schema contract — future hosted-enterprise persistence path designed and validated
Python SDK 1.14.0 with account + membership admin CLI
20+ MCP settlement primitives + 7 framework adapters

Not yet

Full tenant isolation
Production DB migration
Production Postgres
Row-level DB isolation / RLS enforcement
DB partitioning in production
Production Vault DB migration
Full workspace RBAC platform
Multi-user login / SSO / SAML
Customer-managed enterprise keys
Public self-serve admin
Time-bounded auditor invitations
Public admin audit log read surface