
When an agent acts for you, it leaves a receipt

Jun 17, 2026 · Dekimu

An AI agent that can act on your behalf is useful right up to the moment something goes wrong — a reminder sent to the wrong client, a document filed that you didn't sanction. At that moment you need two things software almost never gives you: proof of exactly what the agent did, and proof that it was allowed to do it. Over the last fortnight we built and merged the layer that binds those two together. The agent doesn't just act — it leaves a receipt that anyone can verify.

The Operator drafts, then holds

Hub's Operator agent does the tedious work — a follow-up draft, a notice, a record — but it stops before the irreversible step. It drafts and holds. A human reads the draft and releases it. That "draft-and-hold" default is deliberate: an agent earns the right to take an action by first showing its work, not by being trusted with a blank cheque on day one. The interesting engineering isn't the drafting. It's what happens at the moment a held action is actually released.

A mandate, not a master key

When the agent is authorised to do something, that authority is a narrow, scoped grant — a mandate — not a master key to your account. A mandate says which capability, for how long, within which limits. The agent can't quietly widen its own remit, because the authority it holds is a specific signed grant, and stepping outside it isn't a policy violation it might get away with — it's a credential it simply doesn't possess.

The receipt binds the mandate to the action

Here's the piece we just finished. When a gated action runs, it mints a verifiable action receipt — and that receipt now carries the identifier of the exact mandate it consumed, sealed in. So the receipt doesn't only say "this happened, at this time, with these contents." It says "this happened, and here is the specific authority that permitted it." You can hand that receipt to a client, an auditor, or a future version of yourself, and they confirm both halves at verify.dekimu.com without an account and without trusting us. The action and its permission are one provable object.
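A sketch of what verifying such a binding involves, added here as an illustration and not Dekimu's code or receipt format: every field name, the key and the sample data are constructed, and an HMAC from the standard library stands in for the public-key signature that verification without trusting the issuer would require. It covers the capability and validity-window parts of a mandate only.

```python
import hashlib, hmac, json

KEY = b"constructed-demo-key"  # assumption: stand-in for the issuer's signing key

def seal(obj):
    """Return obj plus a MAC over its canonical JSON (stand-in for a signature)."""
    body = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return {**obj, "sig": hmac.new(KEY, body, hashlib.sha256).hexdigest()}

def sealed_ok(obj):
    """Recompute the seal over every field except 'sig' and compare in constant time."""
    body = {k: v for k, v in obj.items() if k != "sig"}
    return hmac.compare_digest(seal(body)["sig"], str(obj.get("sig", "")))

def verify_receipt(receipt, mandates):
    """Return (ok, reason). The mandate id is inside the sealed body, so it cannot be swapped."""
    if not sealed_ok(receipt):
        return False, "receipt seal invalid"
    mandate = mandates.get(receipt.get("mandate_id"))
    if mandate is None or not sealed_ok(mandate):
        return False, "mandate missing or seal invalid"
    if receipt["capability"] != mandate["capability"]:
        return False, "capability outside mandate"
    if not mandate["not_before"] <= receipt["time"] < mandate["not_after"]:
        return False, "action outside mandate validity window"
    return True, "ok"

# Constructed sample data (hypothetical field names, integer timestamps).
MANDATES = {"m-001": seal({"id": "m-001", "capability": "send_followup",
                           "not_before": 1000, "not_after": 2000})}

def make_receipt(mandate_id, capability, time):
    """Mint a sealed receipt that names the mandate it consumed."""
    return seal({"mandate_id": mandate_id, "capability": capability, "time": time,
                 "content_sha256": hashlib.sha256(b"draft text").hexdigest()})

RECEIPT = make_receipt("m-001", "send_followup", 1500)

if __name__ == "__main__":
    print(verify_receipt(RECEIPT, MANDATES))
    # Re-pointing a sealed receipt at another mandate breaks the seal.
    print(verify_receipt({**RECEIPT, "mandate_id": "m-999"}, MANDATES))
```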

An autonomous agent without an audit trail is a liability with a friendly interface. The receipt is the difference between "it probably did the right thing" and "here is proof of what it did, and that it was allowed to."

Built first, opened later

We built the proof layer before opening the door. The capability door that lets an outside agent drive Hub is deliberately still closed — fail-closed, off by default — while we get the binding exactly right. That's the unglamorous order of operations we keep choosing: build the part that proves the action was safe before shipping the part that takes it. When the door opens, every action that comes through it will already carry its own evidence.