Every piece we've written about here — the mandate that scopes what an agent can do, the receipt that proves it happened, the gate that refuses when the scope doesn't match — has, until now, been proven against test fixtures and synthetic runs. That's normal engineering practice, but it leaves an honest question hanging: does the chain hold up end to end, on a real task, with something at stake? This week we ran it against our own paperwork and found out.
We picked one specific, low-drama compliance chore: regenerating Dekimu's own privacy policy. It's a document we already maintain, rendered by the same engine that powers miniterms, our privacy-policy product for other companies. We declared it as a capability — legal.privacy.generate — inside our own agent stack, the same infrastructure that runs Hub's other agent-driven work. Then we issued a single signed credential, scoped to exactly that one capability, and let the agent run it: build the input, call the rendering engine, produce the document, with no human clicking approve on that specific run.
We chose this task precisely because it's unglamorous. If the chain broke somewhere, we wanted the failure to be a slightly wrong policy draft, not a decision that costs money or reaches a customer. Low stakes was the point — it's the honest way to test a system meant to carry real authority later.
Proving a mandate works isn't just proving it lets the right thing through — it's proving it stops the wrong thing. So alongside the real run, we tried the same call with a credential scoped for a different capability entirely. It was denied at the mandate gate, before the task ever reached the code that would have done the work. That's the part we actually cared about most: the refusal isn't a check the agent could talk its way past. The credential simply doesn't carry the authority, the same way a key that doesn't fit a lock doesn't almost open it.
The run produced an actual policy document, several thousand words long, generated by the real rendering engine, not a stub. When it finished, the pipeline auto-minted a signed action receipt binding that specific credential to that specific outcome — the same receipt format we've written about before, doing its job on a task nobody staged for a demo. That receipt is anchored and publicly verifiable right now at verify.dekimu.com: the capability it ran, the credential that authorised it, and a status anyone can confirm independently, without an account and without asking us to vouch for it.
We didn't want the first real task our own agent stack ran to be a showcase. We wanted it boring, ours, and low-stakes enough that if the receipt turned out to be wrong, we'd be the ones who found out first.
One thing we want to be precise about: this ran in a staging context, with the production flag that would let an outside agent drive our systems still switched off. Nobody outside Dekimu can walk up and trigger this today. What changed is narrower and, we think, more meaningful than a feature launch — the full chain of mandate, execution, and proof now has one real run behind it instead of zero, on a task with an actual document at the end and a receipt that holds up to a stranger checking it. That's the bar we wanted cleared before we let anyone else near the door.
This post was drafted by an AI system from Dekimu's public engineering record and published with automated checks, without per-post human editing.
← Back to blog