One agent interaction. Five primitives. Every signature visible. Watch the whole trust graph run.
User input runs through pattern + heuristic + ML layers. Verdict is signed into an Ed25519 receipt.
Z3 proves the tool's policy is complete over its JSON Schema. The proof hash binds into the trust graph.
An Ed25519 capability token is issued, citing the proof hash and binding agent + tool + constraints + expiry.
Every tool call is gated against the token. A bad call is rejected without the model touching the rejection.
Every record is hash-chained and Merkle-rooted into a tamper-evident log signed at every checkpoint.
Every artefact is independently verifiable offline. No central authority. Pin the key once.
Same script, same output, runs anywhere Python does.