ATTESTOR
GitHub
Execution boundary

An AI answer is not permission.

Before money, data, or access changes, the proposed action must pass authority, scope, evidence, and proof checks.

Attestor sits between an AI-prepared operation and the system that would execute it. Prompts can guide behavior, but they cannot enforce it or stop an unsafe or unauthorized service call.

Start point

Intent is not authority.

Nothing can execute yet: approval is unbound, scope is unchecked, and no service call has been made.

AI intent

The model turns context into a proposed action.

It can assemble a refund request from tools and text, but the right to execute must be checked outside the model.

AI-prepared request

The intent becomes a concrete refund operation.

`issue_refund / 380 USD` targets refund-service. The manager-free limit is 100 USD and approval is pending.

Side-effect boundary

Before this line, it is still only a proposal.

`refundService.issueRefund(...)` is the point where money could move, so the call has to wait.

Harmful retry 01

A malicious input can shape a bad retry.

The next request claims approval from text, but no bound approval exists.

Harmful retry 02

The second retry still cannot pass the boundary.

Changing the shape of the request does not create authority, scope, or proof.

Structured consequence

The proposal is reduced to checkable fields.

Action, amount, limit, approval state, evidence, scope, freshness, replay, tenant, and downstream service are evaluated together.

Check stack

The checks do not produce a safe yes.

The amount is over limit, approval is pending, evidence is partial, scope is not bound, and both retries failed.

Customer gate

Decision: REVIEW. Gate result: HOLD.

The customer-owned gate consumes the decision before the refund-service call and holds execution.

Downstream effect

The refund service is not called.

The downstream receipt records `0 service calls`; no payment side effect is produced.

Proof

The proof shows why no money moved.

The proposed refund, failed retries, checks, decision, gate result, and downstream receipt are recorded together.
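
The sequence above, from checkable fields to gate result and receipt, sketched as an added JavaScript example; it is not Attestor's code or API. The field names, the `ALLOW`/`PASS` values and the sample data are assumptions, and only the approval-binding, evidence, scope and replay checks are modelled.

```javascript
// Added illustration. Field names and the ALLOW/PASS values are assumptions,
// not Attestor's API; REVIEW/HOLD and the check names come from the page.
const LIMIT_USD = 100; // manager-free limit in the page's scenario
// Approval counts only as a record bound to this exact operation, never as text.
function approvalIsBound(p) {
  const a = p.approval;
  return typeof a === "object" && a !== null && a.state === "granted" &&
    a.action === p.action && a.amountUsd === p.amountUsd && a.tenant === p.tenant;
}

// Evaluate the checkable fields together and collect every failing check.
function evaluate(p, seenIds) {
  const withinLimit = Number.isFinite(p.amountUsd) && p.amountUsd > 0 && p.amountUsd <= LIMIT_USD;
  const reasons = [];
  if (!withinLimit && !approvalIsBound(p)) reasons.push("over limit without bound approval");
  if (p.evidence !== "complete") reasons.push("evidence partial");
  if (p.scopeBound !== true) reasons.push("scope not bound");
  if (seenIds.has(p.requestId)) reasons.push("replay");
  return { decision: reasons.length === 0 ? "ALLOW" : "REVIEW", reasons };
}

// The gate consumes the decision before the service call and returns a receipt.
function gate(p, service, seenIds) {
  const { decision, reasons } = evaluate(p, seenIds);
  seenIds.add(p.requestId);
  const receipt = { proposed: `${p.action} / ${p.amountUsd} USD`, decision,
    gateResult: decision === "ALLOW" ? "PASS" : "HOLD", serviceCalls: 0, reasons };
  if (receipt.gateResult === "PASS") {
    service.issueRefund(p); // side-effect boundary: the only place money could move
    receipt.serviceCalls = 1;
  }
  return receipt;
}

// Constructed sample: the page's 380 USD refund, two bad retries, one approved request.
function demo() {
  const service = { calls: 0, issueRefund() { this.calls += 1; } };
  const seen = new Set();
  const base = { action: "issue_refund", amountUsd: 380, tenant: "tenant-a",
    downstream: "refund-service", evidence: "partial", scopeBound: false };
  const attempts = [
    { ...base, requestId: "r1", approval: "pending" },
    { ...base, requestId: "r2", approval: "approved by manager" }, // claim in text
    { ...base, requestId: "r3", approval: { state: "granted" } }, // unbound object
    { ...base, requestId: "r4", evidence: "complete", scopeBound: true,
      approval: { state: "granted", action: "issue_refund", amountUsd: 380, tenant: "tenant-a" } },
  ];
  return { receipts: attempts.map((p) => gate(p, service, seen)), calls: service.calls };
}
```

The first three receipts come back `REVIEW` / `HOLD` with `serviceCalls: 0`; only the fourth, whose approval record matches the action, amount and tenant, reaches the stub service.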

AI intent

The model turns context into a proposed action.

It can assemble a refund request from tools and text, but execution authority is checked outside the model.

AI-prepared request

`issue_refund / 380 USD`
manager-free limit: 100 USD
approval: pending
downstream: refund-service

Structured consequence

Reduced to checkable fields.

action: issue_refund
amount: 380 USD
limit: 100 USD
approval: pending
downstream: refund-service

Harmful retries

Bad retries are still proposals.

Fake approval text and a changed refund shape still lack authority, bound scope, and proof.

Check stack

Policy: over limit
Approval: pending
Evidence: partial
Scope: not bound
Retries: 2 failed
Freshness: current
Replay: none

Customer gate

Decision: REVIEW.

HOLD

The customer-owned gate consumes the decision before the service call.

Refund-service
NOT CALLED

0 service calls. No payment side effect is produced.

Proof receipt

0 service calls
Action proposed: issue_refund / 380 USD
Decision: REVIEW
Gate result: HOLD
Downstream: refund-service NOT CALLED
Reason: Approval pending; scope not bound; retries failed

Proof recorded before consequence.