Triple-Leaf Ledger

Authorization proves intent.
Execution proves reality.
Variance proves the gap.

This is what differentiates ObligationSign from every other governance product: not just "we record what was permitted" but "we prove what actually happened against that permission."

L2+ Feature · Normative

The accountability gap

Most governance systems stop at authorization: they record that an action was permitted. But between permission and execution, anything can change:

Model drift

A model authorized for deployment at safe parameters can drift during execution. The authorization leaf says "permitted." Reality says something different. Without an execution witness, the gap is invisible.

Supply chain excursion

A shipment authorized under cold chain conditions can experience a temperature excursion. The authorization exists. The deviation does not appear in the governance record without closed-loop execution capture.

Financial overshoot

A trading algorithm authorized within VaR limits can exceed them during a market event. The authorization says "within bounds." The execution exceeded them. Invisible without an execution witness.

Without an execution witness, the governance record says "permitted." Reality says something different. The gap is invisible. AGTS closes this gap.

The Triple-Leaf Ledger

Three cryptographically linked leaves per governed action:

Leaf 1 · Authorization
"This action was permitted under these conditions."
type: AGTS_GOVERNANCE_ENVELOPE_V1
Contains: proof_bundle_hash · quorum_certificate · authority_signature · log_binding

parent_auth_leaf_hash
log enforces: no execution leaf without valid parent authorization

Leaf 2 · Execution
"This is what actually happened."
type: AGTS_EXECUTION_TRACE_V1
Contains: post-exec H/C/E state · execution_metrics_hash · outcome · parent_auth_leaf_hash

parent_auth_leaf_hash + parent_exec_leaf_hash
log enforces: no variance record without both parent leaves

Leaf 3 · Variance
"This is the measured gap: Δ = ‖V_auth − V_exec‖"
type: AGTS_VARIANCE_RECORD_V1
Contains: ΔH · ΔC · ΔE · l2_distance · NOMINAL/DRIFT/BREACH · omega_breach

feeds back into next cycle
HCE observables updated · nudge applied → next authorization cycle (closed loop)

All three leaves are in the same transparency log. The log enforces cross-leaf linkage: an execution trace cannot be admitted without a valid parent authorization. A variance record cannot be admitted without both parent leaves present. No orphans. No fabricated execution data.
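The admission rule described above, sketched as an added example (not ObligationSign's code or the AGTS specification's). The leaf types and parent-hash field names come from this page; the `TripleLeafLog` class, the JSON canonicalization used for hashing, and the same-action check on a variance record's two parents are assumptions.

```python
import hashlib
import json

AUTH = "AGTS_GOVERNANCE_ENVELOPE_V1"
EXEC = "AGTS_EXECUTION_TRACE_V1"
VAR = "AGTS_VARIANCE_RECORD_V1"


def leaf_hash(leaf):
    # Assumption: a leaf hash is SHA-256 over sorted-key compact JSON.
    encoded = json.dumps(leaf, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()


class TripleLeafLog:
    """Append-only log that refuses orphan leaves at admission time."""

    def __init__(self):
        self.entries = []    # (leaf_hash, leaf) in admission order
        self._by_hash = {}   # leaf_hash -> leaf, used for parent lookups

    def _parent(self, leaf, field, expected_type):
        parent = self._by_hash.get(leaf.get(field))
        if parent is None or parent["type"] != expected_type:
            raise ValueError(f"orphan: {field} is not an admitted {expected_type}")
        return parent

    def admit(self, leaf):
        kind = leaf.get("type")
        if kind == EXEC:
            self._parent(leaf, "parent_auth_leaf_hash", AUTH)
        elif kind == VAR:
            self._parent(leaf, "parent_auth_leaf_hash", AUTH)
            trace = self._parent(leaf, "parent_exec_leaf_hash", EXEC)
            # Added check: both parents must describe the same governed action.
            if trace["parent_auth_leaf_hash"] != leaf["parent_auth_leaf_hash"]:
                raise ValueError("variance parents belong to different actions")
        elif kind != AUTH:  # quorum and signature checks for Leaf 1 are out of scope
            raise ValueError(f"unknown leaf type: {kind!r}")
        digest = leaf_hash(leaf)
        self.entries.append((digest, leaf))
        self._by_hash[digest] = leaf
        return digest
```

A rejected leaf raises `ValueError` and never reaches `entries`, so an execution trace with an unknown parent, or a variance record that pairs an execution trace with some other action's authorization, leaves no record behind.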

Leaf 1

Authorization

Type: AGTS_GOVERNANCE_ENVELOPE_V1

Contains: proof bundle, validator quorum signatures, Sovereign Authority signature, log binding.

Fires: after 3-of-4 validator quorum and Sovereign Authority signing

Leaf 2

Execution

Type: AGTS_EXECUTION_TRACE_V1

Contains: post-execution H/C/E state, domain metrics hash, outcome pre-classification, parent_auth_leaf_hash.

Fires: after the authorized action executes

Leaf 3

Variance

Type: AGTS_VARIANCE_RECORD_V1

Contains: per-observable deltas (ΔH, ΔC, ΔE), L2 distance, NOMINAL/DRIFT/BREACH classification, omega_breach flag.

Fires: after execution trace is admitted

Variance classification thresholds

The L2 distance between authorization state and execution state in the health-space [H, C, 1−E] determines the outcome classification:

Classification | L2 distance | Meaning | HCE effect
NOMINAL | ≤ 0.05 | Execution matched authorized intent | +H +C −E (positive nudge)
DEVIATED | ≤ 0.20 | Measurable drift, within operational tolerance | −H −C +E (mild negative nudge)
BREACHED | > 0.20 | Execution exceeded authorized bounds | −−H −−C ++E (strong negative nudge)

Omega breach — the most critical scenario

auth_in_omega = true (system was in safe region Ω when authorized)
exec_in_omega = false (system exited Ω during execution)
omega_breach = true (governance gap — authorized safe, executed unsafe)

This means the five-gate validation correctly permitted the action — the system was healthy at authorization time. But the execution drove the state outside the admissible region. Without the closed loop, this breach is invisible. The log shows a valid authorization leaf and nothing else.
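The threshold table and the omega breach condition above, worked through as an added example (not code from the AGTS specification). The function names, the record layout, the sign convention for the deltas and the way `drift_direction` is derived are assumptions; Ω membership is passed in as two flags because the region itself is not defined on this page.

```python
import math

# L2 thresholds from the table above. Labels follow the NOMINAL/DRIFT/BREACH
# values listed for Leaf 3; the table names the upper bands DEVIATED and BREACHED.
NOMINAL_MAX = 0.05
DRIFT_MAX = 0.20


def health_vector(state):
    """Map an H/C/E state onto the health-space point [H, C, 1 - E]."""
    return (state["H"], state["C"], 1.0 - state["E"])


def classify(l2_distance):
    if l2_distance <= NOMINAL_MAX:
        return "NOMINAL"
    if l2_distance <= DRIFT_MAX:
        return "DRIFT"
    return "BREACH"


def variance_record(auth, executed, auth_in_omega, exec_in_omega):
    """Derive the Leaf 3 fields from the Leaf 1 and Leaf 2 states."""
    # Assumption: each delta is execution minus authorization.
    delta = {k: executed[k] - auth[k] for k in ("H", "C", "E")}
    l2 = math.dist(health_vector(auth), health_vector(executed))
    # Assumption (from the nudge signs): falling H or C, or rising E, is "degraded".
    degraded = [k for k in ("H", "C") if delta[k] < 0]
    if delta["E"] > 0:
        degraded.append("E")
    return {
        "type": "AGTS_VARIANCE_RECORD_V1",
        "delta": delta,
        "l2_distance": l2,
        "classification": classify(l2),
        # True only when the system was authorized inside Ω and executed outside it.
        "omega_breach": auth_in_omega and not exec_in_omega,
        "drift_direction": {k: "degraded" for k in degraded},
    }


# Constructed authorization state (not real telemetry).
AUTHORIZED = {"H": 0.90, "C": 0.85, "E": 0.10}
```

In this sketch `omega_breach` is computed independently of the L2 band, so a record can carry a NOMINAL distance and still flag an exit from Ω.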

What monitors see

A regulator or insurance monitor scanning the log can filter for governance gaps in real time, without any access to the operator's systems:

Filter: AGTS_VARIANCE_RECORD_V1 with classification: "BREACH"
→ governance gap detected, L2 distance exceeded threshold

Filter: omega_breach = true
→ system authorized inside safe region Ω, executed outside it

Filter: drift_direction showing which observables degraded
→ "H: degraded" means epistemic uncertainty worsened
→ "C: degraded" means model coherence dropped
→ "E: degraded" means execution entropy increased

No access to the operator's systems. No proprietary data. Just the governance record in the public log, verifiable with standard SHA-256 and ECDSA operations.

The feedback loop

The variance classification feeds back into the HCE observables for the next governance cycle:

NOMINAL

Positive nudge — execution confirmed governance quality. Next authorization starts from a stronger baseline.

DRIFT

Mild negative nudge — operational tolerance but degrading. Governance tightens gradually.

BREACH

Strong negative nudge. Three consecutive breaches trigger QUARANTINE — autonomous authorization suspended until remediated.

This is the RTR "Iterative Refinement Cycle" — the system learns from its own execution variance and adjusts its governance posture automatically. The feedback is one-directional and forward-only: variance from cycle N affects observables for cycle N+1. The append-only log guarantees no retroactive modification.
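The monitor filters from "What monitors see" and the three-consecutive-breach rule from the feedback loop, combined into one log scan as an added example (not code from the project). It assumes all records belong to one governed system and that `drift_direction` maps an observable to "degraded"; the flag names in the output and the sample log are constructed for illustration.

```python
VARIANCE = "AGTS_VARIANCE_RECORD_V1"

# Constructed sample log for one governed system (not real AGTS output).
SAMPLE_LOG = [
    {"type": "AGTS_GOVERNANCE_ENVELOPE_V1"},
    {"type": VARIANCE, "classification": "NOMINAL", "omega_breach": False,
     "drift_direction": {}},
    {"type": VARIANCE, "classification": "DRIFT", "omega_breach": True,
     "drift_direction": {"E": "degraded"}},
    {"type": VARIANCE, "classification": "BREACH", "omega_breach": False,
     "drift_direction": {"H": "degraded", "C": "degraded"}},
    {"type": VARIANCE, "classification": "BREACH", "omega_breach": True,
     "drift_direction": {"C": "degraded"}},
    {"type": VARIANCE, "classification": "BREACH", "omega_breach": True,
     "drift_direction": {"H": "degraded", "E": "degraded"}},
]


def scan_variance_records(records):
    """Replay the log in order and return what a monitor would flag."""
    findings = []
    streak = 0  # consecutive BREACH records seen so far
    for index, rec in enumerate(records):
        if rec.get("type") != VARIANCE:
            continue  # authorization and execution leaves are not filtered here
        flags = []
        if rec.get("classification") == "BREACH":
            streak += 1
            flags.append("BREACH")
        else:
            streak = 0  # any non-breach record ends the run
        if rec.get("omega_breach"):
            flags.append("OMEGA_BREACH")
        if streak == 3:
            flags.append("QUARANTINE")  # third consecutive breach is the trigger
        if flags:
            direction = rec.get("drift_direction", {})
            degraded = sorted(k for k, v in direction.items() if v == "degraded")
            findings.append({"index": index, "flags": flags, "degraded": degraded})
    return findings
```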
