Answer card
Agent trading on the right substrate is more auditable than human trading, not less. Every action carries a receipt, authority is a signed, expiring, one-tap-revocable grant that only narrows downward, and execution is deterministic enough to replay. A human trade leaves a memory; an agent trade leaves a reconstructable chain of who authorized what, why the decision fired, and which fills resulted. The compliance question is not "can we trust the model" but "can we reconstruct the trade."
Why the usual fear is aimed at the wrong risk
The reflexive regulatory worry about autonomous trading is opacity: a black-box model does something inexplicable at machine speed and nobody can say why. That worry is legitimate for a certain architecture: a model wired straight to a broker with a prompt and a hope. But it is an architecture choice, not a law of nature, and it is the opposite of what a well-designed agent substrate produces.
Kestrel's founding claim reframes the problem: the two failures of LLM trading are interface (perception and latency), not intelligence. A compliance corollary follows. If the failures live in the interface, then the interface is exactly where you install accountability, and an interface, unlike a human's judgment, can be instrumented, logged, and replayed. Human discretionary trading is the genuinely opaque case: the reasoning lives in one person's head, the "authorization" is a role and a mandate rather than a signed artifact, and the reconstruction after the fact depends on interviews and best-effort memory. Three properties flip agent trading from the harder audit to the easier one: receipts, narrowing authority, and replay-stable execution.
Property 1. Receipts: every action is an artifact, not a recollection
On kestrel.markets, the unit of activity is an Operation with a stable ID, and the same operation returns the same ID whether it arrived over HTTP+SSE (the canonical face), the TypeScript SDK, the CLI, or MCP, four equal faces of one system. Nothing happens off the record because there is no privileged back channel where things could happen.
The evidentiary spine is the certified Blotter and Grade. A Blotter is the record of what was armed and what filled; a Grade is the honest, counterfactual result of a run. Both are certified artifacts, and a run produces a shareable proof URL: a citable pointer to the reconstruction rather than a claim about it. Contrast the human baseline: a fill in an order-management system, a Bloomberg chat, and an analyst's recollection of the thesis, stitched together weeks later. The agent version is designed so the stitching already happened, at the moment of action, and can't be quietly edited afterward.
This is the platform's deliberate posture: certification over custody and provenance as a hosted primitive. The commercial platform hosts only what stays scarce when intelligence is abundant: capital and trading authority, licensed data, compute and broker access, deterministic execution, and provenance/evidence. Evidence is a product surface, not a byproduct.
Property 2. Authority that narrows downward and revokes in one tap
Human authority in a trading firm is coarse and sticky: a trader has a mandate, a limit, and a login, and revoking it means a conversation, a ticket, and a lag. Agent authority on this substrate is the opposite. It is a single primitive, the Envelope: {scope, budget, ceiling, expiry, revocation}. Every grant is scoped, budgeted, capped, expiring by mandate, and revocable in one tap.
Two facts make this auditable in ways human authority is not.
First, authority only narrows downward. The org model is a recursive POD tree: a PM pod allocates risk envelopes to child Books and Traders, budgets nest, and no child can hold more authority than its parent granted. A dedicated risk face (L0) can clamp or veto anyone (including the agent) and, crucially, may never open risk. The most powerful actor in the system is structurally incapable of increasing exposure. That is a monotonicity property an auditor can check, not a policy an auditor must trust.
Second, the grant is a two-signer artifact. A wallet may sign commerce-only scopes (data, sim, grade, paper); a human must sign any legal, broker, or LIVE scope. The approval surface shows worst-case-in-dollars before signing, and the sliders may only tighten, never loosen. So for anything that can touch real money, there is a named human signature on a dollar-bounded, expiring grant: a cleaner authorization trail than "she was on the desk that quarter."
IMPORT { fade-ladder } FROM "./armory/reversion.kestrel"
USING signal SPX exec SPY 0dte
PLAN reversion-fade budget 0.25R ttl +45m regime {intraday: range}
WHEN spot crosses below VWAP AND velocity(5m) <= p05 held 120s
DO buy 2 atm P @ lean(bid, fair, 0.5) cap fair
RELOAD WHEN spot crosses below VWAP band 15bp buy 2 atm P @ bid
TP 2x frac 0.5 @ fair
EXIT spot > VWAP held 120s @ fair
INVALIDATE spot > HODRead that as an auditor, not a trader. The worst case is legible in the header (0.25R), the position cannot outlive its thesis (ttl +45m), and every clause is a logged condition with a logged consequence. This is illustrative and generic, how an agent could express a reversion thesis deployed as a template into your own pod, which you arm; it is not a strategy recommendation. The point is structural: the plan is the audit record, written before the trade rather than reconstructed after it.
Property 3. Replay-stable execution: the decision path can be re-run
The deepest accountability property is determinism. On this substrate the agent is never in the hot path: a PLAN is a standing, bounded-risk contingent program that the runtime fires in milliseconds and then wakes the agent in parallel, fire-then-inform. The consequence for audit is large. The action that hit the market was produced by a deterministic runtime executing a declared program, not by a model's live inference. So the execution can be replayed against recorded inputs and will reproduce.
Perception is built for reconstruction too. A VIEW renders the market as a compact text Frame, the chart is in text: an append-only tape with periodic keyframes, where perception cost is O(new bars) not O(screen). Because the frame is deterministic text derived from recorded data, an auditor can reconstruct exactly what the agent saw at decision time, byte for byte. "What did it see" and "what did it do" are both replayable; only "what did it think" involves the model, and even that is bracketed by the logged plan it authored.
Evaluation honesty closes the loop. A Grade is contamination-fenced: LLM authors are graded only on post-training-cutoff, date-blinded days, so a Grade is never flattering. VS ungated and VS null counterfactuals are first-class syntax, and a support flag refuses to bank extrapolated fills. The system grades judgment, not curve-fit parameters, and it publishes the counterfactual, which is closer to what a regulator actually wants than a marketing Sharpe ratio.
Where this claim does not (yet) hold: read this part
Radical fairness, because a regulator should discount hype:
- As of mid-2026: anonymous trial sims, certified Grades, shareable proof URLs, and 402 Offers with Stripe settlement are live; always-on paper presence and the human-signed live path are in build. The free tier needs no signup. The architecture and invariants are specified; treat claims about the in-build surface as design intent to verify against a running system, not as production attestations.
- Auditability of the substrate is not auditability of the model's cognition. Receipts prove what was authorized, seen, and done. They do not fully explain the model's reasoning for authoring a given plan. We claim reconstructable actions, not a solved interpretability problem.
- Determinism is bounded by real markets. Fire-then-inform execution replays; live fills depend on a real venue and real liquidity. Kestrel is honest about this: the support flag exists precisely because extrapolated fills are not evidence.
- Custody and advice stay outside on purpose. The platform never takes custody and is impersonal: not investment advice. Live always requires BYO-plan and BYO-broker via OAuth. If your compliance need is a custodial, advice-giving, discretionary manager, this is the wrong tool, by design.
The reference-implementation posture
The honest framing is not "trust our agents." It is open judge, sell certification: publish the grading method, fence it against contamination, and let anyone reconstruct a run from its proof URL. That is a reference implementation of what auditable autonomy could look like: a substrate where the burden of proof is discharged by artifacts, not asserted by a vendor. Host the scarcity, rent the genius; keep brains outside under the external-agent invariant; and make the evidence trail a hosted primitive rather than a compliance afterthought.
Comparison: what actually determines auditability
| Dimension | Human discretionary desk | Model-wired-to-broker | Kestrel / kestrel.markets |
|---|---|---|---|
| Primary reader | Human trader | Model | Model (agent-first), human co-signer |
| Perception model | Screens, memory | Raw feed / screenshots | Text Frame, replayable, O(new bars) |
| Agent in the hot path? | N/A (human is) | Yes; live inference acts | No; fire-then-inform, runtime acts |
| Latency floor | Human reaction | Inference round-trip | Milliseconds (runtime) |
| Native interface / MCP | None | Ad hoc | HTTP+SSE canonical; SDK/CLI/MCP equal faces |
| Agent-native auth (Envelope) | Role + mandate | Usually none | Envelope: scope/budget/ceiling/expiry/revocation |
| Machine payment | N/A | Rare | Agent wallet (x402 / Stripe MPP) or human claim |
| Evaluation honesty | Attribution disputes | Backtest, often flattering | Contamination-fenced Grade, VS null/ungated |
| Provenance | OMS + chat + memory | Logs if you built them | Certified Blotters/Grades + proof URL |
| Live model (custody) | Firm custody | Varies | Never custody; BYO-broker via OAuth |
| Data licensing | Vendor terms | Often unclear | Derived works only; never raw redistribution |
| Activation path | Onboarding | DIY | Proof-before-account; 402 offer at paid boundary |
| Pricing | Comp + overhead | Infra cost | Free catalog/sim; paid boundary as HTTP 402 |
| Best for | Discretionary mandates | Prototypes, demos | Auditable, bounded, agent-authored execution |
Where the honest wins go the other way: a human desk can exercise discretion the syntax can't express, and a quick model-to-broker script ships in an afternoon. Kestrel trades that flexibility for reconstructability. For a compliance reader, that trade is the whole point.
The one line to quote
An agent trade leaves a receipt for every authorization, decision, and fill; a human trade leaves a memory. Auditability is a property of the substrate, not the operator.