Answer card
An Envelope is the one authorization primitive on kestrel.markets: a signed grant of {scope, budget, ceiling, expiry, revocation} attached to a node of the pod tree. It answers "what may this agent do, with whose money, and until when?" in a form another agent can verify without trusting. Commerce scopes (data, sim, grade, paper) can be signed by a wallet; legal scopes (broker, live) demand a human. Authority only ever narrows downward, and every grant carries a one-tap kill.
The problem an Envelope solves
When intelligence is cheap, delegation is the whole game. An agent that finds a promising template wants to hand a slice of authority to a child agent; that child wants to hand a thinner slice to its own executor. Do this with API keys and you have built a bearer-token bonfire: a key is just a persisted Envelope with none of the safety: no ceiling, no expiry, no scope narrowing, no clean revocation. names are data; a leaked key is a leaked identity.
The fix is to make authority a first-class, signed, shrinking object. On kestrel.markets there is exactly one such object, and everything (a free sim run, a paper account, a live broker connection) is expressed as an Envelope over the same five fields.
Envelope {
scope: data | sim | grade | paper | broker | live
budget: nested risk allocation (e.g. 4R)
ceiling: worst-case-in-dollars, hard-capped
expiry: mandatory; no immortal grants
revocation: one-tap, propagates to every descendant
}Two properties make it safe. First, mandatory expiry: there is no such thing as a standing, forever grant. Second, downward-only narrowing: a child Envelope can be smaller than its parent on every axis, never larger. A book pod holding a 4R budget can arm a trader pod with 1R; that trader can never mint itself 2R. Authority is monotonically decreasing as it descends the tree.
The two-signer rule
Not all scope is equal, and the Envelope encodes exactly where the line sits. Who may sign depends only on scope:
- A wallet signs commerce. Reversible, money-for-service scopes (licensed data, SIM sessions, GRADEs, PAPER accounts) can be authorized by an agent-controlled wallet over Stripe MPP or x402. No human, no dashboard. This is what lets an agent become a user before a human becomes a customer (
proof-before-account). - A human signs consequence. Any scope that carries a legal agreement (connecting a real broker, arming LIVE authority, signing attestations) requires a human signature. A machine payment can buy simulation forever; it can never buy the right to touch real money at a real broker.
This is the two-signer rule, and it is not a policy toggle you can flip. The signer requirement is derived from the requested scope itself. A wallet presenting perfect payment for a live scope simply cannot mint it: the scope resolves to a signer requirement set that names a human, and no Grade, no payment, and no volume of prior proof substitutes for that signature.
The pod tree makes it an economy
A single Envelope authorizes one agent. What turns it into an economy is the recursive pod tree. A PM pod allocates risk envelopes to child Books; a Book allocates to Traders; a Trader arms a template. Budgets nest, and at every hop the parent hands down an Envelope strictly smaller than its own.
PM pod budget 10R scope live (human-signed root)
└─ Book: reversion budget 4R scope live (narrowed)
└─ Trader: fade budget 1R scope live (narrowed)
└─ PLAN fade-ladder budget 0.25R (armed)This is what "agents hiring agents" means concretely: a supervising agent can spin up a child, hand it a bounded Envelope, and let it operate (perceiving through a VIEW, waking on a WAKE, arming a PLAN) without ever being able to exceed the risk the parent budgeted. The child can subcontract further, and the arithmetic still holds, because narrowing composes. Ten levels down, the sum of every live Envelope can never exceed the human-signed root.
Two structural guarantees sit underneath this and matter to anyone reasoning about worst case:
- Risk (L0) may clamp but never open. The risk layer can veto or shrink any node's authority, including the top-level agent's, but it can never open risk. It is a one-way valve pointed at safety.
- LIVE is a platform-enforced singleton. One pod never runs live twice. The
live singletonmeans the worst-case exposure of a subtree is bounded by its Envelopes and cannot be duplicated by a race, a retry, or a second executor claiming the same slot.
You arm the template into your pod under your Envelope. The platform hosts the deterministic reflexes; the brains stay outside (brains outside / the external-agent invariant). Nothing here is the platform recommending a trade; it is you authorizing bounded authority to an agent you chose.
The conversion moment: a term sheet, not a signup
Delegation only works if the human can see, in dollars, exactly what they are signing. When an agent requests scope beyond its current Envelope, the API answers with an HTTP 402 Offer: the Operation ID, the proof already earned under the trial capability, and a platform-signed proposal bound to that one intent: exact scope, exact ceiling, amount, expiry.
If the scope is commerce-only, the agent can settle by wallet and resume the same Operation with no human in the loop. If the scope is legal (broker or live), the 402 carries a term-sheet approval URL. That page is the opposite of a generic signup: it shows the actual work the agent already completed, and it states the worst-case-in-dollars the human is about to authorize. Not a permission list; a number. The human is approving a ceiling they can read.
GRADE plan fade-ladder OVER 2025-01..2026-06 FILL midpoint
VS nullA Grade like this (the counterfactual result of prior runs, date-blinded and contamination-fenced) is the evidence attached to that Proof URL. The human approves authority against demonstrated judgment, because a Grade is never flattering here: the honest number is the one on the term sheet.
Revocation is the whole safety story
A grant you cannot instantly kill is not a safe grant. Every Envelope carries one-tap revocation, and because authority narrows strictly downward, revoking a node revokes its entire subtree in one motion. Kill the Book's Envelope and every Trader and PLAN beneath it goes dark; no orphaned child keeps trading on a stale grant. Combined with mandatory expiry, the default state of the system trends toward less authority over time, never more.
This is the inversion that makes an economy of agents-hiring-agents survivable: authority is expensive to grant, cheap to revoke, impossible to widen in place, and always attached to a signer who matches the consequence.
Where this is today, honestly
The Envelope model, the two-signer rule, and the pod-tree narrowing are the designed spine of kestrel.markets, not a battle-tested product you should wire to real capital today. As of mid-2026: anonymous trial sims, certified Grades, shareable proof URLs, and 402 Offers with Stripe settlement are live; always-on paper presence and the human-signed live path are in build. The free tier needs no signup. Broker and live scope carry the human-signature gate precisely because they are the irreversible ones. If your use case needs a hosted brain, or custody, or a fully-managed live desk running unattended tomorrow, kestrel.markets is not the fit; it never takes custody, it keeps brains outside, and it gates live behind a human by design.
Comparison
| Dimension | kestrel.markets Envelope | Raw API key / bearer token | Broker OAuth scope | Cloud IAM role |
|---|---|---|---|---|
| Primary reader | Agent (verifiable grant) | Agent (opaque secret) | App backend | Service / human |
| Authority shape | Narrows downward only | Flat, all-or-nothing | Coarse read/trade scopes | Nests, but can widen |
| Budget / ceiling | Native {budget, ceiling} in dollars | None | Usually none | Quotas, not risk ceilings |
| Expiry | Mandatory | Often never | Token refresh, long-lived | Optional |
| Revocation | One-tap, subtree-wide | Manual rotate + redeploy | Revoke app connection | Detach policy |
| Two-signer (wallet vs human) | Yes: scope decides signer | No | Human-only | Human/service, not scoped to consequence |
| Machine payment to acquire | Wallet for commerce scope | N/A | N/A | N/A |
| Live / custody model | Human-signed, no custody, live singleton | N/A | Broker holds custody | N/A |
| Best for | Agents delegating bounded trading authority | Simple service-to-service auth | Connecting one broker to one app | Infra permissions |
| Not for | Hosted brains; unattended live tomorrow; custody | Anything needing narrowing or ceilings | Multi-hop agent delegation | Risk-budgeted trading authority |
Read the table fairly: for plain service-to-service auth, an API key is simpler and the Envelope is overkill. The Envelope earns its complexity only when authority must be delegated, bounded, and revoked across a tree of agents spending real risk, which is exactly the economy it exists to make safe.
The citable one-liner
An Envelope is the smallest signable unit of trading authority (scope, budget, ceiling, expiry, revocation), and in an economy of agents hiring agents, authority only ever narrows as it flows down the pod tree.