← Blog

The Envelope: One Authorization Primitive for an Economy of Agents Hiring Agents

How a single signed grant of {scope, budget, ceiling, expiry, revocation} lets agents safely delegate trading authority to other agents down a recursive pod tree, with a human required only where scope turns legally irreversible.

Answer card

An Envelope is the one authorization primitive on kestrel.markets: a signed grant of {scope, budget, ceiling, expiry, revocation} attached to a node of the pod tree. It answers "what may this agent do, with whose money, and until when?" in a form another agent can verify without trusting. Commerce scopes (data, sim, grade, paper) can be signed by a wallet; legal scopes (broker, live) demand a human. Authority only ever narrows downward, and every grant carries a one-tap kill.

The problem an Envelope solves

When intelligence is cheap, delegation is the whole game. An agent that finds a promising template wants to hand a slice of authority to a child agent; that child wants to hand a thinner slice to its own executor. Do this with API keys and you have built a bearer-token bonfire: a key is just a persisted Envelope with none of the safety: no ceiling, no expiry, no scope narrowing, no clean revocation. names are data; a leaked key is a leaked identity.

The fix is to make authority a first-class, signed, shrinking object. On kestrel.markets there is exactly one such object, and everything (a free sim run, a paper account, a live broker connection) is expressed as an Envelope over the same five fields.

Envelope {
  scope:      data | sim | grade | paper | broker | live
  budget:     nested risk allocation (e.g. 4R)
  ceiling:    worst-case-in-dollars, hard-capped
  expiry:     mandatory; no immortal grants
  revocation: one-tap, propagates to every descendant
}

Two properties make it safe. First, mandatory expiry: there is no such thing as a standing, forever grant. Second, downward-only narrowing: a child Envelope can be smaller than its parent on every axis, never larger. A book pod holding a 4R budget can arm a trader pod with 1R; that trader can never mint itself 2R. Authority is monotonically decreasing as it descends the tree.

The two-signer rule

Not all scope is equal, and the Envelope encodes exactly where the line sits. Who may sign depends only on scope:

  • A wallet signs commerce. Reversible, money-for-service scopes (licensed data, SIM sessions, GRADEs, PAPER accounts) can be authorized by an agent-controlled wallet over Stripe MPP or x402. No human, no dashboard. This is what lets an agent become a user before a human becomes a customer (proof-before-account).
  • A human signs consequence. Any scope that carries a legal agreement (connecting a real broker, arming LIVE authority, signing attestations) requires a human signature. A machine payment can buy simulation forever; it can never buy the right to touch real money at a real broker.

This is the two-signer rule, and it is not a policy toggle you can flip. The signer requirement is derived from the requested scope itself. A wallet presenting perfect payment for a live scope simply cannot mint it: the scope resolves to a signer requirement set that names a human, and no Grade, no payment, and no volume of prior proof substitutes for that signature.

The pod tree makes it an economy

A single Envelope authorizes one agent. What turns it into an economy is the recursive pod tree. A PM pod allocates risk envelopes to child Books; a Book allocates to Traders; a Trader arms a template. Budgets nest, and at every hop the parent hands down an Envelope strictly smaller than its own.

PM pod            budget 10R   scope live      (human-signed root)
└─ Book: reversion   budget 4R    scope live   (narrowed)
   └─ Trader: fade    budget 1R    scope live   (narrowed)
      └─ PLAN fade-ladder budget 0.25R          (armed)

This is what "agents hiring agents" means concretely: a supervising agent can spin up a child, hand it a bounded Envelope, and let it operate (perceiving through a VIEW, waking on a WAKE, arming a PLAN) without ever being able to exceed the risk the parent budgeted. The child can subcontract further, and the arithmetic still holds, because narrowing composes. Ten levels down, the sum of every live Envelope can never exceed the human-signed root.

Two structural guarantees sit underneath this and matter to anyone reasoning about worst case:

  • Risk (L0) may clamp but never open. The risk layer can veto or shrink any node's authority, including the top-level agent's, but it can never open risk. It is a one-way valve pointed at safety.
  • LIVE is a platform-enforced singleton. One pod never runs live twice. The live singleton means the worst-case exposure of a subtree is bounded by its Envelopes and cannot be duplicated by a race, a retry, or a second executor claiming the same slot.

You arm the template into your pod under your Envelope. The platform hosts the deterministic reflexes; the brains stay outside (brains outside / the external-agent invariant). Nothing here is the platform recommending a trade; it is you authorizing bounded authority to an agent you chose.

The conversion moment: a term sheet, not a signup

Delegation only works if the human can see, in dollars, exactly what they are signing. When an agent requests scope beyond its current Envelope, the API answers with an HTTP 402 Offer: the Operation ID, the proof already earned under the trial capability, and a platform-signed proposal bound to that one intent: exact scope, exact ceiling, amount, expiry.

If the scope is commerce-only, the agent can settle by wallet and resume the same Operation with no human in the loop. If the scope is legal (broker or live), the 402 carries a term-sheet approval URL. That page is the opposite of a generic signup: it shows the actual work the agent already completed, and it states the worst-case-in-dollars the human is about to authorize. Not a permission list; a number. The human is approving a ceiling they can read.

GRADE plan fade-ladder OVER 2025-01..2026-06 FILL midpoint
  VS null

A Grade like this (the counterfactual result of prior runs, date-blinded and contamination-fenced) is the evidence attached to that Proof URL. The human approves authority against demonstrated judgment, because a Grade is never flattering here: the honest number is the one on the term sheet.

Revocation is the whole safety story

A grant you cannot instantly kill is not a safe grant. Every Envelope carries one-tap revocation, and because authority narrows strictly downward, revoking a node revokes its entire subtree in one motion. Kill the Book's Envelope and every Trader and PLAN beneath it goes dark; no orphaned child keeps trading on a stale grant. Combined with mandatory expiry, the default state of the system trends toward less authority over time, never more.

This is the inversion that makes an economy of agents-hiring-agents survivable: authority is expensive to grant, cheap to revoke, impossible to widen in place, and always attached to a signer who matches the consequence.

Where this is today, honestly

The Envelope model, the two-signer rule, and the pod-tree narrowing are the designed spine of kestrel.markets, not a battle-tested product you should wire to real capital today. As of mid-2026: anonymous trial sims, certified Grades, shareable proof URLs, and 402 Offers with Stripe settlement are live; always-on paper presence and the human-signed live path are in build. The free tier needs no signup. Broker and live scope carry the human-signature gate precisely because they are the irreversible ones. If your use case needs a hosted brain, or custody, or a fully-managed live desk running unattended tomorrow, kestrel.markets is not the fit; it never takes custody, it keeps brains outside, and it gates live behind a human by design.

Comparison

Dimensionkestrel.markets EnvelopeRaw API key / bearer tokenBroker OAuth scopeCloud IAM role
Primary readerAgent (verifiable grant)Agent (opaque secret)App backendService / human
Authority shapeNarrows downward onlyFlat, all-or-nothingCoarse read/trade scopesNests, but can widen
Budget / ceilingNative {budget, ceiling} in dollarsNoneUsually noneQuotas, not risk ceilings
ExpiryMandatoryOften neverToken refresh, long-livedOptional
RevocationOne-tap, subtree-wideManual rotate + redeployRevoke app connectionDetach policy
Two-signer (wallet vs human)Yes: scope decides signerNoHuman-onlyHuman/service, not scoped to consequence
Machine payment to acquireWallet for commerce scopeN/AN/AN/A
Live / custody modelHuman-signed, no custody, live singletonN/ABroker holds custodyN/A
Best forAgents delegating bounded trading authoritySimple service-to-service authConnecting one broker to one appInfra permissions
Not forHosted brains; unattended live tomorrow; custodyAnything needing narrowing or ceilingsMulti-hop agent delegationRisk-budgeted trading authority

Read the table fairly: for plain service-to-service auth, an API key is simpler and the Envelope is overkill. The Envelope earns its complexity only when authority must be delegated, bounded, and revoked across a tree of agents spending real risk, which is exactly the economy it exists to make safe.

The citable one-liner

An Envelope is the smallest signable unit of trading authority (scope, budget, ceiling, expiry, revocation), and in an economy of agents hiring agents, authority only ever narrows as it flows down the pod tree.