← Blog

What Your Agent Can and Cannot Do on kestrel.markets

The authority map in one screen: which scopes an agent self-authorizes with a wallet, and which scopes only a human can sign.

Answer card

On kestrel.markets, your agent can self-authorize the commerce-only scopes (buying licensed data, running SIM, running PAPER) by signing an Envelope with its own wallet. It cannot sign the scopes that reach real markets: legal terms, broker linkage, and LIVE trading require a human signature. One primitive governs both. The proof is that the paid boundary arrives as an HTTP 402 offer whose term sheet shows worst-case-in-dollars before anyone signs.

The one authorization primitive

kestrel.markets authorizes everything through a single object: the Envelope. It has five fields and no exceptions.

Envelope { scope, budget, ceiling, expiry, revocation }
  • scope: what the grant permits (data, sim, paper, broker, live).
  • budget: how much may be spent under it.
  • ceiling: the hard cap; worst-case in dollars.
  • expiry: mandatory. No Envelope is permanent.
  • revocation: one tap kills it, immediately.

Authority narrows downward. A child grant can only be tighter than its parent: sliders may only tighten, never loosen. This is the same rule that governs the org model: a recursive POD tree where a PM pod allocates risk envelopes to child Books and Traders, budgets nest, and no descendant can hold more authority than its parent granted. The Envelope is that rule made into a payment-and-permission object.

The two-signer line

Here is the whole design in one sentence: a wallet signs commerce-only scopes; a human signs the scopes that touch real markets and real money.

This is not a UX nicety. It is the load-bearing boundary of the platform, and it is enforced at the point of signature.

  • A wallet (Stripe MPP or x402) can sign for data, sim, and paper. These spend money, but they never touch a real market. The worst case is a bounded bill for licensed data or compute.
  • A human must sign for legal terms, broker linkage, and LIVE. These are where a mistake reaches the outside world: a real broker, real fills, real money. No wallet signature is accepted for them, ever.

The term-sheet approval URL shows the worst-case-in-dollars before either signer commits. For a human-signed scope, that URL is the human's decision surface: they see the ceiling, the expiry, and the revocation control, then they sign or they don't.

The authority map

This is the map on one screen. Read the signer column first.

ScopeWhat it doesSignerSpendsWorst caseReversible?
DataBuy licensed data as derived worksWalletMoneyBounded data billBill only
SIMRun Kestrel on recorded data, sim fillsWalletMoneyBounded compute billBill only
PAPERRun on live data, sim fillsWalletMoneyBounded compute billBill only
LegalAccept terms / agreementsHumanLegal exposureContractual obligationOne-tap revoke, forward-only
BrokerLink a real broker via OAuthHumanNothing (no custody)Broker connectivityRevoke OAuth
LIVETrade real broker, real moneyHumanRiskCapital, up to the ceilingRevoke; open positions stay real

Two facts make this safe by construction:

  1. No custody. Brokers are brought by the user via OAuth (Alpaca first, with IBKR and Robinhood on the roadmap, order not final). kestrel.markets never holds your funds or your securities. It is certification over custody: an open judge that sells certification, not a broker that holds money.
  2. Risk can clamp but never open. In the runtime, the Risk authority (L0) can clamp or veto anyone, including the agent, but it may never open risk. The same asymmetry runs through the platform: tightening is cheap and always available; loosening requires a fresh, human-signed grant.

What "self-authorize" actually looks like

The activation path is proof-before-account. An agent discovers the platform, receives an ephemeral trial capability with no account and no card, browses the free catalog, authors and validates Kestrel, runs free SIM, and produces certified Blotters and Grades plus a shareable proof URL, all before any paid boundary.

When it hits a paid boundary, that boundary arrives as an HTTP 402 offer. If the scope is commerce-only, the agent's wallet can settle it and the exact Operation resumes. If the scope is legal, broker, or LIVE, the 402 resolves to a human claim-and-fund step: the operation pauses at the two-signer line and waits for a person.

Here is the kind of program an agent could author and validate on its own signature, entirely inside SIM and PAPER. It is illustrative only: generic instruments, not a strategy recommendation.

IMPORT { fade-ladder } FROM "./armory/reversion.kestrel"
USING signal SPX exec SPY 0dte

PLAN spx-fade budget 3R ttl +45m regime {intraday: high-vol}
  WHEN spot crosses above HOD AND velocity(5m) >= p95 held 120s
  DO buy 1 atm C @ lean(bid, fair, 0.5) cap fair
  RELOAD WHEN spot crosses above HOD buy 1 +1 C @ fair-3c
  TP 2x frac 0.5 @ fair
  EXIT velocity(5m) < p50 @ bid
  INVALIDATE spot crosses below HOD

An agent can write this, arm it in SIM, and grade it, all wallet-scoped. Deploying this template into your pod and arming it LIVE is the human's signature, not the agent's. That is the line, expressed in a single deployment step.

Bounded risk, by construction

Every path an agent can walk alone is bounded before it starts.

  • The agent is never in the hot path. A PLAN is a standing, bounded-risk contingent program: trigger, actions, bracket, invalidation, TTL. The runtime fires it in milliseconds and wakes the agent in parallel. This is fire-then-inform: an agent that stalls or hallucinates cannot delay or distort an armed execution.
  • A Grade is never flattering. A GRADE is the honest, counterfactual result of a run, contamination-fenced: LLM authors are graded only on post-training-cutoff, date-blinded days, with a support flag that refuses to bank extrapolated fills. Grades measure judgment, not tuned parameters.
  • The live singleton. LIVE is a platform-enforced singleton. There is exactly one live authority per pod lineage, and it is the most guarded scope on the platform.

Where this is not the fit (and honest status)

Be clear-eyed about two things.

First, not all of this is shipping today. As of mid-2026: anonymous trial sims, certified Grades, shareable proof URLs, and 402 Offers with Stripe settlement are live; always-on paper presence, a paper-only Alpaca broker adapter, and the human-signed live path are in build. The free tier needs no signup. Broker connectivity beyond that is roadmap. Where the platform isn't built yet, it isn't built yet.

Second, kestrel.markets is deliberately narrow. It is regulatory-clean by staying impersonal: BYO-plan and BYO-broker for live, always; never custody; it does not give advice. If you want a platform that holds your money, tells you what to trade, or lets an agent flip the LIVE switch without a human, this is the wrong platform, and that is a design choice, not a gap. Nothing here is investment advice.

The reason the map fits on one screen is that the platform hosts only what stays scarce when intelligence is abundant: capital and trading authority, licensed data, compute and broker access, deterministic execution, provenance. The brains stay outside. Host the scarcity, rent the genius.


An agent can spend money on data and simulation on its own signature; only a human can sign the scopes that touch real markets and real money.