Future Native · Worked example · Confidential

One agent action, end to end

The path one agent action takes, from the harness a firm already runs to the regulatory box a licensed officer has to tick.

Scenario: a Hong Kong SFC-licensed asset manager (Type 9, discretionary mandates) runs an in-house portfolio-rebalancing copilot. The Responsible Officer who owns the mandate needs to deploy it without putting their license on the line.

01
The harness

The agent the firm already runs

Their own agent on a standard harness (e.g. the OpenAI Agents SDK) wrapping a frontier model, with tool access to the firm's OMS and market data.

Vendor-agnostic: OpenAI, Anthropic, or in-house. Future Native wraps whatever they run.

02
The action

It places a real order

The copilot rebalances a discretionary mandate (the client pre-delegated and never approved this specific trade) and calls the OMS tool:

BUY 5,000 · 0700.HK
discretionary mandate · client #A-4192

what this is
03
The Trust Manifest SDK in dev

A signed record is emitted

Captured at the tool call. An agent's actions are its tool calls. Cartographer emits one record in the open Trust Manifest format, auto-signed under the officer's delegated authority.

  • which agent · on whose authority
  • data it touched · counterparty
  • reported outcome · timestamp
  • hash-chained to the prior record
04
The regulatory box

The officer can sign off

It satisfies what the SFC Manager-in-Charge / RO accountability regime requires for an automated investment action:

  • stayed within an authorized mandate
  • attributable to a named licensed person
  • tamper-evident, regulator-verifiable record
Trust Manifest · v0.2 · one leafsigned · anchored
// emitted the instant the OMS tool is called
{
  "manifest": "trust-manifest/v0.2",
  "seq": 4192, "prev": "sha256:1d9e…",   // chained per agent
  "agent": { "id": "did:fn:acme/agent/rebalance-copilot",
    "authority": "did:fn:acme/officer/j.chan" }, // RO · SFC CE-XXXXXX
  "action": "place_order",
  "data_scope": ["positions:read", "orders:write"],
  "counterparty": "HKEX:0700",
  "outcome": { "status": "executed", "reported": "BUY 5,000 @ 312.40" },
  "ts": "2026-07-02T01:22:07Z", "salt": "b7f0…",
  "sig": "ed25519:…"          // the officer's key, never ours
}

One record = one action. The card is a single place_order. A busy agent emits thousands; they chain per agent (seq/prev) and batch for anchoring (see the rail below).

Why these two fields are the whole point

authority binds the action to a named, licensed human rather than a service account. It's what turns a log into accountability: someone is answerable.
sig is the customer's key signing, with the key held in their KMS. We never hold it, so the record can be verified without trusting Future Native.
Only the hash of the record is anchored on-chain. The data stays with the firm, in-jurisdiction.

Who signs? Not a human per action. The officer delegates authority to the agent once (a signed credential bound to their corporate identity and SFC licence), and every action is then auto-signed under that delegation. It scales to thousands of actions while staying bound to a named, liable person. (Chain structure is settled; the signature and delegation format is an implementation choice.)

then · design
Batch
Records roll into a Merkle tree. We anchor the root, not each record.
then · design
Anchor
The root is written on-chain via EAS on Base, then to Ethereum L1 for the high-assurance tier. Async, off the agent's path.
later
Verify, independently
The SFC recomputes the hash and checks the officer's signature and the Merkle proof against the on-chain root, with no involvement from us.
the moat
Designation
An accredited neutral operator holds the standing the regulator references. Entities get accredited, not code.
Why a chain, not just our database?

A neutral auditor you have to trust isn't neutral. Anchoring is the only way the operator can prove it didn't alter, withhold, or backdate a record, including against itself. Keep the record in our own database and you are back to trusting Future Native, which is the one thing the thesis can't allow. This is why the chain is load-bearing rather than decoration: it makes the record verifiable independently of us.

What it guarantees, and the one thing it doesn't

✓ solved · signatures

Non-falsification

A signed record can't be altered after the fact without detection.

✓ solved · anchoring

Non-deletion

Once a hash sits in an anchored root, no one can deny it existed or remove it from the history.

△ the honest limit

Non-omission

Nothing cryptographic forces an action to be recorded in the first place. The denominator problem.

Cryptography can't prove a log is exhaustive from inside a runtime the auditee controls, so we bound it the way every audit regime does: runtime hooks that instrument the agent instead of hand-logging, a per-agent sequence chain where a dropped action leaves a visible gap, certified coverage, and an officer personally liable for attesting the log is complete. A deliberate omission then becomes a false statement by a named person, not an invisible act. Human financial audit works the same way.

On the roadmap · not yet built
Zero-knowledge proofs. Prove an action stayed within the officer's mandate (within limits, on authorized data) without revealing the records themselves. This narrows the non-omission limit above, and lets a firm prove compliance to a regulator in one jurisdiction while the data never leaves another. Today only hashes touch the chain, so it extends the architecture instead of replacing it.
Why this isn't observability

Observability tells you what the agent did

A monitoring tool watches the agent for you, and you hold the data. A regulator still has to trust your word for it. Useful, but it doesn't make anyone answerable.

This makes someone answerable for it

A named licensed officer signs their authority into a record no one in the loop can alter, and the regulator verifies it themselves. Answerability is the whole product.

Observability is what happened. Accountability is who is answerable for it, provably, to a regulator who never has to trust us.

early: SDK in dev design: architecture settled, not yet built Future Native layer the regulatory outcome