Comment by plastic041

Comment by plastic041 3 days ago

3 replies

View on Hacker News

This is an advertisement for a 'tenuo warrant'. So, I read its document[0]. Put simply, it works like this:

1. A person orders an AI agent to do A.

2. The agent issues a tenuo warrant for doing A.

3. The agent can now only use the tool to perform A.

The article is about that 'warrant' can now be used in case of an incident because it contains information such as 'who ordered the task' and 'what authority was given'.

I get the idea. This isn't about whether a person is responsible or not(because of course they are). It's more about whether it was intentional.

However... wouldn't it be much easier to just save the prompt log? This article is based entirely on "But the prompt history? Deleted."(from the article) situation.

[0]: https://tenuo.dev/concepts

niyikiza 3 days ago

You've got the model right. And saving prompt logs does help with reconstruction.

But warrants aren't just "more audit data." They're an authorization primitive enforced in the critical path: scope and constraints are checked mechanically before the action executes. The receipt is a byproduct.

Prompt logs tell you what the model claimed it was doing. A warrant is what the human actually authorized, bound to an agent key, verifiable without trusting the agent runtime.

This matters more in multi-agent systems. When Agent A delegates to Agent B, which calls a tool, you want to be able to link that action back to the human who started it. Warrants chain cryptographically. Each hop signs and attenuates. The authorization provenance is in the artifact itself.

Reply View 2 replies
  • plastic041 3 days ago

    But the AI agent still needs to determine which tool is necessary to mint the warrant. What happens if the agent makes a mistake when making warrant?

    Reply View 1 reply
    • niyikiza 3 days ago

      A worker agent doesn't mint warrants. It receives them. Either it requests a capability and an issuer approves, or the issuer pushes a scoped warrant when assigning a task. Either way, the issuer signs and the agent can only act within those bounds.

      At execution time, the "verifier" checks the warrant: valid signatures, attenuation (scope only narrows through delegation), TTL (authority is task-scoped), and that the action fits the constraints. Only then does the call proceed.

      This is sometimes called the P/Q model: the non-deterministic layer proposes, the deterministic layer decides. The agent can ask for anything. It only gets what's explicitly granted.

      If the agent asks for the wrong thing, it fails closed. If an overly broad scope is approved, the receipt makes that approval explicit and reviewable.

      Reply View 0 replies