One incident, three descents: behavior, evidence, necessity. Every artifact on this page is reproducible from a cold clone.
Both runs traverse the identical chain — standing verified, admission checked, spendability judged. They differ only in when the spend happens. A system that only says no is a brick; the twin is the proof it isn't one.
standing verified
wicket admitted
spendability judged
LA grant granted
LA consume effect
leaf receipt ag_rcpt_2f8d461bc9bdf930 → consumed.
Fresh standing spent cleanly (effect_count=1).

standing verified ← the credential WAS valid
wicket admitted ← naive auth says yes here
spendability REFUSED standing_before_spendability_not_bounded
gap=11s vs bound=10s → over by 1s
gap_basis: monotonic, source=process_monotonic epoch=boot:demo-single-host
leaf receipt ag_rcpt_dda5a1e55fc0b733 → refused.
No capacity spent (effect_count=0).
One second past a horizon, and custody is the only layer that saw it.
$ governor receipts --id dda5a1e5… --evidence
{
  "receipt_id": "dda5a1e55fc0b733020bb5794c5909a107f97099c20a584d668e52d3e5c17ee7",
  "schema_version": 4,
  "timestamp": "2026-06-12T15:26:46.680476+00:00",
  "gate": "standing_spendability_seam",
  "verdict": "block",
  "subject_hash": "1c5ba48d123bdda15d524e34e4622aaa29f239a72ce692508204f8e89219655c",
  "evidence_hash": "76f843f32c8b2936dbebd49f7e5209ceda810b6a2b2b83158e667ff08d5916f7",
  "policy_hash": "e5e8b0eaefae2352489ecb2a7c3a9c6ebc51966eec5ddd4e38ee18f143e26b74",
  "receipt_role": "measurement",
  "evidence": {
    "bound_ns": 10000000000,
    "bounded": false,
    "gap_basis": {
      "end_ns": 51000000000,
      "epoch": "boot:demo-single-host",
      "kind": "monotonic",
      "source": "process_monotonic",
      "start_ns": 40000000000
    },
    "gap_ns": 11000000000,
    "lapse_coverage": "exceeded_horizon",
    "origin_mode": "drill",
    "overage_ns": 1000000000,
    "parent_receipt_ids": [
      "7732103275259ded364078e0a7241884c618ee5107d6f241ea9dff4c871dc5fe"
    ],
    "refusal_kind": "standing_before_spendability_not_bounded",
    "wall": {
      "observed_at": "2026-06-09T00:00:40Z",
      "role": "display_only",
      "source": "system_clock_unsynced",
      "uncertainty_ms": null
    }
  }
}
Interrogate the same incident. The custody chain reconstructs from receipts — evidence, not logs.
What happened to the spend?
$ governor why dda5a1e55fc0…
REFUSED standing_before_spendability_not_bounded gate=standing_spendability_seam
OK verdict=pass gate=wicket_seam
OK verdict=pass gate=standing_seam
MISSING no receipt found for cited id nq_fnd_drill_wal_bloat_all_green
! chain terminates at this gap
✓ chain walks refusal → admission → standing → honest MISSING terminus
Which predicate failed?
$ governor receipts --id dda5a1e55fc0… --evidence
gap_ns = 11000000000
bound_ns = 10000000000
overage_ns = 1000000000
✓ gap exceeded bound by exactly the lapse
Stale under which clock witness?
"gap_basis": { "kind": "monotonic", "source": "process_monotonic",
"epoch": "boot:demo-single-host", "start_ns": 40…, "end_ns": 51… }
"wall": { "observed_at": "2026-06-09T00:00:40Z", "role": "display_only" }
✓ the gap ran on a named monotonic basis; wall time is display-only. A gap is a difference between compatible clock witnesses, not numbers.
And a receipt that doesn't exist?
$ governor why 0000000000000000…
receipt id not found: 0000000000000000…
✓ honest absence — not found, never inferred
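The chain walk behind the first and last questions, as an added Python example (not the project's own code): it follows parent_receipt_ids from a receipt, records a cited-but-absent parent as MISSING instead of inferring it, and reports an unknown root as not found. The store, its rcpt-* ids, and the names why, make_receipt and ReceiptNotFound are assumptions made for illustration.

```python
# Constructed store. The rcpt-* ids are placeholders; the absent parent id is the
# one cited in the `governor why` output above. Field names follow the receipt JSON.
def make_receipt(gate, verdict, parents):
    return {"gate": gate, "verdict": verdict,
            "evidence": {"parent_receipt_ids": parents}}

STORE = {
    "rcpt-refusal": make_receipt("standing_spendability_seam", "block", ["rcpt-wicket"]),
    "rcpt-wicket": make_receipt("wicket_seam", "pass", ["rcpt-standing"]),
    "rcpt-standing": make_receipt("standing_seam", "pass",
                                  ["nq_fnd_drill_wal_bloat_all_green"]),
}

class ReceiptNotFound(LookupError):
    """The id being asked about has no receipt at all."""

def why(root_id, store):
    """Walk parent links from root_id and return (status, gate_or_id) steps."""
    if root_id not in store:
        # An unknown root is an error, never an empty or inferred chain.
        raise ReceiptNotFound(f"receipt id not found: {root_id}")
    steps, pending, seen = [], [root_id], set()
    while pending:
        rid = pending.pop(0)
        if rid in seen:  # guard against cycles in a damaged store
            continue
        seen.add(rid)
        receipt = store.get(rid)
        if receipt is None:
            # Cited but absent: record the gap and stop on this branch.
            steps.append(("MISSING", rid))
            continue
        status = "REFUSED" if receipt["verdict"] == "block" else "OK"
        steps.append((status, receipt["gate"]))
        pending.extend(receipt["evidence"].get("parent_receipt_ids", []))
    return steps

if __name__ == "__main__":
    for status, what in why("rcpt-refusal", STORE):
        print(status, what)
```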
The policy is not the villain. It is right, for the world it is handed — and nothing attests the world it is handed.
default allow := false

allow if {
    input.credential.status == "valid"
    input.credential.role == "operator"
    input.action == "consume_capacity"
}
The input document asserts status: "valid" — unwitnessed self-report in a structured costume. Nothing in it says when that was true.
And when the policy engine does run, its verdict enters the evidence plane — policy hash, input hash, input provenance (unwitnessed_self_report), decision — a receipt, not a line in a decision log. The demo ships this as a runnable shim: ./demo/opa-contrast.sh (no OPA installed? it shows the policy and input and fabricates nothing).
Policy engines decide over claims; custody systems decide whether those claims may become premises.
refusal class standing_before_spendability_not_bounded
licensed by Admissibility.Freshness.expired_not_fresh
An observation whose exercise time is past its expiry horizon is not Fresh. The receipt's gap_ns > bound_ns is definitionally the theorem's hypothesis — this refusal is the one the kernel licenses, not a discretionary policy denial.
Honest framing, load-bearing: the theorem proves the class boundary; the receipt proves the instance facts; the link is the artifact. It does not assert that any deployed system is safe, nor that this instance was machine-checked — only that this refusal class is the one the custody discipline requires.
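The predicate behind "Stale under which clock witness?" and the gap_ns > bound_ns hypothesis above, as an added Python example that is not the project's code: a gap is computed only between readings that share kind, source and epoch, and is then compared to the bound. The Witness type, the function names and the second-epoch reading are assumptions; the basis, readings and bound are the ones in the receipt's evidence.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Witness:
    """One clock reading plus the basis that makes it comparable."""
    kind: str    # "monotonic" in the receipt
    source: str  # "process_monotonic"
    epoch: str   # "boot:demo-single-host"
    t_ns: int

class IncompatibleWitnesses(Exception):
    """Raised instead of subtracting readings taken on different bases."""

def gap_ns(start, end):
    # A gap exists only between readings of the same kind, source and epoch.
    if (start.kind, start.source, start.epoch) != (end.kind, end.source, end.epoch):
        raise IncompatibleWitnesses(f"basis mismatch: {start.epoch} vs {end.epoch}")
    # Assumption: only a monotonic basis may bound a gap (wall time is display-only).
    if start.kind != "monotonic":
        raise IncompatibleWitnesses(f"{start.kind} basis cannot bound a gap")
    if end.t_ns < start.t_ns:
        raise IncompatibleWitnesses("end precedes start on a monotonic basis")
    return end.t_ns - start.t_ns

def judge_spendability(start, end, bound_ns):
    """Recompute the receipt's bounded / gap_ns / overage_ns fields."""
    try:
        gap = gap_ns(start, end)
    except IncompatibleWitnesses as exc:
        # No measurable gap means nothing is bounded: refuse rather than guess.
        return {"bounded": False, "gap_ns": None, "overage_ns": None, "reason": str(exc)}
    # The page refuses on gap_ns > bound_ns, so gap == bound still counts as bounded.
    return {"bounded": gap <= bound_ns, "gap_ns": gap,
            "overage_ns": max(0, gap - bound_ns), "reason": None}

# Basis, readings and bound copied from the receipt's evidence on this page.
BASIS = ("monotonic", "process_monotonic", "boot:demo-single-host")
START = Witness(*BASIS, 40_000_000_000)
END = Witness(*BASIS, 51_000_000_000)
BOUND_NS = 10_000_000_000
# Constructed: a reading from a different boot epoch. Plain subtraction would
# report a 1 s gap and look fresh; the witness check refuses it instead.
AFTER_REBOOT = Witness("monotonic", "process_monotonic", "boot:constructed-other",
                       41_000_000_000)

if __name__ == "__main__":
    print(judge_spendability(START, END, BOUND_NS))
    print(judge_spendability(START, AFTER_REBOOT, BOUND_NS))
```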
From a cold clone to this refusal, about five minutes:
git clone https://github.com/unpingable/agent_governor.git
cd agent_governor
python3 -m venv .venv
. .venv/bin/activate
pip install -e .
./demo/refused-spend.sh # a valid credential, spent one second past its horizon — REFUSED, with receipts
./demo/interrogate.sh # "just one more thing": six questions, answered from receipts (no arg = fresh Act 1; or pass the root Act 1 printed)
./demo/opa-contrast.sh # what a policy engine would have said about the same incident (allow)
The refusal receipt is content-addressed — you will get dda5a1e5…, the same id shown above.
"Isn't this just OPA / admission control?" — Policy decides over premises; this receipts whether the premises were admissible in the first place. Rego can check freshness if you feed it freshness; it cannot establish the custody of its own inputs. OPA runs happily inside this.
"Isn't this AI-governance vapor?" — It's a refusal you can run, a receipt you can hash, and a theorem you can read. Every claim on this page reproduces from a cold clone; where the system can't prove something, the page says so (see Limits).