An AI agent wanted to release a refund. Here is the proof trail Forge returned.
An autonomous customer-operations agent proposed a high-consequence action: release a 4,200 USD goodwill
refund to a flagged account. Forge is the independent checkpoint that action clears. It does not replace the
agent or the human. It takes the messy evidence, applies the customer's encoded policy, and returns a
deterministic, signed proof trail an outside reviewer can re-derive. Every value below is synthetic and
labeled.
Synthetic and illustrativeHuman keeps the decisionNo generative model in the signed path
Everything on this page is synthetic and illustrative. The account, the amounts, the hashes, the keys, the
signature, and the record identifiers are invented to show the shape of a real run. No value here refers to a
real customer, agent, or outcome.
The scenario.
A subscription retailer (synthetic archetype) runs an autonomous customer-operations agent that resolves
billing complaints end to end. On a ticket about a service outage, the agent proposes a goodwill gesture:
refund 4,200 USD to keep a long-tenured account happy. The catch is that the risk service has flagged the
account, and the amount is far above the level a policy would ever let an agent release on its own.
This is the moment that hurts to defend later. If the refund is fraud, someone has to explain why it went out.
If the refund is legitimate and it is blocked, a good customer is punished. The honest reviewer of that call,
a chargeback and dispute reviewer, an internal auditor, and a regulator, all sit outside the team that built
the agent. Forge is built for exactly that moment: the customer encodes the refund policy, Forge applies it and
returns a disposition with its full proof trail, and a human keeps the decision.
The messy evidence in.
Before anything is signed, the agent and natural-language extraction pull the values the decision needs, each
carried with its source and a content hash, entirely outside the signed path. Two facts pull toward approval,
two risk signals pull the other way, one is the hard policy limit, and one is context. That tension is the
point.
E-01Account tenure4 years, 2 months as a paying account.source: crm_account_record hash sha256:a19b4c...b3e2
E-02Lifetime value18,420.00 USD billed to date.source: billing_ledger_export hash sha256:5c8ba1...10f4
E-04Fraud signal, velocity3 refund requests in 14 days.Elevated against this account's baseline.source: risk_service_response hash sha256:9d0411...7c55
E-05Fraud signal, deviceDevice fingerprint mismatch on last login.Single signal, unresolved.source: risk_service_response hash sha256:e2f19b...44a1
E-06Prior ticket history2 goodwill credits in 90 days, both approved.source: support_ticket_system hash sha256:0f83aa...9b6c
Nothing here is missing. The problem is that the evidence disagrees, and the account has been flagged. An agent
that just averaged this and acted would leave nobody able to prove, later, why the money moved.
The proof trail Forge returned.
This is the product: a defensible proof trail, not a signed blob. The action was pointed at the Forge API
against the encoded refund policy. Forge did not release the money. It returned the disposition, the numbers
behind it, and every field an outside reviewer needs. All values are synthetic.
record_id: dr_7c41f0a9e2b8455d
Goodwill refund authorization
Action under review: release a 4,200 USD goodwill refund. The amount is 8.4x the encoded 500 USD
auto-approve ceiling, on an account the risk service has flagged.
release_refund rejected: 4,200 USD is 8.4x the 500 USD encoded ceiling (ev-3), so auto-release is not available.
deny not selected: tenure (ev-1) and lifetime value (ev-2) do not support denial on this evidence.
route_to_human not selected: the engine has a supported lean (posterior 0.71 legitimate), so it does not abstain.
approve_with_human_confirmation selected: over-ceiling amount plus two unresolved fraud signals cap confidence below the floor, so a human must confirm before release.
uncertainty (held, not buried)
Two fraud signals are unresolved: velocity (ev-4) and device mismatch (ev-5). Each is a single-source risk signal.
The requested amount is 8.4x the encoded auto-approve ceiling.
Refund velocity is elevated versus the account baseline.
Sensitivity: if either fraud signal is confirmed, the disposition tips to route_to_human or deny under the encoded policy.
human_review
status
PENDING
routed_to_role
customer_ops_supervisor
authority_note: Forge returns a disposition and the proof. The human keeps the decision. The agent may not
release the refund until a named supervisor confirms or denies it with a recorded rationale.
The signature is the integrity check, not the headline. What makes this defensible is the trail above it:
the evidence, the rule, the uncertainty, and the human boundary. Deterministic means identical input
reproduces the identical disposition and replay_key, every time.
The human-review boundary.
Autonomy stops at a line the customer sets, and the record makes that line explicit. In this workflow the
boundary is a dollar threshold and a confidence floor. Either one routes the action to a person before it can
take effect.
route to a human if amount > 500.00 USD OR confidence < 0.75
Amount
4,200.00 USD is over the 500.00 USD ceiling. This condition trips.
Confidence
0.62 is below the 0.75 floor. This condition trips.
Result
Both conditions trip. The record is held at the boundary in PENDING and routed to the customer-ops supervisor queue.
Authority
Forge returns a disposition and the proof. A named human confirms or denies the release, and that action is recorded as a signed amendment that references this record. The original record is never altered.
This is what keeps an agent in check without taking a person out of the loop. The agent proposed, Forge scored
and signed, and the release itself waits for human authority. The next action Forge recommends is to resolve
the device-mismatch signal and confirm the refund velocity, then re-run, or to have a supervisor confirm or
deny with a written rationale. That recommendation is not binding.
Verify it yourself, offline.
The reviewer who has to be satisfied should not have to trust the system that produced the action. An outside
reviewer receives the exported package and the public key, and checks it on their own machine, offline, with no
connection to Forge. Toggle the tamper case to see what changes when a single field is altered after signing.
$ forge verify ./goodwill-refund-package/ (illustrative)
record dr_7c41f0a9e2b8455d
signature (Ed25519, kid forge-signing-key-2026-02) ... VALID
canonical_input_hash recomputed from inputs ......... MATCHsha256:c4a90b7e...11f0
ruleset_hash present in bundle ...................... MATCHsha256:4e19b2...c7a0
evidence content hashes (6/6) ....................... MATCH
deterministic replay ................................ REPRODUCED
selected_action = approve_with_human_confirmation
confidence = 0.62
posterior = 0.71 legitimate / 0.29 fraud_pattern
replay_key = rk_8b3e77a1d4c20596(MATCH)
RESULT: package is authentic and reproduces the enginedetermination from the recorded inputs.
Business judgment stays with the customer.
Offline verification, one field altered after signing (illustrative)
$ forge verify ./goodwill-refund-package-EDITED/ (illustrative)
record dr_7c41f0a9e2b8455d
signature (Ed25519, kid forge-signing-key-2026-02) ... INVALID
canonical_input_hash recomputed from inputs ......... MISMATCH
evidence content hashes (5/6) ....................... 1 ALTERED (ev-4)
deterministic replay ................................ replay_key MISMATCH
RESULT: package rejected. A field was altered after signing.
This is exactly what tamper-evidence is meant to catch.
Layer 1
The signature
The Ed25519 signature and key_id prove Forge signed this exact record and that it was not altered in
transit. Anyone with the public key can check it. No one holding the package can forge a new record,
because the private signing key is never in the bundle.
Layer 2
Deterministic replay
Full field-level tamper-evidence comes from re-deriving the disposition, confidence, posterior, and
replay_key from the recorded inputs against the encoded policy. Change one input byte and the recomputed
hashes and the replay_key stop matching, as the tamper case above shows.
What VERIFIED proves
Authentic and reproducible
The record is authentic and was not edited after signing.
The same recorded inputs and encoded policy reproduce the same selected_action, confidence, posterior, and replay_key, offline, without trusting Forge's running system.
The classification rested on flagged, unresolved fraud signals, and that this was surfaced, not hidden.
What it does not prove
Not the business judgment
That releasing or holding the refund was the right business call.
That the 500 USD ceiling or the 0.75 confidence floor are the right thresholds.
That the risk service scored the fraud signals correctly. That judgment stays with the customer.
Forge proves the action was justified under the encoded policy and the recorded evidence, and lets an outside
reviewer re-derive it. It does not decide whether the policy or the evidence was right. That line stays with the
customer and its reviewers.
What a proof trail contains.
selected_action The disposition under the customer's encoded policy, plus the alternatives that were considered and why each was or was not selected.
confidence and posterior The decision confidence and the deterministic posterior over the claim, both re-derivable by hand from the recorded inputs.
evidence_chain Each item carried with its source, a source-class reliability weight, and a content hash. Extraction runs before the signed path, so a reviewer can see where every fact came from.
uncertainty held The weak spots kept in view: unresolved signals, an over-ceiling amount, and the sensitivity that would change the result.
human-review boundary The dollar threshold and confidence floor that route the action to a named person, so the buyer can show where autonomy stopped and accountability stayed.
record_id and replay_key The handles that re-derive this exact record. The same canonical input reproduces the same disposition and replay_key, every time.
Ed25519 signature and key_id The integrity check that verifies offline. It proves the record is authentic and unaltered. It is never the headline.
Start with the agent action that would hurt to defend later.
You do not need to boil the ocean. Bring one agent action, the messy evidence that feeds it, and the rule you
already apply. Forge integrates through the API, encodes the policy, and returns the proof trail so your
chargeback reviewer, your internal auditor, and your regulator can re-derive it without trusting the agent's
own logs. That first bounded run starts as a scoped Artifact Discovery.