Forge Orbital

Live demo, AI agent decision

An AI agent wanted to release a refund. Here is the proof trail Forge returned.

An autonomous customer-operations agent proposed a high-consequence action: release a 4,200 USD goodwill refund to a flagged account. Forge is the independent checkpoint that action clears. It does not replace the agent or the human. It takes the messy evidence, applies the customer's encoded policy, and returns a deterministic, signed proof trail an outside reviewer can re-derive. Every value below is synthetic and labeled.

Synthetic and illustrative Human keeps the decision No generative model in the signed path
Everything on this page is synthetic and illustrative. The account, the amounts, the hashes, the keys, the signature, and the record identifiers are invented to show the shape of a real run. No value here refers to a real customer, agent, or outcome.

The scenario.

A subscription retailer (synthetic archetype) runs an autonomous customer-operations agent that resolves billing complaints end to end. On a ticket about a service outage, the agent proposes a goodwill gesture: refund 4,200 USD to keep a long-tenured account happy. The catch is that the risk service has flagged the account, and the amount is far above the level a policy would ever let an agent release on its own.

This is the moment that hurts to defend later. If the refund is fraud, someone has to explain why it went out. If the refund is legitimate and it is blocked, a good customer is punished. The honest reviewer of that call, a chargeback and dispute reviewer, an internal auditor, and a regulator, all sit outside the team that built the agent. Forge is built for exactly that moment: the customer encodes the refund policy, Forge applies it and returns a disposition with its full proof trail, and a human keeps the decision.

The messy evidence in.

Before anything is signed, the agent and natural-language extraction pull the values the decision needs, each carried with its source and a content hash, entirely outside the signed path. Two facts pull toward approval, two risk signals pull the other way, one is the hard policy limit, and one is context. That tension is the point.

E-01 Account tenure 4 years, 2 months as a paying account. source: crm_account_record
hash sha256:a19b4c...b3e2
E-02 Lifetime value 18,420.00 USD billed to date. source: billing_ledger_export
hash sha256:5c8ba1...10f4
E-03 Refund-authority limit 500.00 USD auto-approve ceiling for goodwill credits. source: goodwill_refund_policy_v6
hash sha256:4e19b2...c7a0
E-04 Fraud signal, velocity 3 refund requests in 14 days. Elevated against this account's baseline. source: risk_service_response
hash sha256:9d0411...7c55
E-05 Fraud signal, device Device fingerprint mismatch on last login. Single signal, unresolved. source: risk_service_response
hash sha256:e2f19b...44a1
E-06 Prior ticket history 2 goodwill credits in 90 days, both approved. source: support_ticket_system
hash sha256:0f83aa...9b6c

Nothing here is missing. The problem is that the evidence disagrees, and the account has been flagged. An agent that just averaged this and acted would leave nobody able to prove, later, why the money moved.

The proof trail Forge returned.

This is the product: a defensible proof trail, not a signed blob. The action was pointed at the Forge API against the encoded refund policy. Forge did not release the money. It returned the disposition, the numbers behind it, and every field an outside reviewer needs. All values are synthetic.

record_id: dr_7c41f0a9e2b8455d

Goodwill refund authorization

Action under review: release a 4,200 USD goodwill refund. The amount is 8.4x the encoded 500 USD auto-approve ceiling, on an account the risk service has flagged.

workflow: customer_ops_goodwill_refund_authorization agent: customer_ops_agent_v4 tenant: synthetic-retail-archetype policy_ref: goodwill_refund_policy_v6 (ruleset_hash sha256:4e19b2...c7a0) created_at: 2026-03-04T17:22:08Z
selected_actionapprove with human confirmation
0.62
confidence (floor 0.75)
posteriorlegitimate 0.71
legitimate_goodwill 0.71 fraud_pattern 0.29

Disposition and math

selected_action
approve_with_human_confirmation
The engine leans approve under the encoded policy, but the action cannot release without a named human confirming it.
confidence
0.62
How strongly the recorded evidence supports the selected disposition. Below the 0.75 review floor, so a human is required.
posterior
legitimate_goodwill 0.71 / fraud_pattern 0.29
The deterministic posterior over the claim, computed from the recorded evidence and the encoded priors. No generative model produces it.
data_reliability_index
0.90
Sources are reliable. Confidence is capped by two unresolved fraud signals and the over-ceiling amount, not by source quality.

evidence_chain

ev-1account_tenure
4 years, 2 months
source: crm_account_record  |  class: system_of_record  |  reliability 0.93  |  sha256:a19b4c...b3e2  |  extraction: pre-signature, outside signed path
ev-2lifetime_value
18,420.00 USD
source: billing_ledger_export  |  class: gl_reconciled  |  reliability 0.95  |  sha256:5c8ba1...10f4  |  extraction: pre-signature, outside signed path
ev-3auto_approve_ceiling
500.00 USD
source: goodwill_refund_policy_v6  |  class: encoded_policy  |  reliability 1.00  |  sha256:4e19b2...c7a0
The requested 4,200 USD is 8.4x this ceiling, so no auto-release is possible under the policy.
ev-4fraud_signal_velocity
3 refund requests in 14 days
source: risk_service_response  |  class: risk_service  |  reliability 0.82  |  sha256:9d0411...7c55
Unresolved. Elevated against the account baseline; caps confidence rather than being silently averaged away.
ev-5fraud_signal_device
device fingerprint mismatch on last login
source: risk_service_response  |  class: risk_service  |  reliability 0.82  |  sha256:e2f19b...44a1
Unresolved single signal. A device mismatch has innocent explanations and fraudulent ones; the record keeps it in view.
ev-6prior_ticket_history
2 goodwill credits in 90 days, both approved
source: support_ticket_system  |  class: operational_sor  |  reliability 0.88  |  sha256:0f83aa...9b6c

alternatives_considered

  • release_refund rejected: 4,200 USD is 8.4x the 500 USD encoded ceiling (ev-3), so auto-release is not available.
  • deny not selected: tenure (ev-1) and lifetime value (ev-2) do not support denial on this evidence.
  • route_to_human not selected: the engine has a supported lean (posterior 0.71 legitimate), so it does not abstain.
  • approve_with_human_confirmation selected: over-ceiling amount plus two unresolved fraud signals cap confidence below the floor, so a human must confirm before release.

uncertainty (held, not buried)

  • Two fraud signals are unresolved: velocity (ev-4) and device mismatch (ev-5). Each is a single-source risk signal.
  • The requested amount is 8.4x the encoded auto-approve ceiling.
  • Refund velocity is elevated versus the account baseline.
  • Sensitivity: if either fraud signal is confirmed, the disposition tips to route_to_human or deny under the encoded policy.

human_review

status
PENDING
routed_to_role
customer_ops_supervisor

authority_note: Forge returns a disposition and the proof. The human keeps the decision. The agent may not release the refund until a named supervisor confirms or denies it with a recorded rationale.

replay and signature

record_id: dr_7c41f0a9e2b8455d
replay_key: rk_8b3e77a1d4c20596   (same canonical input reproduces this exact record)
canonical_input_hash: sha256:c4a90b7e...11f0
signature.alg: Ed25519
signature.key_id: forge-signing-key-2026-02
signature.public_key: ed25519:pub_9Q2mR4... (synthetic)
signature.signed_fields: record_id, canonical_input_hash, ruleset_ref.ruleset_hash, selected_action, confidence, posterior, evidence_chain, replay_key, created_at
signature.sig: 3045a2c1...f7b0 (synthetic base64)   signed

The signature is the integrity check, not the headline. What makes this defensible is the trail above it: the evidence, the rule, the uncertainty, and the human boundary. Deterministic means identical input reproduces the identical disposition and replay_key, every time.

The human-review boundary.

Autonomy stops at a line the customer sets, and the record makes that line explicit. In this workflow the boundary is a dollar threshold and a confidence floor. Either one routes the action to a person before it can take effect.

route to a human if amount > 500.00 USD OR confidence < 0.75
Amount
4,200.00 USD is over the 500.00 USD ceiling. This condition trips.
Confidence
0.62 is below the 0.75 floor. This condition trips.
Result
Both conditions trip. The record is held at the boundary in PENDING and routed to the customer-ops supervisor queue.
Authority
Forge returns a disposition and the proof. A named human confirms or denies the release, and that action is recorded as a signed amendment that references this record. The original record is never altered.

This is what keeps an agent in check without taking a person out of the loop. The agent proposed, Forge scored and signed, and the release itself waits for human authority. The next action Forge recommends is to resolve the device-mismatch signal and confirm the refund velocity, then re-run, or to have a supervisor confirm or deny with a written rationale. That recommendation is not binding.

Verify it yourself, offline.

The reviewer who has to be satisfied should not have to trust the system that produced the action. An outside reviewer receives the exported package and the public key, and checks it on their own machine, offline, with no connection to Forge. Toggle the tamper case to see what changes when a single field is altered after signing.

Offline verification, authentic package (illustrative)
$ forge verify ./goodwill-refund-package/            (illustrative)

  record dr_7c41f0a9e2b8455d
    signature (Ed25519, kid forge-signing-key-2026-02) ... VALID
    canonical_input_hash recomputed from inputs ......... MATCH  sha256:c4a90b7e...11f0
    ruleset_hash present in bundle ...................... MATCH  sha256:4e19b2...c7a0
    evidence content hashes (6/6) ....................... MATCH
    deterministic replay ................................ REPRODUCED
        selected_action = approve_with_human_confirmation
        confidence      = 0.62
        posterior       = 0.71 legitimate / 0.29 fraud_pattern
        replay_key      = rk_8b3e77a1d4c20596  (MATCH)

  RESULT: package is authentic and reproduces the engine
          determination from the recorded inputs.
          Business judgment stays with the customer.
Layer 1

The signature

The Ed25519 signature and key_id prove Forge signed this exact record and that it was not altered in transit. Anyone with the public key can check it. No one holding the package can forge a new record, because the private signing key is never in the bundle.

Layer 2

Deterministic replay

Full field-level tamper-evidence comes from re-deriving the disposition, confidence, posterior, and replay_key from the recorded inputs against the encoded policy. Change one input byte and the recomputed hashes and the replay_key stop matching, as the tamper case above shows.

What VERIFIED proves

Authentic and reproducible

  • The record is authentic and was not edited after signing.
  • The same recorded inputs and encoded policy reproduce the same selected_action, confidence, posterior, and replay_key, offline, without trusting Forge's running system.
  • The classification rested on flagged, unresolved fraud signals, and that this was surfaced, not hidden.
What it does not prove

Not the business judgment

  • That releasing or holding the refund was the right business call.
  • That the 500 USD ceiling or the 0.75 confidence floor are the right thresholds.
  • That the risk service scored the fraud signals correctly. That judgment stays with the customer.

Forge proves the action was justified under the encoded policy and the recorded evidence, and lets an outside reviewer re-derive it. It does not decide whether the policy or the evidence was right. That line stays with the customer and its reviewers.

What a proof trail contains.

Start with the agent action that would hurt to defend later.

You do not need to boil the ocean. Bring one agent action, the messy evidence that feeds it, and the rule you already apply. Forge integrates through the API, encodes the policy, and returns the proof trail so your chargeback reviewer, your internal auditor, and your regulator can re-derive it without trusting the agent's own logs. That first bounded run starts as a scoped Artifact Discovery.