Agent accountability is almost entirely retrospective. Reputation systems score past behavior. Receipt logs record completed actions. Transparency logs anchor what already happened. All of it answers one question — what did the agent do? — and answers it after the fact.
That leaves a specific blind spot: the moment before an action, where a decision is made about whether the agent may proceed. Two things about that moment are worth capturing, and almost never are. The decision itself is evidence — "this action was evaluated against this policy and authorized" is a claim an auditor may later need to check, not reconstruct from side effects. And a refusal is evidence too, and it usually vanishes: when a system declines an action, it typically just doesn't do it. There is no signed artifact that says "we were asked, and we said no, here, then." A denial is a silent absence, indistinguishable later from "never asked."
A well-behaved agent with a long clean record is exactly the case where this bites: on the one request that should be refused, a good reputation is no help, because reputation is measured after actions, not before them.
The Attested Action Envelope closes that gap by making the decision itself the object. It is a
small signed object issued before an action runs: the agent, the action, the policy that decided,
the verdict, a link to the agent's previous envelope, a timestamp, and an Ed25519 signature over the
canonical form. Two design choices carry the weight. Denials are first-class — a denied
verdict produces a fully signed envelope, identical in shape to a grant, so "we said no" is now
provable. And each agent's envelopes chain by hash — every envelope's prev_hash is the
SHA-256 of the agent's previous envelope, including that envelope's signature, so an agent's
authorization history is a tamper-evident sequence: reorder it, delete an interior decision, or
splice in an envelope from another agent's chain, and the chain fails to reconstruct.
Static agent facts say what an agent is. Receipts say what an agent did. The envelope says what an agent may do, and preserves the refusals. Together they give a system three tenses of accountable evidence — capability, decision, and history — each independently verifiable, none requiring trust in the party that produced it. The envelope does not define how policies are written or evaluated, does not issue identities, and does not bind an agent to a fixed key across its history. It is a record format and its verifier, nothing more — which is exactly what makes it reusable.