The Protocol In Action

Principal registration

Halberd presents its vLEI to AURA. The Trust Framework verifies the credential and assigns a trust level. AURA stores the attestation, never the underlying PII.

The vLEI (verifiable Legal Entity Identifier) was issued earlier this year by a GLEIF Qualified vLEI Issuer. AURA accepts the credential as a relying party: it matches the format against the accepted-issuers list, verifies the KERI signature against the GLEIF root, checks expiry and revocation, and assigns the trust level entity_verified.

The result is a principal_id that every subsequent message references. AURA never runs KYC; it consumes the work GLEIF has already done.

Agent registration

HalberdProcureBot, the Scout, registers with its own Ed25519 keypair and binds to the principal.

The Scout declares capacity: agent_for_principal. From here, every protocol message it sends carries an Ed25519 signature traceable through GLEIF → vLEI → Halberd Europe → HalberdProcureBot.

Delegation scope

CFO Sarah Müller signs a delegation scope. Below €10,000 the Scout commits autonomously. Above it, the Scout must produce a fresh CFO signature.

The scope sets categories, currencies, geographies, daily caps, and a per-transaction cap of €50,000. It is bounded by date and signed with the principal's Ed25519 key. AURA's commit endpoint walks the chain on every commit: agent → principal → credentials → scope → policy rule → approval. If anything is stale, the commit is rejected.

Operator brief into Scout chat

Halberd's procurement lead types the need into the Scout's chat panel. Verbatim. This is the L1 link of the chain of custody.

The brief is multi-dimensional: a regulatory replacement, a quarterly supply pattern, a sourcing constraint, an explicit price reference. Real procurement never speaks in clean structured fields. The protocol records the exact words used; nothing is paraphrased away.

Structured generation from intent

AURA's NLP layer produces a structured constraint set. A signed interpretation attestation links the verbatim brief to the structured output. This is the L2 link.

What the operator said in plain English becomes a typed object the protocol can route, project, and rank against. Categories, quantities, regulatory regimes, supply-chain constraints, certifications, geography, settlement preference, price references. Each pulled out and labelled.

Both forms are kept. The structured interpretation drives matching. The verbatim brief is what an auditor or dispute reviewer can return to if a nuance was lost.

Disclosure projection

Beacons see a projected subset of the request. Buyer identity is null. The exact price ceiling is hidden behind a range. The original natural-language brief is never forwarded.

Catalogue-driven commerce protocols (Google's UCP, OpenAI's ACP) treat the seller's catalogue as the discovery surface; the agent browses what the merchant exposes. AURA inverts this: the buyer's structured request is the discovery surface, and what reaches the seller is governed by the active market profile's disclosure schedule.

The structural privacy guarantee is enforced by the wire format. A Beacon cannot see the buyer's identity because the message that reaches the Beacon does not contain it.

Five Beacons respond

Each Beacon runs the projected request through its own SDK and returns a signed offer.

Five suppliers respond. Each offer carries price, delivery pattern, certifications and validity windows, supply-chain origin, payment terms, and an Ed25519 signature over the canonical payload. Beacons that decline to bid stay silent; AURA does not penalise non-bidding.

The offer signature is the L4 link of the chain of custody for whichever offer the Scout eventually selects.

NLP-to-exclusion linkage

Three offers are excluded before ranking. Each exclusion ties to a specific extracted constraint from Step 5. The Scout sees the exclusions and the reasons.

Verita's UK supply chain trips the EU-only feedstock constraint. Aurochem's ISO 14001 lapsed in March, failing the certifications-current constraint. OstChem's quote at €47,800 exceeds the 20% soft ceiling. Each exclusion names the constraint and the value that breached it. The Scout has a traceable filter, and an auditor can come back to it later.

Compatibility-Weighted Reputation

The two remaining offers are ranked by Compatibility-Weighted Reputation (CWR). Three published dimensions: base reputation, compatibility with the buyer's preferences, and a risk adjustment.

Sonderlund's price is lower (€38,500) but its monthly-split delivery does not match the buyer's single-quarterly preference, so it ranks below Kontex (€39,375 with a single-delivery commitment, EU feedstock, all certs current). The breakdown is exposed for audit. The exact weights and the compatibility computation are operator-level configuration.

Authority attestation at commit

Sarah signs an explicit approval for this specific offer. The Scout assembles the commit with the full authority chain. AURA Core verifies, and the session state advances to committed.

The trade is over the policy threshold so policy-tier consent is not enough. The Scout requests a fresh approval from the CFO workflow, gets back a signed approval object referencing this offer ID, amount, and currency, and includes it in the commit. AURA verifies the agent signature, the principal binding, the credential currency, the scope, the policy rule, and the principal approval. All pass. State advances. The principal-approval signature is L5 (Principal Consent); Core's atomic commit is L6 (Commitment).

Bilateral risk and reserve

The clearinghouse computes a bilateral risk score and a reserve margin. The seller's settlement proceeds will be the source of the reserve hold.

Both parties' histories contribute: dispute rate, fulfilment reliability, cleared transaction count, risk tier. The Risk Engine produces a bilateral score and a margin amount. The reserve is not funded yet; it is held against the seller's proceeds after settlement confirms.

The inputs are surfaced at protocol level. The function that combines them into the margin number is held at the operator level. Surfacing the inputs lets a counterparty audit the data; holding the formulation lets the operator adjust risk parameters in response to market conditions.

Settlement instruction

The clearinghouse generates a signed settlement instruction. Idempotent. Linked to the L6 commitment hash. Submitted to the SEPA Instant rail adapter.

The instruction is signed with a key dedicated to settlement, separate from the protocol identity key. The same instruction shape routes through any compliant rail: SEPA Instant for euros, RTP and FedNow for US dollars, Stripe MPP, Coinbase x402, Visa ICC, USDC stablecoin. AURA does not move funds; it produces signed instructions.

Rail executes; proof returned

SEPA Instant settles in roughly 4 seconds. The rail returns a proof of settlement. AURA verifies it against five conditions.

The proof is verifiable per the rail's attestation method (a cryptographic signature where the rail publishes a public key, an external reference to the rail's system of record where it does not, or both). The amount matches the instruction. The instruction ID correlates. The finality type meets the market profile's requirement. The settlement timestamp is within the execute-by window. All five pass. State advances to settled.

Reserve, dispute window, clearing

After settlement, a margin hold is placed against the seller's proceeds. The hold sits for the dispute window declared by the active market profile. If the window expires without dispute, it releases to the seller minus the clearinghouse fee. If a dispute is filed and upheld, it draws down to refund the buyer.

The transaction is reconciled in real time against the rail's confirmation. Reputation updates queue for both parties. The chain of custody closes at link L7 (Outcome). End to end, from operator brief to settled cash, this took roughly 47 seconds, of which 4 seconds was the rail.