Trust Without Trusting: Why the Referee Needs a Replay
A referee makes a call. For most of sport's history you had two options: accept it, or argue and accept it anyway. The referee's authority was the mechanism — the call was final because the official said so, and no one else could see what he saw.
Video replay broke that bargain. The call now stands for a different reason. Not because the referee is trusted, but because the footage is on the record and anyone watching can run the same frames and reach the same verdict. Authority moved from the person to the recording. The referee can still be wrong; the difference is that being wrong is now checkable by parties who were never in the room.
Autonomous agents need the same move. Our new preprint, Trust Without Trusting: A Recomputable Trust Protocol for Autonomous Agents (arXiv:2605.06738v2), is about making an agent's conduct checkable without asking anyone to trust the operator that recorded it.
The call you can't replay
An agent receives a payment and acts. A model screens a transaction and blocks it. A delegate spends against a budget on a principal's behalf. Each is a call. And in nearly every deployment today, the only record of what happened lives in the operator's own logs — writable, revisable, and visible only to the party with the most reason to revise them.
When a regulator, an auditor, or a counterparty asks "what did the agent actually do, and was it allowed to?", the honest answer is usually: "trust our logs." That is the referee with no replay. It works right up until the call is contested — and that is the moment it needs to work.
Settlement is not compliance
Payment rails have gotten very good at proving one specific fact. On x402, a payment_hash is cryptographic proof that a transfer settled. But settlement and compliance are different facts. A settled payment says money moved. It says nothing about whether the action behind the payment stayed inside the authority the agent was granted.
That gap is not academic. For regulated deployments — EU AI Act Article 12 record-keeping, financial-conduct supervision, SOC 2 audit trails — "the money moved" is not the question. "The agent acted within scope, and here is a record no one can quietly edit" is the question. Logs can be rewritten. An external anchor cannot.
Trust without trusting
The phrase is a design constraint, not a slogan. A trust record is only worth what it can prove to someone who does not trust the recorder. If verifying the record requires believing the party that produced it, the record adds nothing a sworn statement wouldn't.
So the protocol's job is to take the recorder out of the trust path. A verdict about an agent's conduct should be reproducible from data that is anchored, not asserted — the way a replay verdict is reproducible from footage, not from the referee's testimony about the footage.
A predicate anyone can recompute
Any conditions-based trust signal has a hidden dependency. If the evidence reads "enough independent parties have adopted this boundary," someone has to measure that — count the parties, judge their independence, decide the threshold is met. Whoever holds that measurement becomes an oracle: a single party who can misreport the world and quietly reintroduce the authority the conditions were meant to remove. The paper names this the oracle problem for recomputable evidence.
The Combined Evidence Protocol (CEP) answers it by combining five conditions about the relying-party population into one predicate — evidence that holds only when all five hold at once:
- a minimum elapsed time since the thresholds were anchored — a timelock and public-veto window;
- a minimum number N of Sybil-qualified relying parties;
- distribution of those parties over a minimum number K of independent clusters;
- no single actor holding more than a share X of the voting weight;
- no single cluster holding more than a share Y of the total.
The conjunction is the whole point — and the source of the name. Any single threshold — "N relying parties" on its own — is gameable: an adversary mints identities until the count is met. Combining all five forces that adversary to clear a Sybil filter, populate multiple independent clusters, and stay under both the per-actor and per-cluster caps at the same time, while the timelock exposes the attempt to public veto. The conditions are a set of gates that must all open at once, and the cost of opening them jointly — not any single number — is what makes the combined predicate strong evidence rather than a gameable count.
Verification over production
To remove the oracle rather than trust it, CEP publishes the condition data to permanent storage and anchors it as a (merkle_root, data_uri) commitment across multiple chains. The evidence is then a deterministic function any party recomputes from the published data: a relying party, a skeptic, or a regulator fetches the committed data, recomputes the five-condition predicate, and arrives at the same answer. There is no privileged measurer, and multi-chain anchoring means the determination survives the failure or censorship of any one chain.
The paper calls this stance verification over production, and names its lineage directly: the same security argument that underwrites optimistic rollups, where correctness rests not on trusting a producer but on any verifier's ability to recompute and challenge a published claim. No party has to be believed, because every party can recompute — which is what "trust without trusting" means in practice.
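A sketch of the recomputation a relying party would run, added here as an illustration and not taken from the paper or from MolTrust's code. The record layout, the Merkle construction, the leaf encoding, the threshold values, and the reading of "the total" as total voting weight with one record per actor are all assumptions.

```python
import hashlib
import json
from collections import Counter

def leaf(party):
    # Assumed leaf encoding: compact, key-sorted JSON of one party record.
    return json.dumps(party, sort_keys=True, separators=(",", ":")).encode()

def merkle_root(leaves):
    # Assumed tree: SHA-256 leaves, pairwise parents, odd node paired with itself.
    level = [hashlib.sha256(item).digest() for item in leaves]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [hashlib.sha256(level[i] + level[i + 1]).digest()
                 for i in range(0, len(level), 2)]
    return level[0].hex()

def recompute_cep(parties, root, anchored_at, now, t_min, n, k, x, y):
    """Recompute the five-condition predicate; fail closed if data != anchor."""
    if not parties or merkle_root([leaf(p) for p in parties]) != root:
        return False, {"commitment": False}
    q = [p for p in parties if p["sybil_qualified"]]
    total = sum(p["weight"] for p in q)
    clusters = Counter()
    for p in q:
        clusters[p["cluster"]] += p["weight"]
    checks = {
        "commitment": True,
        "timelock": now - anchored_at >= t_min,
        "min_parties": len(q) >= n,
        "min_clusters": len(clusters) >= k,
        "actor_cap": total > 0 and max(p["weight"] for p in q) <= x * total,
        "cluster_cap": total > 0 and max(clusters.values()) <= y * total,
    }
    return all(checks.values()), checks

def party(pid, cluster, weight=2, ok=True):
    return {"id": pid, "cluster": cluster, "weight": weight, "sybil_qualified": ok}

# Constructed sample data (not from the paper): five parties over three clusters.
HONEST = [party("rp1", "a"), party("rp2", "a"), party("rp3", "b"),
          party("rp4", "b"), party("rp5", "c")]
# Same population plus six extra identities that all land in cluster "a".
PADDED = HONEST + [party(f"s{i}", "a") for i in range(6)]
DAY = 86400
PARAMS = dict(anchored_at=0, now=8 * DAY, t_min=7 * DAY, n=4, k=3, x=0.25, y=0.5)

def evaluate(parties):
    # The anchor commits to whatever was published; the predicate judges it.
    return recompute_cep(parties, merkle_root([leaf(p) for p in parties]), **PARAMS)
```

`evaluate(PADDED)` clears the party count yet fails the per-cluster cap, which is the conjunction argument in concrete form, and any data that does not hash to the anchored root is rejected before a single condition is read.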
One correlation key, many verifiers
Recomputability has to reach the per-action layer too. The accountability records that sit alongside the population predicate key on action_ref: a content-addressed identifier any verifier derives from the disclosed intent of an action alone — no upstream lookup, no operator-held mapping.
action_ref = SHA-256( JCS({
    "action_type": "payment.send",
    "agent_id": "did:web:example.com:agent-7f3a9c",
    "scope": "x402.pay:api.merchant.example",
    "timestamp": "2026-06-16T10:30:00.000Z"
}) )
That identifier substrate is shared with the evidentiary-provenance work underway in the W3C Community Group's AI Agent Protocol (#34), whose accountability-record subsection defines anchors at #accountability-record and #action-ref-correlation. The same key lets three different records — a commitment to authority, a decision at the moment of action, and a receipt of what occurred — each prove the distinct fact it attests, without collapsing into one ambiguous node where you can no longer tell which signature proved what.
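The derivation above and the three-record correlation, as an added example that is not code from the paper or the W3C draft. It assumes a hex-encoded digest and a hypothetical record layout (`kind`, `intent`, `action_ref`), and it canonicalizes only the JCS (RFC 8785) subset the page's example needs: a flat object with ASCII keys and string values.

```python
import hashlib
import json

def jcs_flat(obj):
    """JCS output for the subset used here: one flat object with ASCII keys and
    string values. Anything else is rejected rather than serialized in a way
    that might diverge from RFC 8785 (number formatting, nesting)."""
    for key, value in obj.items():
        if not (isinstance(key, str) and key.isascii() and isinstance(value, str)):
            raise TypeError(f"unsupported member for this subset: {key!r}")
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def action_ref(intent):
    # Hex encoding is an assumption; the page only gives SHA-256(JCS(...)).
    return hashlib.sha256(jcs_flat(intent)).hexdigest()

def correlate(records):
    """Recompute action_ref from each record's disclosed intent. Records whose
    claimed ref matches are grouped by ref; the rest are returned as rejected."""
    linked, rejected = {}, []
    for rec in records:
        ref = action_ref(rec["intent"])
        if ref == rec["action_ref"]:
            linked.setdefault(ref, []).append(rec["kind"])
        else:
            rejected.append(rec["kind"])
    return linked, rejected

# The intent from the page, with keys deliberately out of order.
INTENT = {
    "timestamp": "2026-06-16T10:30:00.000Z",
    "scope": "x402.pay:api.merchant.example",
    "agent_id": "did:web:example.com:agent-7f3a9c",
    "action_type": "payment.send",
}
REF = action_ref(INTENT)
# Constructed records: the receipt discloses a different scope but reuses the ref.
WIDENED = dict(INTENT, scope="x402.pay:*")
RECORDS = [
    {"kind": "commitment", "intent": INTENT, "action_ref": REF},
    {"kind": "decision", "intent": dict(sorted(INTENT.items())), "action_ref": REF},
    {"kind": "receipt", "intent": WIDENED, "action_ref": REF},
]
```

`correlate(RECORDS)` links the commitment and the decision under one key regardless of key order and rejects the receipt, because a ref derived from the disclosed intent cannot be carried over to an intent with a different scope.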
Anchored, not asserted
The replay settles arguments only because the footage cannot be edited after the whistle. The protocol's equivalent is a public anchor. This preprint is its own worked example: version 2.0 is committed by SHA-256 and anchored on Base L2 (block 47,325,854, tag MolTrust/arXiv/v2.0), with the integrity record on our integrity dashboard and the anchored PDF at moltrust.ch/arxiv-preprint-v2.0.pdf.
You do not have to take our word that this is the paper we published. You can recompute the hash and check the chain. That is the whole point: the document about recomputable trust is itself verified by recomputation.
What a replayable record buys you
None of this is design discussion on our side. The trust layer runs in production on x402 through MoltGuard, live since March 2026. What the recomputable framing adds is the part that matters when a call is contested — an AI-assisted claim denial, a credit decision, a cross-organisation handoff: a third party who trusts no one in the transaction can still reach a verdict, from the record alone.
That is the difference between an agent economy that asks regulators and counterparties to trust operators, and one where the record speaks for itself. The referee can still make the call. The replay is what makes the call hold.
Read the full preprint: Trust Without Trusting: A Recomputable Trust Protocol for Autonomous Agents (arXiv:2605.06738v2).