Use Case: Tacet AI Agent — Privacy-Preserving Financial Query via TEE

Version: v1.0 (Draft) Status: Draft Authoritative: Informative

Scenario

A Tacet user asks their AI Agent a complex financial question: "Why did my dining spend go up 40% this month?"

The Tacet Agent determines that the question requires 90-day transaction history analysis and causal reasoning that exceeds local on-device model capability. The Agent routes the query to the Remote Vault path — issuing a query task to the Symphony Core System on behalf of the user, with the user's pre-authorized delegation credential attached. The query executes inside an attested TEE on a Symphony enterprise node. The result is returned to the user's device and displayed inside the Tacet app.

This use case is informative. It shows how the SCP and SCS specifications support a new actor class — an AI Agent acting on behalf of a data subject — and how the standard task lifecycle handles agent identity, delegated consent, and privacy budget consumption for per-user inference queries.

Canonical protocol terms used here follow SCP Protocol Overview and SCP Core Spec.

Why This Use Case Matters

This scenario is useful because it demonstrates several properties that the existing use cases do not fully cover:

1. the Task Submitter is an AI Agent acting under a user-issued delegation credential, not a human operator or an enterprise system
2. the data subject and the party who initiated the task are the same person — the user is querying their own Vault, not a third party querying consumer records
3. the query concerns a single Vault with no multi-Vault fan-out requirement, but still requires TEE execution because the computation involves sensitive record material that must not leave the enterprise node in plaintext
4. agent identity must be independently verifiable by the master cluster without the user being online at query time
5. privacy budget consumption for agent-initiated queries must be tracked per data subject exactly as it is for externally-submitted tasks, because the privacy budget model makes no exception for self-queries
6. the result must be delivered to the agent's device endpoint rather than to a task submitter's API webhook

It therefore validates that the protocol can support delegated AI Agent access as a first-class pattern, without creating a special bypass path that would weaken consent or privacy budget enforcement.

Entry Distinction

This scenario has two different layers:

1. user-facing conversational interaction within the Tacet app
2. protocol-recognized authorized query work with explicit consent, budget, and execution constraints

The user's natural-language question ("Why did my dining spend go up 40% this month?") is not a protocol event by itself. It becomes part of the SCP lifecycle only when the Tacet Agent transforms it into a structured authorized query task carrying the user's pre-registered agent delegation credential.

Unlike the receipt-upload or coupon-campaign scenarios, this use case involves:

1. a new Task Submitter subtype: an AgentCredential holder acting on behalf of a registered data subject rather than on behalf of an enterprise or advertiser
2. per-user single-Vault execution where the Vault contains that user's own private records
3. TEE execution required not for cross-Vault isolation but because the raw transaction records must remain encrypted until inference time inside the enclave
4. a privacy budget reservation scoped to a single data subject (budget_scope: self_query) that the user pre-authorized at Tacet account setup
5. result delivery to a device endpoint identified in the delegation credential, rather than to a generic task submitter webhook

Protocol View

From the protocol perspective, this scenario transforms a user's conversational query into a verifiable, budget-bounded inference result returned exclusively to that user's authorized agent endpoint.

1. Agent Delegation Registration

Before any runtime query occurs, the user registers a delegation credential during Tacet onboarding. This is a one-time setup step, not a per-query action.

The delegation credential carries:

1. agent_id: a stable, protocol-registered identifier for this user's Tacet Agent instance, bound to the user's device
2. data_subject_id: the user's identity within the Symphony protocol
3. authorized_scopes: the set of usage scopes the agent may invoke on the user's behalf, such as self_query, self_compute, and task_participation
4. budget_allocation: the privacy budget the user pre-authorizes for agent-initiated self-queries per epoch, independent of the budget reserved for third-party task participation
5. delivery_endpoint: the device endpoint (encrypted channel reference) to which query results should be returned
6. expiry and revocation_ref: the delegation credential has a finite validity window and can be revoked by the user at any time through the Tacet app or directly through the master node API gateway

The delegation credential is signed by the user's private key and registered with the master node's Identity and Auth Service. From this point on, the Tacet Agent may submit tasks on the user's behalf without requiring the user to be online or to re-sign each individual task.

2. Query Routing and Task Construction

When the user submits a natural-language question, the Tacet Agent's on-device routing layer evaluates whether the query can be handled locally.

In this scenario, the routing layer determines TEE routing is required because:

1. the query requires joining dining records across 90 days, which exceeds the context window the on-device model can handle efficiently
2. the causal analysis ("why did it go up") requires reasoning over merchant-level breakdowns and time-series patterns that benefit from a larger model
3. the on-device model confidence score for the draft answer falls below the app's quality threshold for financial reasoning

Having decided to route to the Remote Vault path, the Tacet Agent constructs a QueryTaskRequest:

1. task_class: query
2. agent_credential_ref: reference to the pre-registered delegation credential
3. target_vault: the user's own Remote Vault on the Symphony enterprise node
4. query_scope: dining transactions for the last 90 days, grouped by merchant and week
5. computation_intent: causal summary — identify the primary merchant-level and frequency-level drivers of the month-over-month dining spend increase
6. semantic_version: the active semantic version at request time
7. result_delivery: the device endpoint from the delegation credential
8. budget_hint: estimated privacy budget consumption, calculated from query scope

The Agent submits this request to the master cluster's API gateway.

3. Task Admission

The Admission Plane on the master node cluster processes the request:

Identity and delegation verification

1. the gateway resolves the agent_credential_ref and confirms the credential is valid, unexpired, and not revoked
2. the Identity and Auth Service verifies the agent_id is registered and bound to the correct data_subject_id
3. the authorized_scopes field on the credential confirms self_query is permitted

Consent verification

The Consent Verification Service sends a consent check RPC to the user's enterprise node Consent Manager:

1. does data_subject_id have an active consent record for self_query usage scope?
2. is the agent_id listed as a permitted agent under that consent record?

Consent for self_query was granted at Tacet account setup and is stored in the user's Vault. The enterprise node returns a yes/no verification result without exporting the consent record itself.

Semantic resolution

The Semantic Registry Service resolves the query scope to canonical attributes:

1. transaction_merchant (directly queryable, commerce domain)
2. transaction_amount (directly queryable, commerce domain)
3. transaction_date (directly queryable, commerce domain)
4. transaction_category → dining (derived via a categorical filter rule)

Privacy budget reservation

The Privacy Budget Reservation Service sends a reserve RPC to the user's enterprise node Privacy Budget Ledger:

1. the requested consumption is calculated based on query scope (90-day window, per-merchant breakdown)
2. the reservation is drawn against the self_query budget allocation from the delegation credential, not against the third-party task participation budget
3. if budget is available, the ledger returns a reservation confirmation; if exhausted, admission fails and the Agent notifies the user

TaskEnvelope assembly

Upon successful admission, the Admission Plane produces a TaskEnvelope containing:

1. resolved canonical attributes and derivation rules
2. budget_reservation_ref: reference to the privacy budget reservation
3. agent_credential_ref: preserved for downstream verification
4. delivery_endpoint: the device endpoint from the delegation credential
5. semantic_version and policy_version at admission time

4. Execution Dispatch and TEE Inference

The Task Orchestrator dispatches the TaskEnvelope to the user's enterprise node.

The enterprise node's Computation Runtime:

1. receives the execution assignment including the TEE requirement flag (set because the query accesses raw record material)
2. loads the relevant dining transactions for the 90-day window from the Vault Record Store
3. passes the records to the local TEE enclave, encrypted with the enclave's public key
4. inside the enclave, the records are decrypted and a large-model inference call is made — the model reasons over the merchant breakdown, detects that a new merchant (Blue Bottle, Midtown) accounts for 28 of the 40% increase and that overall visit frequency also increased by 12%
5. the enclave produces a structured SliceResultBundle containing the causal summary and supporting data points
6. the enclave generates an AttestationReport linking the computation to the verified enclave measurement, platform identity, and freshness nonce
7. the enclave purges all record material

The enterprise node returns the SliceResultBundle and AttestationReport to the Task Orchestrator.

5. Verification

The Result Verification Service on the master cluster validates the result:

1. the AttestationReport is checked: enclave measurement matches the registered code, platform is not revoked, freshness nonce is valid
2. the SliceResultBundle commitment is verified against the declared query scope
3. the agent credential binding is confirmed: the result is authorized for delivery to delivery_endpoint specified in the delegation credential

If attestation or commitment verification fails, the task is rejected, the privacy budget reservation is released, and the Agent receives a failure response.

6. Result Delivery and Privacy Budget Commit

Upon successful verification:

1. the master cluster delivers the result to the delivery_endpoint specified in the delegation credential — an encrypted channel to the user's Tacet app instance
2. the Privacy Budget Ledger on the enterprise node receives a commit RPC, updating the committed consumption record for data_subject_id under self_query scope
3. the Tacet app decrypts and displays the result: "Your dining spend increased 40%. The main driver is a new coffee shop (Blue Bottle near your new office) accounting for 28% of the increase. You also ate out 3 more times than last month, adding the remaining 12%."

7. Settlement and Audit

Because the task submitter is the user's own agent, the settlement model for self_query tasks differs from third-party task settlement:

1. no SYM escrow is locked — agent-initiated self-queries consume the user's pre-allocated self_query privacy budget but do not trigger a monetary fee paid by an external task submitter
2. the task lifecycle still produces a complete evidence chain: TaskEnvelope, SliceResultBundle, AttestationReport, privacy budget commit record
3. the evidence is stored in the Execution Transcript Store on the enterprise node and the Audit Log on the master cluster, making the agent's data access fully auditable by the user
4. the user can view in the Tacet "data access log" that on this date, their Tacet Agent queried 90 days of dining data to answer a causal question — including which agent credential was used and how much privacy budget was consumed

---

Protocol Extension Points

This scenario requires two extensions to the existing SCP/SCS specification that are not present in the current documents:

AgentCredential as a first-class identity construct

The current actor model covers S_master, S_enterprise, and S_producer staking tiers for nodes and data producers. An AgentCredential is a new, non-staking authorization primitive: it does not represent a node in the network, it represents an authorized software agent acting on behalf of a registered data subject. The Actor Registry and Identity and Auth Service need to support registration, validation, expiry, and revocation of AgentCredential records.

self_query budget scope

The existing privacy budget model tracks consumption per data subject per usage scope (e.g., marketing, training). A self_query scope — where the data subject is both the consumer of and the subject of the query — needs explicit treatment in the budget model to distinguish it from third-party task participation. The key semantic difference is that the data subject directly controls and can refill this budget allocation, whereas the third-party task participation budget is governed by consent records held in the enterprise node.