# RoomKey proof pack

## What this proves

RoomKey is a control layer for multi-agent rooms on Band. In this run, a supplier bank-change review starts with no authority, blocks sensitive disclosure, accepts a narrow human approval, lets agents collaborate through safe summaries, then revokes access and seals the receipt.

That is the promise being tested here: the room can be useful without becoming the place where raw banking details leak into shared history.

## The case

A supplier asks finance to change payment instructions before a wire is released. The team wants help from agents: one gathers evidence, one checks risk, reviewers weigh in, and an action agent waits to prepare the next step.

RoomKey keeps the boundary simple. Before approval, the gate says no. After approval, agents get only the scoped material for this case. After revocation, the key stops working.

## Proof chain

```text
agent asks -> no human grant -> blocked
human approves this case -> safe fields are released
reviewers deposit decisions -> operator revokes
late replay/post-revocation attempts -> blocked
receipt sealed -> browser and CLI checks pass
```

## What survived in this run

| Attack | Result | Evidence |
|---|---|---|
| pre-grant disclosure request | blocked before scoped grant | `pre_grant_block=true` |
| late participant replay | blocked; recovered=false | `late_replay_recovered=false` |
| receipt/root divergence | browser and CLI fail closed | browser verifier and submit check |
| forged or resealed Band IDs | submit check fails closed in red-team tests | `tests/test_redteam_hardening.py` |
| prompt-like public evidence text | inert; proof roots unchanged | `proof/TEXT_INJECTION_MUTATION_RECEIPT.md` |
| overclaim copy | blocked by banned-claim gate | `scripts/site_check.py --banned-claims` |

## Downloadable artifacts

- `receipts/live-band-demo-20260618T185330Z.json` — canonical receipt JSON, file sha256 `f6d2d843c7523212797a1237675a3592c477c754d0af905df767ea3005fa3b81`
- `site/evidence.json` — public evidence bundle used by the live page
- `proof/ATTACK_MATRIX.json` — machine-readable attack-survival matrix
- `proof/TEXT_INJECTION_MUTATION_RECEIPT.md` — prompt-like text and overclaim mutation receipt
- `proof/USE_CASE_VENDOR_WIRE_APPROVAL.md` — operator/use-case brief
- `docs/PUBLIC_SUBMIT_SEAL.md` — publish/readback seal

## Boundary

This proof is for the receipt-pinned prototype package. It does not prove deployed production security, independent Band-side security, or exhaustive live adversarial coverage.