Without Warrants
Session-based authentication
User
Agent
Tool
OAuth token
?
With Warrants
Cryptographic authorization chain
User
signs ✎
Warrant + PoP
scope:/data/* • ttl:1h
holder proves key
Agent
attenuates ✎
Warrant + PoP
scope:/data/reports/* • ttl:10m
holder proves key
Tool
validates ✓
RECEIPT
User → Agent
→ Tool
Signed proof
✓
vs