From OAuth or service accounts to OC Agent.
Five-step incremental path. You don't rip out your existing identity stack; you layer OC Agent on top, prove the audit posture to compliance, then deprecate the legacy bits at your own pace. The first action envelope ships in under an afternoon.
Issue a first delegation in test mode
Pick one agent in staging — preferably the one your compliance reviewer worries about most. Issue a single OC Agent delegation envelope binding that agent's Bitcoin address to a tight initial scope set. Your existing OAuth token / service account stays in place; nothing about the runtime path changes yet.
The delegation is a one-time BIP-322 signature in your wallet — Console never holds keys. The envelope is content-addressed and published to Nostr; you can verify it offline immediately.
Wrap one tool call with an action envelope
Install the adapter for your stack: @orangecheck/agent-mcp (live) or one of agent-anthropic / agent-openai / agent-vercel / agent-langgraph (in design; canonicalization already locked). Wrap one tool call in invokeWithStamp. The snippet below is the page's example with the call placed inside a function so that the final return has a scope:

import { invokeWithStamp } from '@orangecheck/agent-mcp';

async function createInvoice(agent, delegation) {
  const { result, action } = await invokeWithStamp({
    agent,
    delegation,
    invocation: {
      server: 'https://mcp.example.com',
      tool: 'invoice.create',
      arguments: { customer: 'acme', amount: 14.20 },
    },
    call: async (inv) => myExistingHandler(inv), // your code unchanged
  });
  await yourAuditPipeline.append(action); // persist the signed envelope alongside the result
  return result;
}

Your OAuth / service-account auth path runs unchanged on the inner call. The wrapper adds a signed agent-action envelope on top, content-hashing the tool input and binding it to the live delegation. Place the wrapper at the point where the final arguments leave your process: the envelope attests the input it hashed, not anything a downstream transform changes afterwards. The first envelope appears in your audit log in under an afternoon.
Verify offline against Bitcoin headers
Show your compliance reviewer the verification path. Hand them an audit bundle (a signed tarball of action envelopes), the OpenTimestamps proofs, and a recent Bitcoin headers file. The headers file is the trust anchor for the block-ordering claim, so a reviewer who wants to depend on nothing you supplied should export it from a node they run themselves. They run:
import { verifyAction } from '@orangecheck/agent-core';

// action and delegation are read from the audit bundle; btc.headers is the reviewer's own headers file.
// no network. no console.ochk.io. no anthropic/openai/vercel.
const r = await verifyAction(action, { delegation, btcHeaders: './btc.headers' });
console.log(r.ok ? 'verified' : 'FAILED');
console.log('agent:', r.agent);
console.log('scope exercised:', r.scopeExercised);
console.log('anchored block:', r.anchoredAtBlock);

No network calls to Console. No Anthropic / OpenAI / Vercel API keys involved. The verifier reproduces every action receipt from the canonical bytes and confirms that each envelope id matches the published one byte-for-byte, so any change to the stored input, the principal, or the scope shows up as an id mismatch rather than as a discrepancy someone has to argue about. This is the moment compliance signs off on agent authority.
Roll out to production agents
Promote the delegation from test to prod. Either issue a new delegation against the production agent address (recommended; clean break) or extend the test delegation's scopes to cover production verbs. Both routes are wallet-signed; both produce an audit-trail entry.
The runtime path is identical — you wrap each tool call with the adapter; envelopes flow into the OC Stamp anchor pipeline; receipts appear in /audit. Your existing OAuth / service-account auth keeps running. Compliance can now see every action with a cryptographically bound principal, scope, and Bitcoin-block ordering.
Deprecate the legacy stack at your pace
Once compliance is signing off on agent authority via OC Agent envelopes, the legacy auth path becomes redundant for the agent surface. Many teams keep OAuth for human SSO and use OC Agent only for autonomous principals — that's a clean separation and there's no reason to force a migration.
Other teams replace service accounts entirely with BIP-322-bound agent addresses, since the audit story is strictly stronger. We don't rush you. The protocol layer is permanent; the legacy layer's deprecation runs on your finance / re-platforming calendar.
What stays

- Your OAuth provider and existing IdP integration.
- Your service-account credentials and their existing rotation policy.
- Your IAM policies for human users: humans don't get OC Agent envelopes; agents do.
- Your existing application code path inside execute handlers: adapters wrap, they don't replace.
What changes

- Agents now have a Bitcoin-bound principal alongside their existing service account.
- Every tool call emits a content-addressed receipt that verifies offline for as long as you keep the bundle and a Bitcoin headers file; nothing in the check depends on a server staying up.
- Compliance reviewers can independently replay the audit without reaching console.ochk.io or any of your providers.
- Scope edits and revocations are deterministically time-ordered against Bitcoin block height, so there are no more "wait, but the IdP's clock said..." arguments. The ordering is at block granularity: envelopes anchored in the same block are not ordered against each other by the chain.
Pair with us on step 1.
Design partners get a half-day pairing with an OrangeCheck engineer to wire the first envelope into their existing stack. We bring the integration; you bring the agent and a tight scope. The first delegation lands while we're on the call.