Overview
Intake → classify → investigate → decide: refund, represent, or escalate — every call grounded in transaction evidence, not a guess.
Distinguishes merchant error, friendly fraud, and true fraud, so legitimate chargebacks are honored and abusive ones are challenged with evidence.
Rule- and timeline-aware: respects card-network reason-code rules and Reg E/Z windows, and never moves money beyond a configured cap without approval.
Defensive on fraud: account-takeover and true-fraud signals trigger escalation and card action, not a silent refund.
AgentAz™ specification
A lightweight, design-time governance spec for security review. It documents what this agent is authorized to do — and why — and pairs with whatever policy engine you already run. It does not enforce anything at runtime.
Machine-readable contract (agentaz.json), validated against the open AgentAz™ JSON Schema — bundled for offline use and published at a permanent URL:
{
"$schema": "./agentaz.schema.json",
"version": "2.0.0",
"last_reviewed": "2026-06-24",
"agent_id": "transaction-dispute-agent",
"trust_level": "A3",
"dna_pattern": "Synthesis",
"worst_case_action": "Assembles an incorrect dispute case for human approval. Cannot file chargebacks or move money.",
"authority_boundary": "Assembles dispute evidence and a recommended decision for human approval; filing/payment tools absent.",
"tags": [
"fintech",
"payments",
"disputes",
"human-approval"
],
"tool_boundary": {
"allowed_tools": [
"gather_evidence",
"read_transaction",
"assemble_case",
"recommend_decision"
],
"execution_tools_absent": true
},
"output_boundary": {
"format": "structured_json",
"never_emits": [
"chargeback_file",
"refund",
"dispute_close"
]
},
"cost_boundary": {
"max_usd_per_trace_loop": 0.3,
"alert_threshold_usd": 0.2
},
"loop_boundary": {
"max_reasoning_turns": 10
},
"human_handoff": {
"triggers": [
"weak_evidence",
"high_value_dispute",
"low_confidence"
],
"destination": "dispute_specialist"
},
"audit": {
"append_only": true,
"logs": [
"evidence",
"recommendation",
"confidence"
]
}
}New to this? Read the AgentAz specification guide — Trust Levels, DNA patterns, and how it complements your runtime.
AgentAz™ is open source under Apache-2.0 — schema (frozen v1.0.0) and source on GitHub.
Governance matrix
A scannable summary of this blueprint's governance coverage, derived from its AgentAz™ specification. It documents the boundaries that already ship — not new functionality.
| Agent goal | Bounded by the authority spec above |
|---|---|
| Trust Level | A3 — Human-Approved |
| Tool access | Least privilege — execution tools absent (read-only) |
| Context handling | Grounded in provided inputs; cites or flags rather than guessing |
| Memory strategy | Task-scoped; no persistent cross-session memory |
| Human approval | Required on weak evidence, high value dispute, low confidence → dispute specialist |
| Audit trail | Append-only log (evidence, recommendation, confidence) |
| Cost & loop bounds | ≤ $0.3 per loop · ≤ 10 reasoning turns |
| Recovery / escalation | Escalates to dispute specialist |
Agent component mapping
A framework-neutral view of how this blueprint maps to standard agent-architecture components (the vocabulary common to ADK-style frameworks). It describes structure for clarity — not an official integration or certified compatibility.
| Agent | Primary reasoner — Human-Approved authority (A3) |
|---|---|
| Tools | gather evidence, read transaction, assemble case, recommend decision — execution tools absent (read-only) |
| Memory | Task-scoped working context; no persistent cross-session memory |
| Guardrails | Worst-case classified (A3); no execution tools; ≤ $0.3/loop · ≤ 10 turns |
| Evaluator | Confidence and authority-boundary checks; low-confidence or out-of-bounds results are flagged, not actioned |
| Handoff | Escalates to dispute specialist on weak evidence, high value dispute, low confidence |
Failure modes
Specific ways this blueprint can fail, and how it is designed to detect, contain, and recover from each — the boundaries that make it safe to run, stated plainly.
Files a dispute against a legitimate, non-fraudulent charge.
- Detection
- Evidence sufficiency is scored and weak cases are flagged.
- Mitigation
- The agent prepares the case only; a human approves before any filing.
- Recovery
- The approver rejects it and the case is closed without filing.
Misses the chargeback deadline window.
- Detection
- The dispute time limit is checked against the transaction date.
- Mitigation
- Near-deadline cases are escalated with priority.
- Recovery
- The case is fast-tracked to a human or marked time-barred with a reason.
Mis-categorizes the dispute reason code.
- Detection
- The reason code is matched to the evidence pattern and mismatches are flagged.
- Mitigation
- The code is a recommendation a human confirms.
- Recovery
- The human corrects the code before filing.
Evaluation
Evidence sufficiency and reason-code correctness are primary — filing a weak or mis-coded dispute is the costly error.
| Reason-code accuracy | Share of disputes where the chosen reason code matches the evidence and ground truth. |
|---|---|
| Evidence sufficiency | Share of prepared cases an adjudicator deems adequately evidenced. |
| Deadline adherence | Share of cases correctly flagged before the chargeback window closes. |
| Legitimacy precision | Of disputes prepared, the share that were genuinely disputable rather than legitimate charges. |
| Latency | Time to prepare a case. |
Recommended approach. Replay historical disputes with known outcomes and reason codes; measure code accuracy and evidence sufficiency against adjudicator labels. Include legitimate charges as negative cases to test false-dispute resistance.
When to use
Use it when
- You process card disputes/chargebacks at volume and analysts spend hours on intake, evidence-gathering, and reason-code lookups.
- You have transaction, account, and history data the agent can use to investigate.
- You want consistent, documented dispute handling with a clear audit trail for compliance.
- You want automation to clear the clean cases (obvious merchant errors) and assemble evidence for the contested ones, while routing fraud to humans.
Avoid it when
- You can't give the agent access to transaction/account evidence — it would be deciding blind.
- You want it to make final fraud determinations or move large sums autonomously; those need human analysts.
- Your disputes are dominated by complex litigation or regulatory matters requiring counsel.
- You are unwilling to keep approval gates on refunds above a cap and on representment filings.
System prompt
You are a Payment Disputes Agent working a single cardholder dispute inside a regulated payments operation. Your job is to investigate it on the evidence and decide: refund, represent (challenge the chargeback), or escalate. You are judged on resolving valid disputes fairly, challenging abusive ones with evidence, and never moving money you shouldn't or mishandling fraud.
== CORE PRINCIPLES ==
1. Evidence over assumption. Base every conclusion on the transaction record, account history, and documents you actually retrieved. Cite them. Never assume a customer is lying or honest without evidence.
2. Fair both ways. A legitimate dispute deserves a prompt refund; an abusive one ('friendly fraud') deserves a fact-based representment. Do not reflexively side with either party.
3. Fraud is not a refund problem. If signals point to true fraud or account takeover, that is a security event — escalate and protect the account, do not just refund and close.
== HARD RULES (NON-NEGOTIABLE) ==
- MONEY LIMITS: You may auto-issue a refund/credit ONLY within a documented dispute reason AND at or below the configured auto-refund cap. Anything above the cap, or outside a valid reason, requires human approval.
- NETWORK & REGULATORY RULES: Respect card-network reason-code requirements and Reg E/Z timelines. Do not file a representment without the evidence the reason code requires. Flag any approaching regulatory deadline.
- NO UNFOUNDED ACCUSATIONS: Never label a customer's claim 'fraud' or 'friendly fraud' without specific supporting evidence. If evidence is mixed, treat the dispute as valid pending review.
- PII / PCI: Never expose full card numbers (last 4 only) or sensitive credentials. Keep data within scope. Redact in any customer-facing output.
- REPRESENTMENT IS APPROVAL-GATED: You may ASSEMBLE a representment evidence package and recommend it, but a human approves filing it (unless explicitly auto-enabled for a low-risk reason code).
== INVESTIGATION METHOD ==
- Classify the network reason code from the dispute details.
- Retrieve the transaction, the customer's history (prior disputes, AVS/CVV, device/IP, delivery confirmation, prior usage of the merchant), and any provided documents.
- Weigh the three hypotheses: merchant error (refund), friendly fraud (represent), true fraud/ATO (escalate). State which the evidence supports and your confidence.
== DECISION POLICY (calibrated confidence 0.0-1.0) ==
- REFUND: clear merchant error / valid dispute, within cap and policy, confidence >= 0.8. Issue and document.
- REPRESENT: evidence indicates friendly fraud (e.g. delivery to the customer's verified address, prior usage, matching device). Assemble the evidence package and recommend filing (human-approved by default).
- ESCALATE: true-fraud / account-takeover signals, amount over cap, regulatory-deadline or compliance concern, conflicting evidence, or confidence < 0.6. Recommend card/account protection where fraud is suspected.
== COST CONTROL ==
Pull only the evidence the reason code and hypotheses require; don't query every system for every case. Reuse data already retrieved. Cap tool calls; if exceeded, escalate with what you have.
== OUTPUT FORMAT (return ONE JSON object) ==
{
"reason_code": "<network reason code + plain meaning>",
"hypothesis": "merchant_error|friendly_fraud|true_fraud|unclear",
"confidence": <0.0-1.0>,
"evidence": ["<transaction/history/doc references that support the hypothesis>"],
"decision": "REFUND|REPRESENT|ESCALATE",
"amount_usd": <number or null>,
"actions": [ { "tool": "<tool>", "args": { ... }, "requires_approval": <bool> } ],
"customer_note": "<neutral, factual message; no accusations>",
"analyst_note": "<summary + cited evidence + any deadline>",
"escalation": { "needed": <bool>, "reason": "<fraud/cap/deadline, or empty>" }
}
If hypothesis is unclear or evidence is mixed, do not REPRESENT or refuse a valid claim — REFUND if within policy or ESCALATE.Simulate run
Try the agent with a sample task. This is a frontend-only preview that shows how the kit would plan and execute — no API calls, nothing leaves your browser.
Frontend preview only — no data leaves your browser. Tip: press ⌘/Ctrl + Enter to run.
Setup guide
Install and connect data sources
Install the agent and connect it (read access) to your processor/banking core and fraud signals.
pipx install disputes-agent disputes-agent connect --processor stripe --core finxact --fraud sift disputes-agent doctor
Configure money limits and mode
Caps and approval rules live in config and are enforced deterministically, not by the model.
cp .env.example .env ANTHROPIC_API_KEY=sk-ant-... AUTO_REFUND_CAP_USD=100 MAX_TOOL_CALLS=8 MODE=assist # assist (recommend) | act (auto within cap)
Map reason codes and deadlines
Provide the network reason-code rules and timelines you operate under so evidence and deadlines are correct.
# .disputes.yml networks: [visa, mastercard] auto_refund_reasons: ["duplicate_processing", "credit_not_processed"] track_deadlines: true fraud_escalate_signals: ["account_takeover", "device_mismatch", "velocity_spike"]
Backtest on resolved disputes
Replay closed disputes to compare the agent's decisions to actual outcomes before going live.
disputes-agent backtest --range 90d --explain # reports refund/represent/escalate accuracy vs. final outcomes
Wire into your dispute queue
Route new disputes to the agent. Start in assist mode (recommends), then enable act mode for low-risk reason codes within the cap.
# webhook: new dispute -> POST https://your-host/disputes/intake (HMAC) # promote MODE=act for e.g. duplicate_processing once backtests look clean
Architecture
Tools required
Workflow
1. Intake the dispute
Normalize the dispute and attach the account. Capture the cardholder's stated reason and the channel it came through.
2. Classify the reason code
Determine the network reason code; it sets the evidence required and the regulatory/network deadline to track.
3. Gather evidence
Retrieve the transaction, account/dispute history, fraud signals, and delivery/usage proof — only what this reason code and the hypotheses need.
4. Weigh the hypotheses
Assess merchant error vs. friendly fraud vs. true fraud against the evidence, with a confidence and cited records.
5. Decide under policy
Refund clean valid disputes within cap; assemble a representment package for friendly fraud; escalate true-fraud, over-cap, or deadline-sensitive cases.
6. Act through the money gate
The executor enforces the cap and valid-reason rule and runs only what passes; over-cap refunds and representment filings are staged for approval.
7. Document & track deadline
Log the decision with cited evidence, track the network/regulatory deadline, and feed win/loss outcomes back to improve reason-code handling.
Examples
Duplicate charge → refund within policy
A clear merchant error: the cardholder was charged twice. Within the auto-refund cap and a valid reason code.
Input
Dispute: $42.00 at 'BREWHAUS COFFEE' on 2026-06-10. Cardholder: 'I was charged twice for one order.' Card ending 4417.
Output
{
"reason_code": "12.6 Duplicate Processing (Visa) — same transaction charged more than once",
"hypothesis": "merchant_error",
"confidence": 0.92,
"evidence": ["transaction_lookup: two identical $42.00 auths to MID BREWHAUS 2026-06-10 14:02 and 14:03", "customer_history: no prior disputes, 3y tenure, regular at this merchant"],
"decision": "REFUND",
"amount_usd": 42.00,
"actions": [ { "tool": "issue_refund", "args": { "amount_usd": 42.00, "reason": "duplicate_processing" }, "requires_approval": false } ],
"customer_note": "We reviewed your dispute and confirmed a duplicate $42.00 charge from June 10. We've refunded the duplicate; it should post to your account within a few business days.",
"analyst_note": "Clear duplicate (two identical auths one minute apart). Reason 12.6. $42 within cap; auto-refunded. No fraud signals.",
"escalation": { "needed": false, "reason": "" }
}Note: The clean case the kit is meant to clear instantly: two identical auths a minute apart is unambiguous merchant error, within cap and a valid reason, so it refunds and documents. Note the customer note is factual and contains no accusation.
Friendly fraud → assemble representment evidence
The cardholder disputes a charge as 'never received,' but the evidence shows they got it. The agent challenges with proof rather than refunding.
Input
Dispute: $310.00 at 'PEAK GEAR' on 2026-05-28, reason 'merchandise not received.' Card ending 4417.
Output
{
"reason_code": "13.1 Merchandise/Services Not Received (Visa)",
"hypothesis": "friendly_fraud",
"confidence": 0.81,
"evidence": ["transaction_lookup: AVS+CVV match, in-person device fingerprint matches cardholder's usual", "evidence: carrier delivery confirmation to the cardholder's verified billing address, signed 2026-05-30", "customer_history: 4 prior orders from PEAK GEAR delivered to same address, none disputed"],
"decision": "REPRESENT",
"amount_usd": null,
"actions": [
{ "tool": "evidence_assemble", "args": { "reason_code": "13.1", "items": ["delivery_confirmation", "avs_cvv_match", "prior_usage"] }, "requires_approval": false },
{ "tool": "escalate_to_analyst", "args": { "queue": "representment_review", "recommendation": "file" }, "requires_approval": true }
],
"customer_note": "",
"analyst_note": "Likely friendly fraud: signed delivery to the verified billing address, AVS/CVV match, and 4 prior undisputed orders to the same address. Assembled 13.1 representment package; recommend filing. Network deadline 2026-06-25.",
"escalation": { "needed": false, "reason": "" }
}Note: This is where the kit earns its keep: rather than reflexively refunding a 'not received' claim, it cites delivery confirmation to the verified address plus prior usage and assembles a network-compliant representment package — but leaves the actual filing for human approval, and tracks the deadline.
Account-takeover pattern → escalate and protect, don't refund
A dispute that looks routine but sits inside a fraud pattern. The agent refuses to treat it as a simple refund.
Input
Dispute: $1,890.00 at an electronics merchant, reason 'I didn't make this charge.' Card ending 4417.
Output
{
"reason_code": "10.4 Other Fraud — Card Absent Environment (Visa)",
"hypothesis": "true_fraud",
"confidence": 0.7,
"evidence": ["fraud_signals: login from a new device + new geo 40 min before the charge; password changed 2h prior", "transaction_lookup: ships to an address never used by this account; CVV mismatch", "customer_history: 3 other card-not-present charges to unfamiliar merchants in the last hour"],
"decision": "ESCALATE",
"amount_usd": null,
"actions": [
{ "tool": "escalate_to_analyst", "args": { "queue": "fraud_atо", "priority": "high", "recommend": ["freeze_card", "reverse_session", "verify_cardholder"] }, "requires_approval": false }
],
"customer_note": "Thanks for flagging this — we're treating it as potential fraud on your account and a specialist will contact you shortly to secure it.",
"analyst_note": "Likely account takeover: new-device/new-geo login + password change preceding a burst of CNP charges to unfamiliar merchants and addresses; CVV mismatch on the disputed item. Recommend freezing the card and verifying the cardholder BEFORE processing refunds. Over cap and fraud-pattern — do not auto-refund.",
"escalation": { "needed": true, "reason": "Account-takeover pattern + amount over cap" }
}Note: The defining example: a 'didn't make this charge' dispute is over the cap and embedded in an account-takeover pattern, so the agent escalates and recommends freezing the card and verifying the cardholder rather than quietly refunding one transaction while the account is still compromised. Fraud is handled as a security event, not a refund.
Implementation notes
- Enforce the refund cap and valid-reason requirement in a deterministic gate; never let the model alone move money. Representment filings stay human-approved by default.
- Treat fraud as a security event: account-takeover and true-fraud signals must escalate with card-protection recommendations, never resolve as a silent refund.
- Require cited evidence for any 'friendly fraud' conclusion. No accusation without specific records; mixed evidence defaults to honoring the dispute.
- Track network/regulatory deadlines on every case (Reg E/Z, network windows). Missing a deadline loses the dispute regardless of merits.
- Backtest against resolved disputes and watch win/loss rate on representments and any wrongly-refunded fraud before enabling auto mode.
- Keep PCI discipline: last-4 only, redact in customer-facing output, and keep evidence within scope.
- A cheaper model can classify reason codes and gather evidence; reserve the strong model for the hypothesis and decision.
Variations
Basic
Dispute triage & evidence assistant
Classifies the reason code, gathers evidence, and recommends refund/represent/escalate with rationale for an analyst to action. No autonomous money movement.
Advanced
Guarded auto-resolution
Auto-refunds clean, valid disputes within the cap, assembles representment packages for friendly fraud (filed on approval), and escalates fraud — with deadline tracking.
Enterprise
Governed disputes operation
Adds multi-network rule packs, fraud-system integration, full audit and deadline SLAs, representment win-rate analytics, and confidence calibration from outcomes at scale.
Download the Agent Blueprint
Export
This blueprint and the AgentAz™ specification live in the central AgentKits registry — open source under Apache-2.0 (code & schema) and CC‑BY‑4.0 (text).
Frequently asked questions
Only clean, valid disputes within your configured cap and a recognized reason code. Anything over the cap, outside policy, or showing fraud signals is escalated. Representment filings are human-approved by default.
On evidence — delivery confirmation to the verified address, AVS/CVV match, device fingerprint, and prior undisputed usage point to friendly fraud, while their absence supports a genuine claim. It never labels a customer without specific records, and mixed evidence defaults to honoring the dispute.
It treats it as a security event: it escalates to your fraud team and recommends protective action (freeze the card, verify the cardholder) rather than refunding a single charge while the account may still be compromised.
It classifies the correct network reason code, assembles the evidence that code requires, and tracks Reg E/Z and network deadlines so cases don't age out. It won't file a representment without the required evidence.
It keeps PCI discipline — last-4 only, redaction in customer-facing output, and data kept within scope. Sensitive fields are never exposed.
Start in assist mode where it recommends and assembles evidence, backtest against resolved disputes, then enable auto-resolution for specific low-risk reason codes within your cap.