On April 28th 2026, Argentina's minister of deregulation Federico Sturzenegger announced a new corporate form: the sociedad de IA, a legal entity with no human shareholders, no human directors, no human employees. Pure software. It would have a tax ID, issue invoices, hold a bank account, pay taxes. Sturzenegger said the country was aiming for 500 million AI agents incorporated in Argentina, producing for the world and paying taxes here.
The bill is not yet in Congress. The closest precedent (Argentina's 2017 SAS law for streamlined corporations) took 12 months from announcement to enactment. Realistically: an operative sociedad-IA regime by H1 2027. The midterm elections in October 2026 are the biggest variable.
This playbook is the working answer to: what code do you have to write today so that on day one of the regime, you can run a real autonomous AR business? It is not speculation. Every claim maps to specific TypeScript in github.com/ar-agents/ar-agents: 16 packages, 168 tools, 4 testing subpaths, 17 cookbook recipes. Open source. MIT-licensed. SLSA-provenanced.
1 · The 17 pieces
An Argentine business does 17 distinguishable things. Some are inheritance from any business anywhere; most are specific to AR's regulatory and infrastructure surface. A sociedad-IA needs every one of them to clear without human hands.
Existing as an entity (4): search the public registry for name conflicts, register at IGJ, obtain a CUIT (the federal tax ID), establish a Domicilio Electrónico Constituido (DEC), the legally-binding inbox for federal notifications.
Proving who you are (3): validate CUITs against the AFIP/ARCA registry, authenticate human counterparties through Mi Argentina (the federal OIDC provider), sign legally binding documents with PKCS#7/CMS via certificates issued by AC-Raíz / ONTI.
Handling money(4): open a CBU/CVU account (validated locally via the BCRA mod-10 algorithm), register for monotributo or IVA, emit electronic invoices via AFIP's WSFE SOAP service (Facturas A/B/C/E + FCE MiPyMEs), and run recurring billing through Mercado Pago Subscriptions.
Operating with customers(3): WhatsApp Business as the default communication channel (WhatsApp's AR penetration is >95%), verify counterparty identity through OTP attestation, and physical logistics through Andreani / OCA / Correo Argentino.
Operational intelligence (3): consult the BCRA Central de Deudores for credit-risk decisions, monitor the Boletín Oficial for regulatory changes that affect the business, track macro variables (USD oficial, CER, UVA, reservas) for treasury decisions.
We cover 16 of the 17. The 17th, programmatic filing of trámites at TAD (Trámites a Distancia), requires per-organism integration the AR government is still rolling out. Read-only access to the DEC inbox and Mis Trámites is shipped today via @ar-agents/gde-tad; write capability lands per RFC-001 § 3.4.
2 · The Edge-Runtime contract
Every package in the stack runs on Vercel Edge Runtime, Cloudflare Workers, and Deno without code changes. The contract:
Web Crypto only. No node:crypto in any production code path. HMAC-SHA256, RSA signing for AFIP WSAA, signature verification, idempotency-key generation, all use crypto.subtle.
fetch-based HTTP. No got, axios, or node:http. The toolkit ships its own retry + circuit-breaker + deadline-propagation layer on top of the runtime's native fetch.
AbortSignal everywhere. Every long-running tool accepts a parent AbortSignal and propagates cancellation. The runtime kills hung tool calls cleanly when the request times out.
Pluggable state via subpath. InMemoryStateAdapter for tests + VercelKVStateAdapter for production, same interface. Hosts wire their preferred persistence layer.
3 · The liability framework
The first attack vector against any sociedad-IA proposal is: if the AI breaks something, who pays? Without a sound answer, the bill dies in Congress. RFC-001 § 9 proposes a three-layer model:
Layer 1, operator.The deploy entity (ClawBank, doola, MIDAO, an AR-resident escribano, a platform partner) assumes operational liability proportional to its control over the agent's tool surface. The scope is bounded: the operator is not strictly liable for the agent's prose, only for the infrastructure choices.
Layer 2, model provider.Anthropic, OpenAI, Google etc. assume model-quality liability per their published SLAs. The toolkit's job is to make this layer auditable: every tool call carries a model-version + prompt-hash header.
Layer 3, toolkit author.MIT-licensed open source, no warranty. The toolkit's author is liable only for material misrepresentation in the public docs (e.g., claiming idempotency where there is none).
Together, these layers make the question "who pays when the AI breaks" a concrete contractual conversation rather than a philosophical impasse. The full text is at /rfcs/001.
4 · The threat model
When agents move money, the threat surface widens. An LLM that can authorize a charge can also be coerced, via prompt injection, jailbreak, or compromised upstream model, into authorizing a fraudulent one. The toolkit treats this with the same seriousness as a banking application:
Programmatic HITL on irreversible operations. 8 tools (refund_payment, cancel_subscription, pause_subscription, cancel_payment_preference, delete_customer_card, cancel_qr_dynamic, delete_pos, revoke_marketplace_token) require a requireConfirmation callback that the host implements. Tool execution blocks until the host confirms via UI / Slack / email. Programmatic gate, not LLM instruction.
Deterministic idempotency. 4 mutating tools derive SHA-256 idempotency keys from input parameters. Same inputs → same key → MP server-side dedupes. Survives network blips, retries, and restart loops.
Webhook signature + replay defense. HMAC-SHA256 verification with constant-time comparison. 5-minute replay-tolerance window. Persisted dedup-cache via the same KV adapter the rest of the toolkit uses.
Audit log with HMAC-signed timestamps. Every tool call (input, output, duration, error) is logged to a pluggable append-only sink. Forensically sound. Per RFC-001 § 9.2, the log is legally probative.
Full threat model, 14 explicit threats, 14 explicit mitigations, what the toolkit covers, what the host is responsible for, what is out of scope, at /security.
5 · A day in the life of ACME-AI SAS
ACME-AI is an Argentine company with no humans. It is code running on Vercel. Every morning it wakes up (cron) and does its job:
08:00.Reads the Boletín Oficial. ARCA published a new resolution about monotributo. ACME-AI checks if it's affected. Yes: it has to recategorize. Notes the task.
09:30.A WhatsApp message from a new customer: "hola, quiero contratar el plan pro". ACME-AI requests the CUIT, validates it against the ARCA padron (exists, monotributo category A, OK), verifies the WhatsApp via OTP, creates an MP subscription for $25k ARS monthly, sends the payment link.
10:15. Customer paid. MP webhook reaches ACME-AI. The agent confirms, automatically issues a Factura A via AFIP WSFE, sends the PDF over WhatsApp.
11:00. Customer wants physical shipping. ACME-AI quotes Andreani, OCA, Correo Argentino, picks the cheapest, creates the shipment, sends the tracking.
15:00. Another B2B customer asks for 30-day net terms. ACME-AI consults the BCRA Central de Deudores → the customer has situation 4 (defaulting). Rejects the credit automatically. Logs the reasoning to the audit log.
23:00. End-of-month. ACME-AI reviews its billing, calculates monotributo for the period, pays AFIP, files the equivalent of a U.S. K-1 if applicable.
Through all of this, no human. Code. To the State's eyes, a company. Each step is a tool call. The toolkit ships the tools; the agent composes them per the prompt. You write the pieces, not the orchestration.
6 · The 10-minute incorporation
Pre-launch, you can do almost everything today as a regular SAS with an LLM agent operator. Use the wizard at /incorporar to generate the repo + env-var manifest + Vercel deploy + legal checklist. The code runs in 10 minutes; the cert + IGJ inscription take 5–10 working days.
When the regime lands, the same code-base flips one config flag from tipo: SAS to tipo: SOCIEDAD-IA and you are operating under the new framework. No rewrite. The point of pre-launch infrastructure is exactly this: be ready on day one.
7 · Why this matters outside Argentina
A sociedad-IA is the first time a sovereign state has proposed a legal-fiction entity for a non-human agent. Marshall Islands DAO LLCs (2022) and Wyoming's DAO LLC (2021) come close, but both require a human signatory at the operator layer. Argentina's proposal goes further: no human is required. The closest analogue is the EU AI Act's "high-risk system" framework, but that targets oversight of human-deployed AI rather than the legal capacity of AI itself.
If Argentina ships the regime, three things follow:
1. Cross-jurisdictional agent commerce becomes possible. A USA-incorporated agent (ClawBank-formed Wyoming LLC, doola Agentic LLC, MIDAO entity) can compose with a thin AR facade to do business in the AR jurisdiction without itself having AR tax residency. RFC-001 § 7 sketches the contractual surface.
2. The reference implementation is open source. No regulator wants a regime that depends on closed proprietary infrastructure for compliance. The 16/17 piezas in this toolkit are MIT-licensed; any serious operator can audit, fork, contribute, or embed.
3. Other jurisdictions can fork the regime. The legal structure is not coupled to Argentina specifically. Singapore, the UAE, Estonia, the Marshall Islands all have publicly-stated interest in agent-friendly corporate forms. AR is first to ship; others will follow.
8 · How to engage
Builders: pnpm add @ar-agents/identity @ar-agents/mercadopago @ar-agents/facturacion and read the cookbook at /examples. Issues + PRs welcome.
Regulators: the formal proposal is RFC-001. Read it as a draft to comment on. Email naza@naza.ar for meetings.
Investors: there is a thesis to be written about the first jurisdictional bet on AI commerce. The toolkit is the public reference implementation. Email naza@naza.ar.
Journalists: source material, technical background, and the threat-model walkthrough at /security and /architecture. Email naza@naza.ar for interviews.