A draft is a proposed change to your ad account, never a pending action. It carries a before → after field diff and a projected dollar impact, so you approve the outcome — not a vague suggestion. This is the same object the queue, the audit log, and the landing page all render.

Every draft lands in the approval queue. You review the diff, then run the two-step Approve & push live → Confirm control. There is no one-click spend anywhere in SpendSignoff — the arm/confirm step is deliberate by design.

• Approve applies the diff to the live account and writes an audit entry.
• Reject discards the draft; the operator learns from it.
• Stale drafts (data moved underneath them) must be re-armed before they can apply.

The loop runs continuously: it reads your accounts, finds drift and opportunity, and drafts changes via propose_change. In V1 the loop only ever proposes — it does not apply. The operator works while you sleep; the spend decision stays with you.

The envelope is a hard cap on how much net spend change your approvals can push live in any rolling 24-hour window. It is enforced server-side as a real ceiling: once the day's envelope is consumed, further approvals are blocked until the window rolls — not warned about, blocked.

Each approval writes an immutable, signed audit entry: who approved it, the exact diff, and the projected vs. realized impact. Any applied change can be rolled back in one click, restoring the prior values from the recorded before-state.