Every outbound agent payment passes six independent screens before it leaves the wallet. Allowlist. Daily cap. Per-recipient cap. Price window. Trust tier. Anomaly. All six must agree, or the transaction does not sign. Each check leaves a hash in the receipt.
Is the recipient on the agent's allowlist? Receipts to unknown counterparties never sign.
Has the agent already spent its daily ceiling? If yes, this transaction does not move.
Has this single counterparty already been paid the per-recipient cap today? Prevents drain attacks.
Is the price within the corridor seen for this resource in the last N minutes? Blocks oracle manipulation.
Does the recipient's HiveTrust tier meet the minimum for this category of spend?
Does the transaction match the agent's recent behavioral shape, or is it a statistical outlier?
Single-layer controls fail in the field — allowlists get social-engineered, caps get split across recipients, oracles get manipulated, trust tiers go stale. SHOD's six hops are independent — bypassing one is not enough. The combinatorial cost of bypassing all six is what makes agent payments insurable.
Every outbound payment receipt records which hops passed and with what tolerance. Auditors recompute the gate decisions from the on-chain inputs.
Cited in: HiveAudit pillar of hivetrust.json. Producer for the receipts: srotzin/hive-passport SHOD module.