Glossary · Cited · Live

Every term we use, defined.

Hive operates at the intersection of post-quantum cryptography, agentic AI, financial-services rails, and regulatory compliance. This glossary is the canonical reference. Every definition cites a primary source — an IETF RFC, a NIST FIPS publication, an EU regulation, a NERC standard, or the Hive specs. If a term is missing, mail [email protected] and we will add it.

163 defined terms · 7 categories · 1 citation per entry, minimum · 100% client-side · works offline

Agentic AI

A2A Protocol (Google)

Google's Agent2Agent (A2A) Protocol, announced April 2025, is an open specification for inter-agent task delegation, capability discovery, and message exchange. It defines AgentCards (capability manifests), Tasks, and Artifacts.

A2A complements the Model Context Protocol (MCP) — MCP wires an agent to its tools, A2A wires agents to each other. The two coexist in modern agent stacks.

Why it matters in Hive

Hive's MCP servers expose A2A-compatible AgentCards and emit Hive receipts for every cross-agent task.

Compliance

ABA Formal Opinion 512 (AI use by lawyers)

ABA Formal Opinion 512 (July 2024) addresses lawyers' use of generative AI tools. It clarifies that lawyers must understand the technology, protect client confidentiality, communicate appropriately with clients, charge reasonable fees, and supervise AI outputs as they would any non-lawyer assistance.

Op. 512 has rapidly become the reference document for AI use in US legal practice.

Why it matters in Hive

Hive's legal-AI surface aligns its receipts to the duties Op. 512 enumerates — supervision, confidentiality, billing transparency.

Compliance

ABA Model Rule 1.6 (confidentiality)

American Bar Association Model Rule of Professional Conduct 1.6 governs a lawyer's duty of confidentiality. A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent or an exception applies, and shall make reasonable efforts to prevent inadvertent or unauthorized disclosure.

Most US states have adopted Rule 1.6 verbatim or with minor variations.

Why it matters in Hive

Hive's legal vertical (Atticus, Lex Contract) produces receipts that affirmatively support a lawyer's duty under Rule 1.6 — the access events are themselves evidence of reasonable safeguards.

Financial Rails

Activation deposit

An activation deposit is the refundable USDC bond posted by an institutional account on onboarding. It collateralizes potential disputes and bad-faith-action claims and is returned (less any drawdown) on offboarding.

Deposit amounts are tier- and zone-dependent and are documented in the onboarding agreement.

Why it matters in Hive

Activation deposits are the economic skin-in-the-game for institutional accounts; they are why the rail is not free to abuse.

Agentic AI

Agent

In the Hive sense, an agent is an autonomous software process that perceives state, reasons about goals, and takes actions on behalf of a principal (a person, an enterprise, or another agent). Agents are typically backed by an LLM but the term predates LLMs and includes deterministic rule-based agents, RL policies, and multi-tool planners.

An agent is not the same as a chatbot. An agent has tool access, persistent identity, and can make state-changing calls — purchases, filings, code commits — on the principal's behalf.

Why it matters in Hive

Every action that crosses Hive's boundary is signed by an agent identity and produces a Hive receipt that ties the action to the principal.

Agentic AI

Agent attestation

An agent attestation is a signed statement by the agent's runtime (or a trusted enclave hosting it) about the agent's identity, model, version, and policy at the moment of action. It is the agent-era analog of a TPM attestation.

Attestations may include a TEE quote (Intel TDX, AMD SEV-SNP, Apple Secure Enclave) when the runtime supports it, providing a hardware-rooted claim about the agent's execution environment.

Why it matters in Hive

Hive accepts TEE-rooted attestations from AWS Nitro Enclaves and Google Confidential Space and binds them into the receipt envelope.

Agentic AI

Agent commerce

Agent commerce is economic activity transacted between agents — purchases, settlements, license grants, data exchanges — without a human in the loop for each transaction. It is forecast to be a multi-trillion-dollar flow by the end of the decade.

Agent commerce requires identity, settlement, and receipts that classical web commerce never had to engineer.

Why it matters in Hive

Hive is the receipt and settlement substrate for agent commerce: USDC on Base, Hive receipts on every action.

Agentic AI

Agent identity

An agent identity is the cryptographic identifier (typically a DID) that an agent presents when acting. It is distinct from the principal's identity and from the underlying model's identity.

Agent identities are bound to a principal (who is responsible), a model (what is reasoning), and a policy (what is allowed). The binding is the substrate of agent accountability.

Why it matters in Hive

Hive issues did:hive identifiers to agents through ProveBirth; every agent has a public key, a principal binding, and a receipt history.

Agentic AI

Agent provenance

Agent provenance is the verifiable chain that ties an action back to the agent that performed it, the principal that authorized the agent, the model that produced the agent's reasoning, and the tools the agent invoked along the way.

Provenance becomes regulatory-grade evidence under the EU AI Act, NIST AI RMF, and ISO 42001. It is also the basis of insurance and indemnification.

Why it matters in Hive

Hive's receipt envelope is the provenance object: agent identity, principal, model id, tool grant, input/output hashes, and dual signatures.

Agentic AI

Agent receipt

An agent receipt is the durable, dual-signed (Ed25519 + ML-DSA-65) record of a single agentic action — what was done, by which agent, on whose behalf, under what grant, with what input/output hashes, at what time. It is the unit of evidence in agent commerce.

Agent receipts are the audit-grade analog of credit-card receipts but with cryptographic non-repudiation and post-quantum durability.

Why it matters in Hive

Hive's product is the agent receipt rail. Every other primitive on the platform exists to issue, settle, or verify receipts.

Agentic AI

Agent settlement

Agent settlement is the transfer of value between agents to discharge an obligation created by a tool call or A2A transaction. It typically completes in a stablecoin on a low-fee L2 to keep agentic micro-payments economically viable.

Settlement is the financial counterpart of clearing: clearing matches, settlement moves the money.

Why it matters in Hive

Hive settles in USDC on Base (chain ID 8453), with receipt and settlement bound by a shared cert_id.

Agentic AI

Agent-to-Agent (A2A)

Agent-to-Agent commerce is the emerging pattern in which one agent (acting for one principal) transacts directly with another agent (acting for another principal) — buying, settling, filing, or authorizing — without a human in the loop for each transaction.

A2A requires three primitives that web commerce did not need: agent identity, machine-readable price/policy discovery, and post-quantum-durable receipts.

Why it matters in Hive

Hive's clearing rail is the first A2A-native settlement and receipt substrate. See /agent-to-agent-commerce and /a2a/ for the production surface.

Agentic AI

AgentCore (AWS)

Amazon Bedrock AgentCore is AWS's managed runtime for production agents (announced AWS re:Invent 2024 and re:Inforce 2025). It provides identity, memory, code-interpreter, browser, observability, and gateway services for agents.

AgentCore positions AWS as the cloud-native agent platform parallel to Anthropic's MCP-first approach.

Why it matters in Hive

Hive integrates with AgentCore as a receipt sink: AgentCore agents emit Hive receipts via an AgentCore Gateway tool.

Agentic AI

Agentic AI

Agentic AI is the design pattern in which an LLM-backed system plans multi-step actions, calls external tools, observes results, and revises its plan — operating with substantial autonomy between human checkpoints.

It contrasts with prompt-response chat (no autonomy) and pure RPA (no reasoning). Agentic systems are the locus of new operational, security, and audit risk because actions are taken without per-step human review.

Why it matters in Hive

Hive exists because agentic AI without a receipt rail is uninsurable. Every agentic action becomes auditable evidence at the moment of execution.

Agentic AI

Agentic broker

An agentic broker is a service that finds, prices, and selects tools or sub-agents for a calling agent — the intermediary that converts an abstract intent ('book my trip') into concrete tool calls across many providers.

Brokers are an emerging layer between agents and capabilities and are the natural locus of price-discovery, reliability scoring, and policy enforcement.

Why it matters in Hive

Hive's MCP gateway acts as an agentic broker for the verticals it covers, with policy and receipt-emission baked in.

Agentic AI

Agentic clearing

Agentic clearing is the matching, netting, and dispute-handling layer for agent-to-agent transactions. It is to agent commerce what DTCC is to securities and what NACHA is to ACH.

An agentic clearing agency provides finality (when is the trade done?), reversibility (can it be undone?), and dispute resolution (what if the parties disagree?).

Why it matters in Hive

Hive's Clearing Agency provides agentic clearing with PQ-durable receipts and on-chain settlement on Base.

Agentic AI

Agentic gateway

An agentic gateway is the policy and observability ingress for agent traffic — analogous to an API gateway, but with agent-aware concerns: tool-grant enforcement, prompt-injection inspection, model attestation, and receipt emission.

Major cloud vendors are converging on agent-gateway products (AWS AgentCore Gateway, Azure AI Gateway, Google Vertex AI Agent Builder).

Why it matters in Hive

Hive's MCP gateway is an agentic gateway: every tool call traverses policy, signs a receipt, and lands in the federated block log.

Compliance

ALCOA / ALCOA+ (data integrity)

ALCOA is the FDA-introduced acronym for data-integrity attributes: Attributable, Legible, Contemporaneous, Original, Accurate. ALCOA+ extends with Complete, Consistent, Enduring, Available.

These attributes are the evaluation criteria FDA and MHRA inspectors apply to electronic records under GxP regulations.

Why it matters in Hive

Hive receipts are attributable (agent identity), contemporaneous (validator-quorum timestamp), original (signed at source), and enduring (PQ signatures + on-chain anchor).

Financial Rails

Atomic settlement

Atomic settlement is the property that the legs of a transaction either all complete or all fail — no intermediate state where one party has paid but the other has not delivered. On-chain swaps and HTLC-mediated transfers are canonical atomic-settlement constructions.

Atomic settlement eliminates settlement risk (Herstatt risk) at the cost of requiring synchronous on-chain mechanisms.

Why it matters in Hive

Hive's clearing primitives default to atomic settlement for receipt-and-payment pairs that fit on Base 8453.

Agentic AI

AutoGen

AutoGen is Microsoft Research's framework for multi-agent conversations and orchestrated tool use. AutoGen Studio adds a low-code authoring surface.

AutoGen is the reference implementation behind several Microsoft Copilot agentic features.

Why it matters in Hive

Hive ships an AutoGen receipt-emission middleware so multi-agent dialogs produce a per-turn provenance chain.

Financial Rails

Base (Coinbase L2)

Base is Coinbase's Ethereum Layer-2 built on the OP Stack. It launched on mainnet in August 2023 and is one of the largest L2s by total value locked and daily transactions.

Base settlements finalize on Ethereum L1 with low gas costs and short user-perceived latency, making it the operational substrate for agent micropayments.

Why it matters in Hive

Hive uses Base 8453 as its on-chain settlement and federated-block-anchor layer.

Financial Rails

Base 8453 (chain ID)

8453 is the EVM chain ID of Base mainnet. Wallets, indexers, and contracts use the chain ID in EIP-155 signatures and EIP-712 typed-data signing to prevent cross-chain replay.

Receipts cited as 'Base 8453' refer specifically to Base mainnet, not Base Sepolia (chain ID 84532).

Why it matters in Hive

Every Hive settlement tx hash and every federated-block anchor lives on Base 8453.

Verticals

BES (Bulk Electric System)

The Bulk Electric System, defined by NERC, is generally transmission elements operated at 100 kV or higher and real and reactive power resources connected at that voltage, with specific inclusions and exclusions in the NERC Glossary.

BES Cyber Systems — those whose loss or compromise would adversely affect the reliable operation of the BES within 15 minutes — are the primary scope of NERC CIP standards.

Why it matters in Hive

Hive's grid-vertical receipts are explicitly designed to be admissible evidence for events touching BES Cyber Systems and their EACMS.

Cryptography

BLAKE3

BLAKE3 is a fast cryptographic hash function based on the Bao tree mode and a reduced-round BLAKE2 compression function. It supports parallel hashing, keyed hashing, and key derivation in a single primitive.

BLAKE3 is faster than SHA-256 by 5-10x on modern CPUs and is widely used in content-addressable storage and zero-knowledge prover toolchains, though it is not yet a NIST-approved hash.

Why it matters in Hive

Hive uses BLAKE3 internally for high-throughput content addressing of intermediate artifacts; canonical receipts always carry SHA-256 for FIPS-aligned interop.

Related: SHA-256

Compliance

BSA/AML

The Bank Secrecy Act (1970) and Anti-Money Laundering regulations (FinCEN, OCC, FRB) impose customer due diligence, suspicious activity reporting, currency transaction reporting, and program requirements on covered financial institutions.

BSA/AML is the cornerstone US framework for combating money laundering and terrorist financing.

Why it matters in Hive

Hive's KYC/KYB-adjacent receipts integrate with customer-side BSA/AML evidence stores.

Compliance

C2PA (Coalition for Content Provenance)

The Coalition for Content Provenance and Authenticity (C2PA) is the cross-industry consortium publishing the C2PA technical specification for content credentials — cryptographically-signed provenance manifests embedded in media files.

C2PA 2.x is widely adopted by Adobe, Microsoft, Sony, OpenAI, Google, and the BBC. It is the substrate for Article-50 transparency disclosures of synthetic media.

Why it matters in Hive

Hive emits C2PA-compatible content credentials from agent flows that produce media artifacts, and binds the C2PA manifest hash into the Hive receipt.

Verticals

CASB (Cloud Access Security Broker)

A Cloud Access Security Broker is the policy-enforcement point between cloud-service consumers and cloud applications. CASBs deliver visibility, compliance, threat protection, and data security across SaaS — typically via API integration, forward proxy, or reverse proxy.

Originally a standalone category coined by Gartner in 2012, CASB capabilities are now increasingly subsumed into SSE platforms.

Why it matters in Hive

Hive's CASB-vertical receipts produce per-event evidence — sanctioned and unsanctioned-app activity alike — bound to the principal who acted and to the policy that fired.

Hive Primitives

Cert / cert_id

A cert is the durable identifier of a Hive certified action — a tool grant, a clearing match, a settlement, a viewkey share. The cert_id is its UUID-like primary key, used to thread receipts, settlements, and disputes together.

Cert IDs are globally unique, immutable once issued, and survive the lifecycle of the underlying object.

Why it matters in Hive

Every Hive receipt cites its cert_id; downstream evidence (settlement tx, dispute filing, audit pull) all index by cert_id.

Hive Primitives

Clearing Agency

The Hive Clearing Agency is the matching, netting, and dispute-handling primitive for agent-to-agent transactions. It is the first agentic-clearing surface to ship in production and is documented at /clearing-agency.

The Clearing Agency operates over receipts: it accepts receipt envelopes as input, matches them, and produces clearing receipts as output. Disputes follow a published procedure with HKTN-tiered arbitration.

Why it matters in Hive

Customers needing finality and dispute handling for A2A flows route through the Clearing Agency.

Compliance

CMMC L2

Cybersecurity Maturity Model Certification Level 2 is the DOD's certification level for contractors handling Controlled Unclassified Information. CMMC 2.0 was finalized in 32 CFR Part 170 in October 2024 with phased implementation in DOD contracts beginning 2025.

L2 maps directly to the 110 controls of NIST SP 800-171 and requires third-party assessment by a certified C3PAO for most contracts.

Why it matters in Hive

Hive provides receipt evidence for the audit-and-accountability practice family of CMMC L2.

Compliance

CMS-0057-F (prior auth)

CMS-0057-F (the CMS Interoperability and Prior Authorization Final Rule, January 2024) imposes timeframes (72 hours urgent / 7 calendar days standard) on prior-authorization decisions by covered payers and requires API-based prior-auth, patient-access, provider-access, and payer-to-payer data exchange beginning January 2027.

It is the most consequential payer-side interoperability rule of the decade.

Why it matters in Hive

Hive's healthcare vertical produces prior-auth API receipts that satisfy the rule's API-call evidence requirements.

Agentic AI

CrewAI

CrewAI is a Python framework for orchestrating multi-agent 'crews' with role-based agents and shared tools. It models hierarchical and sequential collaboration patterns natively.

CrewAI is popular for back-office automation and SDR/marketing pipelines.

Why it matters in Hive

Hive's CrewAI integration wraps the crew's tool registry so every tool call emits a receipt regardless of which crew member invoked it.

Cryptography PQ

Cryptographic agility

Cryptographic agility is the design property of a system to swap underlying primitives — hashes, KEMs, signatures, AEADs — without breaking deployed callers. Agility requires algorithm identifiers in every signed object, version-negotiation in every protocol, and clear deprecation telemetry.

NIST SP 800-131A and NIST IR 8547 explicitly call for crypto-agile architectures so that 2030/2035 transitions are operationally feasible.

Why it matters in Hive

Every Hive receipt carries an algorithm-identifier preamble and a primitive-version field; we can roll new PQ primitives without re-issuing old receipts.

Verticals

DER (Distributed Energy Resource)

A Distributed Energy Resource is any small-scale generation, storage, or controllable load located on the distribution grid — rooftop solar, battery storage, EV chargers, demand-response loads.

DERs are increasingly aggregated into Virtual Power Plants and bid into wholesale electricity markets under FERC Order 2222.

Why it matters in Hive

Hive's grid-vertical receipts attach to every DER dispatch decision — what was curtailed, what was discharged, by which aggregator, with what telemetry — so ISO/RTO settlement disputes resolve in minutes instead of months.

Identity

did:hive (method)

did:hive is Hive's W3C DID method. It resolves to a DID Document containing the principal's Ed25519 and ML-DSA-65 public keys, service endpoints (MCP, A2A, settlement), and the Passport binding.

The method specification is published in /specs/did-hive/v1/. Resolution is via the Hive resolver and is independently verifiable against the federated block log.

Why it matters in Hive

Every Hive principal — agent, institution, validator — has a did:hive identifier as its canonical name.

Identity

did:key

did:key is a self-contained DID method whose identifier encodes the public key directly via multibase. There is no resolver; the DID is its own DID Document. Defined under W3C CCG and aligned with RFC 8410 multibase / multicodec conventions.

did:key is ideal for ephemeral agent identities and offline scenarios where no resolver is available.

Why it matters in Hive

Hive accepts did:key for agent identities that do not need long-lived rotation; production institutional accounts use did:hive.
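
The did:key encoding described above, as an added example (not Hive's code): an Ed25519 public key is prefixed with its multicodec code (0xed, varint-encoded as the bytes ed 01), base58btc-encoded, and tagged with the multibase prefix z. The decoder accepts only that one key type and rejects everything else; the function names are this example's own.

```python
# Added example: strict did:key encode/decode for Ed25519 public keys.
# Standard library only; nothing here is taken from a Hive code base.

_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
ED25519_PUB = 0xED       # multicodec code for an Ed25519 public key
ED25519_KEY_LEN = 32     # raw Ed25519 public keys are 32 bytes


def b58encode(data: bytes) -> str:
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, rem = divmod(n, 58)
        out = _B58[rem] + out
    pad = len(data) - len(data.lstrip(b"\x00"))   # leading zero bytes -> '1'
    return "1" * pad + out


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        idx = _B58.find(ch)
        if idx < 0:
            raise ValueError(f"invalid base58 character {ch!r}")
        n = n * 58 + idx
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")


def write_varint(value: int) -> bytes:
    """Encode an unsigned integer as a multicodec (LEB128) varint."""
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def read_varint(buf: bytes):
    """Decode a varint; return (value, bytes_consumed). Rejects padded forms."""
    value = 0
    for i, byte in enumerate(buf[:9]):
        value |= (byte & 0x7F) << (7 * i)
        if not byte & 0x80:
            if i > 0 and byte == 0:
                raise ValueError("non-minimal varint")
            return value, i + 1
    raise ValueError("unterminated varint")


def encode_did_key(public_key: bytes) -> str:
    if len(public_key) != ED25519_KEY_LEN:
        raise ValueError("Ed25519 public key must be 32 bytes")
    return "did:key:z" + b58encode(write_varint(ED25519_PUB) + public_key)


def decode_did_key(did: str) -> bytes:
    """Return the raw Ed25519 public key, or raise ValueError."""
    prefix = "did:key:"
    if not did.startswith(prefix):
        raise ValueError("not a did:key identifier")
    multibase = did[len(prefix):]
    if not multibase.startswith("z"):
        raise ValueError("only base58btc ('z') multibase is accepted")
    raw = b58decode(multibase[1:])
    code, used = read_varint(raw)
    if code != ED25519_PUB:
        # Allow-list the key type: never guess an algorithm from key length.
        raise ValueError(f"unsupported multicodec 0x{code:x}")
    key = raw[used:]
    if len(key) != ED25519_KEY_LEN:
        raise ValueError("wrong key length for Ed25519")
    return key


if __name__ == "__main__":
    sample_key = bytes(range(32))      # constructed sample, not a real key
    did = encode_did_key(sample_key)
    print(did)
    print(decode_did_key(did).hex())
```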

Identity

did:web

did:web is a DID method that resolves to a DID Document hosted at a well-known URL on a domain (e.g. did:web:example.com → https://example.com/.well-known/did.json). It binds DID identity to DNS-and-HTTPS trust.

did:web is widely supported and convenient for institutional principals that already control a domain.

Why it matters in Hive

Hive customers may bind a did:web identifier to their Passport for legacy interop with non-Hive verifiers.
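
The did:web-to-URL mapping above, as an added example (not Hive's resolver): colons in the identifier become path separators, a percent-encoded colon in the first component carries a port, and an identifier with no path resolves under /.well-known/. The host pattern, which excludes IP literals and single-label names such as localhost, and the restricted path alphabet are this example's own hardening choices, stricter than the mapping itself requires.

```python
# Added example: map a did:web identifier to its HTTPS document URL and
# check that a fetched document really belongs to that identifier.
import re
from urllib.parse import unquote

_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_TLD = r"[a-z][a-z0-9-]{0,61}[a-z0-9]"           # must start with a letter
_HOST_RE = re.compile(rf"(?:{_LABEL}\.)+{_TLD}")  # dotted DNS names only
_SEGMENT_RE = re.compile(r"[A-Za-z0-9._-]+")
_PORT_RE = re.compile(r"[0-9]{1,5}")


def did_web_to_url(did: str) -> str:
    """Return the https:// URL of the DID Document, or raise ValueError."""
    prefix = "did:web:"
    if not did.startswith(prefix):
        raise ValueError("not a did:web identifier")
    parts = did[len(prefix):].split(":")

    # Only the first component is percent-decoded (for the port colon).
    host, has_port, port = unquote(parts[0]).lower().partition(":")
    if len(host) > 253 or not _HOST_RE.fullmatch(host):
        # Also catches '/', '@', whitespace, IP literals and 'localhost'.
        raise ValueError("host is not an acceptable DNS name")
    if has_port:
        if not _PORT_RE.fullmatch(port) or not 0 < int(port) < 65536:
            raise ValueError("invalid port")

    segments = parts[1:]
    for seg in segments:
        # Empty, dot and dot-dot segments would let the identifier walk
        # the origin's path tree; percent-escapes are refused outright.
        if seg in (".", "..") or not _SEGMENT_RE.fullmatch(seg):
            raise ValueError(f"invalid path segment {seg!r}")

    authority = host + (":" + port if has_port else "")
    path = "/".join(segments) + "/did.json" if segments else ".well-known/did.json"
    return f"https://{authority}/{path}"      # HTTPS only, never http://


def document_matches_did(did: str, document) -> bool:
    """A fetched DID Document is usable only if its id is the DID asked for."""
    return isinstance(document, dict) and document.get("id") == did


if __name__ == "__main__":
    for sample in ("did:web:example.com",
                   "did:web:example.com:agents:alice",
                   "did:web:example.com%3A3000"):
        print(sample, "->", did_web_to_url(sample))
```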

Cryptography PQ

Dilithium

CRYSTALS-Dilithium is the round-3 NIST PQC finalist that was selected and standardized as ML-DSA in FIPS 204. The name 'Dilithium' refers to the original submission; 'ML-DSA' refers to the standardized form, which differs in minor encoding and domain-separation details.

Most legacy code, papers, and benchmarks before 2024 use 'Dilithium'. New code should target the FIPS 204 ML-DSA wire format directly.

Why it matters in Hive

Hive's earliest internal builds used reference Dilithium implementations; production has tracked the ML-DSA standard since FIPS 204 final.

Cryptography

Distributed key generation (DKG)

Distributed key generation is a protocol by which N parties jointly generate a public key whose corresponding secret key exists only as a sharing across the parties. No single party ever sees the full secret.

DKG is the bootstrap phase of any threshold-signature deployment. Modern verifiable DKG protocols (Pedersen-VSS, Gennaro-Jarecki-Krawczyk-Rabin) ensure dishonest participants are detected.

Why it matters in Hive

The Hive validator set generates its anchor keys through a DKG ceremony with witness attestations published to the federated block log.

Verticals

DLP (Data Loss Prevention)

Data Loss Prevention is the discipline and toolset for detecting and preventing exfiltration of sensitive data — by content inspection, contextual rules, and user-behavior signals — across endpoints, networks, and SaaS.

Modern DLP is increasingly cloud-delivered as part of SASE/SSE platforms (Netskope, Palo Alto, Microsoft Purview).

Why it matters in Hive

Hive's DLP-vertical receipts attach to every blocked, allowed-with-justification, or quarantined event so customers can defend their decisions to a regulator.

Compliance

DORA (EU)

Regulation (EU) 2022/2554, the Digital Operational Resilience Act, applies to financial entities in the EU and their critical ICT third-party providers. It became applicable January 17, 2025.

DORA imposes ICT risk management, incident reporting, resilience testing, third-party-risk, and information-sharing requirements on banks, insurers, investment firms, crypto-asset service providers, and others.

Why it matters in Hive

Hive's clearing-agency surface and receipt rail provide the auditable third-party-risk evidence DORA Article 28 demands.

Hive Primitives PQ

Dual-signed receipt

A dual-signed receipt carries two independent signatures over the same canonicalized payload: a classical Ed25519 signature for today's verifiers and an ML-DSA-65 post-quantum signature for tomorrow's. A break in either does not invalidate the receipt.

Dual-signing is the default for all production Hive receipts. Customers with elevated PQ posture can drop the classical half by policy.

Why it matters in Hive

Dual signatures are why Hive receipts will still verify after the NIST 2035 disallowance and after Q-Day.

Verticals

EACMS (Electronic Access Control or Monitoring System, NERC)

An Electronic Access Control or Monitoring System, in NERC CIP terminology, is a Cyber Asset that performs electronic access control or monitoring of an Electronic Security Perimeter or BES Cyber System — for example, a jump server, MFA gateway, or IDS.

EACMS are themselves subject to CIP requirements including patch management, configuration change management, and security event monitoring.

Why it matters in Hive

Hive can attest the operational state of an EACMS — patches applied, configurations baselined, alerts triaged — into receipts that survive the tool's eventual replacement.

Cryptography

Ed25519

Ed25519 is an EdDSA digital-signature scheme over the twisted Edwards curve edwards25519, producing 64-byte signatures from a 32-byte secret key with deterministic nonce generation. It was designed by Daniel J. Bernstein and collaborators and standardized by the IETF as RFC 8032.

Ed25519 is fast, side-channel resistant relative to legacy curves, and ubiquitous across SSH, TLS 1.3, X.509 chains, GnuPG, and modern token formats. It remains classically secure but is broken by a sufficiently large quantum computer running Shor's algorithm.

Why it matters in Hive

Hive issues every receipt with a hybrid Ed25519 + ML-DSA-65 signature so today's verifiers can validate the classical half while the post-quantum half remains valid past the NIST 2030 deprecation and 2035 disallowance milestones.

Financial Rails

Embedded rail

An embedded rail is a settlement and receipt path that lives inside the application protocol (e.g. inside the HTTP exchange, inside the MCP tool call) rather than as a separate billing system. x402 is the canonical embedded rail.

Embedded rails eliminate out-of-band invoicing for agentic micro-payments and align the unit of work with the unit of receipt.

Why it matters in Hive

Hive's MCP gateway exposes embedded rails for every tool: pay, get the result, get the receipt, all inside one call.

Financial Rails

ERC-20

ERC-20 is the Ethereum token standard (EIP-20) defining a common interface for fungible tokens: balanceOf, transfer, approve, allowance, transferFrom. It is supported on every EVM-compatible chain including Base 8453.

USDC and most stablecoins are ERC-20 tokens.

Why it matters in Hive

Hive's USDC settlement uses standard ERC-20 transferFrom semantics; nothing exotic.

Verticals

ESI (Electronically Stored Information)

Electronically Stored Information is the federal-rules term for any information created, manipulated, communicated, stored, or rendered electronically — emails, documents, databases, chat logs, voicemails, sensor data, blockchain records — that is discoverable in litigation under FRCP 26 and 34.

FRE 902(13) and 902(14), added by the 2017 amendments, allow self-authentication of certain electronic records by certification, reducing the burden of producing custodians at trial.

Why it matters in Hive

Hive receipts are designed to qualify under FRE 902(13)/(14) self-authentication — the ML-DSA-65 signature and the federated-block hash are the certification.

Verticals

ESP (Electronic Security Perimeter, NERC)

Under NERC CIP-005-7, an Electronic Security Perimeter is the logical border surrounding a network to which BES Cyber Systems are connected, using a routable protocol. Identifying and protecting the ESP is a foundational requirement of NERC CIP compliance.

ESPs must have access controls, monitoring, and dial-up authentication where applicable.

Why it matters in Hive

Hive receipts can serve as the cryptographic evidence chain for ESP access events — every authorization, every session, every command — so a NERC CIP audit no longer depends on log integrity alone.

Compliance

EU AI Act (Reg 2024/1689)

Regulation (EU) 2024/1689, the European Union Artificial Intelligence Act, is the world's first comprehensive horizontal regulation of AI systems. It entered into force August 1, 2024, with phased application: prohibited-AI bans applied February 2, 2025; GPAI obligations August 2, 2025; high-risk obligations August 2, 2026.

The Act classifies AI systems by risk (prohibited, high-risk, limited-risk, minimal-risk) and imposes obligations on providers, deployers, importers, and distributors. Penalties scale to the higher of a fixed amount or a percentage of worldwide annual turnover (up to 7% for prohibited-AI infringements).

Why it matters in Hive

Hive's transparency and audit-evidence posture is engineered to satisfy Articles 13, 14, 50, 60, and 99 of the AI Act for high-risk and GPAI deployments.

Compliance

EU AI Act Article 50 (transparency)

Article 50 of Regulation (EU) 2024/1689 imposes transparency obligations on providers and deployers of certain AI systems: users must be informed they are interacting with an AI; synthetic media must be marked as such; emotion-recognition and biometric-categorization deployers must disclose; deepfakes must be labeled (with narrow artistic and law-enforcement exceptions).

Article 50 applies independently of risk classification and takes effect August 2, 2026 alongside the high-risk obligations.

Why it matters in Hive

Hive receipts include an Article-50-aligned disclosure block: model id, agent identity, principal binding, and (for synthetic outputs) a C2PA-compatible content credential.

Compliance

EU AI Act Article 99 (penalties)

Article 99 sets the penalty regime: up to €35M or 7% of global turnover for prohibited-AI infringements; up to €15M or 3% for non-compliance with most other obligations; up to €7.5M or 1% for supplying incorrect information to authorities. SMEs face the lower of the two figures; everyone else faces the higher.

National competent authorities enforce; the AI Board and the AI Office coordinate cross-border cases.

Why it matters in Hive

Hive's evidence rail materially reduces a defendant's exposure under Art. 99 by producing the receipts a market-surveillance authority asks for in any post-incident inquiry.

Compliance

EU Annex 11 (computerized systems)

EU GMP Annex 11 is the EudraLex Volume 4 annex governing computerised systems used in regulated medicinal-product manufacturing. It covers risk management, validation, data integrity, audit trails, electronic signatures, and incident management.

Annex 11 is the EU counterpart to FDA 21 CFR Part 11 and is in active revision (Concept Paper 2022; revised draft expected to be issued by EMA).

Why it matters in Hive

Hive's GxP receipt profile satisfies Annex 11 §9 (audit trails) and §14 (electronic signatures) by default.

Compliance

FATF Recommendation 10

FATF Recommendation 10 sets the global standard for customer due diligence. It requires identifying and verifying customers, beneficial owners, and the purpose and nature of the business relationship, with risk-based ongoing monitoring.

Recommendation 10 is the source of national CDD/KYC requirements across FATF member jurisdictions.

Why it matters in Hive

Hive's KYC/KYB receipts are structured around the data points Recommendation 10 expects to be verified.

Hive Primitives PQ

Federated block

A Hive federated block is a batch of receipt envelopes accumulated by the validator quorum over a fixed interval (typically minutes) and committed with a quorum signature. The block hash anchors all included receipts.

Federated blocks are not a public blockchain; they are an append-only log signed by the named validator set, with the latest block hash anchored to Base 8453 for external timestamping.

Why it matters in Hive

Federated blocks give Hive auditable batch finality without burning the energy or paying the gas of a full blockchain.

Hive Primitives PQ

Federated block hash

The federated block hash is the SHA-256 commitment of the block contents and the validator-quorum signature. It is the durable identifier of the block and the basis of any inclusion proof for an individual receipt.

The latest block hash is anchored to Base 8453 in a deterministic on-chain transaction so external observers can verify timestamps without trusting the validator set alone.

Why it matters in Hive

Citing a receipt by federated-block hash plus inclusion proof is the strongest available offline-re-verifiable claim on Hive.

Compliance

FedRAMP (Moderate / High)

The Federal Risk and Authorization Management Program is the US federal cloud-security authorization program. Moderate baseline: most CUI-relevant systems. High baseline: systems where loss of confidentiality, integrity, or availability would have severe or catastrophic adverse effect.

FedRAMP Rev. 5 (May 2023) aligned baselines to NIST SP 800-53 Rev. 5.

Why it matters in Hive

Hive's roadmap targets FedRAMP Moderate authorization with receipt-evidence support for High-baseline customer programs.

Compliance

FERC Order 2222 (DER aggregation)

FERC Order 2222 (September 2020) requires regional transmission organizations and independent system operators to allow aggregations of distributed energy resources to participate in wholesale electricity markets.

Implementation has been phased across MISO, CAISO, ISO-NE, NYISO, PJM, and SPP through 2024-2026.

Why it matters in Hive

Hive's grid vertical produces aggregator-side evidence aligned with Order 2222 telemetry and settlement obligations.

Compliance

FINRA 3110 (supervision)

FINRA Rule 3110 is the supervision rule for FINRA-member broker-dealers. It requires written supervisory procedures, designated principals, transaction and correspondence review, and an annual compliance meeting.

Rule 3110 sits at the heart of broker-dealer compliance and is the typical driver of communications-surveillance and trade-supervision tooling.

Why it matters in Hive

Hive's broker-dealer surface produces supervisory receipts that bind reviewer identity, reviewed item, and reviewer disposition into a single signed object.

Compliance

FRE 902(13) / 902(14) (self-authenticating digital records)

Federal Rules of Evidence 902(13) and 902(14), effective December 2017, establish self-authenticating categories for certified records of electronically-stored information (902(13)) and certified data copied from electronic devices (902(14)).

A qualified person's certification under penalty of perjury substitutes for live foundational testimony at trial. A signed cryptographic record (with hash chain) is the canonical 902(14) artifact.

Why it matters in Hive

Hive receipts are 902(13)/902(14)-friendly out of the box: SHA-256 content hashes, signed certifications, and a verifiable chain of custody.

Cryptography

Frost / TSS

FROST (Flexible Round-Optimized Schnorr Threshold signatures) is a threshold-Schnorr/Ed25519 signature scheme that produces signatures indistinguishable from a normal single-key signature. TSS (Threshold Signature Scheme) is the umbrella term.

FROST is in IETF draft (CFRG) and is the most production-ready threshold scheme for Ed25519-style signatures.

Why it matters in Hive

Hive validator quorums use FROST-style threshold signing for Ed25519 anchors and emerging ML-DSA threshold variants for the PQ half.

Compliance

GDPR

Regulation (EU) 2016/679, the General Data Protection Regulation, is the EU's omnibus privacy regulation. It applies to processing of personal data of EU/EEA data subjects and imposes lawful-basis, transparency, data-subject-rights, security, and breach-notification obligations on controllers and processors.

Penalties reach the higher of €20M or 4% of global turnover for the most serious infringements.

Why it matters in Hive

Hive supports GDPR Articles 5(1)(f) (integrity & confidentiality), 30 (records of processing), and 33 (breach notification) by producing signed evidence of every relevant operation.

Verticals

GRC (Governance, Risk, Compliance)

Governance, Risk, and Compliance is the umbrella discipline aligning corporate strategy, regulatory obligations, and operational risk management. GRC tools maintain control libraries, run assessments, manage policies, and produce evidence for audits.

Major platforms include Archer, ServiceNow GRC, OneTrust, Drata, Vanta, and AuditBoard.

Why it matters in Hive

Hive plugs into GRC platforms as the evidence layer — every control test, every exception, every approval becomes a Hive receipt that survives staff turnover and tool migrations.

Cryptography PQ

Grover's algorithm

Grover's 1996 algorithm provides a quadratic speedup for unstructured search on a quantum computer. Applied to symmetric cryptography, it halves the effective key-search security of a primitive: AES-128 effectively offers 64-bit security against Grover, AES-256 offers 128-bit.

Doubling key sizes (AES-256, SHA-384/512) restores classical security margins. Grover is therefore not the architectural threat that Shor is.

Why it matters in Hive

Hive's symmetric path uses AES-256-GCM and SHA-256/SHA-3-256; doubled key sizes mean Grover does not change our deployment posture.

Compliance

GxP (umbrella)

GxP is the umbrella term for the family of FDA and international regulations governing manufacturing and clinical practice in pharmaceutical and medical-device industries: GMP (manufacturing), GLP (laboratory), GCP (clinical), GDP (distribution), GVP (pharmacovigilance), and others.

GxP-relevant electronic records are subject to 21 CFR Part 11 (US) and EU GMP Annex 11 (EU).

Why it matters in Hive

Hive's pharma vertical produces GxP-grade receipts: validated, audit-trailed, and bound to the principal who signed.

Cryptography PQ

Harvest-now-decrypt-later

Harvest-now-decrypt-later (HNDL) is the threat model in which an adversary records classically-encrypted ciphertext today and decrypts it after Q-Day using a CRQC. It is the chief justification for migrating long-confidentiality data to PQ KEMs immediately.

Data with confidentiality requirements that exceed Y2Q (medical records, sealed legal pleadings, intelligence cables, IP licenses) must be PQ-encapsulated today regardless of when Q-Day arrives.

Why it matters in Hive

Hive viewkey grants and clearing-agency envelopes are PQ-encapsulated from issuance so that any captured ciphertext is HNDL-resistant.

Compliance

HIPAA / HITECH

The Health Insurance Portability and Accountability Act (1996) and the HITECH Act (2009) define US federal privacy and security obligations for protected health information (PHI). The Security Rule (45 CFR Part 164 Subpart C) and the Privacy Rule (45 CFR Part 164 Subpart E) are the operative regulations.

HITECH added breach-notification requirements and meaningful-use incentives for electronic health records.

Why it matters in Hive

Hive's hipaa-hive vertical produces receipts engineered to support the Security Rule's audit-control (§164.312(b)) and integrity (§164.312(c)) requirements.

Compliance

HITRUST CSF

The HITRUST Common Security Framework is a certifiable controls framework that integrates HIPAA, HITECH, NIST, ISO 27001, PCI DSS, and others into a single assessable bundle. HITRUST e1, i1, and r2 are the three certification levels.

HITRUST is widely required by US health-payer and health-system procurement.

Why it matters in Hive

Hive maps controls to HITRUST CSF v11 so health-vertical customers can include Hive receipts in their certification evidence.

Hive Primitives

Hive Civilization, Inc.

Hive Civilization, Inc. is the Wyoming, USA legal entity that operates the Hive platform. All commercial agreements, IP assignments, and receipt issuance are made by Hive Civilization, Inc.

The legal name appears on every contract, EULA, and security disclosure.

Why it matters in Hive

All Hive product surfaces are operated by this entity; the company name is the legal authority behind every receipt.

Hive Primitives

Hive Passport

Hive Passport is the customer's identity and capability bundle on the platform: a did:hive identifier, the associated public keys, the active tool grants, the institutional-account binding (if any), and the receipt history.

Passport is the customer surface; the substrate beneath is the Wave Lattice and the federated block log.

Why it matters in Hive

Customers and agents present their Hive Passport to access any Hive product surface.

Hive Primitives

Hive Pulse

Hive Pulse is the live operational dashboard at /pulse showing real-time platform telemetry: receipts issued, federated blocks committed, settlement volume on Base 8453, validator-quorum health, and incident status.

Pulse is the customer- and regulator-facing system-of-record for platform liveness.

Why it matters in Hive

Pulse is the page customers screenshot when they need to show a regulator that the rail is up and producing receipts.

Financial Rails

Hive treasury address: 0x15184Bf50B3d3F52b60434f8942b7D52F2eB436E

0x15184Bf50B3d3F52b60434f8942b7D52F2eB436E is the on-chain Hive treasury address on Base 8453. All platform fees, receipt fees, and activation deposits route to this address; disbursements (rebates, refunds) originate from it.

The address is multisig-controlled with quorum policies documented in the platform trust surface.

Why it matters in Hive

Anyone can verify Hive's on-chain economics directly on Basescan; the address is a published constant.

Cryptography

HKDF

HKDF is the HMAC-based Extract-and-Expand Key Derivation Function defined in RFC 5869. It takes a high-entropy but non-uniform input keying material and produces one or more cryptographically-strong output keys.

HKDF separates extraction (compress entropy) from expansion (stretch into N keys with domain separation labels). It is the canonical KDF in TLS 1.3, Signal, Noise, and most modern PQ-hybrid handshakes.

Why it matters in Hive

Hive derives session, viewkey, and receipt-envelope keys through HKDF-SHA-256 with strict per-context info strings.

Hive Primitives

HKTN (Hive Token / Hive Persistent Identity)

HKTN is the Hive persistent-identity token. It is not a tradeable asset; it is a non-transferable credential bound to a Passport and used for tier accounting, witness attestations, and access to advanced clearing primitives.

HKTNs come in three tiers: Charter (founding institutional accounts), Earned (issued through receipt volume and witness participation), and Direct (granted by Hive treasury for documented contributions).

Why it matters in Hive

HKTNs gate access to the deepest customer surfaces — direct settlement, dispute arbitration, validator participation.

Hive Primitives

HKTN tier (charter / earned / direct)

Charter tier: the founding institutional accounts. Earned tier: institutions that accumulate receipt volume and witness participation past defined thresholds. Direct tier: discretionary issuance by Hive Civilization for documented platform contributions (specs, integrations, validator operations).

Tiers are observable on the Hive trust surface and govern access to dispute-arbitration seats and validator-quorum eligibility.

Why it matters in Hive

Tier metadata is public and signed; verifiers can confirm the tier of any HKTN-bearing principal without trusting Hive's word.

Cryptography

HMAC-SHA256

HMAC-SHA256 is the keyed message-authentication code combining HMAC (RFC 2104) with SHA-256. It produces 32-byte tags and is the workhorse symmetric authenticator across TLS, JWT, AWS SigV4, and most API signing schemes.

It remains classically and quantum secure (Grover's algorithm only halves the effective security of a hash). Doubled key length restores full security against Grover.

Why it matters in Hive

Hive uses HMAC-SHA256 inside HKDF and for short-lived API request signatures where the verifier already shares a symmetric key.

Cryptography PQ

Hybrid signature

A hybrid signature combines a classical signature (Ed25519, ECDSA) with a post-quantum signature (ML-DSA-65) over the same payload. Verifiers may require both to validate, or accept either.

Hybrid is the recommended migration form during 2024-2035: today's verifiers can use the classical half, future verifiers can use the PQ half, and a break in either does not invalidate the artifact.

Why it matters in Hive

Every Hive receipt is hybrid-signed Ed25519 + ML-DSA-65 by default. Customers may downgrade to PQ-only by policy.

Hive Primitives

IA (Institutional Account)

An Institutional Account is the top-level Hive principal for an enterprise customer: a legal-entity binding, a charter or earned HKTN, a primary did:hive identifier, and the root viewkey for the institution's zone.

All of an institution's agents, sub-principals, and tool grants chain back to its IA.

Why it matters in Hive

Enterprises onboard as IAs; their agents inherit policy and receipt-routing from the IA.

Compliance

IEC 61850 (substation comms)

IEC 61850 is the international standard for substation automation communication. It defines the Manufacturing Message Specification (MMS), Generic Object-Oriented Substation Event (GOOSE), and Sampled Values (SV) message profiles.

IEC 61850 is the de-facto substation protocol family worldwide and is the natural locus of grid-edge agentic-control receipts.

Why it matters in Hive

Hive's Tesla Megapack and substation MCP integrations use IEC 61850 GOOSE/MMS framing as the substrate over which Hive receipts are emitted.

Compliance

IEC 62351 (power systems security)

IEC 62351 is the international standard series for security in power-systems communications. It covers authentication, encryption, key management, and access control for IEC 61850 (substation), IEC 60870-5 (telecontrol), and DNP3 protocols.

Parts 3-9 are the most operationally relevant for substation and telecontrol deployments.

Why it matters in Hive

Hive's grid vertical embeds IEC 62351 message-authentication evidence into per-message receipts where the underlying protocol supports it.

Compliance

ISO 27001:2022

ISO/IEC 27001:2022 is the international standard for information security management systems (ISMS). It specifies requirements and Annex A controls (93 controls grouped into Organizational, People, Physical, Technological).

ISO 27001:2022 superseded the 2013 edition; transition deadlines for re-certification ran through 2025.

Why it matters in Hive

Hive's internal controls are organized against the Annex A control set; customer-facing evidence is delivered via signed Hive receipts where the underlying control event has one.

Compliance

ISO 42001 (AI management)

ISO/IEC 42001:2023 is the international management-system standard for artificial intelligence. It specifies requirements for an AI management system (AIMS): policy, governance, risk treatment, lifecycle management, and continual improvement.

ISO 42001 is the AI counterpart of ISO 27001 (information security) and ISO 9001 (quality). Certification is offered by major accredited bodies.

Why it matters in Hive

Hive customers pursuing ISO 42001 certification use Hive receipts as the durable evidence underlying their AIMS controls.

Compliance

KYB (Know Your Business)

Know Your Business is KYC applied to legal-entity customers: corporate-registration verification, beneficial-ownership identification (FinCEN CTA, EU UBO registers), and sanctions screening at the entity and ownership levels.

KYB is operationally heavier than KYC: layered ownership, opaque jurisdictions, and sanctions ownership rules (OFAC 50% Rule) make automation hard.

Why it matters in Hive

Hive's KYB vertical produces structured ownership-graph receipts plus the screening evidence at every layer.

Cryptography PQ

Kyber

CRYSTALS-Kyber is the round-3 NIST PQC finalist selected for standardization as ML-KEM in FIPS 203. As with Dilithium → ML-DSA, 'Kyber' is the original submission name and 'ML-KEM' is the standardized form.

Kyber's design has been publicly reviewed since 2017 and is supported in OpenSSL 3.5, BoringSSL, liboqs, and major HSM vendors.

Why it matters in Hive

Hive transports use ML-KEM-768; legacy interop targets accept the equivalent Kyber-768 wire format.

Compliance

KYC (Know Your Customer)

Know Your Customer is the umbrella term for the customer due-diligence practices required by BSA/AML, FATF R.10, and equivalent regimes worldwide. KYC includes identity verification, beneficial-ownership identification, sanctions screening, and ongoing monitoring.

Modern KYC is increasingly receipt-bearing: identity-proofing vendors emit signed attestations that downstream covered entities reuse.

Why it matters in Hive

Hive's identity vertical produces KYC receipts that downstream institutions can accept under their own program — proof of who, when, and against what evidence.

Agentic AI

LangChain

LangChain is an open-source framework (Python and TypeScript) for composing LLM applications with chains, agents, retrievers, and tools. It pioneered much of the standard agent vocabulary (chain, agent, tool, retriever).

LangChain is widely used in prototype and mid-stage production. It is one of several agent frameworks (alongside LlamaIndex, Haystack, Semantic Kernel) competing for the orchestration layer.

Why it matters in Hive

Hive provides a LangChain ToolKit that emits a Hive receipt on every tool execution, so LangChain agents become receipt-bearing without code changes to the agent logic.

Agentic AI

LangGraph

LangGraph is the LangChain team's stateful graph orchestration library for agent workflows. It models agent runs as state machines with explicit nodes, edges, and human-in-the-loop checkpoints.

LangGraph is now the recommended LangChain primitive for any non-trivial agent — chain-of-tools, plan-and-execute, supervisor patterns.

Why it matters in Hive

Hive's LangGraph callback emits a receipt at every checkpoint transition so the audit log mirrors the state-machine path.

Related: LangChain

Hive Primitives PQ

Lattice axes (lattice / cosmic / societal)

The Wave Lattice partitions its 16 entropy and consensus axes into three families. Lattice axes: cryptographic-lattice randomness drawn from the ML-KEM/ML-DSA primitive state. Cosmic axes: cosmic-ray, atmospheric-noise, and other non-terrestrial entropy sources. Societal axes: high-volume public-data ticks (chain heads, exchange ticks) used as 'public unpredictability' beacons.

Each axis has an independent measurement and a published validator that contributes its share to the federated quorum.

Why it matters in Hive

Multi-axis entropy is the reason a Hive validator quorum cannot be silently coerced — compromise of one axis leaves fifteen others unaffected.

Hive Primitives PQ

MAPET (physical axes)

MAPET stands for the six physical axes Hive samples for entropy and consensus: Magnetic, Acoustic, Photonic, Electric, Thermal — plus a sixth meta-axis covering metadata and timing. MAPET sensors are deployed in geographically distributed validator sites.

MAPET measurements feed the Wave Lattice's physical-entropy axes and ground the platform's randomness in the physical world rather than in software-only PRNGs.

Why it matters in Hive

MAPET is the answer to 'how do you trust your randomness?' — we measure the physical world in places adversaries can't simultaneously coerce.

Agentic AI

MCP (Model Context Protocol)

The Model Context Protocol is Anthropic's open specification (released November 2024) for connecting LLM applications to external tools, resources, and prompts via a typed JSON-RPC 2.0 interface. MCP defines servers (which expose tools) and clients (which consume them).

MCP standardizes what was previously bespoke per-vendor function-calling and has been adopted by Claude Desktop, Cursor, ChatGPT, AWS AgentCore, and the major IDE assistants.

Why it matters in Hive

Hive ships MCP servers for every vertical (Tesla energy, Netskope, Anthropic, BIS, MAS, Stripe). Each MCP tool call emits a Hive receipt.

Agentic AI

MCP server

An MCP server is a process that exposes tools (callable functions), resources (read-only context), and prompts (reusable instructions) to MCP clients via JSON-RPC 2.0 over stdio, SSE, or Streamable-HTTP transports.

MCP servers may be local (bundled with the client) or remote (HTTP/SSE-hosted). They are the unit of capability extension for agentic systems.

Why it matters in Hive

github.com/srotzin hosts the open Hive MCP servers — Tesla energy, Netskope, BIS, MAS, Anthropic, Stripe — each emitting receipts on every tool call.

Agentic AI

MCP transport (stdio / SSE / Streamable-HTTP / JSON-RPC)

MCP defines four transport surfaces. stdio: server runs as a local subprocess and exchanges newline-delimited JSON-RPC over its standard streams. SSE: server-sent events over HTTP for unidirectional server-push. Streamable-HTTP: bi-directional HTTP/2 framing introduced in MCP 2025-03 for long-lived remote sessions. All four transports speak JSON-RPC 2.0 framing.

Choice of transport is independent of capability: a tool defined in MCP is identical regardless of how it is invoked.

Why it matters in Hive

Hive's hosted MCP servers default to Streamable-HTTP for remote agent sessions and offer stdio for local dev.

Verticals

Megapack (Tesla)

The Tesla Megapack is a utility-scale lithium-ion battery energy storage system, typically configured as 3.9 MWh AC blocks. Megapacks are deployed in front-of-meter and behind-the-meter applications and form the largest installed base of grid-scale battery storage in the United States.

Megapack fleets are commonly orchestrated as Virtual Power Plants under aggregator agreements that bid into wholesale markets.

Why it matters in Hive

Hive's Tesla-Energy MCP attests Megapack telemetry — state of charge, power, temperature, fault state — into dual-signed receipts that an ISO settlement engineer or a NERC CIP auditor can re-verify offline.

Cryptography PQ

ML-DSA

ML-DSA is the Module-Lattice Digital Signature Algorithm — a lattice-based signature scheme whose security reduces to the hardness of Module-LWE and Module-SIS. It was standardized as FIPS 204 in August 2024.

Three parameter sets are defined: ML-DSA-44 (category 2), ML-DSA-65 (category 3, the general default), and ML-DSA-87 (category 5). All three accept arbitrary-length messages and are deterministic by default with optional hedged randomness.

Why it matters in Hive

Hive uses ML-DSA-65 for receipts and offers ML-DSA-87 for top-of-trust validator and root-of-trust keys.

Cryptography PQ

ML-DSA-65

ML-DSA-65 is the parameter set of the Module-Lattice Digital Signature Algorithm standardized in FIPS 204 at NIST security category 3 (roughly 192-bit classical security against the best known attacks). Public keys are 1952 bytes, signatures are 3309 bytes, and signing is deterministic by default.

ML-DSA-65 is the recommended general-purpose post-quantum signature for new deployments per NIST IR 8547 and the CNSA 2.0 timeline. It descends from CRYSTALS-Dilithium round-3.

Why it matters in Hive

Hive's clearing receipts and federated-block envelopes are signed with ML-DSA-65 alongside Ed25519. The PQ half is what auditors and regulators will use to re-verify any 2024-2026 receipt after Q-Day.

Cryptography PQ

ML-KEM

ML-KEM (Module-Lattice Key Encapsulation Mechanism) is the FIPS 203 standard for post-quantum key establishment. Its security rests on the Module-LWE problem. Three parameter sets: ML-KEM-512, ML-KEM-768, ML-KEM-1024.

It descends from CRYSTALS-Kyber, the round-3 NIST PQC finalist. ML-KEM is the de-facto successor to ECDH for new symmetric-key establishment everywhere TLS, IKEv2, SSH, and bespoke protocols negotiate session keys.

Why it matters in Hive

Every Hive transport channel that needs forward secrecy uses ML-KEM in hybrid mode with X25519.

Cryptography PQ

ML-KEM-768

ML-KEM-768 is the parameter set of the Module-Lattice Key Encapsulation Mechanism standardized in FIPS 203 at NIST security category 3. Public keys are 1184 bytes, ciphertexts 1088 bytes, shared secrets 32 bytes.

ML-KEM-768 replaces classical ECDH and X25519 in hybrid TLS, hybrid Noise, and hybrid receipt-envelope encapsulation. It is the workhorse PQ KEM — high performance, mature library support, and the recommended default in NIST IR 8547.

Why it matters in Hive

Hive uses ML-KEM-768 to encapsulate the symmetric session keys that protect viewkey grants and clearing-agency envelopes between agents.

Compliance

MNPI (Material Non-Public Information)

Material Non-Public Information is information that a reasonable investor would consider important in making an investment decision and that has not been disclosed to the public. Trading on MNPI in violation of a duty is the core of insider-trading liability under SEC Rule 10b-5.

MNPI handling discipline (Chinese walls, watch lists, restricted lists) is a basic compliance control at every regulated financial institution.

Why it matters in Hive

Hive's MNPI-aware tool grants and receipts bind every access event to a named purpose and a restricted-list check.

Compliance

NERC CIP-005-7 (Electronic Security Perimeter)

NERC CIP-005-7 is the North American Electric Reliability Corporation Critical Infrastructure Protection standard for the Electronic Security Perimeter (ESP) around BES Cyber Systems. CIP-005-7 was approved by FERC in 2022 with phased compliance.

It mandates identification and protection of all routable connectivity into and out of an ESP, including interactive remote access controls.

Why it matters in Hive

Hive's grid vertical receipts cover CIP-005-7 R1 (electronic perimeter access) and R2 (interactive remote access) evidence requirements.

Compliance

NIS2 (EU)

Directive (EU) 2022/2555 (NIS2) is the EU's network and information security directive. Member-state transposition deadline: October 17, 2024. NIS2 expands the scope of the original NIS Directive to cover essential and important entities across many sectors and tightens incident-reporting timelines.

Senior management is personally liable for compliance under NIS2.

Why it matters in Hive

Hive's incident-response evidence pack is engineered for NIS2 Article 23 reporting timelines.

Related: DORA (EU)

Compliance

NIST AI RMF (Risk Management Framework)

NIST AI Risk Management Framework 1.0 (January 2023) is the voluntary framework for managing AI-system risk along the dimensions of governance, mapping, measurement, and management (the GOVERN/MAP/MEASURE/MANAGE functions).

The Generative AI Profile (NIST AI 600-1, July 2024) extends RMF 1.0 with GenAI-specific risks and mitigations.

Why it matters in Hive

Hive aligns its evidence and incident-response surfaces to the AI RMF 1.0 functions; customers can lift Hive receipts directly into their RMF measurement bundle.

Compliance

NIST CSF 2.0

NIST Cybersecurity Framework 2.0 (February 2024) is the updated voluntary cybersecurity framework. It adds the GOVERN function to the original five (IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER) and broadens applicability beyond critical infrastructure.

CSF 2.0 ships with implementation examples and quick-start guides for small businesses, enterprises, and supply chains.

Why it matters in Hive

Hive's evidence taxonomy maps to CSF 2.0 categories so customer-side CSF profiles can ingest Hive receipts directly.

Compliance PQ

NIST IR 8547

NIST Interagency Report 8547 (Initial Public Draft, November 2024) is the federal migration timeline to post-quantum cryptography. It deprecates classical digital-signature algorithms (RSA, ECDSA, EdDSA) by 2030 and disallows them entirely by 2035 for federal use.

It also sets timelines for ML-KEM transition (deprecate classical KEMs 2030, disallow 2035) and explicitly endorses hybrid PQ+classical during transition.

Why it matters in Hive

NIST IR 8547 is the clock Hive ships against. Every customer-facing roadmap document references its 2030 and 2035 milestones.

Cryptography PQ

NIST PQC Standardization

NIST's Post-Quantum Cryptography Standardization process began in 2016 with 82 submissions. After three rounds of public review, NIST selected CRYSTALS-Kyber (now ML-KEM, FIPS 203), CRYSTALS-Dilithium (ML-DSA, FIPS 204), and SPHINCS+ (SLH-DSA, FIPS 205) as the first three standards. Falcon (FN-DSA) is in draft (FIPS 206).

A fourth-round process is ongoing for additional KEM diversity (Classic McEliece, BIKE, HQC). Round-2 of the additional digital-signature on-ramp is in progress for non-lattice signatures.

Why it matters in Hive

Hive tracks the NIST process directly and updates its primitive matrix as drafts move to final.

Compliance

NIST SP 800-161 (SCRM)

NIST Special Publication 800-161 Rev. 1 (May 2022) provides cybersecurity supply-chain risk-management practices for federal systems and organizations. It is the SCRM companion to SP 800-53 Rev. 5.

Adoption is implicit in FedRAMP Rev. 5 and explicit in DOD SCRM directives.

Why it matters in Hive

Hive maintains an SBOM and a signed-component manifest; SP 800-161 evidence is delivered as Hive receipts attached to release manifests.

Compliance

NIST SP 800-171 (CUI)

NIST Special Publication 800-171 Rev. 3 (May 2024) specifies the security requirements for protecting Controlled Unclassified Information (CUI) in non-federal systems and organizations.

SP 800-171 is the control basis for DFARS 7012 and CMMC L2.

Why it matters in Hive

Hive customers handling CUI for federal contracts can use Hive receipts as evidence for SP 800-171 audit & accountability requirements.

Compliance

NIST SP 800-53

NIST Special Publication 800-53 Rev. 5 is the catalog of security and privacy controls for federal information systems and organizations. It is the control source for FISMA, FedRAMP, and many state-level frameworks.

Rev. 5 (September 2020) integrates privacy controls and supply-chain risk-management controls into the unified catalog.

Why it matters in Hive

Hive controls are mapped to SP 800-53 Rev. 5 families (AC, AU, CM, IR, RA, SC, SI) for FedRAMP-track customers.

Compliance

NIST SP 800-66 (HIPAA security)

NIST Special Publication 800-66 Rev. 2 (February 2024) is the implementation guide to the HIPAA Security Rule. It cross-walks HIPAA Security Rule provisions to NIST controls and operational practices.

Rev. 2 modernizes guidance for cloud, mobile, and AI-assisted clinical workflows.

Why it matters in Hive

Hive's hipaa-hive vertical aligns its receipts to SP 800-66 Rev. 2 cross-walk so covered entities can cite Hive evidence in HIPAA risk analyses.

Compliance

OFAC

The Office of Foreign Assets Control administers and enforces US economic and trade sanctions. Covered persons must screen customers and transactions against OFAC's Specially Designated Nationals (SDN) and other sanctioned-party lists.

OFAC violations are strict-liability and carry substantial civil penalties.

Why it matters in Hive

Hive's settlement and clearing receipts can carry the screening evidence for OFAC compliance — when the screen ran, against which list version, with what disposition.

Compliance

PCI DSS 4.0

Payment Card Industry Data Security Standard 4.0 (March 2022) is the consortium standard for entities that store, process, or transmit cardholder data. Most v4.0 future-dated requirements became mandatory March 31, 2025.

PCI DSS 4.0 emphasizes continuous monitoring, customized-approach validation, and stronger MFA and key-management requirements than v3.2.1.

Why it matters in Hive

Hive does not store PAN data, but receipts emitted in payment-adjacent flows are designed to slot into customer PCI evidence packages.

Verticals

PHI (Protected Health Information)

Protected Health Information, defined at 45 CFR 160.103, is individually identifiable health information held or transmitted by a HIPAA covered entity or business associate. PHI in electronic form is ePHI and is subject to the HIPAA Security Rule (45 CFR Part 164 Subpart C).

Disclosure of PHI without an authorization or a permitted-use basis is a HIPAA violation. NIST SP 800-66r2 provides implementation guidance.

Why it matters in Hive

Hive supports HIPAA-aligned modes where receipts carry only hashes and pointers to PHI rather than PHI itself, while still proving the provenance and authorization of every access.

Financial Rails

Platform fee

The platform fee is the periodic (typically monthly) fee charged to institutional accounts for access to the Hive surface — clearing, vault, MCP gateway, witness participation. It is independent of per-receipt fees.

Charter-tier IAs may have negotiated platform-fee terms documented in their onboarding agreement.

Why it matters in Hive

Platform fees fund the validator quorum and the engineering of the rail.

Cryptography PQ

Post-quantum cryptography (PQC)

Post-quantum cryptography refers to public-key cryptographic algorithms believed to resist attack by both classical and large-scale quantum computers. The field includes lattice-based (ML-KEM, ML-DSA), hash-based (SLH-DSA), code-based (Classic McEliece), and isogeny-based candidates.

NIST began its PQC standardization process in 2016 and finalized the first three standards (FIPS 203, 204, 205) in August 2024. NIST IR 8547 (initial public draft 2024) sets the federal migration timeline: deprecate classical signatures by 2030, disallow by 2035.

Why it matters in Hive

Hive is post-quantum-native at the wire and at the receipt. We are not retrofitting a TLS layer onto a classical core; the receipt itself carries the PQ signature.

Hive Primitives PQ

PQ-Identity

PQ-Identity is the post-quantum identity primitive: a did:hive principal whose keys are dual (Ed25519 + ML-DSA-65) and whose key rotations are themselves post-quantum-signed. The identity remains verifiable past 2030/2035 milestones and across Q-Day.

PQ-Identity is the substrate beneath ProveBirth, Hive Passport, and Sovereignty Vault.

Why it matters in Hive

PQ-Identity is how Hive answers 'will this identity still mean something in 2040?' — the cryptographic chain is engineered to survive.

Verticals

Prior authorization

Prior authorization is the process by which a healthcare payer requires advance approval before covering a service, procedure, or medication. CMS-0057-F (the CMS Interoperability and Prior Authorization Final Rule, 2024) imposes new electronic-PA, decision-time, and reporting requirements on impacted payers beginning in 2026 and 2027.

PA is a leading source of provider abrasion and patient delay, and is increasingly the target of agentic-AI automation on both the provider and payer sides.

Why it matters in Hive

Hive receipts on prior-auth decisions create a tamper-evident chain — request, evidence cited, model, reviewer, decision, appeal — that satisfies both CMS reporting and HIPAA accountability requirements.

Hive Primitives

ProveBirth

ProveBirth is the Hive identity-issuance surface: the ceremony and API that create a new did:hive principal, generate its key material (Ed25519 + ML-DSA-65), bind it to a Passport, and issue the first cert.

ProveBirth is exposed as a live curl-able endpoint at /v1/provebirth/cert/issue and is documented at /prove-birth.

Why it matters in Hive

Every Hive identity begins with a ProveBirth ceremony; the resulting cert_id is the genesis evidence for that identity's lifetime.

Cryptography PQ

Quantum-resistant

'Quantum-resistant' is the marketing-friendly synonym for 'post-quantum'. NIST and CISA prefer 'post-quantum' in standards prose; the two terms are interchangeable in operational documents.

A quantum-resistant primitive is believed to remain secure against an adversary with a cryptographically-relevant quantum computer (CRQC). It does not mean the primitive runs on a quantum computer.

Why it matters in Hive

Hive uses 'post-quantum' in technical surfaces and 'quantum-resistant' in customer-facing copy where clarity wins.

Hive Primitives PQ

Receipt (Hive)

A Hive receipt is a dual-signed (Ed25519 + ML-DSA-65) JSON object that records a single state-changing event in the platform — a tool call, a clearing match, a viewkey grant, a settlement. Each receipt has a cert_id, a SHA-256 content hash, a federated-block reference, and an on-chain settlement tx hash on Base 8453.

Receipts are the canonical evidence object on Hive. Verifiers can re-validate any receipt offline against the published validator key set, the federated block log, and the Base chain.

Why it matters in Hive

Receipts are the product. Everything else exists to issue, settle, or verify them.

Hive Primitives PQ

Receipt envelope

The receipt envelope is the canonical wrapper around a Hive receipt: a JSON object containing the canonicalized payload, the cert_id, the algorithm-identifier preamble, the dual signatures, the validator quorum reference, and the federated-block hash.

Envelopes are content-addressed by SHA-256 and indexed in the federated block log.

Why it matters in Hive

Every Hive surface (clearing, vault, MCP gateway) emits envelopes in the same canonical shape so verifiers only learn one format.

Financial Rails

Receipt fee

The receipt fee is the per-receipt charge collected by the platform for issuing a Hive receipt. It is denominated in USDC and routed to the Hive treasury.

Fees are tier-dependent and are published in the platform pricing surface.

Why it matters in Hive

Receipt fees are the unit economics of the rail; every issued receipt carries one and the value flows to the treasury.

Compliance

Reg SCI / Reg ATS / Reg M / Reg SHO

A cluster of SEC market-structure regulations. Reg SCI: systems compliance and integrity for self-regulatory organizations and large ATSs. Reg ATS: alternative trading systems. Reg M: anti-manipulation rules around securities offerings. Reg SHO: locate and close-out requirements for short sales.

Each carries technical evidence requirements that map naturally onto a receipt rail.

Why it matters in Hive

Hive's market-infrastructure vertical produces Reg-SCI-aligned change-control and incident receipts and Reg-SHO-aligned locate-evidence receipts.

Verticals

SASE (Secure Access Service Edge)

Secure Access Service Edge is the converged network and security architecture coined by Gartner in 2019. SASE combines SD-WAN with a cloud-delivered security stack: SWG, CASB, ZTNA, FWaaS, and DLP.

Major SASE vendors include Netskope, Zscaler, Palo Alto Prisma, and Cisco.

Why it matters in Hive

Hive's SASE-vertical receipts integrate with Netskope and peers to capture every policy decision as durable evidence.

Compliance

SEC Rule 17a-4 (broker-dealer recordkeeping)

SEC Rule 17a-4 is the broker-dealer recordkeeping rule under the Securities Exchange Act of 1934. It mandates retention of specified records, write-once-read-many (WORM) or audit-trail electronic-storage modalities, and third-party access undertakings.

The 2022 amendments expanded the audit-trail option as an alternative to WORM, opening the door to receipt-rail-based evidence systems.

Why it matters in Hive

Hive's broker-dealer vertical operates under the audit-trail option of 17a-4(f)(2)(i)(B), with receipts providing the per-record audit trail.

Financial Rails

Settlement

Settlement is the final, irrevocable transfer of value that discharges an obligation between counterparties. In on-chain settings, settlement is achieved when a transaction is included in a block whose probability of being reorganized is acceptably low ('finality').

On Base, soft finality is reached in seconds; hard finality (after Ethereum L1 inclusion of the L2 commitment) within minutes.

Why it matters in Hive

Hive treats Base 8453 finality as the settlement event for the on-chain leg of any clearing receipt.

Cryptography

SHA-256

SHA-256 is the 256-bit member of the SHA-2 family standardized in FIPS 180-4. It produces 32-byte digests and is the default hash across TLS, X.509, Bitcoin, Ethereum, Git, and most receipt schemes.

Quantum attacks via Grover's algorithm reduce the effective preimage security to ~128 bits, which is still considered safe for collision and authentication uses.

Why it matters in Hive

Hive content-addresses receipts and federated blocks with SHA-256 and surfaces the digest as the canonical receipt fingerprint.

Cryptography

SHA-3

SHA-3 is the Keccak-based hash family standardized in FIPS 202. It includes the fixed-output hashes SHA3-224/256/384/512 and the extendable-output functions SHAKE128/256.

SHA-3 is structurally distinct from the SHA-2 family (sponge construction, not Merkle-Damgård) and is included in FIPS 203/204/205 internals.

Why it matters in Hive

ML-DSA and ML-KEM rely on SHAKE128 and SHAKE256 internally; Hive cryptographic boundary tests assert FIPS 202 compliance.

Hive Primitives PQ

SHOD (Signed Hashed Operation Digest)

SHOD is the Hive operation-canonicalization format: a deterministic JSON serialization of a tool call (or other state-changing event), hashed with SHA-256 and dual-signed. Every Hive receipt carries a SHOD as its core payload.

Canonicalization rules are published so any independent implementation can re-serialize, re-hash, and re-verify a receipt offline.

Why it matters in Hive

SHOD is what makes Hive receipts portable: the receipt is meaningful even if the producing system is gone.

Cryptography PQ

Shor's algorithm

Peter Shor's 1994 algorithm factors integers and computes discrete logarithms in polynomial time on a sufficiently-large fault-tolerant quantum computer. It breaks RSA, classical Diffie-Hellman, ECDH, and ECDSA — including Ed25519 — once the hardware exists.

Best current resource estimates (Gidney & Ekerå 2021) require ~20 million noisy qubits to factor RSA-2048 in 8 hours. Hardware progress is steady but not yet at break-even.

Why it matters in Hive

Shor's algorithm is the reason Hive does not rely on Ed25519 alone for receipts; the PQ half of every signature is the durable one.

Cryptography PQ

SLH-DSA

SLH-DSA is the Stateless Hash-Based Digital Signature Algorithm standardized in FIPS 205 in August 2024. It descends from SPHINCS+ and is the only NIST-standardized PQ signature whose security depends solely on the underlying hash function (no algebraic assumption).

SLH-DSA signatures are large (7-50 KB depending on parameter set) and signing is slow, but verification is fast and the security model is the most conservative of any PQ signature standard. It is the cryptographic insurance policy of the PQC suite.

Why it matters in Hive

Hive offers SLH-DSA-SHA2-128s as an option for cold-anchored long-term root keys where hash-only security is preferred over performance.

Verticals

SOAR (Security Orchestration, Automation, Response)

SOAR platforms automate analyst workflows in the SOC: ingesting alerts, enriching them with threat intel, executing playbooks (block IP, disable user, isolate host), and tracking case outcomes.

Major vendors include Splunk SOAR, Palo Alto XSOAR, Tines, and Torq.

Why it matters in Hive

Hive's SOAR-vertical pattern attaches a receipt to every automated playbook step — so 'the system did it' is no longer a defensible answer; the system did it under cryptographic identity, with cited inputs.

Verticals

SOC (Security Operations Center)

A Security Operations Center is the team and tooling responsible for continuous monitoring, detection, triage, and response to security events across an organization's infrastructure.

Modern SOCs operate on SIEM and XDR platforms and increasingly use SOAR for runbook automation. They are typically the originators of evidence packages that compliance functions hand to auditors.

Why it matters in Hive

Hive substrates make every SOC alert and analyst decision into a dual-signed receipt — useful when a regulator asks 'who decided this incident was a false positive?'

Compliance

SOC 2 Type II

SOC 2 Type II is the AICPA examination of a service organization's controls relevant to one or more Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy) over a defined operating period (typically 6-12 months).

A Type II report attests not just that controls were designed (Type I) but that they operated effectively over the period.

Why it matters in Hive

Hive operates against the AICPA Trust Services Criteria; receipts feed directly into the evidence underlying customer-side SOC 2 examinations.

Hive Primitives PQ

Sovereignty Vault

The Sovereignty Vault is Hive's PQ-encapsulated, viewkey-gated evidence store. It holds receipt history, regulatory-grade attestations, and customer-controlled sensitive data with per-zone isolation and per-grant access.

Vault entries are content-addressed, replicated across validator-affiliated storage, and accessible only through signed viewkey grants.

Why it matters in Hive

Customers use the Vault as their durable evidence locker for audits, disputes, and breach investigations.

Compliance

SOX 404

Section 404 of the Sarbanes-Oxley Act of 2002 requires public-company management to assess and report on the effectiveness of internal control over financial reporting (ICFR), and the company's auditor to attest to that assessment.

PCAOB Auditing Standard No. 2201 governs the integrated audit of ICFR and the financial statements.

Why it matters in Hive

Hive receipts attached to financially-relevant transactions provide evidence supporting management's SOX 404 assessment.

Verticals

SSE (Security Service Edge)

Security Service Edge is the security half of SASE — the cloud-delivered SWG, CASB, ZTNA, and DLP capabilities decoupled from the SD-WAN component. Gartner introduced SSE as a category in 2021.

SSE-only platforms are popular at organizations whose networking is not yet ready for SD-WAN consolidation.

Why it matters in Hive

Hive's SSE-vertical receipts attach to per-session policy outcomes rather than per-circuit telemetry.

Financial Rails

Stablecoin

A stablecoin is a digital asset designed to maintain a stable value relative to a reference asset, most commonly the US dollar. Major fiat-collateralized stablecoins (USDC, USDT, PYUSD) hold reserves in cash and short-duration treasuries.

Stablecoins are the operational currency of agentic commerce because they settle in seconds for fractions of a cent on modern L2s.

Why it matters in Hive

Hive settles in USDC. The platform does not issue or hold a stablecoin; it accepts settlement in the customer's chosen approved token.

Hive Primitives PQ

The Hive (the company / the substrate)

'The Hive' is the colloquial name for Hive Civilization, Inc. and for the substrate it operates — a post-quantum, agent-native receipt and clearing rail.

The Hive is both a Wyoming-incorporated company and a logical platform spanning the wave-lattice runtime, the clearing agency, the federated block log, and the Hive treasury on Base.

Why it matters in Hive

Used informally throughout this site; the legal entity is always 'Hive Civilization, Inc.'

Cryptography

Threshold signature

A threshold signature scheme allows N parties to jointly produce a single signature such that any T of them suffice (T-of-N), with no single party ever holding the full secret key. It is the cryptographic foundation of multi-party custody.

Production schemes include FROST (for Schnorr/Ed25519), GG18/GG20 (for ECDSA), and emerging ML-DSA threshold variants.

Why it matters in Hive

Hive's clearing-agency anchor key is a threshold key with shares held across geographically separate validators; no single operator can mint a federated block alone.

Agentic AI

Tool call

A tool call is a single invocation by an agent of a function exposed via MCP, OpenAPI, or a framework's native tool registry. Each call has typed arguments, a typed return, and (in Hive's model) a receipt.

Tool calls are the atomic unit of agentic action. The accumulated tool-call log is the agent's behavioral record.

Why it matters in Hive

Hive's MCP layer emits a receipt for every tool call; receipts include the agent identity, principal, grant, arguments hash, and result hash.

Agentic AI

Tool grants

A tool grant is an explicit, principal-signed authorization that allows an agent to call a specific tool on a specific resource for a specific time window. Grants are the primary access-control primitive in agentic systems.

Grants differ from API keys: they are scoped, revocable, expirable, and tied to a principal-of-record. They are the agent-era equivalent of OAuth scopes plus session bindings.

Why it matters in Hive

Hive issues, tracks, and revokes tool grants as first-class objects; every grant has a cert_id and every receipt cites the grant under which the action was authorized.
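The grant check and hash-bearing call record described in the SHOD, Tool call, and Tool grants entries, as an added example that is not Hive's code. The canonical form (sorted keys, compact separators), the field names, and the sample identifiers are assumptions made for illustration; signing is omitted because Ed25519 and ML-DSA-65 are outside the Python standard library.

```python
import hashlib
import json
from dataclasses import dataclass


def canonical_json(obj) -> bytes:
    # Assumed canonical form (not Hive's published rules): sorted keys,
    # no insignificant whitespace, UTF-8 output.
    return json.dumps(obj, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def digest(obj) -> str:
    """SHA-256 over the canonical serialization, hex-encoded."""
    return hashlib.sha256(canonical_json(obj)).hexdigest()


@dataclass(frozen=True)
class Grant:
    # Hypothetical grant shape: one agent, one tool, one resource, one window.
    grant_id: str
    principal: str
    agent: str
    tool: str
    resource: str
    not_before: int  # Unix seconds, inclusive
    not_after: int   # Unix seconds, exclusive


def check_grant(grant, revoked, agent, tool, resource, now):
    """Return (allowed, reason). Revocation and expiry are checked before scope."""
    if grant.grant_id in revoked:
        return False, "grant revoked"
    if not (grant.not_before <= now < grant.not_after):
        return False, "outside grant time window"
    if (agent, tool, resource) != (grant.agent, grant.tool, grant.resource):
        return False, "call outside grant scope"
    return True, "ok"


def record_tool_call(grant, revoked, agent, tool, resource, args, now, run_tool):
    """Authorize, run the tool only if allowed, and record hashes of both sides."""
    allowed, reason = check_grant(grant, revoked, agent, tool, resource, now)
    record = {
        "agent": agent,
        "principal": grant.principal,
        "grant_id": grant.grant_id,
        "tool": tool,
        "resource": resource,
        "time": now,
        "allowed": allowed,
        "reason": reason,
        "arguments_hash": digest(args),
        # Denied calls are recorded too, but the tool is never invoked.
        "result_hash": digest(run_tool(args)) if allowed else None,
    }
    # The record hash covers every field above; a signature would cover it.
    record["record_hash"] = digest(record)
    return record


def verify_record(record, args, result) -> bool:
    """Re-serialize and re-hash offline; any edited field breaks the match."""
    body = {k: v for k, v in record.items() if k != "record_hash"}
    return (record["record_hash"] == digest(body)
            and record["arguments_hash"] == digest(args)
            and record["result_hash"] == digest(result))


# Constructed sample grant; the identifiers are placeholders.
SAMPLE_GRANT = Grant("grant-001", "did:hive:principal-example",
                     "did:hive:agent-example", "ledger.read", "acct/42",
                     not_before=1000, not_after=2000)
```

Because hashing runs over the canonical form, a verifier that receives the arguments with keys in a different order still reproduces the same `arguments_hash`.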

Compliance

Travel Rule (FATF R.16)

FATF Recommendation 16 — the 'Travel Rule' — requires originator and beneficiary information to accompany wire transfers and (since the 2019 update) virtual-asset transfers above defined thresholds.

Travel-Rule compliance is the dominant compliance burden on virtual-asset service providers (VASPs) globally.

Why it matters in Hive

Hive's settlement receipts include Travel-Rule-aligned originator/beneficiary fields where the underlying transaction is in scope.

Financial Rails

Treasury (Hive)

The Hive treasury is the platform-controlled multi-signature wallet on Base 8453 that receives platform fees, holds activation deposits, and disburses receipt-fee rebates. The treasury address is 0x15184Bf50B3d3F52b60434f8942b7D52F2eB436E.

Treasury balances and flows are publicly inspectable on Basescan.

Why it matters in Hive

When a customer asks 'where do platform fees go?' the answer is the on-chain Hive treasury address, observable in real time.

Hive Primitives

Tx hash (Base 8453)

A tx hash is the keccak-256 transaction identifier on the Base L2 (chain ID 8453). For Hive, tx hashes anchor the latest federated block hash and any USDC settlement leg of a clearing receipt.

Tx hashes can be inspected on Basescan or any Base RPC for independent confirmation outside the Hive platform.

Why it matters in Hive

Citing a Hive receipt with its Base tx hash gives external auditors a third-party-verifiable timestamp.

Financial Rails

USDC

USDC is the regulated, fully-reserved US dollar stablecoin issued by Circle Internet Financial. Reserves are held in cash and short-duration US Treasuries with monthly attestations published by Circle.

On Base 8453, the canonical USDC contract address is 0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913 (ERC-20).

Why it matters in Hive

All Hive settlement legs default to USDC on Base. Customers may approve other stablecoins for their zone.

Financial Rails

USDC contract address (Base): 0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913

0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913 is the canonical USDC ERC-20 contract on Base 8453, deployed by Circle and bridged from Ethereum L1.

It is distinct from USDbC (the legacy bridged USDC contract) which Circle has deprecated.

Why it matters in Hive

All Hive USDC settlement on Base 8453 uses this contract; receipts cite it explicitly when settlement is involved.

Hive Primitives

Validator DID

Each Hive validator is identified by a did:hive identifier whose key material is generated through the validator DKG ceremony. Validators sign federated blocks with both Ed25519 and ML-DSA-65.

The validator key set is published in the platform's trust root; its rotation is itself signed and recorded as a receipt.

Why it matters in Hive

Every receipt threads back to the validators that signed its block, by DID — not by IP address or AWS account.

Hive Primitives PQ

Viewkey

A viewkey is a per-zone symmetric key derived through HKDF that grants read access to a defined slice of receipts, vault entries, or sealed evidence. Viewkeys are issued to specific holders for specific time windows and are PQ-encapsulated in transit.

Viewkey grants are themselves receipts — issuance, rotation, and revocation are all signed and logged.

Why it matters in Hive

Auditors and regulators access Hive evidence through viewkey grants rather than through bulk database access; the grant defines the lawful scope.

Hive Primitives PQ

Viewkey grant

A viewkey grant is the signed authorization that hands a viewkey (or a derived sub-key) to a specific principal for a specific scope and time window. Grants are revocable; revocations are themselves recorded as receipts.

Grants carry the auditor or regulator's purpose statement, retention duty, and downstream-disclosure restriction in machine-readable form.

Why it matters in Hive

Hive's regulator-facing surface is built on viewkey grants — every regulator gets a least-privilege grant with a logged purpose.
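A sketch of per-scope viewkey derivation with HKDF-SHA-256 (RFC 5869), covering the Viewkey and Viewkey grant entries; it is an added example, not Hive's derivation. The label string, the info-field layout, and the function names are assumptions.

```python
import hashlib
import hmac

HASH_LEN = 32  # SHA-256 output size in bytes


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    # RFC 5869 step 1: an empty salt is replaced by HASH_LEN zero bytes.
    return hmac.new(salt or b"\x00" * HASH_LEN, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    # RFC 5869 step 2: T(i) = HMAC(PRK, T(i-1) || info || i), concatenated.
    if not 0 < length <= 255 * HASH_LEN:
        raise ValueError("requested length out of range for HKDF-SHA-256")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]),
                         hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def encode_info(*fields: str) -> bytes:
    # Each field is length-prefixed so that ("ab", "c") and ("a", "bc")
    # can never serialize to the same info string.
    out = b"viewkey-example-v1"  # hypothetical domain-separation label
    for field in fields:
        raw = field.encode("utf-8")
        out += len(raw).to_bytes(2, "big") + raw
    return out


def derive_viewkey(zone_root: bytes, scope: str,
                   not_before: int, not_after: int) -> bytes:
    """Derive a 32-byte key bound to one scope and one time window.

    zone_root is the zone's secret root key. Changing the scope or either
    end of the window yields an unrelated key, so a holder of one viewkey
    learns nothing about its siblings or about the root.
    """
    if len(zone_root) < HASH_LEN:
        raise ValueError("zone root must carry at least 256 bits")
    prk = hkdf_extract(b"", zone_root)
    info = encode_info(scope, str(not_before), str(not_after))
    # Keep the output length fixed: HKDF output for a shorter length is a
    # prefix of the longer one, so length must not be used to separate keys.
    return hkdf_expand(prk, info, HASH_LEN)


# Constructed sample root for demonstration only; real roots come from a CSPRNG.
SAMPLE_ZONE_ROOT = hashlib.sha256(b"constructed sample zone root").digest()
```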

Verticals

VPP (Virtual Power Plant)

A Virtual Power Plant is a software-orchestrated aggregation of distributed energy resources operated as if it were a single dispatchable generator. VPPs participate in capacity markets, ancillary services, and energy markets.

Tesla, Sunrun, Generac, AutoGrid, and utility-led programs (e.g. Green Mountain Power) operate VPPs in the United States.

Why it matters in Hive

Hive provides the cryptographic receipt fabric for VPP dispatch — every kWh charged, discharged, or curtailed is dual-signed with a Tesla-Energy MCP attestation and the aggregator's cert.

Hive Primitives PQ

Wave Lattice (the runtime)

Wave Lattice is the Hive runtime — a 16-axis Byzantine-consensus protocol over physical-entropy validators that produces the federated block log and signs receipts with ML-KEM-768 + ML-DSA-65 derived from multi-axis entropy.

It is the substrate beneath every Hive product. Wave-Lattice (the production primitive), RogueWave-Lattice (the next-generation 16-axis handshake), and Swarm-MAPET (the validator constellation) all derive from the same runtime.

Why it matters in Hive

When Hive customers ask 'what is actually running underneath the receipt?' the answer is the Wave Lattice runtime.

Hive Primitives PQ

Wave Lattice 16-axis handshake

The 16-axis handshake is the RogueWave-Lattice key-agreement and attestation procedure that combines ML-KEM-768 with measurements across 16 physical-entropy axes (lattice, cosmic, societal, plus MAPET environmental sensors). The handshake produces a session key and a per-session attestation.

Handshake outputs are recorded as receipts so that any future verifier can confirm the session was properly initiated.

Why it matters in Hive

The 16-axis handshake is what binds Hive's cryptography to the physical world; entropy is not just from /dev/urandom.

Hive Primitives

Witness

A Hive witness is an independent observer (often a customer-side enclave or a partner validator) that countersigns a federated block or a high-stakes receipt. Witness signatures provide an additional, non-Hive-controlled line of evidence.

Witnessing is optional but recommended for clearing receipts above a configurable notional threshold.

Why it matters in Hive

Customers in regulated verticals (finance, healthcare, energy) typically run their own witness validators so that Hive cannot rewrite history without visible disagreement.

Financial Rails

x402 (HTTP 402 payment-required pattern)

x402 is Coinbase's open standard (announced 2025) that revives the long-reserved HTTP status code 402 'Payment Required' as a machine-payable handshake. A server returns 402 with payment requirements (token, amount, destination), the client (often an agent) pays in a stablecoin on a low-fee L2, and retries with proof of payment.

x402 is the agent-native HTTP payment pattern: no API keys, no credit cards, no contracts — pay per call.

Why it matters in Hive

Hive's agent commerce surfaces speak x402 natively. A Hive MCP tool that requires settlement returns a 402 with the Base USDC challenge.

Financial Rails

x402 rails

x402 rails are the implementation surfaces of the x402 protocol — server middleware (Express, FastAPI, Cloudflare Workers), client SDKs, and facilitator services that handle the on-chain settlement leg.

Hive operates an x402 facilitator endpoint that emits a Hive receipt for every settled 402 challenge.

Why it matters in Hive

Builders pick up x402 rails out of the box; Hive's value-add is the receipt and the cross-vertical clearing.
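Before an agent pays a 402 challenge it should check the stated requirements against its own policy. The check below is an added example, not part of x402 or of Hive's SDKs: the field names (`chain_id`, `token`, `amount`, `destination`) follow this glossary's wording rather than the x402 wire format, and `PaymentPolicy` and the sample destination address are hypothetical.

```python
import re
from decimal import Decimal

BASE_CHAIN_ID = 8453
USDC_ON_BASE = "0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913"  # from this glossary
USDC_DECIMALS = 6
ADDRESS_RE = re.compile(r"0x[0-9a-fA-F]{40}")


def usdc_to_units(amount: str) -> int:
    """Convert a decimal USDC string such as "0.05" to integer base units."""
    value = Decimal(amount) * (10 ** USDC_DECIMALS)
    if value <= 0 or value != value.to_integral_value():
        raise ValueError(f"not a positive USDC amount: {amount!r}")
    return int(value)


class PaymentPolicy:
    """Client-side limits an agent enforces before paying any 402 challenge."""

    def __init__(self, allowed_destinations, max_per_call, budget):
        # Addresses compare case-insensitively; checksum casing varies.
        self.allowed_destinations = {d.lower() for d in allowed_destinations}
        self.max_units = usdc_to_units(max_per_call)
        self.remaining_units = usdc_to_units(budget)

    def violations(self, challenge: dict) -> list:
        problems = []
        if challenge.get("chain_id") != BASE_CHAIN_ID:
            problems.append("unexpected chain")
        # A look-alike token contract is the cheapest way to mislead a payer.
        if str(challenge.get("token", "")).lower() != USDC_ON_BASE.lower():
            problems.append("token is not canonical USDC on Base")
        dest = str(challenge.get("destination", ""))
        if not ADDRESS_RE.fullmatch(dest):
            problems.append("malformed destination")
        elif dest.lower() not in self.allowed_destinations:
            problems.append("destination not allowlisted")
        amount = challenge.get("amount")
        if not (isinstance(amount, str) and amount.isascii()
                and amount.isdigit() and int(amount) > 0):
            problems.append("amount must be a positive integer string")
        else:
            units = int(amount)
            if units > self.max_units:
                problems.append("amount exceeds per-call limit")
            if units > self.remaining_units:
                problems.append("amount exceeds remaining budget")
        return problems

    def approve(self, challenge: dict) -> bool:
        """Reserve budget only when the challenge passes every check."""
        if self.violations(challenge):
            return False
        self.remaining_units -= int(challenge["amount"])
        return True


# Constructed sample: a placeholder payee and a 0.05 USDC challenge.
SAMPLE_DESTINATION = "0x" + "11" * 20
SAMPLE_CHALLENGE = {
    "chain_id": 8453,
    "token": USDC_ON_BASE,
    "amount": "50000",  # base units; USDC has 6 decimals
    "destination": SAMPLE_DESTINATION,
}
```

Decrementing the budget at approval time also bounds the damage if a server keeps answering 402 after payment.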

Cryptography PQ

Y2Q / Q-Day

Y2Q (Years to Quantum) and Q-Day are informal terms for the moment a cryptographically-relevant quantum computer (CRQC) becomes operational and breaks RSA-2048 and 256-bit ECC in practice.

The Global Risk Institute Quantum Threat Timeline Report (2024) places the median expert estimate of Q-Day between 2034 and 2042, with non-negligible probability before 2030. Migration must therefore be substantially complete before then.

Why it matters in Hive

Hive's premise: every receipt issued today must remain re-verifiable after Q-Day. PQ signatures on every artifact are not optional.

Cryptography

Zero-knowledge proof (ZKP)

A zero-knowledge proof is a cryptographic protocol in which a prover convinces a verifier that a statement is true without revealing any information beyond the truth of the statement itself. Defined by Goldwasser, Micali, and Rackoff in 1985.

Modern non-interactive ZKPs (zk-SNARKs, zk-STARKs, Bulletproofs) are deployed across privacy-preserving rollups, KYC attestations, and selective-disclosure credentials.

Why it matters in Hive

Hive uses ZKPs for selective disclosure of viewkey grants — proving an attribute without revealing the underlying record.

Cryptography

zk-SNARK

A zk-SNARK is a Zero-Knowledge Succinct Non-interactive ARgument of Knowledge: a constant-size proof that a computation was executed correctly. Common constructions: Groth16, PLONK, Halo2.

zk-SNARKs typically require a trusted setup (per-circuit or universal) and rely on pairing-friendly elliptic curves whose hardness assumptions may not survive Q-Day.

Why it matters in Hive

Hive evaluates zk-SNARKs for selective disclosure, but production paths default to PQ-secure threshold and ZKP constructions where available.

Cryptography

zk-STARK

A zk-STARK is a Zero-Knowledge Scalable Transparent ARgument of Knowledge — a transparent (no trusted setup) proof system whose security reduces to the collision-resistance of a hash function. STARKs are post-quantum secure.

STARK proofs are larger than SNARK proofs but require no setup ceremony and have stronger long-term security guarantees.

Why it matters in Hive

Where post-quantum-secure proof systems matter (long-lived attestations), Hive prefers STARK-class constructions over pairing-based SNARKs.

Hive Primitives

Zone

A Hive zone is a tenant-scoped namespace within the platform: its own viewkey root, its own grant policies, its own receipt-retention rules. Zones are the unit of multi-tenant isolation and the unit of regulatory residency.

Customers in EU jurisdictions can pin their zone to EU-resident validators; healthcare customers can pin to HIPAA-eligible operators.

Why it matters in Hive

Zones are how Hive serves regulated customers without entangling tenants in each other's compliance perimeters.

Verticals

ZTNA (Zero Trust Network Access)

Zero Trust Network Access replaces VPN-style network admission with per-application, per-session authorization based on user identity, device posture, and contextual signals.

ZTNA aligns with the Zero Trust Architecture defined in NIST SP 800-207.

Why it matters in Hive

Hive's ZTNA-vertical receipts attach to every authorization decision — who, what, when, on which device, with what posture.

Compliance PQ

2030 deprecation (classical sigs)

Per NIST IR 8547 IPD, RSA, ECDSA, and EdDSA digital signatures are deprecated for federal use beginning 2030. Deprecation means continued use is permitted only with explicit risk acceptance and is no longer recommended for new systems.

Federal contractors, FedRAMP-authorized SaaS, and vendors selling to regulated industries are expected to align procurement and architecture decisions to this milestone.

Why it matters in Hive

Hive receipts carry both Ed25519 and ML-DSA-65 today, so 2030 deprecation does not invalidate any receipt; the PQ half remains the canonical authentication.

Compliance PQ

2035 disallowance (classical sigs)

Per NIST IR 8547 IPD, RSA, ECDSA, and EdDSA are disallowed for federal use after 2035. Disallowance means use is prohibited; verification of legacy signatures may continue under exception, but no new signatures may be produced.

This is the hard wall for the classical-signature era. Any artifact that needs to verify after 2035 must carry a NIST-approved PQ signature.

Why it matters in Hive

Hive receipts are designed to survive the 2035 wall: the PQ signature is primary, and the artifact remains valid even when the classical co-signature is disregarded.

Compliance

21 CFR Part 11 (FDA electronic records)

21 CFR Part 11 is the FDA regulation governing electronic records and electronic signatures used in the production and quality activities of FDA-regulated industries. It defines requirements for system validation, audit trails, record integrity, and signature manifestation.

Part 11 applies to records required by predicate rules (GMP, GLP, GCP) when those records are kept electronically or signed electronically.

Why it matters in Hive

Hive receipts meet Part 11 §11.10(e) (audit trails) and §11.50/§11.70 (signature manifestation and binding) requirements when configured for GxP customers.
