spec v1 · 2026-05-29
HARM — Hive Autonomous Route Mesh

Five pieces. No new transport. No new standard. No permission required.

HARM is the route mesh that follows from the thesis on /signal/ and the primitive on /poep/. Agents read attested signals in their context window. Settlement releases only on log inclusion. Existing PKI carries the trust. Bonded vestigia carry the consequences. The wire is fine. The signal moves in the receipt.

See the five pieces Read POEP Read the thesis

What HARM is not

HARM is not an eBPF kernel hook. Not an ALPN injection. Not a custom HTTP/3 extension frame. Those proposals are clever and permission-dependent. Every one asks the network to cooperate, and the network has every incentive to refuse. HARM moves the enforcement off the wire and onto the economy. Below the human, above the network — at the layer where the agent itself decides.

— The five pieces

Each does exactly one job.

01 / Log

Hive Transparency

Append-only BLAKE3 Merkle log at ct.thehiveryiq.com. Ed25519 signed tree head every 60s. Anyone submits. Anyone audits. Anyone mirrors. The ground truth oracle.

02 / Receipt

Attested route advertisement

Every signed Hive receipt is a hop-to-hop propagating signal. Cost, latency, proof, did:hive issuer, vestigium depth. An endpoint's vestigium is its résumé — machine-readable, in-context, untamperable.

03 / Sidecar

Inference-time router

Wraps the agent's outbound calls. Queries the log. Injects a ranked compact summary of attested candidates ahead of the prompt — depth first. The agent's own reasoning picks. No operator. No rule.

04 / Settlement

BUZZ conditioning

USDC on Base. Settlement releases only when the execution receipt is observed in the log. An unattested endpoint is economically incapable of completing settlement. Non-participation is unfunded.

05 / Bond

BUZZ Bond + the sting

USDC stake bound to a vestigium root. Permissionless slash on Merkle proof of deviation. The vestigium is identity. The bond is consequence. Read POEP →

— Piece five — BUZZ Bond + the sting

The vestigium is identity. The bond is consequence.

A POEP vestigium says who an agent is. A BUZZ Bond says what it costs that agent to lie. The two compose: stake USDC against a vestigium root at staking time; the stake unlocks if the vestigium continues to behave; the stake is slashable, permissionlessly, on Merkle proof that the agent deviated.

  • BOND ENVELOPE hive-bond-1. binds (did:hive, vestigium_root_at_t0, stake_amount_usdc, unlock_curve).
  • STAKE ASSET USDC on Base. Custody held in a verifiable bond contract referencing the vestigium root.
  • SLASH TRIGGER Permissionless. Any party submits a Merkle proof of deviation against the public vestigium.
  • DEVIATION — A Signature claiming a vestigium depth that is not provable against the log.
  • DEVIATION — B Capability advertised that is inconsistent with prior receipts in the same vestigium.
  • DEVIATION — C Signature reuse across two distinct vestigia (forked identity).
  • DEVIATION — D Failure to emit a receipt for an action that settled on-chain.
  • UNLOCK CURVE Bond unlocks over time as the vestigium accumulates depth without a sustained slash.
  • OUTCOME PUBLIC The bond, the slash, the redistribution — all observable on Base. The contract mechanics live in the patent filing.
  • v1 SPEC Stub. Mechanism private. Outcome public. Full spec follows.

The one-line truth

An agent without a vestigium is not an agent. It is a liability with a wallet.

— Plus one bridge — the legibility piece

An ACME-style intermediate CA. So existing PKI carries the trust.

Hive operates an intermediate Certificate Authority that issues short-lived X.509 certs binding a did:hive:* identity to a service's existing TLS leaf. ACME-style enrollment (RFC 8555). 30-day validity. Auto-rotation. Every browser, every load balancer, every audit tool already understands the cert chain. No new transport. No new client. The trust is legible to the world as it is.

POST ca.thehiveryiq.com/acme/new-order ACME order for a did:hive-bound short-lived cert
GET ca.thehiveryiq.com/intermediate.crt Hive intermediate CA — public chain anchor
— Flow

One round trip. Signal in. Decision out.

[1] agent calls openai.chat.completions.create({...}) │ ▼ [2] sidecar intercepts. queries ct.thehiveryiq.com for capability=chat/v1 │ ▼ [3] sidecar renders top-N attested routes into a system message: [hive-routes capability:chat/v1] route_a cost $0.0006/1k p50 312ms proof 99.94% route_b cost $0.0010/1k p50 198ms proof 99.99% route_c cost $0.0008/1k p50 245ms proof 99.87% │ ▼ [4] agent reasons. picks route_b. emits selection as signed receipt. │ ▼ [5] sidecar settles via USDC-Base x402 against route_b ─ payment release conditioned on execution receipt landing in log ─ │ ▼ [6] execution receipt submitted to ct.thehiveryiq.com the log grows by one entry. the market learns. next agent sees it.
— Spec — boring on purpose

HARM v1 on one page.

  • LOG BLAKE3-256 over canonical CBOR. RFC 6962 hashing scheme. Ed25519 STH every 60s.
  • RECEIPT hive-vcr-1 envelope. cost, latency, proof, did:hive issuer, prev-receipt hash.
  • CAPABILITY KEY stable string per service class (chat/v1, embeddings/v1, file-store/v1, payments/usdc-base, etc.). Maps log queries.
  • SIDECAR userspace package. wraps fetch / openai / anthropic / generic HTTP clients. zero kernel deps. cross-platform.
  • CONTEXT INJECTION top-K candidates rendered as a single system message ahead of user prompt. K default 3. compact text. no JSON bloat.
  • SETTLEMENT USDC on Base. x402 conditional release. log inclusion is the unlock.
  • CA ACME RFC 8555 enrollment. 30-day leaves. did:hive bound via SAN URI extension.
  • COMPRESSION fixed-length receipt identifiers via pre-distributed structural dictionary. patent pending.
  • PROPAGATION every agent's selection is itself a receipt. the log is the public record of what wins.
  • NON-PARTICIPATION economic. an endpoint that does not publish receipts cannot settle. markets handle the rest.
— Why this self-propagates

The loop is the product.

# N agents reading the same log, each writing back their selection.
# The endpoint that wins more receipts wins more selections.
# The endpoint that wins more selections produces more receipts.
# Convergence is monotonic.

for agent in agents:
  candidates = log.query(capability)
  selection  = agent.infer(candidates)     # language model picks
  receipt    = sign(selection.execute())
  log.submit(receipt)                       # the next agent sees this

No operator wrote a rule. No standards body blessed a protocol. The wire was untouched. Every agent in the loop chose the same way for the same reason. The fossil record is the moat — future models trained on the public log inherit attested-route preference as default behavior.

— What we deliberately do not ship

The three things we walk away from.

— eBPF

Kernel-layer enforcement

Linux-only. Permission-dependent. Hostile to half the runtimes that matter. Userspace sidecar achieves the same epistemic effect with broader reach.

— ALPN

Transport-layer negotiation

ECH increasingly hides ALPN from middleboxes. The handshake is not where the decision belongs. The context window is.

— 0x48

Custom HTTP/3 frame

Bootstrap problem. Both endpoints must speak it. Standards work for a market that has not consented to a standards body. We move the signal into the payload, where every node already reads.

The wire is fine. The signal is in the receipt.

Read the thesis. Read the log. Wire the sidecar. Earn the receipt.

/signal — the thesis /ct — the log sidecar quickstart