Payment Healing Rail — receipt-first controls for agentic payments

Heal what's healable. Prove what isn't.

Start Receipting Now → Receipt a payment event See it in Hive Ledger

Receipt a payment intent or event now — pause, quarantine, and recovery controls apply where the rail allows. Healing is a defined spectrum, not universal reversibility: pre-broadcast stop/revoke, escrow or quarantine hold, issuer/custodian freeze if integrated, counter-transfer recovery, or evidence-only after final settlement.

Most agentic-payment safety products either can't act fast enough or pretend blockchain payments are always reversible. Neither is true. Hive receipts every step of an agentic payment — intent, policy check, signature, submission, settlement — and acts exactly as fast, and exactly as far, as each rail actually allows: pause, quarantine, revoke a key, request an issuer freeze, trigger a counter-transfer, or preserve evidence. This is not universal reversibility. Its value is honest classification of recoverability, built on the same signed Receipt Relay and Hive Ledger that underpin the rest of the proof layer.

Read this first — what this is not

Hive does not claim that broadcast, finalized transactions on public blockchains can be reversed. Once a transfer reaches finality on a base-layer public chain, no software layer — Hive included — can claw the assets back without cooperation from whoever now controls them, or without the issuer holding a contractual / technical clawback capability.

Nothing here is a promise of FDIC/SIPC-style protection, Reg E chargeback rights, or guaranteed fund recovery. "Healing" describes a spectrum of outcomes, not a guarantee. The recoverability class of each payment path is shown as a visible property before an incident, not discovered after one.

— The recoverability spectrum

Five real outcomes — never a single undo button.

Recoverability is a property of the rail and the integration depth, not of Hive alone. Every payment path resolves to one of these five outcomes, and Hive states which one applies going in.

Best case
Prevented
Stopped before submission — the strongest control. Duplicate-nonce and sanctioned-destination blocks live here.
Reversible by design
Quarantined
Held in an escrow / hold state during a delayed-settlement window — reversibility is a property of the contract, not the base chain.
Rail-specific
Clawed-back
Reversed via issuer / token-level authority. Rare, contractual, and the issuer's power — never Hive's.
New transaction
Counter-acted
A separate transfer, demand, or claim recovers or offsets value. Not a reversal of the original.
Final transfer
Evidence-only
The transfer is final. Hive produces a forensic, compliance-grade Recovery Receipt to drive human / issuer / regulator recovery.
— The pipeline

The receipt is the control object.

Most fraud systems bolt detection onto a payment after the fact by watching logs. Receipted Payment Healing makes the receipt itself the control object: a payment intent cannot be authorized without first existing as a signed, hashed, policy-evaluated receipt, and every state transition appends to that same chain. That is what makes millisecond response possible — the system isn't searching for what happened, it already holds a live, structured object it is continuously re-scoring.

1
Preflight intent receipt

Who (agent id + human principal), what (amount, asset, destination), why (task / invoice reference), when — signed and hashed before any funds move.

2
Policy check

Spend limits, velocity limits, destination allow / deny lists, jurisdiction rules, dual-control thresholds evaluated against org policy.

3
Risk scoring

Novel destination, invoice text altered vs. last known vendor record, velocity anomaly, poisoned-address near-match — scored in real time.

4
Nonce / intent binding

A single-use payment-intent ID + nonce is bound to the scored intent — not a free-floating amount+address the agent could replay.

5
Submission

Signed and broadcast, submitted to a custodial API, or queued to a processor — the exact payload and timestamp are receipted.

6
In-flight detection

For rails with a pre-settlement window, scoring continues between submission and finality.

7
Action — rail-dependent

Freeze, quarantine, cancel, revoke, escalate, or counter-transfer — only the action the specific rail and stage actually supports. If final, evidence-only.

8
Healing Receipt bundle

One cryptographically chained bundle of every step, including an explicit "no action was technically possible" state where that is the truth.

— Staged roadmap

What is live-eligible today, and what requires partnership.

The stages are ordered by dependency, not hype. Early stages need only Hive-built infrastructure; later stages depend on third parties and, eventually, licensed-entity and regulatory posture.

v0

Receipt-only

Live-eligible today

Hive receipts intent, policy check, submission and outcome for agentic payments across supported rails. No blocking authority. Pure observability and audit trail — this runs on the Receipt Relay that is live today.

What's real at this stage: zero custody, minimal regulatory surface, and the strongest foundation for the Ledger / Verifier architecture.

v1

Preflight / quarantine

Hive-built · roadmap

Hold a payment intent pre-submission pending policy / risk clearance, and route eligible payments through Hive-deployed escrow / quarantine contracts on EVM / Solana where the customer opts in.

What's real at this stage: first real prevention power — but entirely within infrastructure Hive itself deploys or synchronous pre-signature hooks the customer's agent calls. No dependency on a third-party issuer API.

v2

Wallet policy integration

Public smart-wallet ecosystems

Direct integration with account-abstraction / session-key spending policies (ERC-4337 on EVM) and Solana program-based policy accounts, so Hive's risk score is a live input to the wallet's own signature authorization, not just an external advisory.

What's real at this stage: achievable against public smart-contract-wallet ecosystems Hive does not need permission to build against. Wallet-provider SDK cooperation helps but isn't strictly required.

v3

Issuer / processor callbacks

Requires Circle partnership — not today

Formal integration with custodial / issuer platforms (starting with Circle Agent Wallets / Programmable Wallets) so a Hive-detected anomaly can trigger an actual freeze / hold inside the issuer's own systems pre-settlement, and structured freeze-request payloads can be delivered into issuer investigation queues post-settlement.

What's real at this stage: requires Circle (or an equivalent issuer / processor) partnership and API access that does not exist today. This is the outreach conversation, not a shipped capability — an opportunity, not a live integration.

v4

Autonomous recovery agents

Multi-year · licensed entity

SmartRecoveryAgent operates with pre-authorized, policy-bounded autonomy to execute counter-transfers, initiate issuer freeze requests, and coordinate multi-step recovery for defined risk / impact tiers — with full audit receipting throughout.

What's real at this stage: requires the most mature trust, security and regulatory posture — dual control, insurance / liability structuring, and almost certainly a licensed-entity conversation. A multi-year destination, not a near-term milestone.

— Rail-by-rail — do not blur these

Circle · USDC · Solana · EVM

Custodial / issuer rails

Circle / USDC — opportunity, not live

Circle's publicly documented Agent Wallets carry 2-of-2 MPC custody, spending policies, and pre-submission sanctions screening. If Hive were integrated at that layer, its policy engine could sit alongside Circle's checks and withhold authorization before submission.

  • All Circle capability here is conditioned on "if integrated" / "would require" — not a claim Circle has built or endorsed anything
  • Pre-submission is the natural integration point; freezing a Circle transfer needs a Circle-side hook that does not exist today (roadmap v3)
  • Once USDC has moved on-chain, the public-chain finality limits apply — custody of the sending wallet gives no authority over a receiving wallet
  • Today, a Circle/USDC transfer is a self_attested receipt schema on the Receipt Relay
Smart-contract rails

Solana / EVM — quarantine by design

A payment can be routed through a smart-contract escrow that holds funds for a delayed-settlement window before release. This is the cleanest "reversible by design" case, because reversibility is a property of the contract logic — not a claim about the base chain.

  • Session keys / account abstraction (ERC-4337) enforce spend policy before a signature is even produced
  • A session key can be revoked before broadcast — a true prevention control, not a recall of anything already sent
  • Once a tx is in a finalized block, no contract, multisig, or guardian can undo it — only a new tx from whoever now holds the funds
  • An on-chain tx can be receipted and, via the relay, escalated to chain_verified on a read-only RPC lookup
Clawback-capable tokens — stated accurately

Some regulated / permissioned tokens include an issuer-controlled freeze or blacklist function at the contract level. This is issuer authority, not a Hive capability. Hive's role would be to detect and receipt an incident fast enough to make an issuer freeze request actionable — before funds are moved onward. The tokens sit frozen in the recipient's wallet; they are not automatically returned. Hive never describes this as "Hive can reverse a stablecoin transfer." The accurate claim is: "Hive can detect and receipt the incident fast enough to support an issuer freeze request within the window before the tokens are moved again."

— What Hive can promise today vs. what needs partnership

The honest capability table

CapabilityHive-built infra onlyNeeds third party
Receipting every intent / action / outcomeYes
Risk scoring and anomaly detectionYes
Pre-signature blocking via Hive-deployed escrow / policy contractsYes
Duplicate / nonce-based double-payment preventionYes
Poisoned-address similarity flaggingYes
Session-key / account-abstraction policy integrationPartial (public smart-wallet ecosystems)Wallet SDK helps
Freezing a Circle-custodied wallet mid-flightRequires Circle API / partnership
Issuer-side token clawback / blacklist triggerRequires issuer authority + process
Bank / ACH recall executionRequires bank / processor API
Reversing a finalized public-chain transferNot possible for anyone, on any rail
— Compliance posture

Receipt / policy / detection only — no custody by default

The safest initial architecture is receipt, policy and detection only — no custody, no fund control. Hive advises and triggers actions through the custodian's or issuer's own APIs; it does not hold funds. Any screening Hive adds is described as additional / defense-in-depth, not a replacement for issuer-native sanctions and AML screening. Hive avoids language implying Reg E-equivalent guarantees — that liability structure belongs to the licensed / regulated entity in the flow. A control plane with freeze / counter-transfer power is itself a high-value target, so its own key management, action authorization and dual-control posture must be at least as rigorous as the rails it protects.