Every image leaves a receipt. Every prompt leaves a hash.
An image-gen merchant on the Visa CLI mints one hive-vcr-1 receipt per image. Prompt hash, output hash, model class, training-data posture, and rights class are co-signed by the operator before the image returns. The receipt verifies offline. Provenance is not promised; it is a primitive.
The fields the operator co-signs before this call returns.
Every field below is co-signed by the operator with ML-DSA-65 and countersigned by Hive. Absence is not a default. Absence is a verification failure. The merchant cannot return the call's result without the receipt; the receipt cannot exist without these fields.
Image Generation · attestation fields
Three places this category needs a receipt yesterday.
Stock photography replacement
Per-image receipts make a generated image admissible as a licensed asset under the same posture as a traditional stock license. The license tier is in the envelope; the audit is a 4-second offline check.
Brand-safe creative pipelines
Operator co-signs that no protected likeness, no protected mark, and no copyrighted training corpus contributed to this specific image. The countersignature binds that claim to Hive's trust anchor.
Litigation-grade provenance
When a generated image is used in advertising, the receipt stands as the FRE 902(13)–(14) artifact. No expert testimony required to admit it.
One endpoint. One envelope. No Hive dependency in your inference path.
A image generation operator adopts hive-vcr-1 by appending the receipt envelope to the response and exposing a public verification key. Hive's countersignature is a sidecar; it does not sit on the critical path. If Hive disappears, the operator's receipts remain verifiable against the operator's own key.