The Visa CLI Receipt envelope, in one document.
hive-vcr-1 is the minimum-viable envelope for proving that an AI merchant call on the Visa Commerce Layer for Intelligence actually happened the way the merchant says it happened. It is MIT-licensed. It signs with ML-DSA-65 (NIST FIPS 204). It is admissible under FRE 902(13)–(14) without expert testimony. It does not require a Hive endpoint to verify.
The 30 fields a Visa CLI Receipt must carry.
Every field below is mandatory. Absence is not a default; absence is a verification failure. The envelope is JSON, sorted-key canonicalized (RFC 8785), then signed.
// hive-vcr-1 · canonical envelope · MIT { "spec": "hive-vcr-1", "version": "1.0", "receipt_id": "vcr_01J9V...", "issued_at": "2026-05-28T17:24:00Z", "visa_auth_ref": "vca_...", // Visa CLI authorization reference "merchant": { "id": "merchant_...", "category": "image-gen | music-gen | datasets | llm | code-gen | video-gen | voice | embeddings | search | compute", "endpoint": "https://..." }, "request": { "hash": "sha256:...", "redaction": "none | pii-redacted | sealed" }, "response": { "hash": "sha256:...", "bytes": 12345, "redaction": "none | pii-redacted | sealed" }, "operator_attestation": { "model_class": "" , "region": "us-east | eu-west | ...", "hardware_class": "H100 | H200 | TPU-v5 | CPU", "training_region": "us | eu | none-disclosed", "rights_class": "licensed | open | mixed", "signature": "ml-dsa-65:...", "key_id": "did:hive:operator-..." }, "settlement": { "asset": "USDC", "chain": "base", "tx_hash": "0x...", "amount_minor": 10000, "currency_minor": "USDC-6" }, "countersignature": { "issuer": "did:hive:hivetrust-issuer-001", "signature": "ml-dsa-65:...", "public_key": "ed25519:i6-Wo01AwSD1eAhSSC3e3VCTEYFXehGNOVdC5iobuBc" } }
What a verifier must do, and what it must refuse to do.
Canonicalize, then verify the operator signature.
Re-serialize the envelope using RFC 8785 JSON canonicalization, exclude the two signature blocks, hash with SHA-256, verify operator_attestation.signature against operator_attestation.key_id using ML-DSA-65. Failure is rejection.
Verify the Hive countersignature independently.
The countersignature is independent. It binds the operator's signed envelope to a Hive-issued trust anchor. The verifier MUST NOT require a network call to perform this check; the public key is pinned.
Confirm settlement on-chain.
Settlement.tx_hash MUST resolve to a successful USDC transfer on Base, amount_minor MUST match the receipt, and the recipient MUST be the merchant's published settlement address. Mismatch is rejection.
Bind to the Visa authorization.
visa_auth_ref MUST be present and MUST match a Visa-CLI-issued authorization. The receipt is not a substitute for the Visa-rails authorization; it is the proof artifact bound to it. Receipts without a visa_auth_ref are out-of-spec.
Self-authenticating, by design.
A hive-vcr-1 receipt is constructed to satisfy Federal Rules of Evidence 902(13) (records generated by an electronic process) and 902(14) (data copied from an electronic device, file, or storage system, authenticated by a digital identification). The signing scheme is NIST FIPS 204 (ML-DSA-65), the integrity primitive is SHA-256 (NIST FIPS 180-4), and the canonicalization is RFC 8785. Nothing about admissibility depends on Hive remaining operational. Nothing depends on a custodian. The artifact stands on its own.
MIT. No patents asserted against compliant implementations.
hive-vcr-1, its reference verifier, and the canonical envelope schema are published under the MIT License. Hive does not assert any patent against a compliant implementation of the spec, whether minted by a merchant, an operator, or an independent verifier.