Bound

Bound is the trust policy layer for AI agent spending and delegation. Instead of asking "will this agent behave well?", Bound asks "does the surrounding system make worst-case loss acceptable?"

An AI agent that needs to make autonomous payments gets a certificate attesting to its containment architecture: smart contract spending limits it cannot modify, locked USDC reserves, auditor with staked capital, and Ledger hardware co-signatures for large transactions. Counterparties verify the certificate on-chain and transact with quantifiable risk.

The protocol has a 12-stage certificate lifecycle — from building containment, through independent auditor attestation with staked capital, to on-chain publication, active verification, and post-expiry settlement with challenge windows. Three certificate classes (C1 self-attested, C2 auditor-verified, C3 composition-analyzed) offer increasing rigor with higher reserve ratios and stake requirements. A game-theoretic challenge mechanism with automated slash distribution (30% challenger, 50% verifier pool, 20% burned) ensures dishonest audits are never profitable. The demo shows the full flow: an agent making payments within limits, Ledger co-signing large transactions, and the protocol blocking an over-limit payment — the cage holds.

Six Solidity contracts (CCPRegistry, SpendingLimit, ReserveVault, AuditorStaking, ChallengeManager, FeeEscrow) deployed on Hedera Testnet via Foundry, all verified on Sourcify. The SpendingLimit contract implements a dual-signature model — agent signs alone below $5k, Ledger hardware co-signs above — making constraints truly agent independent. ReserveVault locks exogenous USDC collateral that cannot be withdrawn while a certificate is active. The slash distribution in AuditorStaking is on-chain and automatic.

The agent layer is TypeScript using Hedera SDK for HCS event logging, viem for EVM contract interaction, and @ensdomains/ensjs for cross-chain discovery — counterparties resolve an ENS name on Sepolia, read CCP text records pointing to Hedera, and verify everything on-chain without needing Hedera RPC directly. The agent also runs as an MCP server (Model Context Protocol) with 30+ tools, so AI models like Claude can natively verify certificates and execute constrained transactions.

The docs/dashboard are Next.js 16 with Fumadocs, featuring a live protocol explorer that reads contract state via viem. Ledger signing is simulated with a separate private key for demo but the architecture is structured for trivial swap to real @ledgerhq/device-management-kit calls. HCS publishing is non-fatal for testnet resilience. The entire 7-phase demo runs end-to-end: auditor attestation with stake, certificate publication, ENS-based verification, small payment (agent alone), large payment (Ledger co-signed), blocked over-limit payment, and HCS timeline proof.