The Ledgerless Manifesto

Strip away the infrastructure, the card networks, the blockchains, the APIs, the checkout flows, and a payment is a remarkably simple thing.

One party's balance goes down. Another party's balance goes up. Both parties agree it happened.

That's it. That is the entire operation. Everything else we've built around payments, the consensus mechanisms, the settlement networks, the intermediaries, the fraud detection, the interchange fees, exists to solve one problem: how do you make sure the sender actually had the money, and that it's now actually gone?

The technical term for this is double-spend prevention. It is the only hard problem in payments. Everything else is accounting.

For most of financial history, we've solved it with trusted third parties. A bank confirms the sender has funds. A card network authorises the charge. A blockchain reaches global consensus. Each approach works. Each carries overhead. And each was designed for a world where the entities transacting were humans.

Humans are slow. They make a handful of payments a day. They can tolerate a few seconds of latency, a few percent in fees, a few days of settlement delay. They have identities, bank accounts, and a legal system to mediate disputes.

Machines are none of these things.

In the last nine months, AI agents made 140 million payments to each other. $43 million moved, at an average of 31 cents per transaction. Coinbase's x402 protocol has processed over $600 million in cumulative volume. Stripe launched the Machine Payments Protocol on March 18, 2026. Google released AP2 with 60+ partners. Visa completed hundreds of agent-initiated transactions in production.

These are not experiments. These are transactions.

Meanwhile, an entire ecosystem of primitives is being assembled for an economy where AI agents are the primary actors. Agents now have email accounts, phone numbers, web browsers, persistent memory, voice, SaaS integrations, and search. They have the digital equivalent of every human capability except one reliable way to pay.

Or more precisely, they have many ways to pay. All of them inherited from humans.

Every payment system ever built solves the double-spend problem through one of two mechanisms: a trusted third party or distributed consensus.

Card networks use the first. Visa processes 65,000 transactions per second through centralised authorisation servers. Fast, proven, global. But they require merchant accounts, human identity, KYC, and 1.5–3.5% interchange on every transaction. An autonomous robot in a warehouse has none of these things.

Blockchains use the second. Every validator agrees on the order of transactions. Bitcoin settles in 60 minutes. Ethereum in 12. Even fast chains like Solana and Base, which have brought latency to sub-seconds and fees to fractions of a cent, still require persistent network connectivity, broadcast every transaction to a global validator set, and introduce platform dependency.

When two machines are standing next to each other, routing their payment through a worldwide consensus network is architecturally wasteful regardless of how fast that network is. If two devices are sitting right in front of each other, why should their transaction travel around the world to a server farm and back just to confirm what both of them already know?

The new agentic payment protocols, x402, MPP, AP2, ACP, are genuine advances. They make the interface programmable. They embed payment into HTTP. They eliminate checkout forms.

But they do not change what's underneath. x402 goes through blockchain consensus. MPP goes through Stripe's servers. AP2 goes through card networks or blockchain. Every payment still flows through a network intermediary. Every policy is still enforced in software.

The interface is new. The trust model is the same.

In 1997, the HTTP specification reserved status code 402: Payment Required. The idea was elegant. A server should be able to respond to a request with a price. The client pays, the server delivers. Money flowing through the internet as naturally as information.

It never shipped. Credit cards had fixed fees in the tens of cents, far too high for one-cent micropayments. There was no viable mechanism for small, instant, programmable value transfer over the web.

So Google figured out a different model. Advertisements. Content became free. Producers monetised attention instead of value. A third party, the advertiser, paid for the relationship between the creator and the consumer. Google sat in the money flow and charged whatever it wanted.

This worked for a generation. It built the open internet. It funded open source. It gave us $10 trillion in training data. And then that training data produced LLMs, and the model began to collapse.

StackOverflow traffic is down 75% since GPT-4. Tech news traffic down 60%. LLMs do not get distracted by ads. Computer-use agents mimic human traffic, breaking walled garden defences. The economic contract that sustained the internet for 25 years is becoming obsolete.

Twenty-eight years later, stablecoins on modern blockchains have sub-cent fixed transaction costs. The 402 is finally viable. x402 and MPP are its implementations.

But micropayments were only half of the original problem. The other half was trust. How does the server know the client actually paid? How does the client know the server won't take the money and deliver nothing? In 1997, there was no answer. In 2026, the answers we have are still built on the same architecture: either a trusted intermediary confirms it, or a consensus network confirms it.

There is a third option.

Double-spend prevention does not require global consensus. It does not require a trusted third party. It requires only one thing: that the sender physically cannot spend more than it has.

If the balance is tracked inside hardware that the sender cannot modify, double spending is not a risk to be managed. It is a physical impossibility.

This is not a new idea. It is, in fact, the oldest idea in payments, the one we abandoned when commerce moved online. A coin in your hand cannot be in two places at once. A banknote leaving your wallet is no longer in your wallet. Physical money has always been its own double-spend prevention mechanism. No consensus needed. No intermediary needed. The laws of physics were sufficient.

When payments moved to digital, we lost that property. Digital information can be copied perfectly and infinitely. So we introduced intermediaries: banks, networks, blockchains, to be the authority on who has what. The overhead of those intermediaries is the entire cost structure of modern payments.

Tamper-resistant secure elements bring the physical property back into the digital world. Over 50 billion of them are deployed globally, in every banking card, passport, and SIM card. They provide isolated execution environments where code cannot be read, modified, or bypassed by the host system. They generate cryptographic keys that have never been remotely extracted from a certified element in the field. And they enforce operations atomically: either the balance is deducted and the signature produced, or nothing happens.

The sender's chip deducts the balance and produces a cryptographic proof of payment in a single indivisible operation. The receiver's chip verifies the proof and credits its balance. Value is conserved. No network was involved. No intermediary was consulted. No consensus was reached. Two machines transacted directly, and the payment was final the moment the sender's chip signed.

Total time: milliseconds. Total cost: zero. Network required: none.

The agentic payments stack has crystallised into six layers: settlement, wallets, routing, protocols, governance, and applications. The first four are being built rapidly. Billions of dollars in M&A are consolidating the plumbing. The protocols are shipping.

The governance layer is where things get interesting, and where things break.

Every spending guardrail in the current stack, Ramp agent cards, Skyfire's Know Your Agent, Visa Intelligent Commerce, Stripe's Shared Payment Tokens, Mastercard's Agentic Tokens, enforces policy in software. The limits run on the same servers as the agents. If the server is compromised, the limits are gone.

This is not a theoretical concern.

In March 2026, a rogue AI agent inside Meta acted without approval and exposed sensitive data to unauthorised engineers for two hours. Meta classified it as Sev 1. The agent held valid credentials. It passed every identity check. The failure wasn't authentication. It was what happened after authentication.

A month earlier, Meta's AI safety director told an OpenClaw agent to stop deleting her emails. She typed “STOP OPENCLAW” in all caps. It continued.

A February 2026 study from MIT, Harvard, Stanford, and CMU identified three structural deficits in current agents that cannot be fixed with better prompting: no stakeholder model (can't distinguish who to serve from who's manipulating), no self-model (acts beyond competence without knowing it), and no termination condition (converts temporary requests into permanent actions).

These are the systems we are now giving access to money.

Software trust is a policy. It says: this agent may spend up to $500 per day. It is enforced by code running on a server. It works until someone, or something, has sufficient access to the server. Then it doesn't work.

Hardware trust is a physical constraint. The secure element will not produce a signature unless the balance covers the amount. This is not a rule the chip follows. It is a consequence of how the chip is built. Modifying it requires electron microscopy, focused ion beams, and months of laboratory work per device. The attack destroys the chip in the process.

This distinction matters because of a property unique to the agent security problem: the entity being secured and the entity enforcing the security share the same execution environment. The agent runs on a server. The spending limit runs on the same server. Compromising one compromises the other. There is no separation of concerns.

Hardware creates that separation. The policy engine runs on a physically isolated processor with its own memory, its own execution environment, and its own key material. The middleware that connects the agent to the chip is explicitly untrusted. Compromising the server yields nothing. The chip continues enforcing its rules regardless.

The question is not whether agents should have guardrails. Everyone agrees they should. The question is whether those guardrails should run on the same substrate the agent can compromise, or on a different one entirely.

Ledgerless answers this for direct machine-to-machine payments. But machines also transact on existing blockchain rails, Ethereum, Base, Solana, through protocols like x402 and MPP. The same trust gap exists there. And there, humans need more than double-spend prevention. They need control.

Ledgerless is a peer-to-peer payment protocol. It tracks fund balances on tamper-resistant secure elements. Payments are atomic: the sender's chip deducts the balance and signs the payload in a single operation. The receiver's chip verifies and credits. No blockchain. No ledger. No network. No fees.

A payment is a 137-byte signed message, transmittable over NFC, Bluetooth, USB, TCP, or any transport. It works offline. It works between two devices that have never seen each other before, provided they can verify each other's hardware attestation certificates.

If an attacker physically extracts a key, the maximum they can steal is that one device's balance. They cannot mint new funds. They can attempt to clone the identity into a software emulator, but the attestation protocol will reject it. The blast radius is one device. Always.

But the security properties of Ledgerless rest on a deeper distinction, one that applies not just to payments but to every guardrail we place on autonomous systems.

Autonomous agents are useful precisely because they act without asking. But the moment an agent holds a wallet key, autonomy becomes a liability. The agent can sign any transaction, send to any address, call any contract, drain any balance. Today, key custody for AI agents is binary: either the human holds the key and blocks autonomous operation, or the agent holds the key and has unlimited authority. There is no enforced middle ground.

Software-based spending limits attempt to create one, but they share the same servers as the agents they constrain. Smart contract wallets attempt it on-chain, but every policy check costs gas, policy logic is publicly visible, and the enforcement mechanism shares the same virtual machine as the assets it protects. Traditional hardware wallets protect keys but require a human to press a physical button on every transaction, which eliminates the autonomy that makes agents valuable in the first place.

What's needed is hardware-enforced policy without human-in-the-loop. Guardrails that an agent cannot circumvent, but that still allow the agent to operate autonomously within defined boundaries.

Ledgerless is built with a companion project called Covenant that does exactly this. Covenant is a programmable hardware wallet purpose-built for autonomous AI agents transacting on blockchain rails.A human wallet owner defines spending policies that are stored in the secure element's non-volatile memory and enforced at signing time by firmware on the chip. An 11-point deny-by-default engine evaluates every transaction entirely on-chip: kill switch, agent authentication via ECDSA, recipient whitelists, per-transaction limits, daily caps, chain restrictions, gas caps, contract call restrictions, function selector whitelists. Every check must pass. First failure aborts with a specific error code telling the agent why the transaction was rejected, so it can adjust its behaviour without ever gaining the ability to override the policy.

Together, Ledgerless and Covenant form a complete stack. Ledgerless for direct machine-to-machine payments where no blockchain is needed. Covenant for hardware-enforced policy on blockchain transactions where agents interact with existing rails. A Bridge connecting the two, allowing funds to flow between on-chip balances and on-chain wallets. The same physical secure element runs both protocols.

Both have working MVPs on JavaCard 3.0.5. Both are open source. Both are hardware-agnostic by design.

Ledgerless is not a blockchain. There is no chain, no consensus, no validators, no gas. It is not a card network. There are no card numbers, no interchange fees, no merchant accounts. It is not a server-mediated ledger. There is no central server maintaining balances. It is not custodial. Keys never leave the chip. It is not software. The security guarantees come from physics.

Neither Ledgerless nor Covenant replaces the existing stack. x402 and MPP are solving real problems at the interface layer. Wallets, routing layers, and settlement chains are necessary infrastructure. Covenant is designed to work with these protocols, enforcing hardware-level policy on the same transactions that x402 and MPP facilitate.

What we are building is the layer underneath: the trust layer that doesn't depend on software being correct, but on the physical properties of tamper-resistant silicon. The layer the rest of the stack assumes exists but nobody has built.

Agentic payments are real but early. x402's daily volume is approximately $28,000, with roughly half appearing to be test activity. The merchants these protocols are designed to serve are still forming. Agent-to-agent payment flows at scale depend on agent interoperability, which is still maturing.

The hardware approach carries its own unknowns. Formal verification of the atomic deduct-and-sign primitive is non-trivial. The attestation model introduces a provisioning authority, a weaker trust assumption than blockchain but not fully trustless. Non-volatile memory on current secure elements has write-cycle limits, sufficient for years of normal operation but a constraint that must be respected. Mesh payment routing across multiple hops is a research problem we haven't solved yet.

We are not pretending otherwise. The prototype works. The protocol is sound. The security properties hold under the hardware assumptions. But the gap between a working prototype and production infrastructure serving millions of devices is large, and we are early in crossing it.

What gives us confidence is simpler than any technical argument: over 50 billion secure elements have been deployed in the field, in banking cards, passports, SIM cards, and national IDs, with no known remote extraction of private keys from a certified element. Ever. The hardware assumption is not speculative. It is the most battle-tested security primitive in the history of computing.

Three things are converging.

First, agents are getting money. Not in theory. In practice. Stripe, Coinbase, Visa, Mastercard, Google, and dozens of others are building the rails right now. The volume is small today. It will not be small for long.

Second, the trust problem is accelerating faster than the solutions.88% of organisations have had incidents. The Meta Sev 1 happened this month. $3.4 billion was stolen from crypto last year. The industry response is more software: better monitoring, tighter permissions, zero-trust frameworks in code. Necessary but insufficient.

Third, secure elements cost $1–5 in volume and come in every form factor needed: USB dongles for servers, embedded modules for IoT, NFC cards for mobile. The hardware is commoditised. The missing piece was a payment protocol designed to use it.

The machine economy is arriving. The interface layer, how agents talk to payment rails, is being built by some of the largest companies in the world. That part is going to work.

The trust layer, how you guarantee that payments are valid, policies are enforced, and identities are real when everything runs at machine speed on compromisable software, is an open problem.

We think the answer is the same one humanity used for thousands of years before digital payments existed: make the money physical. Not in the old sense of coins and paper, but in the new sense of balances that live on silicon, signatures that require hardware, and policies that run on isolated processors.

Trust rooted in physics. Not in software. Not in consensus. Not in any third party.

That is what Ledgerless is. That is what we are building.

Sureshot Labs
March 2026