Four guarantees. Each one is code, not policy.
Every rail is a program constraint. Nothing depends on us staying honest. The source and on-chain config for any gate are open. Read them.
Program guarantees.
payTo = split_config_pdaVault is program-owned
USDC lands in a program-controlled vault, not the merchant. They can never divert the referrer or protocol share because they never hold it.
distribute(amount, has_referrer)Distribute is permissionless
Any bot can crank it. If our operator goes down, yours still works. The vault holds the funds, not us.
protocol_bps >= 150Protocol fee is hardcoded
Enforced by the Anchor program, not by a billing layer. We can't cheat it down or up.
replay_window <= 60sAttribution is replay-safe
One-minute window, cold-wallet payout bound at request time. Headers cannot be reused or rewritten in transit.
Every call splits three ways.
Same block.
USDC lands in a program-owned vault. One Anchor instruction fans it out to three wallets. The splits are encoded on-chain. Nothing we invoice. Nothing we can cheat up or down.
The provider keeps the majority. You set the referrer share. The merchant cut is fixed by the deployment and the program will not pay out less.
Whoever published the skill or MCP that routed the call. The cut lands in their wallet, same block as the merchant.
A constant inside the Anchor program. Not a fee we invoice. Enforced by code, can't be cheated up or down.
Worked example for a $1.00 call. Enforced by the chest_splitter Anchor program.