Eliro·
Enter
.001The System

Seven primitives.One discipline.

The reserve holds capital. The other six instruments compose the grammar of programmable custody. When an agent may spend, where it may spend, how much, and under what supervision. Each one is opt-in. Each one is enforced by the runtime.

Enter Eliro
Reserve·Lane·Governance·Roster·Hours·Replenish·Quorum·Reserve·Lane·Governance·Roster·Hours·Replenish·Quorum·
.01Programmable custody

Reserve.

One vault. No private key. Every move bound by code.

The reserve is a single program-derived address. A custody account that nobody can sign for, including you. Capital moves only when the program authorises it, against rules stored on the chain. The reserve is the spine; everything else is grammar around it.

Specification

  • PDA. Derived from authority
  • Anchor program · 0.32.1
  • USDC · SPL token
  • Verifiable bytecode

Each agent receives its own deterministic ledger.

Lanes are sub-accounts within the reserve, addressed by a deterministic derivation from the reserve and a label. They hold balance, count transactions, and carry their own constraint envelope. Lanes are sovereign. One agent cannot reach another's funds.

Specification

  • Deterministic PDA
  • Per-lane balance + counter
  • Pause / resume / close
  • Computable off-chain
.02Per-agent isolation

Lane.

.03Atomic spending rules

Governance.

Per-transaction maxima. Rolling daily caps. Atomic enforcement.

Every payment is verified against governance rules in a single instruction. Per-tx and rolling 24-hour caps are kept on-chain and reset by the Solana clock. Fail one. The entire transaction reverts. There is no partial spend, no race, no off-chain queue.

Specification

  • Max per transaction
  • Rolling 24h cap
  • Lifetime budget
  • Atomic revert on fail

An on-chain allowlist. Anything else is rejected.

Every outbound payment is checked against a roster of approved addresses, each entry tagged with a human-readable label. The roster is mutable, but only by the authority. A compromised agent literally cannot pay an unapproved address. The program will not sign.

Specification

  • On-chain entries
  • Labels per address
  • Mutable by authority
  • Checked atomically
.04Approved counterparties

Roster.

.05Time-bounded operation

Hours.

Draw the windows. The chain enforces them.

Time rules use Solana's on-chain clock as truth. Define windows in UTC. Weekdays 09–17, no weekends, whatever shape. And any transaction outside the window is rejected. Multiple windows compose. Even if the agent's server is offline, the clock still discipline applies.

Specification

  • UTC windows
  • Day-of-week filter
  • Solana Clock sysvar
  • Composable

Lanes refill themselves before they run dry.

Set a floor on any lane. When the balance crosses below, the program refills it from the reserve up to a target. Anyone can crank the instruction. The rules are on-chain. But only the program can move the funds. Agents never stop because they ran low.

Specification

  • Floor + target
  • Permissionless crank
  • Refilled from reserve
  • Zero downtime
.06Self-healing balances

Replenish.

.07Multi-signer threshold

Quorum.

High-value movements require m-of-n.

Above a threshold you define, payments need quorum approval. A proposal account is created on-chain, signers approve, and once the threshold is met anyone can execute. Proposals expire. Signer sets are stored on-chain. Not on a server, not in a database.

Specification

  • m-of-n approvals
  • On-chain proposal
  • TTL · expiring
  • Signer rotation
.002Postscript

Composition, not configuration.

Eliro does not ask you to choose a tier. It asks you to choose a posture. Compose the primitives. Strict or open, narrow or wide. Each lane has its own constitution. Each constitution can be amended. The chain remembers everything.

Enter EliroRead the manual