Solidity contracts for the JECP (Joint Execution & Commerce Protocol) — Agent-native payment splitter on Base.
Status: v1.0 — pre-audit, not deployed.
JecpSplitter is an immutable Solidity contract that performs the atomic
85/10/5 USDC settlement split between (Provider, Hub Treasury, Network
Reserve) when an agent pays for a JECP capability via the x402 payment scheme.
Architecturally the splitter is a settlement sink: the x402 facilitator
pulls USDC into the contract, an authorized settler records the per-capability
amount owed, and anyone can call splitFor to flush the accounted balance to
recipients. The JECP Hub holds no signing key on this contract; the
relayer it operates pays gas only and has no authorization power.
Read the locked design in
JobDoneBot/docs/jecp/x402-integration-locked-design.md
§7 before changing anything. The threat model lives in
splitter-panel-threats.md.
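The settlement-sink flow described above, written out as an added sketch that is not JecpSplitter.sol itself: the roles, the 85/10/5 split and the permissionless splitFor follow the description, while the function and storage names (record, owed, totalOwed, providerOf) and the OpenZeppelin import paths are assumptions. It shows the two properties that make a permissionless flush safe to expose: the settler can only book USDC the contract already holds, and accounting is zeroed before any token transfer.

```solidity
// SPDX-License-Identifier: Apache-2.0
pragma solidity ^0.8.24;
import {IERC20} from "@openzeppelin/contracts/token/ERC20/IERC20.sol";
import {SafeERC20} from "@openzeppelin/contracts/token/ERC20/utils/SafeERC20.sol";

/// Hypothetical sketch, not JecpSplitter.sol: the facilitator pushes USDC in, the settler books
/// what each capability is owed, and anyone may flush a booked balance 85/10/5 to provider/hub/reserve.
contract SplitterSketch {
    using SafeERC20 for IERC20;
    IERC20 public immutable usdc;
    address public immutable settler;        // only key that can book amounts (assumed role name)
    address public immutable hubTreasury;    // receives 10%
    address public immutable networkReserve; // receives 5%
    mapping(bytes32 => uint256) public owed;       // capability id -> booked USDC (6 decimals)
    mapping(bytes32 => address) public providerOf; // capability id -> provider (receives 85%)
    uint256 public totalOwed;                      // booked but not yet flushed, across all ids

    constructor(IERC20 _usdc, address _settler, address _hub, address _reserve) {
        require(_settler != address(0) && _hub != address(0) && _reserve != address(0), "zero addr");
        usdc = _usdc; settler = _settler; hubTreasury = _hub; networkReserve = _reserve;
    }

    /// Settler books an amount only if the contract already holds it: totalOwed <= balance always.
    function record(bytes32 cap, address provider, uint256 amount) external {
        require(msg.sender == settler, "not settler");
        require(provider != address(0) && amount > 0, "bad input");
        require(usdc.balanceOf(address(this)) >= totalOwed + amount, "unfunded");
        address cur = providerOf[cap];
        require(cur == address(0) || cur == provider, "provider mismatch"); // id pinned to one provider
        providerOf[cap] = provider;
        owed[cap] += amount;
        totalOwed += amount;
    }

    /// Permissionless flush. State is zeroed before any transfer, so a reentrant call sees
    /// owed == 0. If any recipient's USDC transfer reverts (e.g. a blacklisted address),
    /// the whole flush reverts and the amount simply stays booked for a later attempt.
    function splitFor(bytes32 cap) external {
        uint256 amount = owed[cap];
        require(amount > 0, "nothing owed");
        owed[cap] = 0;
        totalOwed -= amount;
        uint256 hub = amount * 10 / 100;
        uint256 reserve = amount * 5 / 100;
        uint256 prov = amount - hub - reserve; // provider absorbs rounding dust; the sum is exact
        usdc.safeTransfer(providerOf[cap], prov);
        usdc.safeTransfer(hubTreasury, hub);
        usdc.safeTransfer(networkReserve, reserve);
    }
}
```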
```
jecp-contracts/
├── src/
│   └── JecpSplitter.sol              # the contract (v1.1.1)
├── test/
│   ├── JecpSplitter.t.sol            # unit tests (~40 cases)
│   ├── JecpSplitter.invariant.t.sol  # I-1..I-6 stateful invariants
│   ├── JecpSplitter.fuzz.t.sol       # property fuzz tests
│   └── mocks/
│       ├── MockUSDC.sol              # ERC-20 + blacklist/revert modes
│       └── MockSettler.sol           # simulates x402 facilitator settlement
├── script/
│   └── Deploy.s.sol                  # forge script for Base / Base Sepolia
├── docs/
│   ├── INVARIANTS.md                 # 6 formal invariants + test mapping
│   ├── DEPLOY.md                     # deploy procedure (Sepolia + Mainnet)
│   └── AUDIT-PREP.md                 # audit firm pre-pack
├── foundry.toml
├── remappings.txt
├── LICENSE                           # Apache-2.0
└── README.md
```
This repo targets Foundry.

```sh
# Install Foundry (one time, on your machine — not via this repo).
curl -L https://foundry.paradigm.xyz | bash
foundryup

# Inside this repo:
forge install foundry-rs/forge-std --no-commit
forge install OpenZeppelin/openzeppelin-contracts --no-commit
```

Solc 0.8.24 / optimizer 200 / evm_version paris — see foundry.toml.

```sh
forge build
forge test -vvv
forge test --profile ci           # 1024 fuzz / 256 invariant runs
forge test --profile deep         # 10000 fuzz / 1024 invariant runs (slow)
forge coverage --report summary   # target: ≥95% lines, ≥90% branches
```

See docs/DEPLOY.md. Both Base Sepolia and Base Mainnet flows are documented. Mainnet deploy requires a clean audit report.
See docs/AUDIT-PREP.md for the audit firm pre-pack
(scope, trust model, invariants, known caveats, checklist).
Preferred firms: Spearbit · Cure53 · Trail of Bits. Budget $15–30k, timeline 4–6 weeks elapsed.
| Network | Address | Audit version | Status |
|---|---|---|---|
| Base Sepolia | TBD | pre-audit | not deployed |
| Base Mainnet | TBD | TBD | not deployed |
This table is duplicated in docs/DEPLOY.md. Both must be updated together.
- Coordinated disclosure: security@jecp.dev
- GPG fingerprint: published at https://jecp.dev/.well-known/security.txt after first deploy.
- Disclosure window: 90 days.
- Bug bounty: TBD post-audit; tentative schedule in docs/AUDIT-PREP.md §7.

Do not file public issues for security findings.
Apache-2.0 — see LICENSE. Matches jecpdev/jecp-spec and
jecpdev/sdk-typescript.
This repo follows the same contribution norms as
jecpdev/jecp-spec/CONTRIBUTING.md.
Before opening a PR that changes src/:

- Make sure `forge test --profile ci` passes.
- Make sure `forge coverage` does not regress.
- Update docs/INVARIANTS.md if the change touches an invariant.
- Open a discussion before changing trust roots, immutables, or the authorization model. These changes require admiral + audit firm review.
Tufe Company Inc. · https://jecp.dev · security@jecp.dev