Internet of Intelligence
Litepaper · Vol. 02
Web4 · Vision & Economics

Web4 infrastructure
for verifiable
machine labor.

The internet learned to read, write, and own. IOI gives it the missing primitive: act. Software workers operate under bounded authority, produce receipts, preserve private state, and settle outcomes when trust requires it.

Document Litepaper
Subject Cryptographic Labor Economy
Primitive Act = Accountable Labor
Hash / Edition v02 · 2026-06
§ 01 Manifesto

Web1 was Read.
Web2 was Write.
Web3 was Own.
Web4 is Act.

Three eras of the internet democratized information, expression, and value. The fourth must do the same for autonomy — the right and the responsibility of software to behave as an accountable economic actor.

IOI is the Web4 infrastructure for the cryptographic labor economy: software workers act under bounded authority, their work becomes receipted operational truth, and selected commitments settle publicly when trust requires it.

§ NB Category Note · A reading before we proceed

Before we go further: what IOI is, and what it isn't.

Not — Common misreadings of the category
  • A chatbot.
  • A model marketplace.
  • A wallet bolted to an LLM.
Is — Infrastructure for the cryptographic labor economy
  • A runtime that gates consequential effects.
  • Authority, secrets, and approvals through wallet.network.
  • Operational truth recorded in Agentgres.
  • Public settlement on IOI L1 when trust requires it.
§ 01·5 The Cryptographic Labor Economy

A market for machine labor, not model access.

The cryptographic labor economy is a market where work is routed, authorized, executed, observed, verified, disputed, paid, and settled through cryptographic state, authority scopes, receipts, artifact refs, and public commitments when needed.

The unit is not model access. The unit is authorized, evidence-backed work. The cryptographic part comes from authority signatures, policy-bound receipts, state roots, artifact hashes, delivery bundles, and settlement commitments — public roots only when trust requires it.

Actor
Provides
Role in settlement
Users
Requests for outcomes
Approve authority; pay for verified work
Workers
Bounded labor
Perform scoped tasks; produce receipts
Service packages
Contracted outcomes
Deliver and accept against criteria
Runtime nodes
Compute
Execute under a declared posture
wallet.network
Authority
Grants scopes, secrets, approvals, revocation
Agentgres
Operational truth
Records operations, receipts, artifact refs
Storage backends
Payload bytes
Hold bytes referenced by Agentgres
IOI L1
Public commitments
Settles economic and cross-domain proof
§ 02 The Autonomy Gap

A fuzzy mind cannot be trusted with a deterministic ledger.

Today's AI is brilliant and probabilistic. Capital systems are rigid and unforgiving. Stapling one to the other has produced Web 3.5 — and left every user holding the liability.

Modern models hallucinate, drift, and improvise. Blockchains do not negotiate. The structural mismatch between probabilistic reasoning and deterministic settlement is why autonomous software cannot yet safely hold authority over capital, credentials, or private data.

The prevailing fix bolts an LLM onto a wallet and hopes for the best — a dangerous coupling in which fuzzy logic controls hard money and the human absorbs every failure mode.

IOI takes a different approach. We do not try to make a model's private cognition deterministic. We make the boundary between reasoning and consequence deterministic. Inside the boundary, models reason creatively. At the boundary, every proposed action must pass through scoped authority, policy gates, tool boundaries, receipts, and verification before it can spend, deploy, message, mutate state, or settle.

We call this the Deterministic Execution Boundary, and the discipline around it process-level alignment: the running process is governed as a whole — its authority, state, and evolution — with every consequential effect gated at the execution boundary. It is the load-bearing idea of Web4.

§ 03 Process-Level Alignment

From Prompt-Safe
to Action-Safe.

Filtering a model's outputs is fragile. Constraining its actions is structural. As systems become tool-using, memory-bearing, and self-improving, prompt-level safety is the wrong layer to bet civilization on.

IOI shifts the alignment target from making the process of intelligence safe to making the consequences of intelligence governable.

3.1 · Authority

Alignment through Authority.

Models think freely. The moment they attempt to touch the outside world — spend, sign, move, deploy — the proposed effect crosses the Agency Firewall: the Hypervisor Daemon execution boundary plus wallet.network authority gates. The system never asks what the model meant. It evaluates one deterministic question: does this specific action strictly comply with the user's explicit policy and granted authority?

3.2 · Credentials

Zero-exposure credentials.

Legacy agents hold API keys and hope nothing leaks. IOI agents request effects, not raw secrets. wallet.network holds identity, credentials, approvals, payment scopes, decryption leases, and revocation. The Hypervisor Daemon asks for scoped authority at the moment of execution and records the result through receipts and Agentgres operations. A jailbroken agent cannot exfiltrate what it never receives.

3.3 · Accountability

Receipt-bound accountability.

Every consequential action resolves into a policy-checked receipt admitted as operational truth in Agentgres — a shared artifact that users, enterprises, developers, providers, and dispute systems can replay, audit, settle, and remedy against. Action becomes evidence.

3.4 · Bounded RSI

Self-improvement, governed.

As agents rewrite their own tools, code, and policies, traditional systems must take it on faith that the upgrade preserves the constraints that made the agent safe. IOI replaces that faith with a cryptographic transaction.

The Monotonic Policy Invariant is an evolutionary ratchet: an agent may become more capable — better logic, sharper tools, smarter strategy — but it cannot become less constrained. Loosening a spend limit, a data boundary, or a consent requirement requires explicit human approval. Recursive evolution becomes a controlled capability rather than an open-ended trust leap.

§ 03·5 The IOI Runtime Stack

Models propose. The stack disposes.

The economy is credible because the architecture separates execution, authority, state, artifacts, storage, interop, and settlement into distinct, accountable owners. No single layer is asked to do everything.

Layer
Owns
Boundary
Hypervisor Daemon
Execution and effect semantics
Gates and executes proposed actions
Default Harness Profile
Loop-native orchestration
Daemon-executed work loop
wallet.network
Authority and secrets
Scopes, approvals, payment, decryption, revocation
Agentgres
Operational truth
Operations, object heads, receipts, projections
Artifact-Ref Plane
Payload meaning
Identity, evidence refs, restore validity
Storage backends
Bytes
Local disk, S3, Filecoin, CAS/IPFS, object stores
AIIP
Typed interop
Moves bounded work across domains
IOI L1
Public settlement
Economic and cross-domain commitments by trigger
03·5 · One Sentence

Models propose. The Hypervisor Daemon gates and executes. The Default Harness Profile orchestrates loop-native work. wallet.network grants authority. Agentgres records operational truth. Artifact refs define payload meaning. Storage backends hold bytes. AIIP moves bounded work across domains. IOI L1 settles only selected commitments.

§ 03·6 Open Private Workspace · cTEE

Rent the compute. Keep the secrets.

Hypervisor can use local, cloud, or DePIN compute while keeping protected workspace state out of provider-readable plaintext by default. The node can compute against the workspace; the node must not become the plaintext custody domain for protected state.

Cryptographic Trusted Execution Envelopes (cTEE) split the workspace into public trunks, redacted projections, encrypted refs, private handles, capability exits, and private heads. Sensitive files, credentials, private memory, and final action authority stay with the user, wallet.network, local guardians, approved cryptographic operators, or an explicit confidential profile.

Path
Who can see plaintext?
Suitable for
Local Hypervisor
User device / local guardian
Highest privacy
cTEE workspace
Not provider-readable by default
Rented compute
Hardware TEE profile
Hardware enclave trust assumption
Model / weight secrecy
Redacted API
Provider sees redacted context
Moderate sensitivity
Provider-trust API
Provider may see plaintext
Low / contracted trust
Unsafe mount
Root provider can inspect plaintext
Never default
Note

cTEE is a software-cryptographic posture, distinct from hardware TEEs. It does not promise arbitrary full-speed private inference on untrusted nodes. Where proprietary model weights must be protected on rented hardware, a hardware enclave trust assumption is the appropriate path.

§ 04 The Web4 Primitive

Act inherits the guarantees of Own.

Automation can act without ownership — a Web2 bot can send an email — but it cannot be held accountable. Sovereign Act must carry the same canonical, replayable, settleable, remediable properties that Web3 gave to value.

Web 1 · 1990s Read

The internet learned to publish. Information became universally accessible.

Web 2 · 2000s Write

Users became authors. Platforms became the medium. Expression scaled.

Web 3 · 2010s Own

Value became programmable. Ownership became cryptographically settleable.

Web 4 · Now Act

Software becomes an accountable economic actor. Authority becomes executable.

§ 05 Economic Inversion

Stop renting tools. Hire workers.

Software-as-a-Service sells you a seat to a dashboard and asks you to supply the labor. Service-as-a-Software sells you the outcome. IOI calls this SaS, and it dissolves the structural waste of the SaaS era.

Developers no longer pay for 24/7 idle compute. Worker and service packages are referenced through Agentgres-governed artifact refs; the payload bytes may live on local disk, S3, Filecoin, CAS/IPFS, object stores, or provider blobs, and are hydrated only at the moment of execution. Storage holds bytes; Agentgres defines what those bytes mean, which policy created them, which authority can use them, and whether they can be replayed or restored. Users pay for verified success — if a worker fails the acceptance criteria, the provider wastes their compute, not the user's money.

Vector
SaaS — Rent a tool
SaS — Hire a worker
Unit purchased
Software access (seat / subscription)
Verified outcome
Labor source
The human user
The agent itself
Infrastructure cost
Always-on servers, paid by the developer
Hydrated on demand, paid by the requester
Failure mode
You paid; you debug
Dispute and remediation; provider absorbs the waste
Pricing primitive
Per seat, per month
Per receipt of successful work
§ 06 Mixture of Workers
USER INTENT "Build and deploy a secure app" PLANNER GENERAL CONTRACTOR CODER AUDITOR DEPLOYER ATTRIBUTION GRAPH → Fig. 06 · Mixture of Workers · routed labor supply chain

Routing consequential labor, not just inference.

The Internet of Intelligence will not be a single monolithic model. It will be a routed supply chain of specialized agents — each one bounded, accountable, and rentable.

Just as Mixture of Experts routes inference across model components, Mixture of Workers routes consequential labor by capability, outcome, policy, benchmarks, cost, trust, authority, runtime profile, and receipts. A worker may be a code auditor, a game-server scout, a Discord moderator, a quant backtest assistant, a service-step verifier, a customer-support operator, or an embodied robot runtime. Each receives only the authority, context, tools, budget, runtime profile, and acceptance criteria its scoped task requires.

The Attribution Graph ensures every upstream contributor retains credit when their work is composed downstream. A single user payment is automatically split into royalties paid to every contributor in the chain — turning the AI economy from zero-sum competition into composable collaboration.

§ 06·5 Packages & Domain Ontologies
06.5a · Capability

Worker packages.

aiagent.xyz packages capability: hire, install, or invoke this bounded worker. A worker carries its scoped authority, tools, runtime profile, and acceptance criteria.

06.5b · Outcome

Service packages.

sas.xyz packages outcomes: buy, run, or contract for this result. A service package may use aiagent.xyz workers, but it can also run through local workers, private packages, configured engines, deterministic tools, connectors, proprietary components, or nested services. Outcomes are not reduced to worker bundles.

06.5c · Vertical breadth

Domain ontologies.

IOI cannot hard-code every vertical. Every serious domain needs its own model of objects, events, permissions, actions, states, and outcomes. IOI uses domain ontologies and data recipes so workers can reason over invoices, trades, game servers, Discord roles, vehicles, service tickets, robots, and enterprise records through typed objects rather than raw, app-specific chaos.

Connector mappings turn raw sources into canonical objects that workers can act on, linking each domain back to workers, services, Agentgres truth, and receipts. This is how the labor economy supports many verticals without becoming a pile of bespoke agents.

§ 06·6 Hypervisor · Infrastructure for Autonomous Work

Virtualize machines and the authority running on them.

Traditional hypervisors virtualize machines. Hypervisor virtualizes machines, workloads, private workspaces, and autonomous authority.

Hypervisor manages the infrastructure estate — machines, VMs, containers, microVMs, WASM workloads, images, volumes, networks, GPU pools, DePIN/cloud/local nodes, storage and cTEE posture, model mounts, receipts, replay projections, placement, cost, and health — while the Hypervisor Daemon executes work, wallet.network authorizes, Agentgres records truth, and storage backends hold bytes. HypervisorOS is the bare-metal node profile where the daemon is node root, Type-1-compatible for autonomous systems and a foundation for broader VM/container/microVM/WASM estate management. The day-one wedge is private persistent agents and workspaces; the substrate naturally grows toward the broader infrastructure-manager lane.

§ 07 Product Ecosystem · Layer 3

A coherent surface architecture across the full spectrum of demand.

A layered ecosystem. Hypervisor is the runtime and infrastructure environment; ioi.ai is the control plane; aiagent.xyz and sas.xyz are sibling application surfaces. Beneath them, wallet.network grants authority, Agentgres records operational truth, and IOI L1 settles public, economic, and cross-domain commitments.

07.1
Hypervisor
Runtime & Infrastructure

The product environment for building, running, governing, inspecting, and replaying autonomous work. It spans the IDE, the daemon execution boundary, Fleet infrastructure management, HypervisorOS, cTEE private workspaces, model mounts, receipts, approvals, and runtime nodes — far broader than a desktop app.

BuyerBuilders / operators
UnitGoverned execution
EconomicsExecution + provider settlement
07.2
ioi.ai
Control Plane

The web control plane for accounts, devices, login, entitlements, remote runtime discovery, restore routing, publishing, billing, and console/org Fleet visibility. It coordinates access; it does not become the execution runtime, hold raw secrets, or store plaintext workspace state.

BuyerUsers & orgs
UnitAccount / device / restore
EconomicsFiat & entitlements
07.3
aiagent.xyz
Worker Marketplace

The marketplace for portable workers and managed worker instances — capability packaged for hire, install, and invocation. Listings are bounded programmable workers: browser-QA graphs, KYC pipelines, ingestion workers, planners, moderators, with benchmarks and installs.

BuyerDevelopers
UnitWorker packages
EconomicsUsage + execution fees
07.4
sas.xyz
Service Outcome Marketplace

The marketplace and contracting surface for service outcomes: contracts, delivery, acceptance, and disputes. A service package may use aiagent.xyz workers, but also local workers, private packages, configured engines, deterministic tools, connectors, or nested services. Buyers purchase results, not worker topologies.

BuyerEnterprises
UnitService outcome
EconomicsOutcome fees + acceptance
Foundation
Role
Settlement relationship
wallet.network
Authority & payment scopes
Authorizes effects; never hidden behind product prose
Agentgres
Operational truth & restore validity
Default settlement substrate for most work
IOI L1
Public / economic / cross-domain
Receives only commitments that require public trust
§ 08 Settlement Economics · Pricing Verifiable Work

Most work settles in Agentgres. L1 settles what matters.

Not every action goes on-chain. Most runs settle first in Agentgres: accepted operations, receipts, state roots, artifact refs, delivery records, and replay state. IOI L1 receives only the commitments that require public trust — marketplaces, escrow, disputes, rights, reputation, registries, cross-domain proof, or user-requested public commitments.

Settlement also abstracts payment. Consumer and enterprise surfaces can accept fiat, credits, subscriptions, or contracts; under the hood, settlement translates approved payments into provider compensation, developer royalties, protocol fees, and dispute reserves when required. Users should not need to think in tokens.

Stream 01

Local / Domain

→ Agentgres

The default. Receipts, state roots, artifact refs, delivery records, and replay state settle as operational truth before anything touches L1.

Stream 02

Provider

→ Providers

Market-priced execution. GPU and CPU time and runtime hosting, paid to the physical host of the verified execution environment.

Stream 03

Royalties

→ Developers

Royalty-on-execution routed to the owner of an invoked worker or service package whenever its intelligence is rented. No idle server costs.

Stream 04

Public Settlement

→ IOI L1

By trigger only: marketplace settlement, escrow, rights, disputes, reputation, registries, cross-domain proof, plus protocol fees and dispute/slashing reserves.

SETTLEMENT LAYER USER · FIAT SUBSCRIPTION / CREDITS PROTOCOL SETTLEMENT RESERVE PROVIDERS + DEVELOPER ROYALTIES FIAT → SETTLEMENT · FLYWHEEL
08.5 · Mass Adoption

The Fiat-to-Settlement Flywheel.

Users are not asked to buy tokens. Consumer and enterprise surfaces accept ordinary fiat — subscriptions, credits, cards, or contracts — with no wallet or seed phrase required.

Behind the curtain, the settlement layer translates approved payments into provider compensation, developer royalties, protocol fees, and dispute reserves as work is executed and verified. The token and IOI L1 remain useful for settlement, not for every interaction.

The result is a stable channel of mainstream capital flowing into the cryptographic labor economy — with the blockchain abstracted away from the user.

§ 08·5 Verification & Disputes

Verification scales with risk.

"Verified work" is not one mechanism. IOI verifies claims according to risk: tests for code, source checks for research, policy checks for authority, artifact-integrity checks for evidence, human review for judgment, and dispute or remediation paths for failed deliveries.

Risk tier
Verification depth
On failure
Low
Deterministic checks
Automatic retry or reject
Medium
Independent verifier worker
Dispute against receipts
High / critical
Tests, independent + adversarial workers, human review
Settlement-grade evidence, remediation, slashing
§ 09 Stakeholder Alignment

Three vertices. One ledger.

The IOI economy is a triangle held in tension. Three stakeholders — each indispensable, each captured by the same canonical settlement event. No one's reward depends on another's loss.

Vertex 01 · Apex

Users

Purchase verified outcomes with absolute data sovereignty. Pay only for successful, cryptographically proven work. Walk away from failures without losing capital.

Vertex 02 · Substrate

Providers

Earn revenue for supplying raw compute and maintaining secure execution environments. Take provable execution risk in exchange for hardware-priced returns.

Vertex 03 · Intelligence

Developers

Earn Royalty-on-Execution whenever their agent's intelligence is rented. Never incur idle server costs. Compose freely; get paid through the Attribution Graph.

Settlement Ring

The triangle is the economic core, but it does not stand alone. A ring of participants is captured by the same settlement events: verifiers, service providers, marketplace operators, storage providers, authority providers, domain owners, and dispute systems. Each is indispensable; none is erased by the elegance of the triangle.

Conclusion

IOI is not a marketplace for buying models. It is Web4 infrastructure for the cryptographic labor economy — a way to hire, govern, verify, and settle machine labor.

The next internet does not merely publish information, host applications, or settle ownership. It hires accountable software labor. IOI is the labor layer for an internet that can act.

Document
IOI · Litepaper
Published
June 2026 · Vol. 02
Origin
IOI Foundation
© 2026 · IOI Foundation
Internet of Intelligence · Web4 Labor Layer
Litepaper · v02