The Assay

Here is a small, true number. An operator put a data service on x402, the pay-per-call rail for AI agents, and watched the logs. Agents found it. They probed it 1,183 times. Total revenue collected: $0.11. Eleven cents. Five weeks later the protocol crossed a hundred million transactions — and roughly half of those were gamified, with real economic volume across the entire network measured in the low tens of thousands of dollars a day. Both numbers are true. Together they describe the gap every new publisher falls into.

The probes are the tell. Agents found the endpoint, looked at it, and walked away without paying. That is not a discovery problem. It is a trust problem, and it has a precise shape.

Discovery is nearly solved. Being chosen is not.

If you ship a tool today, getting found is mostly plumbing. Agents do not browse GitHub; they query catalogs. List your server in the MCP Registry under a verified namespace, settle one payment to light up the x402 Bazaar, drop an ai-catalog.json for Google's new ARD spec, and the machines can find you. These are free, deliberate, one-time acts. Discovery is registration.

What the registration does not do is tell a stranger whether your thing is any good. And that is where the money stops.

A lemons market

The trust the infrastructure builds in is cryptographic provenance, not quality. Every layer proves the same thing: that a tool authentically belongs to a verified identity. MCP verifies your namespace. ARD verifies your "true cryptographic identity before connecting." The Bazaar's trust primitive is the settled on-chain payment — money moved, recorded. All of it answers who are you. None of it answers are you any good.

Why does the infrastructure keep solving provenance and punting quality? Because provenance is cheap to make verifiable and quality is not. Signing a thing and checking a signature is a solved problem. "Is this tool correct and safe?" has no general oracle, so every registry pushes the question to someone else, and the buck never stops.

The consequence is measurable and grim. Pull MCP servers at random from the public ecosystem and about one in three fail a routine tool-invocation trial; a much larger fraction carry a real security flaw. One survey calls it the MCP eval gap. In the Slack tool ecosystem there is no official server, but unofficial packages exist whose install commands "appear official and legitimate while providing no indication of their unofficial provenance." A buyer — human or agent — cannot tell the lemon from the peach.

This is Akerlof's market for lemons, rebuilt in a new substrate. Discovery outran trust.

And the reputation systems meant to fix it are themselves gameable. A study of one on-chain agent reputation registry found 170,000 registered agents, of which 3–15% were real, with 59–90% of reviews written by sock-puppets and a reputation score forgeable for about half a cent. When reputation is cheap to forge, it stops meaning anything. A rating is a vote, and votes are Sybil-able.

Three rungs, and only one holds a stranger's weight

There are exactly three ways to trust a tool you've never used:

Provenance — a signed identity. Necessary, not sufficient: it proves the lemon is authentically yours, not that it isn't a lemon. It defeats impersonation, not incompetence.

Curation — community ratings, trust-score composites, security heuristics. Better, but it is a vote or a heuristic, and votes are forgeable and heuristics are gameable. This is the rung that keeps collapsing.

Re-executable proof — the tool carries, in the box, the means for the relying party to check it themselves, trusting no rating and no voucher. This is the only rung a stranger can stand on with zero trust in anyone, because it routes around the trust question entirely. Don't believe me — run the test.

The assay

That third rung is the touchstone: the black Lydian stone a merchant rubbed a coin against to read its gold, regardless of whose face was stamped on it. The streak doesn't care about reputation. It reads the metal directly.

Here is the part worth keeping: re-executable proof is exactly the layer the entire infrastructure declines to provide. Provenance is built in. Curation is delegated and demonstrably weak. Proof is nobody's job but the publisher's — which makes it the one credential a newcomer can supply that is both trustless and unavailable from any registry. It doesn't compete with the platform; it completes it.

And for a tool that is deterministic — same input, same output, byte-for-byte, reproducible by anyone who runs it — that proof is free. The proof is the property. You don't have to build trust on top of the thing; the thing already carries it. In a market the infrastructure leaves as a lemons market, the only newcomer credential that fully clears is reproducibility, and determinism is its substrate.

This reframes "verify before you pay" from a slogan into a mechanism. An agent declining to pay is an agent that cannot price what it's buying. Give it a way to compute the worth before it spends — a free sample to inspect, a named authority the answer reproduces, a signature from the key that takes the payment — and you have removed the friction that left the logs at eleven cents.

The worked example

We built one, because arguing it wasn't enough. Touchstone is a suite of deterministic endpoints for agents — physical and temporal facts, a drand-anchored trust layer, and a writing-and-coding workbench. Every one obeys the same three rules:

It reproduces a named authority byte-for-byte — JPL DE421 for the sky, WMM2025 for the magnetic field, NIST SP 811 for units, RFC 6902 for diffs, the APA and MLA manuals for citations — and the test that proves it ships with it. It is signed by the same key that receives your payment, so the receipt and the answer are bound. And every route has a free /example you can read before you ever pay, so the assay is in your hand first.

None of that asks you to trust us. That is the whole point. The product's pitch and its architecture are the same sentence: don't take our word — check us.