Remlo — Borderless Payroll, Agent Payment, and Reputation in One Protocol

Problem

Cross-border payroll has three structural failures: it's slow (multi-day SWIFT settlement), it's expensive (FX spreads stack on transfer fees), and it doesn't compose with the AI agents that are increasingly the “workers” doing the work. Stablecoin payroll fixes the speed and cost. It does not, on its own, fix the trust model — employers still need to put their funds somewhere, and they need to know that “somewhere” can't walk off with them.

Constraint

• Built for the Colosseum Frontier hackathon — Solana-extended execution with Tempo as the primary settlement chain.
• Hard requirement: the Remlo backend must never be able to drain an employer's treasury, even under full compromise.
• Agent-friendly: a third-party AI agent should be able to pay for an API call and a payroll cycle should be triggerable programmatically from an off-chain workflow.
• Compliance pipeline must be able to index every payment by employer / employee / pay period without log parsing.

Decisions

Dual-chain settlement, not single-chain

Tempo Moderato (42431) is the primary chain — payroll treasury, batched distribution, streaming compensation, ERC-8004 identity. Solana is the escrow chain — three-party coordination with LLM or human validators via the remlo_escrow Anchor program (deployed at 2CY3...WiAA). Two chains because each was the right tool for its primitive: Tempo for sub-second batched payroll, Solana for the cheapest possible escrow PDA accounting.

Privy server wallets with policy-gated instructions

On both chains, the Remlo signer is a Privy server wallet policy-gated to specific contract addresses and instructions. On Solana, only post_verdict requires our signer; the three settlement paths (settle, refund, expired_refund) are permissionless. On Tempo, the batcher signer can only call the configured payroll contracts — and reputation writes go through the same policy-gated path to ERC-8004 only.

ISO 20022 memos in every payment

Every transfer carries a 32-byte memo (messageType, employerId, employeeId, payPeriod) so compliance teams can index by structured fields, not log parsing. Same shape on Tempo (memo field on transfer) and Solana (instruction data).

Three-chain 402 negotiation in one response

For agent-paid endpoints, the 402 challenge lists Tempo MPP, Base x402, and Solana x402 in a single response. The agent picks the rail their wallet has balance on. State-mutating endpoints that touch Tempo treasury balances stay Tempo-only — accepting other chains for those creates settlement asymmetries that don't roll back cleanly on revert.

Outcome

• 7 Tempo contracts deployed live on Moderato: PayrollTreasury, PayrollBatcher, EmployeeRegistry, StreamVesting, YieldRouter, plus the ERC-8004 trio (IdentityRegistry, ReputationRegistry, ValidationRegistry).
• 1 Anchor escrow program live on Solana devnet (remlo_escrow) with the M-4 audit fix landed: approved verdicts now require confidence_bps > 0, enforced on-chain.
• Employer dashboard, employee portal, public agent directory, and Mintlify docs at docs.remlo.xyz.
• Both Remlo agents registered in the public ERC-8004 IdentityRegistry on Tempo with live, queryable reputation: curl https://www.remlo.xyz/api/reputation/<addr> — free, no auth.

Lessons

• Permissionless settlement is the security primitive. Policy-gating helps, but the load-bearing decision is making sure no off-chain compromise can hold funds hostage. Every settlement path that doesn't require our signer is a failure mode we've removed.
• Memo design is compliance work, not protocol work. Designing the ISO 20022 memo format was the most boring decision in the build and the one that's gotten the most positive feedback from anyone serious about compliance.
• State-mutating endpoints are different. Letting agents pay in any of three currencies for read-only APIs is cheap; letting them pay in any currency for state mutations requires careful rollback semantics or you cut the cross-chain optionality.