CMSP: Bounded-Consent Primitive for Non-Custodial Recurring Payments (Design Proposal)

This post introduces CMSP (Capped Mandate Subscription Protocol), a design-complete primitive for non-custodial recurring payments, shared for technical feedback within the Cosmos ecosystem.

CMSP models recurring transfers as explicit, bounded mandates enforced by smart contracts (CosmWasm). The focus is on deterministic risk bounds, explicit consent, and safe failure modes.

This is not a product, not an on-chain governance proposal yet, and does not assume execution guarantees.


Motivation

Many subscription-like patterns in Cosmos still use custodial escrow contracts or rely on off-chain automation with unbounded risk.

CMSP avoids:

  • pooled custody,
  • unlimited approvals,
  • implicit trust in execution.

Key Properties

  • Zero custody — contracts never hold user value long-term
  • Mandatory expiration — no indefinite mandates
  • Hard per-period caps — explicit worst-case loss
  • Permissionless execution — executor authority not required

CosmWasm Considerations

The reference implementation uses:

  • message atomicity
  • CW20 transfers
  • signature-bound nonces

No pooled balances and clean failure semantics.


Reference

Published under CleanSky-Research as a primitive open for critique.


Feedback Requested

Looking for:

  • CosmWasm execution edge cases
  • CW20 semantics and allowance/transfer nuances
  • Mandate replay protection
  • Worker execution models

Critical feedback is welcome.

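The per-charge checks implied by the Key Properties list above (mandatory expiration, hard per-period cap, permissionless execution, replay protection), as an added example that is not part of the original post or the CMSP reference implementation. It is a plain-Rust model with no CosmWasm or CW20 calls; every type and function name is hypothetical, and a strictly increasing counter stands in for the signature-bound nonce.

```rust
// Added illustration: plain-Rust model of a capped mandate (no CosmWasm crates).
// Every name here is hypothetical; none is taken from the CMSP code base.
#[derive(Debug, PartialEq)]
pub enum MandateError { NotStarted, Expired, BadNonce, CapExceeded }

pub struct Mandate {
    cap_per_period: u128, // hard ceiling on spend inside one period
    period_secs: u64,
    start: u64,
    expires: u64,         // mandatory: there is no "never expires" value
    next_nonce: u64,      // assumption: the payer's signature covers this counter
    period_index: u64,
    spent_in_period: u128,
}

impl Mandate {
    /// Rejects mandates with a zero-length period or no lifetime.
    pub fn new(cap: u128, period_secs: u64, start: u64, expires: u64) -> Option<Self> {
        if period_secs == 0 || expires <= start { return None; }
        Some(Self { cap_per_period: cap, period_secs, start, expires,
                    next_nonce: 0, period_index: 0, spent_in_period: 0 })
    }

    /// Permissionless: no caller identity is checked, only the mandate's bounds.
    pub fn charge(&mut self, now: u64, nonce: u64, amount: u128) -> Result<(), MandateError> {
        if now < self.start { return Err(MandateError::NotStarted); }
        if now >= self.expires { return Err(MandateError::Expired); }
        if nonce != self.next_nonce { return Err(MandateError::BadNonce); }
        let idx = (now - self.start) / self.period_secs;
        let spent = if idx == self.period_index { self.spent_in_period } else { 0 };
        let total = spent.checked_add(amount).ok_or(MandateError::CapExceeded)?;
        if total > self.cap_per_period { return Err(MandateError::CapExceeded); }
        // Commit only after every check passed, so a rejected charge changes nothing.
        self.period_index = idx;
        self.spent_in_period = total;
        self.next_nonce += 1;
        Ok(())
    }

    /// Upper bound on what the payer can lose over the mandate's whole lifetime.
    pub fn worst_case_loss(&self) -> u128 {
        let span = self.expires - self.start;
        let periods = span / self.period_secs + u64::from(span % self.period_secs != 0);
        self.cap_per_period.saturating_mul(periods as u128)
    }
}

fn main() {
    let m = Mandate::new(100, 30, 1_000, 1_090).expect("valid mandate");
    println!("worst-case loss: {}", m.worst_case_loss());
}
```

In a contract, the state commit and the token transfer would have to succeed or fail together, which is where the message atomicity mentioned in the post matters.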