Skip to main content
WalletSuite LogoWalletSuite
Market makers · autonomous execution

Governed agent wallets for autonomous execution

Human-in-loop doesn’t scale at market-making volume. Policy gates at the signing layer do. Every attempt — approved or denied — is hash-chain audit evidence.

Book 20 minRead the security model
Execution agent · .mcp.json
full + OWS agent + policy
{
  "mcpServers": {
    "walletsuite": {
      "command": "walletsuite-mcp",
      "env": {
        "WALLETSUITE_API_KEY": "$WALLETSUITE_API_KEY",
        "MCP_BANDS": "full",
        "OWS_ENABLED": "true",
        "OWS_AUTH_MODE": "agent",
        "OWS_AGENT_TOKEN": "$EXEC_AGENT_TOKEN",
        "OWS_ETHEREUM_RPC_URL": "https://eth.rpc.internal"
      }
    }
  }
}
§ 01Problem

Trust doesn’t scale; policy does

Market makers and HF desks run 24/7 autonomous bots. At transaction volume, human co-sign is not an option — the governance pattern today is “trust the operator who deployed it, hope it doesn’t drift, review P&L post-hoc.” That’s not governance. That’s hope.

Policy gates at the signing layer make autonomy auditable. Every signing request is evaluated before the OWS vault decrypts: chain allowlist, expiry, per-transaction spend limit, daily aggregate cap. Out-of-policy requests never touch key material — they fail with a structured error and land in the audit trail as denied events. Approved requests land as signed events in the same hash-chained JSONL. Compliance becomes “here’s the mathematical proof of what the bot did and did not do” — not “here’s our process for watching it.”

§ 02Pattern

Full band, policy-bound agent token

One MCP server, MCP_BANDS=full, OWS agent mode. A senior operator bootstraps the vault once and issues a scoped agent token. The agent token is bound to a policy at issuance time — allowed chains, expiry, spend limits — the policy lives in the vault, not in the process environment. The bot runs with that token; the vault passphrase is not present in the runtime. Policy rotation is a new token, not a redeploy: issue, revoke, vault and keys untouched.

Invariant
The agent signs and broadcasts. Policy decides what’s allowed. The audit trail records every attempt. A compromised or runaway bot cannot exceed the envelope — the vault never decrypts for an out-of-policy request.
§ 03What this unblocks

Four properties that drop out of the pattern.

  1. 01
    24/7 autonomous execution with hard limits enforced below the agent layer — no per-tx human review required.
  2. 02
    Policy rotation by token, not by redeploy — revoking a token is deleting a file.
  3. 03
    Post-hoc audit reviewers don’t have to take your word for it — hash-chained JSONL on operator disk, exportable per-agent, per-period.
  4. 04
    Compromised bot = bounded damage. Policy holds even under prompt injection because the signing decision is made in OWS, not in the LLM.
Design partner program

Now reviewing a limited number of design partners.

Book 20 minOr email us
See all use cases