Skip to main content
WalletSuite LogoWalletSuite
Trading desks · market makers

Governed agent wallets for trading desks

Your strategy agents get read and prepare. Operators own broadcast. Keys stay on your infrastructure.

Book 20 minRead the security model
Strategy agent · .mcp.json
read + prepare
{
  "mcpServers": {
    "walletsuite": {
      "command": "walletsuite-mcp",
      "env": {
        "WALLETSUITE_API_KEY": "$WALLETSUITE_API_KEY",
        "MCP_BANDS": "read,prepare"
      }
    }
  }
}
Operator workstation · .mcp.json
full + OWS
{
  "mcpServers": {
    "walletsuite": {
      "command": "walletsuite-mcp",
      "env": {
        "WALLETSUITE_API_KEY": "$WALLETSUITE_API_KEY",
        "MCP_BANDS": "full",
        "OWS_ENABLED": "true",
        "OWS_AUTH_MODE": "owner",
        "OWS_PASSPHRASE": "$OWS_PASSPHRASE",
        "OWS_ETHEREUM_RPC_URL": "https://eth.rpc.internal"
      }
    }
  }
}
§ 01Problem

Research, execution, and the wallet boundary

Algorithmic trading firms already separate alpha research from live execution. The strategy module is one process; the execution stack is another. The boundary is real — but at the wallet layer it is usually an SRE convention, not a hard guarantee.

Band filtering formalizes that split at the wallet layer. A strategy agent configured with read and prepare bands can query chain state and construct unsigned transactions. The tools to sign or broadcast are not registered in its MCP session — they do not exist at the tool-registry level. A prompt-injected agent cannot call what it cannot see.

The broadcast surface lives on operator infrastructure under a different band cap and a different credential. 24/7 bot infrastructure with an LLM reasoning layer above it: the LLM proposes, the operator signs. Keys stay on your infrastructure, not behind a vendor API.

§ 02Pattern

Two configs, one invariant

The strategy agent runs with MCP_BANDS=read,prepare and no OWS — its tool registry contains research and unsigned-tx construction only. The operator workstation runs with MCP_BANDS=full, OWS owner mode, and the passphrase. Band enforcement happens at server startup: the tool registry is capped before the MCP client ever connects, not at request-time.

Invariant
A strategy agent cannot invent a broadcast tool that does not exist in its session. The operator co-signs every broadcast with local key material — WalletSuite never holds, transmits, or proxies it. The operator process writes canonical JSONL audit events to its host disk; the strategy agent’s output is the prepared payload itself — a structured artifact the operator reviews before co-signing.
§ 03What this unblocks

Three properties that drop out of the pattern.

  1. 01
    Operators co-sign every broadcast. No model autonomy on the wire.
  2. 02
    Prompt injection in the strategy layer cannot mint a broadcast tool that was never registered.
  3. 03
    Every sign and broadcast event lands in a hash-chained JSONL audit trail on operator disk, exportable per-agent.
Design partner program

Now reviewing a limited number of design partners.

Book 20 minOr email us
See all use cases