Skip to main content
Trading desks · market makers

Governed agent wallets for trading desks

Your strategy agents get read and prepare. Operators own broadcast. Keys stay on your infrastructure.

Strategy agent · .mcp.json
read + prepare
{
"mcpServers": {
"walletsuite": {
"command": "walletsuite-mcp",
"env": {
"WALLETSUITE_API_KEY": "$WALLETSUITE_API_KEY",
"MCP_BANDS": "read,prepare"
}
}
}
}
Operator workstation · .mcp.json
full + OWS
{
"mcpServers": {
"walletsuite": {
"command": "walletsuite-mcp",
"env": {
"WALLETSUITE_API_KEY": "$WALLETSUITE_API_KEY",
"MCP_BANDS": "full",
"OWS_ENABLED": "true",
"OWS_AUTH_MODE": "owner",
"OWS_PASSPHRASE": "$OWS_PASSPHRASE",
"OWS_ETHEREUM_RPC_URL": "https://eth.rpc.internal"
}
}
}
}

§ 01Problem

Research, execution, and the wallet boundary

Algorithmic trading firms already separate alpha research from live execution. The strategy module is one process; the execution stack is another. The boundary is real — but at the wallet layer it is usually an SRE convention, not a hard guarantee.

Band filtering formalizes that split at the wallet layer. A strategy agent configured with read and prepare bands can query chain state and construct unsigned transactions. The tools to sign or broadcast are not registered in its MCP session — they do not exist at the tool-registry level. A prompt-injected agent cannot call what it cannot see.

The broadcast surface lives on operator infrastructure under a different band cap and a different credential. 24/7 bot infrastructure with an LLM reasoning layer above it: the LLM proposes, the operator signs. Keys stay on your infrastructure, not behind a vendor API.


§ 02Pattern

Two configs, one invariant

The strategy agent runs with MCP_BANDS=read,prepare and no OWS — its tool registry contains research and unsigned-tx construction only. The operator workstation runs with MCP_BANDS=full, OWS owner mode, and the passphrase. Band enforcement happens at server startup: the tool registry is capped before the MCP client ever connects, not at request-time.

Invariant
A strategy agent cannot invent a broadcast tool that does not exist in its session. The operator co-signs every broadcast with local key material — WalletSuite never holds, transmits, or proxies it. The operator process writes canonical JSONL audit events to its host disk; the strategy agent’s output is the prepared payload itself — a structured artifact the operator reviews before co-signing.

§ 03What this unblocks

Three properties that drop out of the pattern.

  1. 01
    Operators co-sign every broadcast. No model autonomy on the wire.
  2. 02
    Prompt injection in the strategy layer cannot mint a broadcast tool that was never registered.
  3. 03
    Every sign and broadcast event lands in a hash-chained JSONL audit trail on operator disk, exportable per-agent.

Design partner program

Now reviewing a limited number of design partners.


See all use cases