Skip to main content
WalletSuite Logo
Market makers · autonomous execution

Governed agent wallets for autonomous execution

SDK on the bot's hot path. MCP for the operator console. Signing decisions are gated by policy, not by the LLM.

Book 20 minRead the security model
Bot hot path · SDK
deterministic + policy-gated signing
import { WalletSuite } from "@walletsuite/wallet-sdk";
 
// Hot path: deterministic strategy code, policy-gated signing, no LLM.
// MPC by default; OWS opt-out for sub-millisecond local signing.
const ws = new WalletSuite({
  apiKey: "<WALLETSUITE_API_KEY>",
  agentToken: "<POLICY_BOUND_AGENT_TOKEN>",
});
 
// Policy lives in the signing service. Out-of-policy requests
// never produce a signature.
await ws.send(/* prepared tx */);
Operator console · .mcp.json
read-only MCP
{
  "mcpServers": {
    "walletsuite": {
      "command": "walletsuite-mcp",
      "env": {
        "WALLETSUITE_API_KEY": "$WALLETSUITE_API_KEY",
        "MCP_BANDS": "read"
      }
    }
  }
}
§ 01Problem

Trust doesn’t scale; policy does

Market makers and HF desks run 24/7 autonomous bots. At transaction volume, human co-sign is not an option — the governance pattern today is “trust the operator who deployed it, hope it doesn’t drift, review P&L post-hoc.” That’s not governance. That’s hope.

Policy gates at the signing layer make autonomy auditable. Every signing request is evaluated before any signature is produced: chain allowlist, expiry, per-transaction spend limit, daily aggregate cap. Out-of-policy requests never produce a signature — they fail with a structured error and land in the audit trail as denied events. Approved requests land as signed events in the same hash-chained JSONL. Compliance becomes “here’s the mathematical proof of what the bot did and did not do” — not “here’s our process for watching it.”

§ 02Pattern

Two surfaces, one policy

The bot’s hot path runs deterministic strategy code through our SDK — policy-gated signing with no LLM in the loop. MPC by default; OWS opt-out for sub-millisecond local signing on latency-critical bots. The operator console is a separate MCP session running MCP_BANDS=read, used by traders and ops to query state, inspect denied events, and rotate tokens from Claude Desktop or any MCP client. A senior operator bootstraps the signing setup once and issues a policy-bound agent token to the bot. The token is bound at issuance time — allowed chains, expiry, per-tx and daily spend caps — and the policy lives in the signing service, not in the process environment. Policy rotation is a new token, not a redeploy.

Invariant
The bot signs and broadcasts via SDK; the operator queries and reviews via MCP. Policy decides what’s allowed in either path. No signature is produced for an out-of-policy request — whether the request comes from a deterministic bot, a runaway strategy, or a prompt-injected MCP session.
§ 03What this unblocks

Four properties that drop out of the pattern.

  1. 01
    24/7 autonomous execution with hard limits enforced below the agent layer — no per-tx human review required.
  2. 02
    Policy rotation by token, not by redeploy — revoking a token is deleting a file.
  3. 03
    Post-hoc audit reviewers don’t have to take your word for it — hash-chained JSONL on operator disk, exportable per-agent, per-period.
  4. 04
    Compromised code = bounded damage. Policy holds whether the calling process is a deterministic bot, an operator MCP session, or anything else — the signing decision is gated by policy, not by the LLM.
Design partner program

Now reviewing a limited number of design partners.

Book 20 minOr email us
See all use cases