Autonomous AI agents that hold SOL, reason about transactions, and interact with the blockchain — without any human touching a private key at signing time.
The core security principle: agent logic never touches private keys directly. Agents describe what they want to do. The runtime decides if and how.
BIP39 mnemonic → BIP44 path → deterministic Ed25519 keypairs. One secret, infinite agents. Private keys never leave memory.
Per-tx limits, rolling 24h caps, program whitelists. All enforced before signing — an agent cannot bypass them.
Actually simulates and sends confirmed transactions on Solana devnet. Not a mock. Not a stub. Real blockhashes, real signatures.
ORION (market maker), LYRA (accumulator), VEGA (rebalancer). Each with independent decision logic and logged reasoning.
Every decision, every simulation, every spend → SQLite. Queryable. Forensic-grade. Not just log lines — structured records.
init → airdrop → run → status → history. End-to-end workflow from zero to running simulation in 5 commands.
No sugarcoating. Here's every limitation I'm aware of.
The agents use hardcoded if/else logic and Math.random(). There's no LLM, no reasoning model, no learning. "AI agent" in this context means "autonomous program" — not artificial intelligence. The architecture supports plugging in real AI decision-making, but the prototype doesn't ship any.
No priority fees, no rent exemption calculations, no RPC fallback, no network assertion check. Moving to mainnet requires way more than changing a URL.
A compromised runtime can bypass all policies. Real production needs on-chain spending limits enforced by a Solana program — not a TypeScript class that can be patched.
Direct SPL token transfers aren't implemented (TRANSFER_SPL throws "not implemented"). However, we DID just integrate the Jupiter v6 API to swap SOL for USDC (SPL token output).
The mnemonic is one secret. If someone gets it, they get everything. Production requires MPC/TSS distributed key generation — no single machine holds the full key.
WAL mode helps, but past ~50 concurrent agents, write contention serializes everything. This is a prototype database, not a production one.
Intent boundary → policy → simulation → sign. This is how you'd actually structure agent-wallet separation. The 10-step pipeline isn't overcomplicated — it's the minimum viable safety chain.
Not mocked. Not simulated. Real Solana devnet transactions with confirmed signatures. You can verify every tx on a block explorer.
AES-256-GCM with PBKDF2 (SHA-512, 100K iterations). This isn't toy crypto — it's the same pattern used by MetaMask and other production wallets.
24 tests covering derivation determinism, policy enforcement edge cases, and agent decision logic with fully mocked network. These aren't "does it compile" tests.
| Spec Said | I Did | Why | Impact |
|---|---|---|---|
| @solana/web3.js ^2.0.0 | ^1.98.0 (v1) | Spec described v1 API patterns. V2 is a complete rewrite with incompatible functions. | NONE |
| better-sqlite3 | sql.js (WASM) | No C++ build tools on Windows. Node v24 has no prebuilt binaries. | MINOR |
| Sync DB init | Async DB init | sql.js requires async WASM loading. All callers now use await. | MINOR |
| No `any` types | Zero `any` in source | Achieved via custom sql.js type declarations. | NONE |
| No console.log | CLI uses console.log | CLI output needs direct console for user-facing formatting. Logger used everywhere else. | INTENTIONAL |
This isn't production infrastructure. It's a demonstrably correct architectural skeleton for how autonomous agents should interact with blockchains — with real crypto, real transactions, and real guardrails.
The hard part isn't the code. It's the separation of concerns: proving that an untrusted agent can hold funds safely because the system — not trust — enforces the rules.
Everything compiles. Everything runs. Nothing is
faked.
That should count for something.