Policy & Approvals
The boundary between your agent and your keys: the policy file, approval cards, risk tiers, and receipts.
The model: ask → policy → sign
Every on-chain action in DAEMON follows the same path, whether it comes from ARIA, a Cursor or Claude Code agent over the bridge, or you.
- Ask. The agent requests an action: a swap, a transfer, a token launch, a program write. It never touches a key; it submits a request.
- Policy. DAEMON checks the request against your policy: spend caps, allowlists, cluster rules. Within policy, it auto-approves and the agent keeps moving. Outside policy, you get an approval card with a simulation diff. Unknown programs are blocked outright.
- Sign. Approved actions are signed locally from the OS-encrypted vault and receipted. Keys never serialize across the boundary, not to the agent, not to us.
The point of the design: the asking can be a policy, not a click. You define the rules once, and the interruptions shrink to the actions that genuinely need a human.
The policy file
Policy is code you can read. A minimal policy looks like this:
```
allow: swap, transfer
max_per_tx: 0.5 SOL
cluster: devnet -> auto
         mainnet -> require approval
unknown_program -> block
```

- allow - the action types your agent may request at all.
- max_per_tx - a hard spend cap per transaction. Requests above it always produce a card.
- cluster rules - devnet can run fully automatic while mainnet requires approval, so agents iterate freely where mistakes are free.
- unknown_program - writes to programs outside your allowlist are blocked, not queued. This is the rule that stops a malicious skill cold.
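As an added example (not DAEMON's own code), the evaluator below parses the minimal policy above and decides whether a request runs automatically, produces an approval card, or is blocked. The request fields, the decision strings, and the treatment of action types missing from `allow` (refused) are assumptions, not documented behaviour.

```python
# Added example (not DAEMON's code): parse the policy file above and decide
# what happens to a request. Request fields and decision strings are assumed.
from dataclasses import dataclass

POLICY = """\
allow: swap, transfer
max_per_tx: 0.5 SOL
cluster: devnet -> auto
         mainnet -> require approval
unknown_program -> block
"""

@dataclass
class Request:
    action: str
    amount_sol: float
    cluster: str
    program_allowlisted: bool = True  # assumed: result of a program allowlist check

def parse_policy(text):
    policy = {"allow": set(), "cluster": {}, "max_per_tx": 0.0}
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("allow:"):
            policy["allow"] = {a.strip() for a in line[6:].split(",")}
        elif line.startswith("max_per_tx:"):
            policy["max_per_tx"] = float(line.split(":", 1)[1].split()[0])
        elif "->" in line:
            lhs, rhs = (s.strip() for s in line.split("->", 1))
            lhs = lhs.removeprefix("cluster:").strip()
            if lhs == "unknown_program":
                policy["unknown_program"] = rhs
            else:
                policy["cluster"][lhs] = rhs
    return policy

def evaluate(policy, req):
    """Return (decision, rule). Blocks are checked before caps, caps before cluster."""
    if not req.program_allowlisted:
        return (policy.get("unknown_program", "block"), "unknown_program")
    if req.action not in policy["allow"]:
        return ("block", "allow")  # assumed: disallowed action types are refused
    if req.amount_sol > policy["max_per_tx"]:
        return ("require approval", "max_per_tx")  # above the cap always yields a card
    rule = policy["cluster"].get(req.cluster, "require approval")
    return ("auto" if rule == "auto" else "require approval", f"cluster:{req.cluster}")
```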
Approval cards
When a request lands outside policy, DAEMON shows a card with everything needed for one decision: the action and its parameters, the cluster, and a simulation diff of what your balances look like before and after. Mainnet actions carry a [MAINNET] banner and re-validate the cluster at execution time.
One tap approves or denies. Nothing signs while a card is waiting.
Risk tiers
Every tool an agent can call is classified before it ships:
| Tier | Examples | Gate |
|---|---|---|
| Read | balances, prices, transaction history | Runs automatically |
| Write | swaps, transfers, launches, deploys | Policy check; card when outside policy |
| Sensitive | key exports, policy edits, wallet creation | Typed confirmation, always |
Receipts
Every executed action records what was requested, which policy rule approved it, and the resulting signature, verifiable against the chain. Receipts are the audit trail for everything your agent does: you can prove what it did, and what it didn't.
Agent Economy
DAEMON v4.6 extends the same boundary to paid off-chain work. Agent Economy lets you create a profile for an agent, set USDC spend limits, allowlist paid resource domains and payees, check x402 resources before execution, and store the receipt after a call settles.
Use it when an agent needs to pay for APIs, compute, data, or another agent's service. Passing policy only moves a call to ready; execution still requires approval and the signed payment payload.