Execution & Safety
Two halves of "act safely": execution that knows which authority it acts under, and a boundary that ensures only a real, reasoned action reaches the executor.
The agent_authority execution block
Every execution surfaces a non-secret block telling any consumer which authority is active and how it will sign:
    {
      "agent_authority": {
        "authoritySource": "provider_managed | virtuals_linked | external_imported",
        "walletProvider": "privy | virtuals | external",
        "walletAddress": "0x…",
        "virtualsAgentId": "id | null",
        "proofState": "verified | unverified | pending | not_applicable",
        "signerStatus": "ready | required | pending | unsupported",
        "executionRoute": "provider_agent_wallet | virtuals_acp_sidecar | venue_local_signer | unsupported",
        "executionSupported": true,
        "blockers": []
      }
    }
Never include private keys, API-wallet secrets, bearer tokens, CLOB secret material, or signer key references.
Authority → route mapping
| Active authority | Condition | executionRoute | supported |
|---|---|---|---|
| Mode A (privy) | venue supports provider signing | provider_agent_wallet | ✅ |
| Mode B (virtuals, verified) | venue wired for ACP sidecar | virtuals_acp_sidecar | ✅ supported venues only |
| Mode B (virtuals, verified) | venue not wired | unsupported | ❌ virtuals_authority_execution_not_supported_for_venue |
| Mode B (virtuals, unverified) | — | unsupported | ❌ virtuals_authority_not_verified |
| none | no profile | unsupported | ❌ agent_wallet_required |
If Mode B execution isn't wired for a venue, OAW blocks precisely — it never quietly signs with the provider wallet. It also never auto-creates Mode A when the active authority is Mode B.
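The mapping above as a fail-closed resolver, given here as an added example and not OAW's own code. The venue flags `supportsProviderSigning` and `acpSidecarWired`, the `EXAMPLE_` blocker, and the treatment of any non-`verified` proof state as unverified are assumptions; the other blocker strings come from the table.

```javascript
// Added example, not project code. Blocker strings are from the table above.
const BLOCKERS = {
  noProfile: "agent_wallet_required",
  unverified: "virtuals_authority_not_verified",
  venueNotWired: "virtuals_authority_execution_not_supported_for_venue",
  // Placeholder (not from the page) for combinations the table does not list.
  unmapped: "EXAMPLE_unmapped_authority_or_venue",
};

// Every refusal carries an exact blocker and never a fallback route.
const blocked = (reason) => ({
  executionRoute: "unsupported",
  executionSupported: false,
  blockers: [reason],
});
const routed = (executionRoute) => ({
  executionRoute,
  executionSupported: true,
  blockers: [],
});

// authority: { walletProvider, proofState }, or null when no profile exists.
// venue: { supportsProviderSigning, acpSidecarWired } (hypothetical flags).
function resolveRoute(authority, venue) {
  if (!authority) return blocked(BLOCKERS.noProfile);

  if (authority.walletProvider === "privy") {
    return venue.supportsProviderSigning === true
      ? routed("provider_agent_wallet")
      : blocked(BLOCKERS.unmapped);
  }

  if (authority.walletProvider === "virtuals") {
    // Mode B never falls through to the provider wallet: each miss is a blocker.
    // Assumption: anything other than "verified" counts as unverified.
    if (authority.proofState !== "verified") return blocked(BLOCKERS.unverified);
    return venue.acpSidecarWired === true
      ? routed("virtuals_acp_sidecar")
      : blocked(BLOCKERS.venueNotWired);
  }

  // e.g. "external": the table defines no route, so refuse.
  return blocked(BLOCKERS.unmapped);
}
```

The case to test first is a verified Mode B authority on a venue that supports provider signing but has no sidecar: the result must be the venue blocker, not `provider_agent_wallet`.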
The gated pipeline (execution-capable, never prepare-only)
    executeOrPlan(action, execute):
      preflight (always): resolve agent_authority + binding + funding + plan
      if !execute: return "planned" — SIGN NOTHING, MOVE NOTHING, no receipt
      if execute:
        check executionSupported → else exact blocker
        check VenuePolicy + global caps
        check funding
        check live flag → else ready_but_live_locked, executionPerformed=false
        if approval required → requires_approval
        create durable spend intent → execute via adapter → write receipt + audit
ready_but_live_locked with executionPerformed: false is the canonical "correct but the
live flag is off" state. Flip the flag (after a canary) and the same path executes.
Reference adapters set referenceAdapter: true and emit a ref_-prefixed receipt, so a
reference run is never mistaken for a live trade.
The brain/executor security boundary
prompt injection / casual question
→ intent classifier: not a confident action → never dispatched
→ even if mis-classified, the executor's policy + funding + live-flag + authority gates block it
Two independent gates, neither of which is the LLM holding a key. See Security & boundaries and the Intent classifier.