Architecture

OAW is a stack of five layers. Each is independently testable; each maps to a concrete module in the reference SDK.

L5  INTENT SAFETY     reasoning classifier → deterministic, policy-gated execution
L4  EXECUTION         agent_authority block · spend-intents · receipts · policy
L3  FUNDING           CAIP-2 chain map · deposit-address / bridge / swap routing
L2  VENUE BINDING     capability registry · universal pre-bind gate · venue adapters
L1  AGENT AUTHORITY   AgentAuthority + provider adapters (Privy / Virtuals / external)

The agent brain (any LLM runtime) sits above L5 on the chat surface. It is a client of this stack, not a layer in it, and it never holds keys.

The object model

User
 └─ Agent (brain)
     └─ AgentAuthority            (1 active authority; provider adapter resolves it)
         ├─ VenueBinding[polymarket]   ─ FundingPlan ─ SpendIntent ─ ExecutionReceipt
         ├─ VenueBinding[hyperliquid]  ─ FundingPlan ─ SpendIntent ─ ExecutionReceipt
         └─ VenueBinding[…]

AgentAuthority — the single parent authority (Agent authority).
VenueBinding — a child per venue (Venue binding).
VenueCapabilityContract — declarative registry entry per venue.
FundingPlan / FundingReceipt — cross-chain funding records.
SpendIntent / ExecutionReceipt — durable economic-action records.

The brain/executor split

This split is a security boundary, not an accident:

Prompt injection cannot move money. A poisoned input can at most make the brain propose an action; the backend independently checks policy, limits, funding, live flags, and ownership before it signs.
The LLM is replaceable. Any model is a client of the same executor; the executor's guarantees don't depend on the model.
Determinism where it matters. Recognition is fuzzy (a model); execution is deterministic and gated.

See Security & boundaries for the threat model.

The object model​

The brain/executor split​

The object model

The brain/executor split