Security & Boundaries
OAW sits on the path of autonomous money movement, so it is designed fail-closed by default. The boundaries below are structural, not advisory.
Threat model
| Threat | Defense |
|---|---|
| Prompt injection moving money | The brain proposes; the backend executor is the sole signer and policy authority. The LLM never holds a key. Intent is classified by reasoning and executed deterministically — two independent non-LLM gates. |
| Wrong-authority signing | Every execution surfaces a non-secret agent_authority block; Mode B (linked Virtuals) never silently falls back to Mode A. |
| Secret leakage | No secrets in return values, logs, tests, or fixtures; an assertNoSecrets guard enforces this in the reference. |
| Unintended live execution | All money movement is off by default behind explicit flags + policy + approval; unsupported paths return precise blockers. |
| Fake "it traded" signals | Reference adapters set referenceAdapter: true and emit ref_-prefixed receipts; a receipt exists only when execution actually happened. |
| Settlement-proof forgery | Durable, attributable spend-intent → receipt → audit chain; provider-signed receipts are a proposed hardening. |
The two gates
```text
prompt injection / casual question
  → Gate 1 (intent): not a confident action → never dispatched
  → Gate 2 (executor): even if mis-classified, policy + funding + live-flag + authority
                       checks block it before any signature
```
Neither gate is the LLM holding a key. A reasoned, allowed action must pass both.
No-secrets rule
The serialized AgentAuthority, the agent_authority execution block, venue bindings,
funding plans, and receipts are all non-secret. Venue-local secrets (CLOB credentials,
API-wallet keys) stay server-side and appear only as opaque references.
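The guard below is an added example of what an assertNoSecrets check can look like; it is not OAW's own implementation. It assumes that secret-bearing fields are named with the patterns listed, that a venue-local secret is referenced by an opaque `ref:<id>` string (a hypothetical scheme), and that a bare 64-hex-digit string is treated as a raw key. The sample receipts are constructed for the example.

```typescript
// Added example, not OAW code: structural no-secrets guard for anything OAW
// returns, logs, or stores as a fixture. Assumed conventions:
//   - secret-bearing fields are named like SECRET_KEY_PATTERN
//   - venue-local secrets are carried only as opaque "ref:<id>" strings (hypothetical)
//   - a bare 64-hex-digit string is treated as a raw 32-byte key
const SECRET_KEY_PATTERN = /private[_-]?key|secret|mnemonic|seed[_-]?phrase|passphrase/i;
const RAW_PRIVATE_KEY_PATTERN = /^(0x)?[0-9a-f]{64}$/i;
const OPAQUE_REF_PATTERN = /^ref:[A-Za-z0-9_-]+$/;

export type SecretViolation = { path: string; reason: string };

// Walk a value recursively and collect every place a secret appears to leak.
export function findSecrets(value: unknown, path = "$"): SecretViolation[] {
  const out: SecretViolation[] = [];
  if (typeof value === "string") {
    // Value-shape check catches a raw key hiding under an innocent field name.
    if (RAW_PRIVATE_KEY_PATTERN.test(value)) out.push({ path, reason: "looks like a raw 32-byte key" });
    return out;
  }
  if (Array.isArray(value)) {
    value.forEach((v, i) => out.push(...findSecrets(v, `${path}[${i}]`)));
    return out;
  }
  if (value && typeof value === "object") {
    for (const [k, v] of Object.entries(value as Record<string, unknown>)) {
      const childPath = `${path}.${k}`;
      if (SECRET_KEY_PATTERN.test(k)) {
        // A secret-named field may only carry an opaque server-side reference.
        if (typeof v === "string" && OPAQUE_REF_PATTERN.test(v)) continue;
        out.push({ path: childPath, reason: `secret-named field "${k}" carries a non-reference value` });
        continue;
      }
      out.push(...findSecrets(v, childPath));
    }
  }
  return out;
}

// Fail closed: throw on the first leak so the value never reaches a caller or log.
export function assertNoSecrets(value: unknown, label = "value"): void {
  const found = findSecrets(value);
  if (found.length > 0) {
    throw new Error(`${label} leaks secrets: ` + found.map(f => `${f.path} (${f.reason})`).join("; "));
  }
}

// Constructed sample receipts (not real OAW output).
export const cleanReceipt = {
  receiptId: "ref_0001", // ref_-prefixed: reference adapter receipt
  referenceAdapter: true,
  agent_authority: { mode: "A", signer: "backend-executor", keyRef: "ref:signer-1" },
  venueBinding: { venue: "clob", apiKeyRef: "ref:clob-creds-7" },
};

export const leakyReceipt = {
  receiptId: "ref_0002",
  referenceAdapter: true,
  venueBinding: { venue: "clob", apiSecret: "not-an-opaque-ref" },
  signer: { privateKey: "0x" + "ab".repeat(32) },
};
```

Run the guard on every return value, log payload, and test fixture, not just receipts. The 64-hex value heuristic will also flag transaction hashes, so a production guard should pair it with field-name context or an explicit allow-list of hash fields rather than dropping the check.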
Fail-closed defaults
Every money-moving capability is off by default behind an explicit config flag and acts
only when all of: live flag on, policy passes, funding present, approval present (where
required), authority verified. When a flag is off, OAW returns ready_but_live_locked with
executionPerformed: false — it does not degrade to a fake prepare-only product and
does not silently skip the action.
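The executor sketch below is an added example covering both "The two gates" and the fail-closed defaults above; it is not OAW's own code. Status and field names follow this page (`ready_but_live_locked`, `executionPerformed`, `agent_authority`, `ref_`-prefixed receipts); the config shape, the confidence threshold, the per-capability flag naming (`trade:<venue>`), the blocker strings, and the `referenceSign` stub are assumptions made for the example.

```typescript
// Added example, not OAW code: a fail-closed execute() for the backend executor.
// Gate 1 filters intent; Gate 2 runs deterministic checks; the signer is reached
// only when every check is green and the capability's live flag is on.
export type Proposed = { venue: string; asset: string; amountUsd: number };
export type Intent = { kind: "action" | "question" | "unknown"; confidence: number; action?: Proposed };

export type ExecutorConfig = {
  liveFlags: Record<string, boolean>;                      // per capability; absent means off
  policy: { maxUsdPerTx: number; allowedVenues: string[] }; // assumed policy shape
  approvalRequiredAboveUsd: number;
};

export type Context = {
  fundingPresent: boolean;
  approvalPresent: boolean;
  authorityVerified: boolean;
  authority: { mode: "A" | "B"; signerRef: string };       // non-secret, surfaced on every result
};

export type Result = {
  status: "not_dispatched" | "blocked" | "ready_but_live_locked" | "executed";
  executionPerformed: boolean;
  blockers: string[];
  agent_authority: Context["authority"];
  receipt?: { id: string; referenceAdapter: true };
};

const CONFIDENCE_THRESHOLD = 0.9; // assumed

// Gate 1: only a confident action is dispatched; questions and low-confidence
// classifications (including injected text) stop here.
export function gate1(intent: Intent): Proposed | null {
  if (intent.kind !== "action" || !intent.action) return null;
  if (intent.confidence < CONFIDENCE_THRESHOLD) return null;
  return intent.action;
}

// Gate 2: deterministic, non-LLM checks. Returns precise blockers, all of them,
// so a caller can see exactly what is missing rather than a generic failure.
export function gate2(p: Proposed, cfg: ExecutorConfig, ctx: Context): string[] {
  const blockers: string[] = [];
  if (!ctx.authorityVerified) blockers.push("authority_not_verified");
  if (!cfg.policy.allowedVenues.includes(p.venue)) blockers.push(`policy:venue_not_allowed:${p.venue}`);
  if (p.amountUsd > cfg.policy.maxUsdPerTx) blockers.push(`policy:amount_exceeds_max:${p.amountUsd}>${cfg.policy.maxUsdPerTx}`);
  if (!ctx.fundingPresent) blockers.push("funding_missing");
  if (p.amountUsd > cfg.approvalRequiredAboveUsd && !ctx.approvalPresent) blockers.push("approval_missing");
  return blockers;
}

export function execute(intent: Intent, cfg: ExecutorConfig, ctx: Context, sign: (p: Proposed) => string): Result {
  const base = { agent_authority: ctx.authority };
  const proposed = gate1(intent);
  if (!proposed) return { ...base, status: "not_dispatched", executionPerformed: false, blockers: ["gate1:not_confident_action"] };

  const blockers = gate2(proposed, cfg, ctx);
  if (blockers.length > 0) return { ...base, status: "blocked", executionPerformed: false, blockers };

  // Live flag is checked last so the result is truthfully "ready but live-locked":
  // every other gate passed, and nothing degrades to a fake prepare-only path.
  const capability = `trade:${proposed.venue}`;
  if (!cfg.liveFlags[capability]) {
    return { ...base, status: "ready_but_live_locked", executionPerformed: false, blockers: [`live_flag_off:${capability}`] };
  }

  // The only call site that can sign. A receipt exists only because this ran.
  const id = sign(proposed);
  return { ...base, status: "executed", executionPerformed: true, blockers: [], receipt: { id: `ref_${id}`, referenceAdapter: true } };
}

// Reference signer stub (assumed): makes no live call and signs nothing real.
export function referenceSign(p: Proposed): string {
  return `sig-${p.venue}-${p.amountUsd}`;
}

// Constructed sample config and context: every live flag off by default.
export const sampleConfig: ExecutorConfig = {
  liveFlags: {},
  policy: { maxUsdPerTx: 100, allowedVenues: ["clob"] },
  approvalRequiredAboveUsd: 50,
};
export const sampleContext: Context = {
  fundingPresent: true,
  approvalPresent: false,
  authorityVerified: true,
  authority: { mode: "A", signerRef: "ref:signer-1" },
};
```

Note the ordering choice: policy, funding, approval, and authority are evaluated before the live flag, so an operator running with flags off still sees the exact blockers a live run would hit, and turning a flag on never reveals a new class of failure.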
The reference adapters make no live calls, so the security of a production integration depends on how you wire the real signing surfaces (Privy, ACP, venue APIs). Follow the fail-closed defaults and never hand a raw key to the LLM layer.