Don't give your agent a wallet. Give it a mandate.

SBO3L policy gate An AI agent's intent passes through the SBO3L boundary, emerging as a signed passport capsule that routes to either an executor or a deny path. AGENT SBO3L BOUNDARY EXECUTOR agent.eth intent swap 50K USDC → ETH no key policy · spec · sign · audit 3 capsule signed allow → keeperhub.exec deny sponsor not called

SBO3L is the cryptographically verifiable trust layer for autonomous AI agents. Every action your agent takes — pay, swap, store, compute, coordinate — passes through SBO3L's policy boundary first. Output: a self-contained Passport capsule anyone can verify offline.

Start in 5 minutes Try in browser View source

🌐 Live on Ethereum mainnet — UNI-A1 broadcast tx 0xed68d1…aff0b · 0.005 ETH → 11.5743 USDC via Universal Router · block 25,013,950 · gas $0.71 @ 2.19 gwei

Scenario: swap $50,000 → DENY · policy.deny_amount_too_large

Three ways to interact

Tier 1 ▶ Watch the cinematic 30-second motion-graphic walkthrough. Zero code, zero install. Already playing above. Tier 2 ✏️ Edit a policy (mock) Browser-side TypeScript reimplementation. Edit + decide instantly. Capsules are mock-signed — for understanding, not auditable evidence. Tier 3 🌐 Run on real daemon Real Vercel-hosted sbo3l-server. Real Ed25519-signed capsules, audit chain anchored to Sepolia.

Live sponsor integrations

Each track has a working production-shape integration with signed receipts. Click through for the per-track submission narrative + live URLs.

Where the keys live. Agent intent passes through SBO3L's 6-step boundary — parse, policy, spec, sign, audit, link — and routes to the executor or a fail-closed deny path. The signing key never leaves the boundary; the agent never holds it.
SBO3L Key Flow Agent intent passes through SBO3L's 6-step boundary — parse, policy, spec, sign, audit, link — and routes to executor or deny. AGENT SBO3L BOUNDARY EXECUTOR agent.eth INTENT swap 50K USDC → ETH on sepolia PIPELINE 01 parse validate request 02 policy match rule 03 spec build capsule 04 sign ed25519 05 audit merkle append 06 link executor route allow keeperhub.exec deny not called 3 CAPSULE
881/881 Rust tests passing
13/13 demo gates green
6/6 Sepolia contracts deployed
3 sponsor live paths verified end-to-end

What SBO3L is

A Rust workspace implementing a local policy + budget + receipt + audit firewall for AI agents. Every POST /v1/payment-requests goes through:

  1. Schema validation (serde(deny_unknown_fields))
  2. JCS-canonical request hashing
  3. APRP nonce-replay gate (HTTP 409 on reuse)
  4. Deterministic policy decision
  5. Multi-scope budget commit
  6. Hash-chained audit append
  7. Ed25519-signed PolicyReceipt back to agent

Allow → routes to sponsor executor (KeeperHub, Uniswap). Deny → executor never called. Every decision can be wrapped in a Passport capsule that anyone can verify offline against the agent's published Ed25519 pubkey alone.

What SBO3L blocks

Every input below is rejected fail-closed by the daemon, with the exact error code SBO3L returns:

Live integration evidence (2026-04-30)

Real outputs from running the corresponding live smoke against real infrastructure during the submission window. Independently re-verifiable by anyone with public RPC access.

ENS mainnet — sbo3lagent.eth

agent_id:    research-agent-01
endpoint:    http://127.0.0.1:8730/v1
policy_hash: e044f13c5acb792dd3109f1be3a98536168b0990e25595b3cedc131d02e666cf  ← matches offline fixture exactly
audit_root:  0x0000000000000000000000000000000000000000000000000000000000000000  ← canonical genesis
proof_uri:   https://b2jk-industry.github.io/SBO3L-ethglobal-openagents-2026/capsule.json

Uniswap Sepolia QuoterV2 — 0xEd1f6473345F45b75F8179591dd5bA1888cf2FB3

quote_source:            uniswap-v3-quoter-sepolia-0xed1f6473345f45b75f8179591dd5ba1888cf2fb3
route_tokens:            [WETH 0xfff9…, USDC 0x1c7D4B19…]
quote_timestamp_unix:    1777572056
sqrt_price_x96_after:    863470429016487749123863152837655
quote_freshness_seconds: 30

KeeperHub workflow — m4t4cnpmhv8qquce3bv3c

sponsor:        keeperhub
mock:           false
execution_ref:  kh-172o77rxov7mhwvpssc3x   ← KH-issued executionId, not a ULID

Architecture

The agent never holds a key. SBO3L decides, signs, audits, and routes — in that order. Deny blocks every downstream sponsor call.

Agent constellation 5 named + 60 fleet · sbo3lagent.eth subnames research-01 trader-02 auditor-03 indexer-04 router-05 SBO3L daemon schema · policy · budget audit · sign · route deny_unknown_fields JCS-canonical hash nonce-replay gate deterministic policy multi-scope budget hash-chain audit Ed25519 receipt Passport capsule v2 embedded snapshot + segment offline-verifiable "agent never holds the signing key" ENS apex sbo3lagent.eth sbo3l:pubkey sbo3l:endpoint sbo3l:audit_root + … CCIP gateway ENSIP-25 · off-chain text-record signer sbo3l-ccip.vercel.app Uniswap UR Universal Router + per-step policy gate guarded execute() deny → tx never broadcast T-5-2 · #171 APRP intent publish records off-chain records if allow → guarded signed receipt

Reproduce yourself

Every claim above is reproducible from a fresh clone. Public RPCs work — no API keys required for read paths. 

git clone https://github.com/B2JK-Industry/SBO3L-ethglobal-openagents-2026
cd SBO3L-ethglobal-openagents-2026

# Full vertical demo (13 gates, ~10 seconds)
bash demo-scripts/run-openagents-final.sh

# Production-shaped runner (26 real / 0 mock / 1 skipped)
bash demo-scripts/run-production-shaped-mock.sh

# Live ENS smoke (mainnet)
SBO3L_ENS_RPC_URL=https://ethereum-rpc.publicnode.com \
  cargo run -p sbo3l-identity --example ens_live_smoke

# Live Uniswap Sepolia smoke
SBO3L_UNISWAP_RPC_URL=https://ethereum-sepolia-rpc.publicnode.com \
SBO3L_UNISWAP_TOKEN_OUT=0x1c7D4B196Cb0C7B01d743Fbc6116a902379C7238 \
  cargo run -p sbo3l-execution --example uniswap_live_smoke

Resources