An EIP-7702 layer: your AI agent trades from your own wallet inside hard limits. Aligned, not trusted.
intentOS is an EIP-7702 guarded-execution layer for AI-agent trading, designed to solve the trust gap between "approve every trade manually" and "hand an AI agent full wallet authority."
Onchain opportunities do not wait for a human to wake up, but giving an autonomous agent unrestricted access to a wallet is too dangerous. intentOS creates a middle layer where the Owner describes a natural-language trading intent, the Executor Agent searches for opportunities inside that intent, and the Owner's own EOA enforces the final boundary through delegated account code.
The core idea is that the Agent can request execution, but it never receives custody of funds. Funds remain in the Owner's EOA, while an EIP-7702 ExecutionContract attached to that EOA checks every typed ExecutionRequest against hard guardrails such as token pair, amount cap, slippage cap, expiry, nonce, target, selector, and freeze state. If a request is inside the limits, it executes; if it is outside, it reverts. This makes intentOS a self-custody execution protocol for AI agents: the Agent can act while the Owner is offline, but it cannot leave the Owner-defined boundary.
intentOS also introduces a second layer of protection through a Watcher Agent. Some risks are too semantic to enforce synchronously onchain, such as stale quotes, unnatural routes, weak simulations, or execution that no longer matches the Owner's intent. The Watcher Agent reads execution evidence after the fact and can only tighten or freeze future authority. It cannot loosen policy or access funds. In the MVP, intentOS focuses on USDC <-> WETH trading on Base mainnet, with a single Watcher quorum and tiny bounded execution, demonstrating how AI agents can become useful onchain actors without becoming custodians.
intentOS is built as a layered guarded-execution system. The Owner starts by connecting a wallet, proving personhood, and describing a trading goal to the IntentBuilder. The IntentBuilder compiles that natural intent into an Agent Package containing the Executor Agent's behavior, tool policy, memory policy, evidence policy, stop conditions, semantic guardrails, and CONSTRAINTS.json hard guardrails. The package hash is bound to an Agent NFT, so the NFT represents the Agent identity, runtime access right, delegated-account access context, and the manifest it must obey. Importantly, transferring or owning the NFT never transfers custody of the Owner's funds.
The Executor Agent runs inside an OpenClaw Runtime Capsule on Cloud Run. This gives the Agent an isolated always-on execution environment that keeps ticking even when the Owner's laptop is asleep. The Runtime can observe market state, portfolio state, current guardrails, Uniswap quotes, simulations, and evidence, then choose actions such as BUY, SELL, HOLD, or RECOVER. However, OpenClaw is intentionally not trusted with onchain authority. It cannot export a private key, generate arbitrary calldata, call arbitrary contracts, loosen policy, or move funds directly. It can only call intentOS typed tools that produce bounded ExecutionRequests.
The most important technical split is between reasoning, signing, sending, and authority. OpenClaw reasons about what it wants to do; the intentOS adapter quotes, simulates, type-checks, and assembles a bounded ExecutionRequest; a GCP KMS-backed SessionKey signs only that request digest; and the intentOS Relayer submits it to the Owner's EIP-7702 ExecutionContract on Base. The ExecutionContract is the final authority. It ignores the Agent's reasoning and mechanically checks whether the request fits the hard guardrails before moving any Owner funds.
Gas is handled through an ExecutionGasVault lane inside the delegated account. The Relayer fronts transaction gas, and after a successful guarded execution, the contract reimburses it up to a configured gas cap from the Owner-funded vault lane. This separates the signer, sender, gas budget, and fund custody into distinct roles. A notable hack in the project is using EIP-7702 as the "guarded operating system" for an AI agent: the Agent gets a cloud runtime and a request capability, while the Owner's EOA itself becomes the policy-enforcing account that decides what can actually happen onchain.
For monitoring, a Watcher Agent can be minted as a separate Agent NFT with its own OpenClaw Runtime. The Watcher reads EvidenceCommitted events, quote hashes, simulation hashes, reasoning hashes, transaction results, and the Executor's package context. If it detects that execution is drifting away from the Owner's semantic intent, it can submit a report or vote that tightens or freezes future execution. This creates a two-stage guard model: hard guardrails stop invalid requests before execution, and semantic guardrails reduce future authority after suspicious behavior is observed.
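The two-stage guard model described above, sketched as an off-chain Python model; this is an added example, not intentOS's contract code. The field names, the placeholder addresses and selector, and the `execute` and `tighten` helpers are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# Constructed placeholders, not the project's real addresses or selector.
USDC, WETH, ROUTER, SWAP_SELECTOR = "0xUSDC", "0xWETH", "0xROUTER", "0x12345678"

@dataclass
class Guardrails:  # hypothetical shape of the hard guardrails
    pairs: frozenset           # allowed (token_in, token_out)
    max_amount_in: int
    max_slippage_bps: int
    targets: frozenset         # allowed (target, selector)
    frozen: bool = False
    used_nonces: set = field(default_factory=set)

@dataclass(frozen=True)
class ExecutionRequest:  # hypothetical field names
    token_in: str
    token_out: str
    amount_in: int
    slippage_bps: int
    expiry: int
    nonce: int
    target: str
    selector: str

def execute(g, r, now):
    """Return "executed", or "reverted:<check>" for the first failed guardrail."""
    checks = [
        (not g.frozen, "frozen"),
        ((r.token_in, r.token_out) in g.pairs, "pair"),
        (0 < r.amount_in <= g.max_amount_in, "amount"),
        (0 <= r.slippage_bps <= g.max_slippage_bps, "slippage"),
        (now <= r.expiry, "expiry"),
        (r.nonce not in g.used_nonces, "nonce"),
        ((r.target, r.selector) in g.targets, "target/selector"),
    ]
    for ok, name in checks:
        if not ok:
            return "reverted:" + name   # no state change on failure
    g.used_nonces.add(r.nonce)          # nonce burned only after every check passes
    return "executed"

def tighten(g, max_amount_in=None, freeze=False):
    """Watcher path: may lower the cap or set freeze, never loosen or unfreeze."""
    if max_amount_in is not None:
        g.max_amount_in = min(g.max_amount_in, max_amount_in)
    g.frozen = g.frozen or freeze
```

The model never inspects the Agent's reasoning: only the typed fields of the request decide the outcome, and a rejected request leaves the nonce set untouched.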

