SBO3L

Spending mandates for AI agents. The agent never holds the key; SBO3L decides, signs and audits.



Open Agents

Project Description

SBO3L is a local policy, budget, receipt and audit firewall that decides whether an autonomous AI agent may execute an onchain or payment action — so the agent never has to hold a private key.

A research-agent in our demo emits a payment request (an APRP — "Agent Payment Request Protocol") across the SBO3L boundary. SBO3L validates the request, evaluates a deterministic policy, enforces multi-scope budgets, rejects replayed nonces with HTTP 409 (backed by a persistent SQLite table so dedup survives restart), signs an Ed25519 policy receipt, appends a hash-chained audit event, and only then routes the action to a sponsor executor (KeeperHub or Uniswap in this demo). When the same agent is prompt-injected and forwards a hostile request, SBO3L denies before any signer or executor runs and the audit log captures the rejection. Tampering with one byte of an audit event is rejected by the strict-hash verifier.

Every decision can be packaged as a self-contained Passport capsule: sbo3l passport verify re-derives every claim from a single JSON file alone. A WASM verifier (compiled from the same Rust core) runs the same 6 strict crypto checks entirely client-side at sbo3l-marketing.vercel.app/proof — drag-drop a capsule, your browser is the trust anchor.

The whole flow reproduces from a fresh clone in ~10 seconds with bash demo-scripts/run-openagents-final.sh. 977/977 tests pass across 40+ test binaries on 11 crates, schemas validate, the demo's 13 gates are green end-to-end including audit-chain tamper-detection and the agent no-key boundary proof. A real Uniswap V3 mainnet swap is broadcast (tx 0xed68d1…aff0b — 0.005 ETH → 11.5743 USDC, block 25,013,950) proving the executor path on production Ethereum.

SBO3L ships 10 publishable Rust crates on crates.io, 25+ npm packages including 5 framework keeperhub plugins (LangChain, ElizaOS, AutoGen, CrewAI, Vercel AI SDK), 8 PyPI packages, 7 Sepolia smart contracts (OffchainResolver + AnchorRegistry + SubnameAuction + ReputationBond + ReputationRegistry + ERC-8004 IdentityRegistry), mainnet ENS apex sbo3lagent.eth with 5 sbo3l:* records, and a CCIP-Read gateway at sbo3l-ccip.vercel.app.

SBO3L is not a wallet, not a relayer, and not a trading bot. It is the pre-execution policy and signing boundary that lets autonomous agents transact without ever being trusted with a key.

How it's Made

SBO3L is a Rust workspace built during ETHGlobal Open Agents 2026 around four hard contracts: a strict APRP wire format with serde(deny_unknown_fields) end-to-end and a JCS-canonical request hash locked at c0bd2fab…; a deterministic policy engine evaluating a Rego-compatible expression grammar over a hash-locked policy file; a multi-scope budget tracker (per_tx, daily, monthly, per_provider); and an Ed25519-signed, hash-chained audit log persisted in SQLite with both structural and strict-hash verifiers.

The HTTP boundary is POST /v1/payment-requests, served by axum. Each request runs through the same fail-closed pipeline: schema validation → canonical request hash → APRP nonce-replay gate (HTTP 409 + protocol.nonce_replay, before any state mutation, backed by an atomic INSERT into the persistent nonce_replay SQLite table) → policy decision → budget commit (only on Allow) → audit append → signed policy receipt. Receipts and decision tokens are JCS-canonical JSON signed with Ed25519; audit events are linked by prev_event_hash and verifiable end-to-end with the sbo3l verify-audit CLI.
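As an added illustration (not SBO3L's own code), here is a small Python model of the fail-closed pipeline described above and in the demo paragraph: a JCS-style canonical request hash, the atomic-INSERT nonce replay gate in SQLite, a simplified policy and per_tx budget check, a hash-chained audit log linked by prev_event_hash, and a strict-hash verifier that rejects a one-byte tamper. Ed25519 receipt signing is left out; the canonical() helper, the reason strings and the column layout are assumptions.

```python
import hashlib
import json
import sqlite3

def canonical(obj) -> str:
    # Stand-in for JCS canonicalisation (assumption): sorted keys, no whitespace
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False)

def sha256_hex(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()

class Boundary:
    """Model of the pipeline: nonce gate -> policy -> per_tx budget -> audit append."""
    def __init__(self, per_tx_cap: float, allowed_providers: set):
        self.db = sqlite3.connect(":memory:")  # persistent file in the real system
        self.db.execute("CREATE TABLE nonce_replay (nonce TEXT PRIMARY KEY, request_hash TEXT)")
        self.audit = []
        self.per_tx_cap, self.allowed = per_tx_cap, allowed_providers

    def handle(self, req: dict) -> dict:
        request_hash = sha256_hex(canonical(req))
        # Replay gate: the INSERT is atomic on the PRIMARY KEY, so a repeated nonce
        # fails here, before policy, budget or audit state is touched (HTTP 409)
        try:
            with self.db:
                self.db.execute("INSERT INTO nonce_replay VALUES (?, ?)", (req["nonce"], request_hash))
        except sqlite3.IntegrityError:
            return {"status": 409, "error": "protocol.nonce_replay"}
        if req["provider"] not in self.allowed:           # deterministic policy (simplified)
            decision, reason = "Deny", "policy.provider_not_allowed"
        elif req["amount"] > self.per_tx_cap:               # per_tx budget scope
            decision, reason = "Deny", "budget.per_tx_exceeded"
        else:
            decision, reason = "Allow", "ok"
        # Denials are audited too: the log records the rejection, not only the allows
        self._append({"request_hash": request_hash, "decision": decision, "reason": reason})
        return {"status": 200, "decision": decision, "reason": reason, "request_hash": request_hash}

    def _append(self, body: dict) -> None:
        prev = self.audit[-1]["event_hash"] if self.audit else "0" * 64
        event = dict(body, seq=len(self.audit), prev_event_hash=prev)
        event["event_hash"] = sha256_hex(canonical(event))  # hash covers the prev link
        self.audit.append(event)

def verify_audit(events: list) -> bool:
    """Strict-hash verifier: recompute every event hash and check each prev_event_hash link."""
    prev = "0" * 64
    for i, ev in enumerate(events):
        body = {k: v for k, v in ev.items() if k != "event_hash"}
        if ev.get("seq") != i or ev.get("prev_event_hash") != prev:
            return False
        if sha256_hex(canonical(body)) != ev.get("event_hash"):
            return False
        prev = ev["event_hash"]
    return True
```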

Beyond the per-request flow, every decision can be packaged as a self-contained sbo3l.passport_capsule.v2 JSON file with embedded crypto material — sbo3l passport verify re-derives every claim (request hash, policy hash, receipt sig, audit chain, signer pubkeys) from the file alone, no daemon required. The same Rust verifier compiles to WebAssembly and runs in the browser at /proof — judges drag-drop a capsule and watch 6 cryptographic checks pass with zero network call after page load.

KeeperHub integration ships across 5 paths (IP-1 envelope helper, IP-2 LangChain demo, IP-3 MCP audit_lookup tool, IP-4 standalone publishable adapter crate sbo3l-keeperhub-adapter, IP-5 Passport URI ENS text record) plus 5 framework adapter packages on npm/PyPI: @sbo3l/langchain-keeperhub, @sbo3l/elizaos-keeperhub, @sbo3l/vercel-ai-keeperhub, sbo3l-autogen-keeperhub, sbo3l-crewai-keeperhub.

ENS integration: live mainnet apex sbo3lagent.eth carries 5 sbo3l:* records (agent_id, endpoint, policy_hash, audit_root, proof_uri); Sepolia OffchainResolver implements ENSIP-25 / EIP-3668 CCIP-Read with a Vercel-hosted gateway returning EIP-712-signed text records; ERC-8004 IdentityRegistry deployed on Sepolia at 0x600c10dE…Db37; CLI command sbo3l agent verify-ens follows the OffchainLookup loop natively.

Uniswap integration: live read-side via QuoterV2 on Sepolia (real quote evidence captured in capsule.executor_evidence), bounded executor with token allowlist + max notional + slippage cap + treasury recipient guard, real mainnet broadcast UNI-A1 from deploy wallet 0xdc7EFA…D231 (tx 0xed68d1…aff0b: 0.005 ETH → 11.5743 USDC via Universal Router, block 25,013,950, gas 139,971 @ 2.19 gwei).

0G Storage backend: sbo3l audit export --backend 0g-storage uploads audit bundles via the Galileo testnet indexer, captures rootHash, wraps the bundle in a live_evidence envelope. SBO3L Passport capsule MCP server exposes 6 tools over stdio JSON-RPC (validate_aprp, decide, run_guarded_execution, verify_capsule, audit_lookup, explain_denial) — Claude Desktop / Cursor can call SBO3L directly.

A research-agent harness drives the boundary across two scenarios — a legitimate x402 purchase and a prompt-injection attack — by posting real APRP fixtures across the API. The agent crate has zero signing dependencies; demo gate 12 verifies this by grepping for SigningKey in demo-agents/research-agent/ and asserting the count is zero.


SBO3L | ETHGlobal