Don't give your AI agent the keys. Give it a budget. Policy-enforced vaults on Sui.
Suistody is the first policy-based AI agent custody protocol on Sui. It solves a critical problem in the emerging AI agent economy: how do you let an AI agent transact autonomously without giving it your private keys?
Today, AI agents that need to execute DeFi trades, purchase resources, or manage funds face a binary choice: either the user hands over full private key access (dangerous — the agent can drain everything), or the user must manually approve every transaction (defeats the purpose of autonomy). EVM's approve/transferFrom model only controls spending amount — it cannot restrict what actions are allowed, how frequently the agent trades, or when permissions expire.
Suistody introduces on-chain Vaults with five-dimensional policy enforcement: a per-transaction limit, a total budget, a cooldown between withdrawals, an action whitelist, and a policy expiry.
When a user creates a vault, they deposit SUI and configure these five policy dimensions. An AgentCap (a Move capability object) is minted and granted to the AI agent. The agent can only operate within these constraints — every withdrawal is validated atomically against all five dimensions by the Move smart contract. The vault owner can revoke the AgentCap instantly at any time.
The AI agent supports three LLM providers (OpenAI GPT-4o, Google Gemini 2.0 Flash, Anthropic Claude Sonnet) with automatic detection. It reads real-time order book data from DeepBook V3 (Sui's native CLOB DEX), makes trading decisions based on natural language strategies written by the user, and executes trades — all within the policy guardrails.
Security is enforced in two layers: an off-chain pre-check filters invalid requests before they hit the blockchain (saving gas), and the Move smart contract re-validates every rule on-chain (guaranteeing correctness). Even if the server is compromised, the contract is the final authority.
Users authenticate via Sui's native zkLogin (sign in with Google, no wallet extension needed), and all transactions are gas-sponsored (zero cost for both users and agents). A built-in Guardrail Stress Test runs five adversarial attack scenarios against the vault policy, and an on-chain audit trail provides full transaction transparency via SuiScan.
Suistody is not just a trading tool — it is infrastructure for AI agent permission management, extensible to NFT bidding, DAO treasury management, yield farming, and any scenario requiring limited, revocable AI authority on-chain.
Suistody is a full-stack application built by a solo developer over the course of the hackathon. The architecture spans three layers: a Sui Move smart contract, a Next.js 14 backend with API routes, and a React 18 frontend.
Smart Contract (Sui Move)
The core contract (agent_vault.move) defines four on-chain structures: Vault (shared object holding Balance<SUI> and policy state), Policy (5-dimensional rule set), AgentCap (transferable capability object with key+store abilities), and OwnerCap. The agent_withdraw function validates all 9 assertions atomically — amount > 0, cap matches vault, cap is authorized, policy not expired, cooldown elapsed, amount within per-tx limit, amount within remaining budget, action whitelisted, and sufficient balance. I used Balance<SUI> instead of Coin<SUI> for storage, and overflow-safe arithmetic (subtraction: amount <= max
AI Agent Runtime (Next.js API Routes)
The agent runtime is a 7-step pipeline: (1) fetch DeepBook V3 order book data via @mysten/deepbook-v3, (2) build a market snapshot prompt, (3) send to the configured LLM (OpenAI/Gemini/Anthropic — auto-detected from env vars), (4) parse the JSON response with Zod schema validation, (5) run off-chain policy pre-check against all 6 rules, (6) build a Programmable Transaction Block, (7) execute via dual-signature sponsored transaction.
The most notable hack: the entire withdraw-swap-transfer flow is composed into a single PTB. The transaction atomically calls agent_withdraw to extract a Coin<SUI> from the vault, pipes it into DeepBook V3's swapExactBaseForQuote (which is a curried function — dbClient.deepBook.swapExactBaseForQuote(params)(tx)), receives three result coins [base, quote, deep], and transfers all three to the owner. One transaction, one signature, one gas fee. On EVM this would require three separate transactions with race conditions between them.
DeepBook V3 Integration
I integrated @mysten/deepbook-v3 for real order book data. This required pinning @mysten/sui to exactly 1.38.0 — DeepBook has a hard dependency on this version, and any mismatch causes experimental_asClientExtension type errors. The swap methods are curried (a pattern unique to this SDK), and the three return values (baseCoin, quoteCoin, deepCoin) must all be explicitly transferred or the transaction fails.
zkLogin + Sponsored Transactions
Authentication uses Sui's native zkLogin: Ed25519Keypair.generate() → generateNonce → Google OAuth 2.0 → JWT sent to Enoki prover (prover-dev.mystenlabs.com) for ZK proof generation → getZkLoginSignature. A critical lesson: Enoki's /v1/zklogin/zkp endpoint does NOT accept a salt parameter — it manages salts internally and returns an addressSeed that MUST be used as-is. Computing your own salt causes Groth16 verification failure. All transactions use sponsored execution with dual signatures (user zkLogin + sponsor keypair), so neither the vault owner nor the AI agent pays gas.
Frontend
Built with Next.js 14 App Router, React 18, Tailwind CSS, and Zustand for state management. The "Vault Noir" design system uses custom CSS variables, glass-morphism cards, and terminal-style activity logging. The Guardrail Stress Test component runs 5 real adversarial scenarios (budget overflow, per-tx breach, cooldown bypass, unauthorized agent, expired policy) against the actual API — these are real on-chain policy checks, not simulations. Natural language strategy input supports 4 presets and custom strategies up to 500 characters. Auto-run mode enables autonomous trading at configurable intervals (30s/45s/60s/120s).
Testing
15/15 Move contract tests (sui move test) covering all policy enforcement paths. 20/20 Vitest unit tests covering intent parsing and policy checking. Zod validates all external inputs at system boundaries.
Tech Stack: Sui Move, Next.js 14, React 18, TypeScript, @mysten/sui (pinned to 1.38.0), @mysten/deepbook-v3, Tailwind CSS, Zustand, Zod, Vitest, OpenAI SDK, Google Generative AI SDK, Anthropic SDK.