AI proposes Β Β·Β the signer & on-chain vault authorize Β Β·Β the chain executes.
Casper Agentic Buildathon 2026 Β· Casper Innovation Track
πΊ Demo video Β Β·Β π On-chain proof Β Β·Β π§ͺ Judge playbook Β Β·Β π‘οΈ Security model Β Β·Β β‘ Quickstart
Caspilot's core claim β an on-chain policy gate that stops a misbehaving agent β is proven on casper-test and permanently verifiable on a block explorer. No rebuild, no trust in us. Look any hash up on testnet.cspr.live:
| Step | Result | Hash | On-chain outcome |
|---|---|---|---|
| Deploy PolicyVault | β installed | bf555d60β¦5431 |
package ff2d4e13β¦7fb9 β contract 8f75ba25β¦d63e |
| Deploy demo CEP-18 token | β installed | recovered from the same deployer account | package 0f8b1bd8β¦e38a β contract 89522729β¦1c9d |
pay() accepted |
β transfer | a7419aa2β¦2bdf5 |
50 tokens β allowlisted receiver |
pay() rejected β receiver not allowed |
β reverted | e6801a75β¦cec7 |
User error: 3 (ReceiverNotAllowed) |
pay() rejected β over per-payment max |
β reverted | c4a48997β¦0eea |
User error: 4 (AmountAboveMax) |
| UI co-sign β human signs + pays, backend-verified | β finalized | 299d1288β¦fe7543 |
native CSPR transfer Β· signerRole: user_cspr_click |
A genuine policy gate must do more than let a good payment through β it must stop the bad ones on-chain, where the agent cannot override it. Two correctly-signed, correctly-formed payments were reverted purely because they violated policy. That is the whole thesis, on-chain. The last row is proof of a different kind: a real transaction a human co-signed and paid straight from the web UI, which the backend independently verified on-chain before recording it.
Full walkthrough, trust model, and reproduce steps β docs/tier1-demo.md.
Autonomous agents that touch money are a security nightmare. To act, an agent usually needs a key β and a key is unbounded authority. If the model is jailbroken, hallucinates a recipient, or is simply wrong, nothing on-chain stops it. "Trust the prompt" is not a security model.
Caspilot splits the agent's intelligence from its authority. The agent can reason about yield and propose a payment, but it never holds a key and can never move funds on its own. Every payment passes through two independent gates it cannot bypass:
- An off-chain SignerGuard β deny-by-default policy checks + a SQLite spend-ledger that reserves budget before anything is signed (replay-protected, daily-capped).
- An on-chain PolicyVault β an Odra smart contract that re-checks every
pay()against an agent allowlist, a receiver allowlist, a per-payment max, a daily cap, a validity window, and a payload-hash nonce β and reverts if any fails.
AI proposes; signer & vault authorize; chain executes. The vault's allowlisted agent is bound to the signer's own derived account hash β so on-chain authority follows the key that actually signs, not a value the caller passes in.
Caspilot ships this as two product lines over one backend:
- πΈ An x402-paid agent API β pay-per-call yield intelligence, settled with the x402 payment protocol (CEP-18 + EIP-712 authorization) and a replay-protected ledger.
- π A delegated on-chain PolicyVault β deposit funds, set the rules, and let the agent operate within them. The chain is the backstop.
flowchart TB
AI["π€ AI agent<br/>reasons about yield, proposes a payment<br/><b>never holds a key</b>"]
subgraph G1["GATE 1 Β· off-chain β deny by default"]
SG["π‘οΈ SignerGuard<br/>reserves budget before anything is signed<br/>replay-protected spend ledger"]
end
subgraph SIGN["Separated signing β key never crosses to broadcast"]
direction LR
USER["π€ Human co-sign<br/>CSPR.click wallet<br/>signs AND pays"]
AGENT["π Agent signer<br/>detached signature only"]
end
subgraph G2["GATE 2 Β· on-chain β the backstop"]
VAULT["βοΈ PolicyVault Β· Odra smart contract<br/>agent + receiver allowlists Β· per-payment max<br/>daily cap Β· validity window Β· payload-hash nonce"]
end
CHAIN{{"casper-test executes<br/>β or REVERTS on violation β"}}
TRACE["π Audit trace, redacted<br/>records what was decided, never the prompt"]
AI -->|"intent"| SG
SG -->|"approved β build unsigned deploy"| SIGN
USER --> VAULT
AGENT --> VAULT
VAULT -->|"a valid signature is necessary,<br/><b>never sufficient</b>"| CHAIN
SG -.->|"every step"| TRACE
VAULT -.-> TRACE
In the codebase: apps/web (Next.js) creates intents and drives CSPR.click signing; apps/api (Hono) runs the intent FSM, the x402 gateway, and the redacted audit trace; apps/harness broadcasts and observes on casper-test.
The agent's only path to the chain is a detached, tagged signature over a byte-identical deploy. The signing key is loaded by the signer and never crosses into the broadcast adapter. Even with a valid signature, the vault still has the final say.
π The full one-page value proposition (for judges):
docs/value-proposition.md.
| Layer | Choice |
|---|---|
| Smart contract | Odra 2.0 (Rust β WASM), CEP-18 token transfers |
| Backend API | Hono + @hono/node-server, TypeScript (strict, NodeNext) |
| Web | Next.js 14 App Router, React 18, a hand-rolled design-system.css (no Tailwind) |
| Payments | x402 protocol (verify/settle/supported wire schemas, PAYMENT-SIGNATURE codec) |
| Ledgers | SQLite via better-sqlite3 (WAL), UNIQUE replay constraints |
| Chain access | casper-js-sdk against a casper-2.0 (Condor) testnet node |
| Monorepo | pnpm workspace Β· vitest Β· biome Β· GitHub Actions CI |
788 automated tests across 12 workspaces, plus a Rust contract suite and a gated real-broadcast live runner.
Prerequisites: Node β₯ 20.10 (CI runs Node 22), pnpm 9.12, and β for the contract β the Rust/Odra toolchain (see
docs/development-status.md).
pnpm install # installs the workspace (better-sqlite3 builds natively)
pnpm typecheck # strict TS across every package
pnpm test # 788 tests (the 2 real-broadcast tests self-skip)node scripts/check-cargo.mjs # cargo odra test -b casper && cargo odra buildpnpm --filter api dev # API on http://localhost:8787
pnpm --filter web dev # Web on http://localhost:3001Open http://localhost:3001 β Intents to draft a payment intent and Intent detail to watch its (redacted) audit trace.
Note (honest status): the production API entrypoint (
apps/api/src/index.ts) serves the full/intentslifecycle β create, list, validate-policy, mark-executed, trace, and reject β alongside/healthzand/version, persisting the ledger and audit trace to SQLite (CASPILOT_DB_PATH). The API carries a non-broadcastinglocal_devsigner (itssign()throws): it never holds a real signing key, so on-chain broadcast stays the harness's job. Host setup β persistent volume, env, CORS β is indocs/deploy-vercel.md. The Tier-1 proof above is independent of any hosting β the deploy hashes are permanent on-chain.
Opt-in, casper-test only, gated behind RUN_REAL_ONCHAIN=1. Full env and command in docs/tier1-demo.md.
This is the no-marketing path for buildathon reviewers:
- Verify the deployed Casper Testnet proof β open the hashes in the headline table above. The mandatory PolicyVault package is
ff2d4e132f979f6d5c1af13d34270acfddc75a7c98c323be4d8b668140fb7fb9; its live contract hash is8f75ba257f61ae1bbfa1f974a617705e519757445a77189d7c011327bdc5d63e. The demo CEP-18 token package is0f8b1bd871aa5061b278c1a45d653cb2f29a40f79e76196e35beb3851225e38a. - Watch the UI workflow β the 3m44s demo video shows the actual reviewer path: create intent β validate policy β CSPR.click wallet co-sign β backend on-chain confirmation β explorer proof β rejected policy violations.
- Run the local MVP β
pnpm install && pnpm --filter api devin one shell,pnpm --filter web devin another, then open http://localhost:3001. The seeded API lets you inspect the intent FSM and audit trace without spending test-CSPR. - Run the verification gates β
pnpm typecheck,pnpm test, andnode scripts/check-cargo.mjs. The real-broadcast tests are gated and self-skip unlessRUN_REAL_ONCHAIN=1is set. - Optional live wallet replay β use a Casper wallet on
casper-testwith test CSPR, setNEXT_PUBLIC_CSPRCLICK_APP_IDandNEXT_PUBLIC_CASPILOT_API_BASE, then followdocs/demo-recording.md. Do not click explorer links for synthetic seeded hashes; only the hashes documented above are durable on-chain proof.
- GitHub repository β public MIT repo with CI, CodeQL workflow, Dependabot config, security policy, contributing guide, pull-request template, and issue templates. Required topics are set on GitHub:
casper-blockchain,casper-network,buildathon. - Application β functional MVP with a Next.js UI, Hono API, x402 gateway, CSPR.click co-sign flow, and a deployed Casper Testnet PolicyVault proof.
- BUIDL page fields β copy these package hashes and sample transactions without rebuilding:
- PolicyVault package:
ff2d4e132f979f6d5c1af13d34270acfddc75a7c98c323be4d8b668140fb7fb9. - PolicyVault contract:
8f75ba257f61ae1bbfa1f974a617705e519757445a77189d7c011327bdc5d63e. - Demo CEP-18 package:
0f8b1bd871aa5061b278c1a45d653cb2f29a40f79e76196e35beb3851225e38a. - Accepted vault payment:
a7419aa2fcedff56b76fe509ecc745b9f1da0ecd5b26e0205a0241061242bdf5β 50 demo tokens transferred to the allowlisted receiver. - Rejected vault payment:
e6801a750b58bbe955240b0fef19e53ced76219be397043bb1f56e03280bcec7β receiver not allowlisted, reverted asUser error: 3. - Rejected vault payment:
c4a48997dfcd7c56c2d019caaa771467f71d48d50ca85584218fb2a9327a0eeaβ amount above the per-payment max, reverted asUser error: 4. - UI co-sign transaction:
299d1288e7edfed64e1de6ca9d229834b02f2de22d75999b59a09b5403fe7543β human CSPR.click signer paid and the backend confirmed on-chain before recording.
- PolicyVault package:
Defense-in-depth is the point of this project, not an afterthought:
- Key separation β the agent/API never holds the signing key; only a detached signature crosses the trust boundary into the broadcast adapter.
- Deny-by-default β SignerGuard rejects anything not explicitly allowed; denial paths never reach the signer.
- On-chain backstop β the PolicyVault re-validates every
pay(); a valid signature is necessary but not sufficient. - No secrets in the browser β
validatePublicEnv()rejects privilegedNEXT_PUBLIC_*names, and a build-time gate (scripts/check-bundle-secrets.mjs) scans the real.nextbundle for leak shapes and live secret values. - User signs, not the server β the only web signer is CSPR.click; any provider exposing privileged fields is rejected.
- Audit trace, not chain-of-thought β reasoning/prompts are redacted before persistence and re-redacted on export. The trace records what was decided, never the model's private reasoning.
- Replay protection everywhere β
UNIQUE(nonce,payer,asset)andUNIQUE(payload_hash)in the payment ledger;UNIQUE(intent_id)reservations in the spend ledger; payload-hash nonces on-chain.
caspilot/
βββ apps/
β βββ api/ Hono API β intent FSM, x402 gateway, audit trace
β βββ web/ Next.js 14 UI (Vercel-ready)
β βββ harness/ Tier-1 real-broadcast orchestrator (casper-test)
β βββ adapter-doctor/ adapter capability/health checks
βββ packages/
β βββ intent-fsm/ canonical states + deny-by-default transitions
β βββ signer-guard/ policy checks + SQLite spend ledger
β βββ x402-gateway/ x402 wire schemas + PAYMENT-SIGNATURE codec
β βββ payment-ledger/ replay-protected SQLite ledger
β βββ adapters/ casper-rpc / CEP-18 / CSPR.cloud / write path
β βββ audit-trace/ reasoning redactor + store
β βββ shared/ canonical JSON / SHA-256 helpers
βββ contracts/
β βββ policy-vault/ the Odra smart contract (the on-chain gate)
βββ docs/
βββ tier1-demo.md β the verifiable on-chain proof
βββ deploy-vercel.md β deployment guide
βββ demo-recording.md β demo-video runbook
βββ development-status.md β detailed phase-by-phase build log
- β Tier-1 (mandatory) β on-chain PolicyVault enforcement proven on casper-test, sealed into a schema-valid artifact.
- β
Live API β
index.tsassemblesIntentRouterDepsviabuildApiDeps, so the full intent lifecycle serves over HTTP (see deploy guide). - βοΈ Step-by-step FSM β replace the
mark-executeddemo fast-forward with the full intermediate state walk. - βοΈ Reservation sweeper β wire
releaseExpired()to a background job so abandoned reservations free budget. - βοΈ Tier-2/3 β multi-step yield strategies, more adapters, mainnet hardening.
Where this goes. The primitive Caspilot proves β an autonomous agent whose authority is bounded by an on-chain policy it cannot override β is the missing trust layer for the agent economy. The same SignerGuard + PolicyVault pattern generalizes directly to the buildathon's DeFi and RWA themes: autonomous treasury management, policy-gated RWA settlement, and machine-to-machine commerce where agents transact continuously but can never exceed the rules their owner deposited on-chain.
- π On-chain proof (Tier-1) β the headline, block-explorer verifiable.
- π¬ Demo-video runbook β shot list + narration for recording the demo.
- π οΈ Engineering status log β every phase, every deviation, every compat fix.
πΊ Watch the walkthrough (3m44s): youtu.be/cp_SQRvDwEA
A single end-to-end take: drafting a payment intent in the console β policy validation β a human co-sign from the CSPR.click wallet that pays from the user's own funds β the backend independently verifying the deploy on-chain before recording it β the public testnet.cspr.live explorer showing the finalized transfer β two on-chain rejections (User error: 3 / User error: 4) where the vault stops policy-violating payments β the full 788-test suite running green β the open-source repo and architecture.
MIT β see LICENSE. Open-source and public, as required by the buildathon.