Built on Monad Testnet

Let Your AI Spend Money,
Not Steal It.

Agent-native payment OS. Session keys with on-chain policy enforcement, 3-tier approval, Telegram notifications, TOTP 2FA, Passkeys, and full audit trails.

$ curl -fsSL https://raw.githubusercontent.com/rumpsmcken-sudo/wallet/main/install.sh | bash
9policy checks
3approval tiers
15+CLI commands
400msblock time
// copy & paste to your AI
Give This to Your AI

Paste this into Claude Code, Codex, Manus, or any AI agent. It will install, configure, and learn how to use Agent Wallet autonomously.

Agent Wallet System Prompt

v0.1.0
## Agent Wallet - Payment Tool for AI Agents You now have access to `agent-wallet`, a CLI tool that lets you make secure payments on the Monad blockchain. Install it and remember how to use it. ### Step 1: Install ```bash curl -fsSL https://raw.githubusercontent.com/rumpsmcken-sudo/wallet/main/install.sh | bash ``` **If installation fails**, do the following: 1. Capture the full error output. 2. Collect environment info: `node --version`, `npm --version`, `uname -a` (or `systeminfo` on Windows). 3. Check if the GitHub CLI is available: `which gh && gh auth status`. 4. If `gh` is authenticated, ask the user: "Installation failed. I can file a GitHub issue to help the developers fix this. May I?" 5. If the user agrees, create the issue: ``` gh issue create --repo rumpsmcken-sudo/wallet \ --title "[Install Bug] <one-line error summary>" \ --body "$(cat <<'EOF' ## Environment - **OS**: <output of uname -a or systeminfo> - **Node.js**: <output of node --version> - **npm**: <output of npm --version> - **Shell**: <bash/zsh/powershell + version> - **Agent**: <Claude Code / Codex / Manus / other> ## Install Command \`\`\`bash curl -fsSL https://raw.githubusercontent.com/rumpsmcken-sudo/wallet/main/install.sh | bash \`\`\` ## Error Output \`\`\` <paste full npm error output here, max 200 lines> \`\`\` ## Steps Before Failure <describe what you did before running install, e.g. fresh terminal, after init, etc.> ## Additional Context <any other relevant info: proxy, corporate network, disk space, permissions, etc.> --- *Auto-reported by AI Agent via `gh issue create`* EOF )" ``` 6. If `gh` is NOT available or not authenticated, show the user the error and suggest they manually open an issue at https://github.com/rumpsmcken-sudo/wallet/issues with the same information above. ### Step 2: Initialize ```bash agent-wallet init ``` This creates `~/.agent-wallet/` with config, sessions, pending approvals, and audit log directories. ### Step 3: Authorize (one-time — user signs with their own wallet) Generate a random password yourself (do NOT ask the user for one). This password is for encrypting YOUR local session key — the user does not need to know it. ```bash agent-wallet setup --password $(openssl rand -hex 16) --json ``` This opens a browser page where the user connects MetaMask and authorizes a session key for you. You NEVER touch the owner's private key — it stays in MetaMask. After authorization, a session key is created and encrypted locally. Tell the user: "I need wallet authorization to make payments. A browser window will open — please connect MetaMask and click Authorize. Your private key stays in your wallet." If `--json` output shows `"status":"already_configured"`, skip this step. Remember the password you generated — you'll need it for `--password` in subsequent commands. After setup, IMMEDIATELY ask the user to register a Passkey for payment approval security: Tell the user: "Please set up Passkey (fingerprint/Face ID) for secure payment approval. A browser window will open." ```bash agent-wallet auth setup-passkey ``` This is REQUIRED — without Passkey, the user cannot approve large payments securely. ### Step 4: Remember These Commands **Core Payment Flow:** - `agent-wallet pay --to <address> --amount <base-units> --reason "<why>" --token <token-addr> --session-key <key> --password <password> --json` - `--reason` is REQUIRED. You must explain every payment. - Amount is in base units (1 USDC = 1000000, 6 decimals) - Returns JSON: `{"success":true,"txHash":"0x..."}` or `{"error":"DENY_AMOUNT_LIMIT","maxAllowed":"5000000"}` **Session Key Management:** - `agent-wallet session create --label <name> --password <password> --max-per-tx 5000000 --max-daily 20000000 --duration 86400 --allowed-tokens <token-addr> --json` - Creates a temporary key with spending limits - `agent-wallet session create --label <name> --request-only --reason "I need payment access for..." --password <password> --json` - Agent-initiated: creates a pending request for the user to approve - `agent-wallet session list --json` - List all session keys - `agent-wallet session revoke --label <name>` - Revoke a key **Approval Flow (3 tiers):** - amount < autoApproveBelow: executes immediately - amount < confirmBelow: returns `APPROVAL_REQUIRED` with `approvalId` - amount >= confirmBelow: manual approval needed IMPORTANT: You CANNOT approve payments yourself. Only the human user can approve via: - Telegram: user clicks ✅ button on their phone - CLI with Passkey: `agent-wallet approve --approve <id> --passkey` (biometric required) Your job is to WAIT for the user's decision: - `agent-wallet approve --wait <id> --json` (polls every 2s, 5min timeout) When you get `APPROVAL_REQUIRED`, tell the user: "I need your approval for X USDC to pay for [reason]. Please check Telegram or run: agent-wallet approve --approve <id> --passkey" Then wait: `agent-wallet approve --wait <id> --json` When approved: `agent-wallet pay ... --approval-id <id> --json` **Policy Configuration:** - `agent-wallet policy set --auto-approve-below 3000000 --confirm-below 10000000` - Set thresholds - `agent-wallet policy show --json` - View current policy **x402 Machine Payment (API purchases):** - `agent-wallet fetch <url> --session-key <key> --password <password> --json` - Automatically handles HTTP 402 Payment Required - Signs payment, resends request, returns API data **Monitoring & Audit:** - `agent-wallet audit --limit 10 --json` - View recent payments - `agent-wallet audit --verify` - Verify hash chain integrity - `agent-wallet watch` - Real-time payment stream (user terminal) - `agent-wallet watch --telegram` - With Telegram notifications **Security (2FA):** - `agent-wallet totp setup --password <password>` - Enable TOTP 2FA - `agent-wallet totp verify <code> --password <password>` - Verify code - `agent-wallet auth setup-passkey` - Register Passkey (fingerprint/Face ID) - `agent-wallet auth verify-passkey` - Verify with biometrics **Emergency:** - `agent-wallet pause` - Freeze wallet (owner only) - `agent-wallet recover --transfer-to <address>` - Transfer ownership **Balance:** - `agent-wallet balance --json` - Check wallet + session key balances ### Step 5: Remember Error Handling When a payment fails, parse the JSON error: - `DENY_AMOUNT_LIMIT` -> Lower the amount - `DENY_DAILY_LIMIT` -> Wait until tomorrow or ask user to increase limit - `DENY_TARGET` -> Use a whitelisted address - `DENY_TOKEN` -> Use an allowed token - `SESSION_REVOKED` -> Your access was revoked, inform the user - `APPROVAL_REQUIRED` -> Tell the user to approve via Telegram or CLI - `DENY_PAUSED` -> Wallet is frozen, inform the user ### Step 6: Monad Testnet Config ``` Chain ID: 10143 RPC: https://testnet-rpc.monad.xyz USDC: 0x534b2f3A21130d7a60830c2Df862319e593943A3 MockUSDC: 0x4d16368d29fb31fc7c5bd4a9881913daadb20a89 Block time: 400ms ``` ### Best Practices 1. ALWAYS use `--json` flag for machine-readable output 2. ALWAYS provide `--reason` with meaningful explanation 3. ALWAYS use `--non-interactive` in automated workflows 4. Use `--context "task:current-task-name"` to link payments to your tasks 5. Start with `session create --request-only` to ask for permission first 6. Parse JSON responses and handle errors programmatically 7. If approval is required, inform the user clearly with the approval ID 8. Check `balance --json` before making large payments 9. Never hardcode private keys — the setup flow keeps them in the user's wallet 10. Log all payment attempts in your task context for traceability
~ Paste this into Claude Code, Codex, OpenClaw, Manus, or any AI agent terminal
// capabilities
Built for Agents, Controlled by Humans

Every feature exists because agents need it. Remove the agent, and none of this makes sense.

🔑

Session Keys

Temporary, limited-privilege keys with per-tx limits, daily/weekly caps, address whitelists, and auto-expiry. Agent never touches the real private key.

🛡

Policy Engine

9 on-chain checks enforced in sequence: time validity, cooldown, per-tx limit, daily cap, weekly cap, target whitelist, token whitelist, method whitelist. Uncheatable.

🤝

3-Tier Approval

Small payments auto-execute. Medium and large payments require human approval via Passkey biometric verification. The agent can only wait for your decision — it cannot approve its own payments.

🔒

Passkey-Signed Approvals

Even if malware has full read/write access to your files, it cannot forge a payment approval. Each approval is a WebAuthn signature over SHA-256(paymentId + recipient + amount + token). This signature can only be produced by your device's Secure Enclave via fingerprint or Face ID. No file, no code, no key on disk can reproduce it. The agent verifies this cryptographic proof before executing any large payment.

📱

Telegram Notifications

Real-time push notifications for every payment. Reject directly from Telegram. Approvals require Passkey on your computer — Telegram shows you what to run.

📜

Audit Trail

Every payment logged with who, what, why, policy result, approval tier, and tx hash. SHA-256 hash chain for tamper detection. Full traceability.

// dual-track architecture
Two Tracks, One System

P2P payments go through the Smart Wallet. API micropayments go through x402. Same session key, same policy, same audit log.

AI Agent (Claude Code / Codex / Manus)
agent-wallet pay --reason "..." --json
agent-wallet fetch <url> --json
↓ ↓
Track 1: Smart Wallet
P2P transfers, large payments
executeWithSessionKey()
On-chain policy enforcement
USDC from wallet contract
Track 2: x402 / MPP
API micropayments
EIP-712 signatures
Facilitator pays gas
USDC from session key EOA
↓ ↓
Shared Layer
Policy Engine (9 on-chain checks) • Session Key Manager (register / revoke / rotate)
Audit Logger (JSONL + SHA-256 hash chain) • Notification Router (Telegram + CLI + watch)
// get started
Running in 3 Minutes

From zero to autonomous agent payments.

Install

One command. Works on Mac, Linux, Windows.

curl -fsSL https://raw.githubusercontent.com/rumpsmcken-sudo/wallet/main/install.sh | bash

Initialize & Deploy

Creates config directory and deploys your wallet on Monad.

agent-wallet init && agent-wallet setup --private-key $KEY

Create Session Key

Give your AI a limited, temporary key with spending caps.

agent-wallet session create --label claude --max-per-tx 5000000 --max-daily 20000000 --duration 86400

Let Agent Pay

Agent explains every payment. Policy enforced on-chain. You approve via Telegram.

agent-wallet pay --to 0xAPI --amount 1500000 --reason "Buy API credits" --json
// copy & paste to your AI
Test x402 Payments

Give this to your AI agent after installation. It will autonomously verify the full x402 machine payment flow against our live vendor service.

x402 Verification Prompt

LIVE
## x402 Payment Verification Task You have `agent-wallet` installed. Now verify the x402 machine payment flow against a live vendor API. This covers BOTH auto-approved micropayments AND human-approved large payments. ### Test Service - Vendor URL: https://x402-vendor.agent-wallet.workers.dev - Chain: Monad Testnet (10143) - Token: USDC (0x534b2f3A21130d7a60830c2Df862319e593943A3) - Recipient: 0x14469c3E7AE509A67731ffC967E128206C9B84eE ### Endpoints | Endpoint | Price | Approval | |----------|-------|----------| | GET /api/weather | 0.001 USDC (1000 units) | Auto (no approval) | | GET /api/price | 0.005 USDC (5000 units) | Auto | | GET /api/news | 0.002 USDC (2000 units) | Auto | | GET /api/report | 2 USDC (2000000 units) | Confirm (human approval required) | | GET /api/intel | 15 USDC (15000000 units) | Manual (highest security tier) | | GET /api/free | Free | - | Default policy: autoApproveBelow = 1 USDC, confirmBelow = 10 USDC. Three tiers: auto (<1), confirm (1-10), manual (>=10). ### Part A: Micropayment (auto-approved) **Step 1: Health Check** Run `curl https://x402-vendor.agent-wallet.workers.dev/health` to confirm the service is online. Expect `{"status":"ok","storage":"cloudflare-kv",...}`. **Step 2: Confirm 402 Response** Run `curl -s -w "\n%{http_code}" https://x402-vendor.agent-wallet.workers.dev/api/weather`. Expect HTTP 402 with `accepts` array containing `payTo`, `maxAmountRequired`, `asset`, `network`. **Step 3: Fetch Free Endpoint** Run `agent-wallet fetch https://x402-vendor.agent-wallet.workers.dev/api/free --session-key <your-session-key> --password $AGENT_WALLET_PASSWORD --json`. Expect protocol: "free", no payment. **Step 4: Auto-Pay & Fetch (small amount)** Run `agent-wallet fetch https://x402-vendor.agent-wallet.workers.dev/api/weather --session-key <your-session-key> --password $AGENT_WALLET_PASSWORD --json`. This triggers: 1. GET → 402 with payment requirements 2. Amount 1000 < autoApproveBelow 1000000 → auto-approved 3. Sign EIP-712, retry with X-PAYMENT header 4. Receive 200 + weather data Expected: `{"protocol":"x402","data":{...},"payment":{"amount":"1000",...}}` **Step 5: Verify Audit** Run `agent-wallet audit --limit 1 --json`. Confirm x402 payment recorded with `signatureType: "x402"`. **Step 6: Check Vendor Ledger** Run `curl https://x402-vendor.agent-wallet.workers.dev/stats`. Your payment should appear (KV-persistent, survives cold starts). ### Part B: Large Payment (human approval required) **Step 7: Fetch Premium Endpoint (triggers approval)** Run `agent-wallet fetch https://x402-vendor.agent-wallet.workers.dev/api/report --session-key <your-session-key> --password $AGENT_WALLET_PASSWORD --json`. - Amount 2000000 >= autoApproveBelow 1000000 → requires approval - Expected: `{"approvalRequired":true,"approvalId":"apr_xxx",...}` - Tell the user: "I need approval for 2 USDC to purchase the premium report. Run: `agent-wallet approve --approve apr_xxx`" **Step 8: Human Approves** The user (or you, if authorized) runs: - `agent-wallet approve --list --json` → see pending approval with amount, reason, tier - `agent-wallet approve --approve apr_xxx` → approved **Step 9: Re-fetch with Approval** Run `agent-wallet fetch https://x402-vendor.agent-wallet.workers.dev/api/report --session-key <your-session-key> --password $AGENT_WALLET_PASSWORD --approval-id apr_xxx --json`. - Now proceeds with payment (approval verified) - Expected: `{"protocol":"x402","data":{"title":"Monad Ecosystem Q1 2026 Report",...}}` ### Part C: High-Value Payment (manual approval tier) **Step 10: Fetch Threat Intel (triggers manual tier)** Run `agent-wallet fetch https://x402-vendor.agent-wallet.workers.dev/api/intel --session-key <your-session-key> --password $AGENT_WALLET_PASSWORD --json`. - Amount 15000000 >= confirmBelow 10000000 → manual tier (highest security) - Expected: `{"approvalRequired":true,"approvalId":"apr_yyy",...}` - Tell the user: "This is a 15 USDC high-value purchase requiring MANUAL approval." - Same flow: approve → re-fetch with --approval-id - If TOTP 2FA is enabled, approval may require --otp code ### Success Criteria - [ ] /health returns status "ok" with storage "cloudflare-kv" - [ ] Paid endpoint returns 402 without payment header - [ ] Free endpoint returns 200, protocol "free" - [ ] Small payment (weather): auto-approved, returns data immediately - [ ] Audit log records x402 payment with signatureType "x402" - [ ] Vendor /stats shows payment (persistent) - [ ] Large payment (report): returns approvalRequired + approvalId - [ ] approve --list shows the pending approval - [ ] approve --approve resolves it - [ ] Re-fetch with --approval-id returns premium data - [ ] /api/intel (15 USDC): triggers manual tier (highest security) - [ ] Manual approval + re-fetch returns threat intelligence data ### If Something Fails - `DENY_AMOUNT_LIMIT` → Session key `--max-per-tx` must be at least 15000000 (15 USDC for /api/intel) - `DENY_DAILY_LIMIT` → Session key `--max-daily` must cover total spend - No session key → Create: `agent-wallet session create --label test --max-per-tx 10000000 --max-daily 50000000 --duration 3600 --password $AGENT_WALLET_PASSWORD --json` - Approval expired → Approvals expire in 5 minutes. Re-run step 7 to get a new one. - Connection error → Service: https://x402-vendor.agent-wallet.workers.dev ### Report Failures via GitHub Issue If any step fails unexpectedly (not policy denial, but a bug): 1. Check `gh`: `which gh && gh auth status`. 2. Ask user: "x402 verification hit a bug. Can I file a GitHub issue?" 3. If approved: ``` gh issue create --repo rumpsmcken-sudo/wallet \ --title "[x402 Bug] <step failed + summary>" \ --label "bug,x402" \ --body "$(cat <<'EOF' ## Which Step Failed Step <N>: <name> ## Expected vs Actual - **Expected**: <what should happen> - **Actual**: <what happened> ## Command & Output \`\`\`bash <command> \`\`\` \`\`\` <output> \`\`\` ## Environment - **OS**: <uname -a> - **Node.js**: <node --version> - **agent-wallet**: <agent-wallet --version> - **Agent**: <Claude Code / Codex / Manus / other> ## Context - Session Key: <address, NOT private key> - Steps passed: <list> --- *Auto-reported by AI Agent* EOF )" ``` 4. If `gh` unavailable, link user to https://github.com/rumpsmcken-sudo/wallet/issues
~ Your AI will autonomously run all 10 steps covering 3 approval tiers and report pass/fail