AI Agents
AGENTS.md — External Agent Integration Guide
How external AI agents interact with the Rigoblock Agentic Operator via x402. This document covers the security model, access tiers, and what agents can and cannot do.
Overview
The Rigoblock Agentic Operator exposes two x402-gated endpoints:
/api/quote | GET | $0.002 USDC | DEX price quote (no vault context needed)
/api/chat | POST | $0.01 USDC | AI-powered DeFi response (swap calldata, positions, analysis)
Payments are in USDC on Base mainnet (eip155:8453) via the x402 protocol. The CDP facilitator at api.cdp.coinbase.com handles verification and settlement.
Access Tiers
Tier 1: Anonymous (x402 payment only)
What: Agent pays x402 fee. No operator credentials.
Gets: Unsigned transaction data, price quotes, DeFi analysis.
Cannot: Execute transactions on any vault.
GET /api/quote?sell=ETH&buy=USDC&amount=1&chain=base
X-PAYMENT: <x402-payment-header>
→ 200: { sell: "1 ETH", buy: "2079.54 USDC", price: "1 ETH = 2079.54 USDC", ... }
The agent receives unsigned calldata. To execute it, the agent (or its operator) must sign and broadcast the transaction themselves. The calling agent's wallet is never used to operate the vault — the vault contract requires the transaction to come from its owner.
Use cases:
Price discovery across 7 chains
Natural language → structured DeFi calldata
Portfolio analysis and position queries (read-only)
Strategy recommendations (analysis only)
Tier 2: Authenticated (x402 payment + operator signature)
What: Agent pays x402 fee AND provides operator auth credentials.
Gets: Everything in Tier 1, plus delegated (auto-execute) mode.
Can: Trigger our agent wallet to execute trades on the authenticated vault.
Requirements for Tier 2:
The operatorAddress must be the vault owner on at least one supported chain
The authSignature must be a valid EIP-191 signature of the auth message, signed by operatorAddress
The vault must have active delegation to our agent wallet on the target chain
The agent wallet must be authorized for the required function selector
Auth message format:
The signature is valid for 24 hours from authTimestamp.
Security Model
What the x402 payment wallet CAN do:
Pay for API access ($0.002–$0.01 per call)
Receive unsigned transaction data
Query prices, positions, and vault info
Get natural language DeFi analysis
What the x402 payment wallet CANNOT do:
Execute transactions on any vault
Trigger delegated execution (even if the vault has delegation active)
Access operator-only endpoints without a valid operator signature
Bypass the NAV guard or any on-chain safety check
What the operator signature unlocks:
Delegated execution mode (our agent wallet executes on the vault)
Access to vault-specific operations that modify state
The operator signature proves: "I own this vault and authorize this action"
Why these are separate:
The x402 payer and the operator are typically different wallets:
x402 payer: The agent's operational wallet (holds USDC on Base for API fees)
Operator: The vault owner's wallet (controls on-chain vault permissions)
An agent builder might have one x402 payment wallet but interact with multiple vaults owned by different operators. The operator must independently authorize the agent by providing a signed auth credential.
Safety Guarantees
Every transaction that our agent wallet executes passes through these checks before broadcast:
1. Operator Authentication
The caller must provide a valid signature proving they own the target vault. No signature, no execution. This prevents any agent from operating vaults they don't control.
2. Delegation Verification
The vault must have active on-chain delegation to our specific agent wallet for the required function selector. The vault owner controls which functions are delegated and can revoke at any time.
3. Seven-Point Execution Validation
Delegation config exists and is enabled in our KV store
Transaction target is the vault address (prevents cross-contract attacks)
Function selector is in the allowed set (whitelist, not blacklist)
Agent wallet identity matches stored config
Transaction simulation passes via eth_call (catches reverts pre-broadcast)
Agent wallet has sufficient balance for gas
Gas fees within hard caps per chain
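The seven checks above, written as one fail-closed function. This is an added example, not the operator's own code; the type names, field names, addresses, selectors and gas figures are constructed, and the two checks that need an RPC node are passed in as results.

```typescript
// Added example. Addresses, selectors and gas numbers are constructed placeholders.
interface DelegationConfig {
  enabled: boolean;
  vault: string;              // vault contract address
  agentWallet: string;        // agent wallet recorded with the delegation
  allowedSelectors: string[]; // lowercase 4-byte selectors, "0x" + 8 hex chars
  gasCapGwei: number;         // hard cap for this chain
}
interface TxRequest { from: string; to: string; data: string; gasCostGwei: number; }
// The two checks that need an RPC node (eth_call, balance) arrive as inputs here.
interface ChainState { simulationOk: boolean; agentBalanceGwei: number; }

const sameAddress = (a: string, b: string): boolean => a.toLowerCase() === b.toLowerCase();

// Returns every failed check; an empty array means the transaction may be broadcast.
function validateExecution(cfg: DelegationConfig | undefined, tx: TxRequest, chain: ChainState): string[] {
  if (!cfg || !cfg.enabled) return ["delegation config missing or disabled"]; // fail closed
  const failures: string[] = [];
  if (!sameAddress(tx.to, cfg.vault)) failures.push("target is not the vault");
  const selector = tx.data.slice(0, 10).toLowerCase();
  // Allowlist: anything malformed or not explicitly listed is rejected.
  if (!/^0x[0-9a-f]{8}$/.test(selector) || cfg.allowedSelectors.indexOf(selector) === -1) {
    failures.push("selector not in allowed set");
  }
  if (!sameAddress(tx.from, cfg.agentWallet)) failures.push("agent wallet mismatch");
  if (!chain.simulationOk) failures.push("simulation reverted");
  if (chain.agentBalanceGwei < tx.gasCostGwei) failures.push("insufficient balance for gas");
  if (tx.gasCostGwei > cfg.gasCapGwei) failures.push("gas above per-chain cap");
  return failures;
}

// Constructed sample data.
const VAULT = "0x1111111111111111111111111111111111111111";
const AGENT = "0x2222222222222222222222222222222222222222";
const OTHER = "0x3333333333333333333333333333333333333333";
const CFG: DelegationConfig = {
  enabled: true, vault: VAULT, agentWallet: AGENT,
  allowedSelectors: ["0xaaaaaaaa"], gasCapGwei: 500000,
};
const CHAIN_OK: ChainState = { simulationOk: true, agentBalanceGwei: 2000000 };
const SWAP_TX: TxRequest = { from: AGENT, to: VAULT, data: "0xaaaaaaaa0000", gasCostGwei: 300000 };
```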
4. NAV Guard (10% Maximum Loss)
Before every transaction broadcast, the system simulates the trade's impact on the vault's Net Asset Value per unit:
Atomically simulates: multicall([swap, getNavDataView])
Compares post-swap NAV against the higher of: pre-swap NAV or 24-hour baseline
If NAV drops > 10% → transaction BLOCKED, reason returned to caller
This check runs outside the agent's control surface — it cannot be disabled, bypassed, or circumvented by any API caller
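The comparison described above, as an added example that is not the operator's own code. Function names and NAV values are constructed, NAV is an integer in the vault's smallest unit, and the 24-hour baseline is assumed to stay fixed while the sequence is replayed.

```typescript
// Added example. Names and sample values are constructed.
const MAX_LOSS_BPS = 1000; // 10% in basis points, the limit stated on this page

interface NavCheck {
  allowed: boolean;
  referenceNav: number; // higher of pre-swap NAV and 24-hour baseline
  lossBps: number;      // loss against the reference, rounded down; 0 if NAV did not fall
  reason?: string;
}

function navGuard(preNav: number, postNav: number, baselineNav: number): NavCheck {
  const referenceNav = Math.max(preNav, baselineNav);
  if (referenceNav <= 0) {
    // Fail closed when there is nothing to compare against.
    return { allowed: false, referenceNav, lossBps: 0, reason: "no reference NAV" };
  }
  const drop = Math.max(referenceNav - postNav, 0);
  const lossBps = Math.floor((drop * 10000) / referenceNav);
  // Integer cross-multiplication: blocked only when the loss is strictly above 10%.
  const blocked = drop * 10000 > referenceNav * MAX_LOSS_BPS;
  return blocked
    ? { allowed: false, referenceNav, lossBps, reason: "NAV drop exceeds 10% of reference" }
    : { allowed: true, referenceNav, lossBps };
}

// Replays simulated post-swap NAVs against one fixed baseline (assumption) and
// returns the index of the first blocked trade, or -1 if every trade passes.
function firstBlocked(baselineNav: number, postNavs: number[]): number {
  let current = baselineNav;
  for (let i = 0; i < postNavs.length; i++) {
    if (!navGuard(current, postNavs[i], baselineNav).allowed) return i;
    current = postNavs[i]; // trade was broadcast, so the vault NAV moves
  }
  return -1;
}

// Constructed sequence: three trades that each lose 4% of the current NAV.
const BASELINE_NAV = 1000000;
const FOUR_PERCENT_STEPS = [960000, 921600, 884736];
```

Each 4% step passes when compared only with its own pre-swap NAV, but the third is blocked because it sits more than 10% below the baseline; that is the effect of taking the higher of the two references.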
5. Slippage Protection
Default slippage tolerance: 1% (100 basis points). Combined with the NAV guard, this provides two layers of price protection.
What Agents CANNOT Do (Even with Full Authentication)
Even a fully authenticated agent with delegation access CANNOT:
Drain vault assets to external address | withdraw and transferOwnership selectors are never delegated
Execute trades that lose > 10% NAV | NAV guard blocks pre-broadcast
Bypass slippage protection | Slippage is enforced in swap calldata building
Call arbitrary contract functions | Selector whitelist — only approved vault functions
Send transactions to non-vault contracts | Target address must equal vault address
Spend more gas than the per-chain cap | Gas caps are hard-coded, not configurable
Modify delegation settings | Only vault owner can call updateDelegation from their wallet
Settlement Policy
x402 settlement (USDC transfer) only occurs when the API returns a 2xx response:
200 OK | Settled | Agent received value — charge applies
400 Bad Request | NOT settled | Malformed request — agent not charged
401 Unauthorized | NOT settled | Auth failure — agent not charged
500 Server Error | NOT settled | Our fault — agent not charged
If settlement fails or is skipped, the CDP facilitator releases the held funds back to the paying wallet after maxTimeoutSeconds (300s).
The PAYMENT-RESPONSE header on the response contains the settlement receipt (base64-encoded JSON) when settlement succeeds.
The /api/quote Endpoint
Stateless price quotes. No vault context needed. No operator auth.
Query parameters:
sell | Yes | Token to sell (symbol or contract address)
buy | Yes | Token to buy (symbol or contract address)
amount | Yes | Amount to sell (human-readable, e.g. "1" for 1 ETH)
chain | No (default: 8453) | Chain name or ID: base, arbitrum, 8453, 42161, etc.
Response:
x402 Client Setup (TypeScript)
Supported Chains
Ethereum | 1 | Ethereum | ethereum
Base | 8453 | Base | base
Arbitrum | 42161 | Arbitrum | arbitrum
Optimism | 10 | Optimism | optimism
Polygon | 137 | Polygon | polygon
BNB Chain | 56 | BNB Chain | bsc
Unichain | 130 | Unichain | unichain
Bazaar Discovery
This service is registered in the x402 Bazaar, Coinbase's discovery API for x402-enabled services. AI agents using the Bazaar can discover and call our endpoints automatically.
FAQ
Q: Does the x402 paying wallet need to be the vault operator?
No. The x402 payer and the vault operator are independent. The x402 payer pays for API access. The operator proves vault ownership via signature. They can be different wallets.
Q: Can an agent execute trades without the operator's private key?
No. Delegated execution requires a valid operator signature. Without it, the agent only gets unsigned transaction data (manual mode).
Q: What happens if an agent provides a wrong vault address?
In manual mode: they get calldata they can't execute (they don't own the vault). In authenticated mode: verifyOperatorAuth checks on-chain that the signer owns the vault — if they don't, the request is rejected with 403.
Q: Can an agent drain a vault through repeated small trades?
The NAV guard checks against a 24-hour baseline. Each trade is checked independently against the higher of the pre-swap NAV or the 24h baseline. A series of 1% losses would be individually allowed but would shift the baseline down over 24 hours. The 10% per-trade limit is the hard cap.
Q: What if the agent wallet private key is compromised?
The vault owner can revoke delegation at any time via revokeAllDelegations(). The agent wallet can only call whitelisted selectors on the vault — cannot withdraw funds or transfer ownership.