Deep Dive

How ATF Works

Architecture, threat model, enforcement details, and operational signals. Everything you need to evaluate ATF before integrating.

← Back to home

The Problem

Autonomous AI agents are executing financial transactions with increasing frequency and complexity. Current infrastructure assumes human oversight at critical decision points, an assumption that breaks down when agents operate independently at machine speed.

Without an enforcement boundary, agents can exceed authorized parameters, interact with unapproved protocols, and produce no auditable record of their behavior. The result is uncontrolled capital exposure and zero accountability.

The core issue is that AI cannot be fully trusted. Models hallucinate, drift, and behave unpredictably under novel conditions. Capital preservation is uncertain when the system making decisions has no hard-coded boundaries. Risk reduction requires an external enforcement layer that constrains what agents can do before transactions ever reach the chain.

On-chain environments are adversarial by nature. MEV bots, sandwich attacks, and front-runners actively exploit unprotected transactions. Agents operating without pre-flight simulation, slippage caps, and protocol allowlists are easy targets. ATF provides the enforcement boundary that stands between autonomous agents and these external threats.

Threat Model

ATF is designed to mitigate the following categories of risk in agent-driven financial systems.

Unbounded execution

Agent submits transactions outside approved parameters, draining capital.

Protocol drift

Agent interacts with unapproved or compromised contracts without restriction.

Slippage exploitation

Adverse fills and MEV extraction erode portfolio value during autonomous trades.

Authorization creep

Over-permissioned agents accumulate access rights beyond original scope.

Audit opacity

No verifiable trail of what was checked, approved, or rejected at execution time.

Adversary and MEV exploitation

MEV bots, sandwich attacks, and adversarial actors extract value from agent transactions that lack pre-flight protection and slippage enforcement.

ATF vs LLM Firewalls

LLM firewalls

Prompt boundary protection
Input and output filtering
Data leakage prevention controls

ATF

Pre-execution economic invariants
Deterministic decisioning
Receipts for verification

Architecture Overview

ATF is composed of four coordinated layers that enforce policy from intent through settlement.

Policy Engine

Declarative rule definitions evaluated against every transaction before submission. Supports allowlists, rate limits, slippage bounds, and multi-sig requirements.

Permit Gateway

Scoped, time-bound authorization tokens grant agents minimal execution rights. Permits expire automatically and cannot be escalated.

Execution Validator

Pre-flight simulation and constraint verification ensure transactions conform to policy before touching the chain. Fail-closed by default.

Receipt Ledger

Cryptographic receipts capture every policy evaluation, approval, rejection, and settlement event for tamper-evident post-trade audit.

Architecture Diagram

Four coordinated layers enforce policy from intent through settlement. Each layer is fail-closed by default.

Execution Flow

Every agent transaction follows a deterministic five-step path from intent to verifiable receipt.

1
Agent proposes intent
The AI agent submits its intended action (e.g., swap, lend) to the ATF pipeline.
2
Policy evaluation
The Policy Engine evaluates intent against configured rules and constructs constraints.
3
Permit issued
The Permit Gateway issues a signed, time-bound permit with TTL + nonce.
4
Bounded execution
The Executor performs the transaction within permit bounds (e.g., Jupiter swap, Solend deposit, Kamino supply, Orca route).
5
Receipt emitted
A cryptographic receipt is generated (hashes, policy ID, outcome) and stored.

Hard Invariants

Non-negotiable constraints enforced on every transaction. These cannot be bypassed, overridden, or weakened at runtime.

Spend cap

Maximum value per transaction and per rolling time window. Exceeding either limit blocks execution.

Protocol allowlist

Pre-approved programs only. Jupiter, Orca, and Raydium (swaps). Solend, Marginfi, and Kamino (lending). Perps adapters (Drift v2, Mango v4, Hyperliquid) are feature-gated, off by default. All other program IDs are rejected.

Slippage max

Price deviation hard-capped (e.g., ≤ 30 bps) with enforced minimum output amount.

Cooldown period

Minimum interval between high-risk actions prevents rapid-fire exploitation.

Permit TTL + nonce

Permits expire (e.g., 60 s) and carry single-use nonces to prevent replay.

Domain separation

Each permit is scoped to TruCore ATF + a specific environment. Cross-domain reuse is invalid.

Permit Example

A minimal, illustrative permit payload. Real permits are signed and carry additional metadata. No secrets are shown here.

{
  "subject": "agent:0xA1B2...C3D4",
  "scope": "swap",
  "constraints": {
    "maxSpend": "500 USDC",
    "slippageBps": 30,
    "minOut": "0.95 SOL"
  },
  "programAllowlist": [
    "JUP6LkbZbjS1jKKwapdHNy74zcZ3tLUZoi5QNyVTaV4",
    "So1endDq2YkqhipRh3WViPa8hdiSpxWy6z3Z6tMCpAo"
  ],
  "chain": "solana:mainnet-beta",
  "expiresAt": "2026-02-19T12:01:00Z",
  "nonce": "a7f3e1c9-...-4b2d",
  "signature": "<Ed25519 signature placeholder>"
}

Built for trading bots

ATF evaluates and enforces your risk limits before any transaction is signed or broadcast, so your bot stays inside its authorized parameters at every tick.

✓
Perps leverage caps
Hard ceiling on position size relative to collateral, enforced pre-execution. Feature-gated, off by default.
✓
Market allowlists
Only approved perps venues and markets can be traded against. Feature-gated, off by default.
✓
Slippage ceilings
Max slippage and minimum-out checks on every swap, not just at config time.
✓
Notional limits
Per-transaction and rolling-window USD notional caps keep exposure bounded.
✓
Fail-closed on unknowns
Any operation not covered by an explicit policy rule is rejected by default.
✓
Deterministic receipts
Every decision produces a cryptographic receipt, giving you an auditable trail of what was enforced and when.

Example policy (framework-agnostic)

policy:
  perps_leverage_max: "3x"
  markets_allowlist:
    - SOL-PERP
    - BTC-PERP
  slippage_max_bps: 50
  notional_limit_usd: 10000
  fail_closed: true
  receipts: deterministic

See recommended guardrails

Capabilities

Guardrails across every execution path

Deterministic enforcement, fail-closed by default. Every decision produces a verifiable receipt.

Swap Guardrails

Pre-flight slippage caps, protocol allowlists, and minimum-out checks on every swap. Jupiter enforced natively.

Policy docs →

Lending Guardrails

Collateral limits and risk parameter enforcement for Solend and Kamino (feature-gated). Unauthorized programs are blocked.

Policy docs →

Perps Enforcement

Feature-gated

Adapters implemented. OFF by default. Fail-closed on unknown operations.

Hyperliquid (Perps)
Drift v2 (Solana Perps)
Mango v4 (Solana Perps)

Perps enforcement docs →

Solana DEX Guardrails

Slippage caps, allowlists, unverified route deny. Deterministic receipts for every swap decision.

DEX guardrails docs →

Deterministic Receipts

Cryptographic receipts for every policy evaluation, approval, rejection, and settlement event. Tamper-evident and auditable post-trade.

View example receipts →

Designed For

ATF is built for teams that need provable, deterministic controls around autonomous on-chain execution.

Autonomous Trading Agents

Enforce slippage, spend caps, and protocol allowlists before every transaction.
Operate continuously without human approval loops while staying within hard boundaries.
Generate tamper-evident receipts for every policy evaluation and execution outcome.
Bot-ready JSON output with machine_summary and suggested_action for seamless automation.

Quant Funds Running Agent Infrastructure

Layer deterministic risk controls over any agent framework or model pipeline.
Define portfolio-level invariants that no single agent can override.
Maintain auditable, verifiable execution records across all agent activity.
Dual-surface outputs: clear operator dashboards and structured signals for automation.

Protocol Teams Embedding Guardrails

Gate agent access to your protocol with scoped, time-bound permits.
Protect your liquidity pools from unbounded or malicious agent behavior.
Ship a trust layer without building custom enforcement from scratch.
Shareable receipts support proof and distribution workflows.

Deterministic Enforcement Proof

The same input consistently produces the same policy decision and receipt hash.

Request JSON

{
  "action": "swap",
  "token_in": "SOL",
  "token_out": "USDC",
  "amount": 10,
  "max_slippage_bps": 100,
  "ttl_seconds": 60
}

Result JSON

{
  "status": "allowed",
  "reason": "Request satisfies demo policy limits.",
  "invariant_checks": [
    "amount <= 1000: pass",
    "max_slippage_bps <= 300: pass",
    "ttl_seconds <= 300: pass"
  ],
  "receipt_hash": "9d9e34f2df6dd5ecf0988cb3af0ea4ab60431b64d7d5e3b35d0972ce4e4c986f"
}

Policy evaluated before execution.
Invariants checked deterministically.
Receipt hash generated for tamper evidence.
Receipts are shareable and verifiable via CLI or web.
Output includes both human share text and bot-friendly structured data.

Run this example in the Simulator Protect your first bot trade →

Risk Boundary

ATF enforces policy before execution. It does not custody funds, sign transactions, or hold user assets.

View Example Receipts View Demo Policy

Evidence & Operational Signals

Deterministic Enforcement Model

Invariant-based evaluation before execution

Simulator →

Public Simulator Availability

Open demo endpoint with documented rate limits

/status →

Transparent Versioning

Explicit versioning + CI enforcement

/security/overview →

Integrity Commitment

Signed whitepaper hash + public security disclosure

/atf/whitepaper →

Why ATF Is Not Just an API Gateway

Generic Middleware	ATF
Authenticates requests	Enforces signed permits
Logs events	Generates deterministic receipts
Post-execution audit	Pre-execution enforcement
Stateless filtering	Policy-bound invariant evaluation

Why Not Just an API Gateway?

API Gateway

Routes requests
Authenticates identity
Does not enforce economic invariants

ATF

Evaluates capital constraints
Enforces deterministic policy
Produces verifiable receipts

Read the ATF architecture rationale

Production Readiness

Deterministic Policy Enforcement

Policy rules evaluated before execution
Fail-closed architecture

Permit-Based Authorization

Explicit scopes
TTL + nonce enforcement

Execution Validation

Slippage bounds
Protocol allowlists
Invariant checks

Audit & Receipts

Tamper-evident logs
Admin audit trail
CSP monitoring

Live Operational Snapshot

Aggregated, non-identifiable metrics.

Simulator requests (24h)

Active partner keys

Total receipts generated

Preview mode enabled while metrics source is initializing.

Security Commitments

Public trust commitments for production deployment, communicated at a high level.

Fail-closed design

Scoped permits

Immutable audit trail

Versioned releases

See Security Overview and Responsible Disclosure.

Transparency Metrics

Visibility into operational safeguards that are active on this site today. No vanity numbers, just verifiable controls.

Security headers enforced

Yes

Strict CSP, HSTS, X-Frame-Options, and more on every response.

CSP violations logged

Active

Content Security Policy violations are reported and stored.

Admin audit logging

Enabled

Every admin action is recorded with timestamp and actor.

Health endpoint monitored

/api/health

Automated uptime checks run against a dedicated health route.

Design partner applications

Open

Accepting applications from teams building on Solana.

Enterprise Procurement Ready

Deterministic enforcement logs
Explicit policy documentation
Public security posture
Versioned release discipline

View Compliance Alignment →

Built for the Long Term

ATF is designed as durable enforcement infrastructure, not a short-term product experiment.

View Long-Term Direction →

Build With ATF

ATF is designed as an enforcement layer for AI agents and DeFi systems. Explore integration patterns and policy examples.

Build With ATF →