Signed intent the agent stack can't bypass.
IntentGuard turns agent constraints into onchain enforcement. Prompt injection, malicious tools, and policy drift cannot override what was signed.
MCP-compatible. Drops into MetaMask Delegation (ERC-7710/7715), CoinFello, and other agentic-execution stacks.
Three failure modes the Execution Gap creates for autonomous execution.
Tool-level guards run inside the trust boundary
Allowlists, output validators, and policy engines that live inside the agent process can be reasoned around by a successfully injected prompt. The model decides what the policy means in context. The chain does not.
Signed but unbroadcast is the attack surface
Between agent decision, signature, and inclusion, transactions sit exposed to public mempool inspection, MEV searchers, and sandwich bots. The constraints the agent reasoned over no longer hold.
A correct policy is not a correct outcome
The agent's policy declares what the transaction should achieve. Execution clears at whatever the chain state allows. The two diverge silently, and the agent's logs say everything went fine.
Four steps. Zero replacement of orchestration, planning, or memory layers.
Sign
Agent signer · session key · ERC-7710 delegationThe agent signs the transaction with whatever signer authority it already holds. No new key material. No replacement of the delegation framework.
Submit
IntentGuard RPCRoute through the IntentGuard RPC instead of a generic provider. The transaction is held privately, off the public mempool, until a Protection Transaction is matched.
Constrain
Protection Transaction · MCP tool · ERC-7715 policyDeclare the outcome the transaction must satisfy: recipient set, output bounds, balance deltas, allowed call targets. The constraint is signed by the same authority as the original transaction.
Settle
Onchain enforcementExecution is validated atomically against the declared constraints. If the outcome diverges, neither transaction is included. No partial fill, no consumed nonce, no broadcast trail.
Injected prompt redirects a swap to an attacker address.
- Injection rewrites the swap parameters during tool selection.
- Tool-level allowlist passes — recipient is in the allowed-contract set.
- Transaction signs and broadcasts to public mempool.
- Settles. Funds go to the attacker. Policy log reads "ok."
- Agent signs both the swap and a Protection Transaction declaring valid recipients and minimum output.
- Injection still rewrites the swap parameters at tool-call time.
- Validation diverges from the declared constraint set.
- Neither transaction is included. No broadcast, no funds moved, nonce reusable.
Public RPC. SDK. MCP server.
Public IntentGuard RPC. SDK for transaction construction and constraint declaration. MCP server reference implementation. Suitable for prototype agents and individual builders.
Read the SDK guide →Dedicated RPC endpoints. Higher throughput. Custom constraint templates. Policy-library integration with delegation frameworks. Co-engineering for agent platforms shipping at production scale.
Talk to engineering →Same enforcement primitive, different audiences.
Onchain vaults or curated yield? Cascade losses and MEV extraction enforced at the chain level.
DAO, foundation, or project ops? Plain-language protection for payroll, grants, and multisig transfers.
Mandate-driven institutional capital? Custody-stack integration and audit-ready records.
Drop chain-level enforcement into your agent.
The SDK and MCP server are public. The RPC is live on mainnet. Build today.