Policy-first · Verified semantics · Multi-chain

Safe execution
for onchain agents.

Envoy gives AI agents controlled wallet access, simulation-aware protocol actions, and blockchain-native tools across Tezos, Solana, Etherlink, and EVM. The wedge is not more connectors. It is policy and wallet control that can survive production.

See the wedge Why verified policy matters

Positioning

Not another toolkit. A control plane for agent wallets.

Most adjacent products sell wallet infrastructure, generic MCP breadth, or broad agent tooling. Envoy is sharper: policy-first wallet control, simulation-aware execution, and a path to higher-assurance policy enforcement. It is built for teams putting real agents in front of real wallets and real protocol actions.

Without a control plane

The agent has keys, broad tools, and a prompt. It can transfer, swap, stake, or route through MCP tools faster than a human can react. When it is wrong, the mistake is already onchain.

With Envoy: rejected before signing — policy violation, delegated-scope mismatch, or failed simulation.

“Envoy sits between agent intent and chain execution.”

Product

Policy and wallet control for AI agents.

🛡

Policy-first execution

Limits, allowlists, delegated scope, and fail-closed rejection semantics sit in front of every onchain action instead of being buried in prompts.

🔐

Wallet-control native

Designed for server wallets, delegated sessions, and governed execution rather than raw signer access with a nicer wrapper.

∿

Simulation-aware protocol actions

Vault previews, protocol guards, and state-aware preflight checks help stop unsafe DeFi actions before they become writes.

⌘

Blockchain-native MCP

Expose onchain tools with typed inputs, normalized errors, and chain-aware control boundaries instead of generic connector sprawl.

⛓

Multi-chain adapters

Tezos, Etherlink, Solana, and EVM adapters stay isolated underneath one control surface, so safety logic is not scattered per chain.

🧾

Decision-grade audit trail

Every allowed or blocked action yields machine-readable reasons, which is what operators actually need for trust, review, and debugging.

Tezosstable

Etherlinkstable

Solanastable

EVMstable

Quickstart

Policy and execution in one surface.

# Install npm install @envoy/core @envoy/tezos # policy.yaml version: 1 limits: daily_max_xtz: 500 per_tx_max_xtz: 100 allowlist: - tz1ops... - tz1treasury... audit: true # agent.ts import { TezosAdapter } from '@envoy/tezos' import { PolicyEngine } from '@envoy/core' const agent = new PolicyEngine({ adapter: new TezosAdapter({ rpc: 'https://rpc.tezos.example' }), policy: './policy.yaml' }) await agent.transfer({ to: 'tz1ops...', amount: 100 }) // ✓ allowed await agent.transfer({ to: 'tz1unknown', amount: 50000 }) // ✗ blocked before signing

Verified Policy

A policy layer you can reason about.

Envoy’s policy semantics are the right place to invest in formal methods because they are stable, declarative, and central to the product wedge. The current direction assumes Quint-modeled semantics, conformance testing between model and runtime, and a longer-term path to a narrow high-assurance policy kernel.

✓

Quint-modeled semantics

Critical properties such as fail-closed evaluation and non-escalation can be checked explicitly instead of being left as prompt discipline.

↔

Runtime conformance tests

Generated traces are replayed against the implementation so the TypeScript runtime stays aligned with the modeled policy behavior.

△

Narrower, stronger claim

The promise is verified policy for onchain agents, not a vague claim that every adapter and protocol integration is fully proven.

The claim is narrow on purpose: verified policy, governed execution, and a safer path from agent intent to chain action.

Roadmap

From modeled policy to deeper assurance.

The near-term path is practical: keep the runtime in TypeScript, keep the control plane usable, and harden policy semantics with modeling and conformance tests. The longer-term path is narrower and higher-assurance: move the policy kernel toward a Rust/WASM boundary and explore Lean or Rocq only where theorem-level guarantees are worth the cost.

Now

Policy-first wallet control, blockchain-native MCP tooling, and simulation-aware protocol actions.

Expand Quint-modeled semantics and trace replay so implementation and spec stay aligned as the surface grows.

Later

Move the policy kernel toward Rust/WASM and explore Lean or Rocq for narrower proof-oriented work where stronger guarantees matter.

Envoy — Safe Execution Layer for Onchain Agents

Overview

Envoy is an open-source policy-first execution layer for onchain agents. It is designed for teams that want agents to touch wallets, DeFi protocols, and chain operations without treating safety as prompt discipline.

Envoy sits between agent intent and chain execution. Calls can be routed through policy evaluation, a blockchain-native MCP surface, or direct multi-chain adapters. Allowed actions proceed with typed boundaries; blocked actions fail closed with auditable reasons.

Unified adapter interface across Tezos, Etherlink, Solana, and EVM chains
Policy and wallet control for AI agents, including allowlists, limits, and structured rejection paths
Typed MCP tools for balances, transfers, staking, vaults, liquid staking, and signing flows
Simulation-aware protocol actions and a roadmap toward a narrower verified policy kernel
TypeScript-first, ESM-native packages with structured errors and audit-friendly execution
License: MIT — source at https://gitlab.com/MBourgoin/envoy

Installation

Install core plus the adapter or MCP package for your target workflow:

npm install @envoy/core @envoy/tezos
npm install @envoy/core @envoy/solana
npm install @envoy/core @envoy/evm
npm install @envoy/core @envoy/etherlink
npm install @envoy/mcp-server

All packages require Node.js 22+ and are ESM-native. Import with import { ... } from '@envoy/core' or run the MCP surface with npx @envoy/mcp-server.

Package Reference

@envoy/core: Core library. Exports shared types, policy primitives, structured errors, session-token utilities, and the policy/session building blocks used by the rest of the stack.
@envoy/tezos: Tezos L1 adapter. Supports XTZ and token transfers, delegation flows, QuipuSwap operations, and Tezos-specific policy/session integrations.
@envoy/etherlink: Etherlink adapter. Supports EVM-style execution on Etherlink, including ERC-4626 and Morpho-style vault flows on that network.
@envoy/solana: Solana adapter. Supports SOL and SPL operations, Jupiter-aware policy integrations, and liquid staking flows.
@envoy/evm: Generic EVM adapter. Supports transfers, typed data signing, ERC-1271 verification, session-key related flows, and generic ERC-4626 vault interactions.
@envoy/mcp-server: MCP server exposing typed Envoy tools for balances, transfers, staking, signing, vaults, and wallet-governed execution.

Verified Policy Direction

Envoy's strongest assurance claim is intentionally narrow: verified policy semantics for onchain agents. The current product direction assumes Quint-modeled policy behavior, model-to-runtime conformance testing, and a roadmap toward a smaller high-assurance policy kernel.

Fail-closed policy evaluation instead of "interrupted means pass"
Conformance checks between modeled traces and the TypeScript runtime
Roadmap toward Rust/WASM for the policy kernel and deeper proof-oriented work only where it is worth the cost

Execution Surface

Policy-first wallet control and delegated authorization boundaries
Blockchain-native MCP tools for agent frameworks and operators
Simulation-aware protocol actions for higher-risk DeFi execution paths
Typed errors and structured rejection reasons for safer automation

Policy YAML Schema

Create a policy.yaml file and pass its path to PolicyEngine. All fields are optional unless marked required.

# policy.yaml — full schema

kind: transfer          # required — identifies this as a transfer policy
version: "1"            # optional schema version

limits:
  daily_max_xtz: 500      # max XTZ transferable per 24h rolling window
  per_tx_max_xtz: 100     # max XTZ per single transaction
  daily_max_sol: 10       # max SOL per 24h (Solana adapter)
  per_tx_max_sol: 2       # max SOL per transaction
  daily_max_usd: 1000     # USD-equivalent cap (requires price oracle)

allowlist:              # optional — if present, only these recipients are allowed
  - tz1alice...         # Tezos addresses (tz1, tz2, tz3, KT1)
  - tz1bob...
  - 0xAbcd...           # EVM / Etherlink addresses
  - So1ana...           # Solana base58 pubkey

denylist:               # optional — these recipients are always blocked
  - tz1hacker...

rate_limit:
  max_tx_per_hour: 10   # max transactions per 60-minute rolling window
  max_tx_per_day: 50

time_window:            # optional — restrict to specific hours (UTC)
  allowed_hours:
    start: 8            # 08:00 UTC
    end: 22             # 22:00 UTC
  allowed_days:
    - monday
    - tuesday
    - wednesday
    - thursday
    - friday

require_confirmation: false   # if true, every tx requires out-of-band approval
audit_log: true               # default true — log all decisions to audit trail

API Reference

PolicyEngine

import { PolicyEngine } from '@envoy/core'
import { TezosAdapter } from '@envoy/tezos'

const engine = new PolicyEngine({
  adapter: new TezosAdapter({ rpc: 'https://rpc.tezos.example' }),
  policy: './policy.yaml',           // path to YAML file, or inline object
  auditLog: true,                    // default true
})

engine.transfer(params)

Execute a transfer. Throws PolicyViolationError if blocked by policy.

await engine.transfer({
  to: 'tz1alice...',    // recipient address
  amount: 100,          // amount in chain-native unit (XTZ, SOL, etc.)
  token: 'XTZ',         // optional — default is native token
  memo: 'payment',      // optional
})

engine.check(params)

Dry-run policy check without executing the transaction. Returns { allowed: boolean, reasons: string[] }.

const result = await engine.check({
  to: 'tz1unknown...',
  amount: 50000,
})
// result.allowed === false
// result.reasons === ['exceeds daily_max_xtz (500)', 'recipient not in allowlist']

engine.getAuditLog()

Returns the audit log as an array of decision records.

const log = engine.getAuditLog()
// [{ timestamp, action: 'transfer', allowed: false, reasons: [...], params: {...} }, ...]

TezosAdapter

import { TezosAdapter } from '@envoy/tezos'

const adapter = new TezosAdapter({
  rpc: 'https://mainnet.api.tez.ie',   // Tezos RPC node URL
  signer: mySigner,                     // optional — Taquito InMemorySigner or similar
  network: 'mainnet',                   // 'mainnet' | 'ghostnet' | custom
})

SolanaAdapter

import { SolanaAdapter } from '@envoy/solana'

const adapter = new SolanaAdapter({
  rpc: 'https://api.mainnet-beta.solana.com',
  keypair: myKeypair,                   // @solana/web3.js Keypair
})

EvmAdapter

import { EvmAdapter } from '@envoy/evm'

const adapter = new EvmAdapter({
  rpc: 'https://mainnet.infura.io/v3/YOUR_KEY',
  privateKey: '0x...',                  // or use a Signer
  chainId: 1,                           // 1=Ethereum, 137=Polygon, etc.
})

PolicyViolationError

try {
  await engine.transfer({ to: 'tz1bad...', amount: 99999 })
} catch (err) {
  if (err instanceof PolicyViolationError) {
    console.log(err.reasons)  // string[] — why it was blocked
    console.log(err.action)   // 'transfer'
    console.log(err.params)   // original params
  }
}

Examples

Example 1: Balance check (read-only, no policy needed)

import { TezosAdapter } from '@envoy/tezos'
const adapter = new TezosAdapter({ rpc: 'https://mainnet.api.tez.ie' })
const balance = await adapter.getBalance('tz1alice...')
console.log(balance) // XTZ in mutez

Example 2: Policy-controlled transfer

import { PolicyEngine } from '@envoy/core'
import { TezosAdapter } from '@envoy/tezos'

const engine = new PolicyEngine({
  adapter: new TezosAdapter({ rpc: 'https://mainnet.api.tez.ie', signer }),
  policy: { limits: { daily_max_xtz: 500 }, allowlist: ['tz1alice...'] },
})

await engine.transfer({ to: 'tz1alice...', amount: 100 })   // OK
await engine.transfer({ to: 'tz1unknown...', amount: 100 }) // throws PolicyViolationError

Example 3: Solana SOL transfer with rate limiting

import { PolicyEngine } from '@envoy/core'
import { SolanaAdapter } from '@envoy/solana'
import { Keypair } from '@solana/web3.js'

const engine = new PolicyEngine({
  adapter: new SolanaAdapter({ rpc: 'https://api.mainnet-beta.solana.com', keypair }),
  policy: { limits: { per_tx_max_sol: 1 }, rate_limit: { max_tx_per_hour: 5 } },
})

await engine.transfer({ to: 'So1ana...', amount: 0.5 })  // OK

Supported Chains

Chain	Package	Status	Native token	Notes
Tezos	@envoy/tezos	stable	XTZ	FA1.2 and FA2 tokens supported
Etherlink	@envoy/etherlink	stable	XTZ (via EVM)	Tezos EVM L2
Solana	@envoy/solana	stable	SOL	SPL token support
EVM (generic)	@envoy/evm	stable	ETH/MATIC/etc.	Ethereum, Polygon, Arbitrum, Base, etc.

Safe executionfor onchain agents.

Safe execution
for onchain agents.