agentpay-sdk
Summary
ExpandThe agentpay-sdk is a multi-language cryptocurrency wallet management platform that enables policy-gated cryptographic signing for agent-initiated blockchain transactions. The architecture spans a Rust daemon layer (`vault-cli-daemon`, `vault-cli-agent`, `vault-cli-admin`) responsible for key management, spending policy enforcement, and Secure Enclave/TPM-backed signing; a TypeScript CLI and library layer that orchestrates daemon installation, wallet lifecycle operations, and third-party integrations; a Hono-based relay API that brokers encrypted approval updates between daemons and human operators; and a Next.js approval console where operators authorize signing requests via one-time capability tokens with client-side X25519 + XChaCha20-Poly1305 encryption. Supporting packages provide Redis-backed relay caching with claim-based leasing, filesystem-hardened configuration management, RPC URL validation, and a shared React UI component library. The codebase totals approximately 28,000 lines across Rust, TypeScript, and JavaScript, with the Rust components handling all cryptographic signing and policy evaluation while the TypeScript layer manages orchestration, credential delivery, and user interaction.
The security mechanisms observed across the codebase reflect deliberate, layered threat modeling. Secret lifecycle management is handled consistently through the `zeroize` crate in Rust and controlled delivery channels in TypeScript — inline CLI flags for vault passwords and auth tokens are explicitly blocked, forcing users to stdin pipes, TTY prompts, or macOS Keychain-backed alternatives. Filesystem operations throughout both language layers implement defense-in-depth protections including `O_NOFOLLOW` to prevent symlink following, `O_EXCL` for exclusive creation, ancestor directory ownership and permission validation with sticky-bit awareness, and atomic writes via temp-file-then-rename patterns. The policy engine operates as a stateless, `forbid(unsafe_code)` computation layer that evaluates spending limits with `checked_add` overflow protection and fail-closed defaults, while the relay API enforces role-based access across admin, daemon, and public tiers using timing-safe token comparison, strict Zod schema validation with regex constraints on all cryptographic parameters, and rate-limited one-time capability token consumption for browser-initiated approvals.
The audit identified zero vulnerabilities across approximately 28,000 lines of security-critical code spanning wallet key management, policy enforcement, encrypted relay communication, and browser-based approval flows. This result reflects a codebase with exceptionally strong security engineering fundamentals — the consistent application of symlink-safe file I/O, secret zeroization, array-based process spawning to eliminate command injection, cryptographically secure token generation via `crypto.randomBytes(32)`, and AES-256-GCM wallet backups with scrypt key derivation demonstrates that security was treated as a first-class design constraint rather than an afterthought. The primary areas warranting ongoing attention are the cross-boundary trust assumptions between the TypeScript orchestration layer and the Rust daemon binaries, and the non-atomic Redis lock patterns in the cache service's claim operations, which rely on secondary claimToken guards for correctness under concurrency rather than atomic Lua scripts.
Findings
No issues identified
Conclusion
ExpandThe agentpay-sdk codebase demonstrates a level of security maturity that is uncommon for projects at this stage, particularly in its consistent application of defense-in-depth across language boundaries. The Rust components exhibit rigorous memory safety practices — forbid(unsafe_code) directives, exhaustive match arms, explicit integer overflow handling with fail-closed semantics — while the TypeScript layer mirrors these protections with equivalent filesystem trust verification, controlled secret delivery paths, and comprehensive input validation at every CLI and API boundary. The separation of concerns between the stateless policy engine, the signing daemon with UID-based socket access control, and the encrypted relay communication layer reflects careful architectural threat modeling that correctly isolates cryptographic material from network-facing surfaces.
No exploitable security vulnerabilities were identified across any section of the audit. The codebase’s most security-sensitive operations — vault password handling, private key backup encryption, daemon-to-relay encrypted synchronization via X25519 + XChaCha20-Poly1305, and browser-based approval flows with capability token authorization — all implement established cryptographic patterns with appropriate primitive choices and proper key material cleanup. The relay API’s layered authorization model correctly maps trust tiers to access scopes, and the approval console’s client-side encryption design ensures vault passwords never transit the relay in plaintext, meaningfully reducing the blast radius of a relay compromise.
The agentpay-sdk is deployment-ready from a security perspective. The recommended next steps are to verify through integration-level security testing that the cross-boundary trust assumptions hold end-to-end — specifically that spend history provided to the policy engine is complete and accurate, that daemon socket authentication cannot be bypassed, and that approval capability tokens are never exposed through API responses to unauthorized consumers. Additionally, replacing the non-atomic Redis delete-then-set-NX sequences in the cache service with atomic Lua scripts would eliminate a theoretical concurrency window, and ongoing dependency scanning should monitor the supply chain for the cryptographic libraries (@noble/curves, @noble/ciphers, viem) that underpin the platform’s signing and encryption operations.
Legal Disclaimer: This report covers the code submitted for analysis. It does not account for infrastructure, deployment configuration, third-party dependencies, or changes made after the audit date. Automated analysis may produce false positives or miss context-dependent vulnerabilities. audited.xyz provides this report “as is” without warranty of any kind.