03 · ARCHITECTURE

A small architecture, deliberately.

policy gate · commitment ledger · audit chain

Atlas has three on-chain primitives. A commitment ledger records bounded authority. A policy gate decides whether an action may execute. An audit chain proves what happened after execution.

Three primitives. Eight policy predicates. One execution path. Nothing more than enforcement requires.

§1 The architectural model

Atlas sits below wallets, accounts, applications, and emerging agent standards. It does not replace account abstraction, delegation frameworks, identity systems, payment standards, or commerce protocols. It gives them an enforcement floor.

Layer | Role
Existing standards | Accounts, delegations, identity, commerce, payment, execution, tokenized-asset compliance (ERC-3643)
Atlas capabilities | Envelopes, policy gate, audit chain, bridges
Cryptographic substrate | Commitment ledger and deterministic enforcement on Base L2
[Figure: Three-layer architectural model. Layer 1 (top): existing ERCs — account abstraction, delegations, permissioned execution, identity, commerce, payment. Atlas composes underneath, does not replace. Layer 2 (middle, Atlas innovation): Capabilities — envelope, gate, audit chain. Bounded authority constructed here. Layer 3 (bottom, foundational): Substrate — commitment ledger on Base L2. Cryptographic enforcement floor.]
// authority anchors at the substrate · capabilities are constructed · existing standards compose above.

Authority anchors at the substrate. Capabilities are constructed in the middle. Existing standards compose above.

The substrate carries authority for autonomous agents across the surfaces institutions already touch — payments, exchange flow, prime brokerage, custody, DeFi, treasury, and settlement. The category claim is not payments-narrow.

§2 The envelope

The envelope is the smallest unit of bounded authority. It is a cryptographically signed typed-data object that pins what an agent may do.

An envelope can bind:

The envelope does not advise the agent. It constrains the action.

Substituting any field changes the digest and fails the signature check. Replay is separated by chain, verifying contract, and principal nonce.

An agent may carry the envelope. It cannot exceed it.

Full envelope shape and EIP-712 typed-data definitions live in the developer documentation, available under access agreement.

§3 Predicate composition

A predicate is the smallest unit of policy an envelope can enforce. Atlas ships eight predicate primitives:

Predicate | Enforces
Amount cap | Value ≤ cap
Amount minimum | Value ≥ minimum
Recipient (exact) | One pinned counterparty
Recipient allowlist | Approved recipient set
Expiry | Action before settlement-window close
Not-before | Action after activation time
Rate limit | Count or budget within a period
Balance floor | Post-action balance stays above threshold

Composition semantics: AND-only, monotone lattice, first-failure short-circuit. Every predicate must pass. Evaluation halts on the first failing predicate. The failing reason is recoverable from the gate's revert.

This is intentionally narrow. No natural-language policy. No runtime interpretation. No model judgment. No second path.

Property-based testing demonstrates that the gate decision function matches the bounded-authority specification predicate across all sampled inputs. 42 property tests. More than 7,000 sampled inputs. Zero failures. This is not a closed-form proof — SMT-backed verification remains on the roadmap. Under sampled adversarial input distributions, the gate is observationally indistinguishable from the spec.
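The composition semantics and the sampled-equivalence claim above, modelled off-chain in Python as an added example; this is not Atlas contract code or its test suite. The predicate identifiers, the intent and state fields, the parameter values, and every boundary choice other than cap and minimum are assumptions made for the illustration.

```python
import random
from collections import namedtuple

# Hypothetical shapes and constructed policy values; the real fields are not on this page.
Intent = namedtuple("Intent", "value recipient timestamp")
State = namedtuple("State", "balance spent_in_period")
PARAMS = {"cap": 100, "minimum": 1, "recipient": "0xA", "allowlist": {"0xA", "0xB"},
          "expiry": 200, "not_before": 50, "period_budget": 150, "floor": 25}

def build_predicates(p):
    """Ordered (name, check) pairs. Cap and minimum follow the table; the other
    boundary choices (strict vs inclusive) are assumptions."""
    return [
        ("AmountCap", lambda i, s: i.value <= p["cap"]),
        ("AmountMinimum", lambda i, s: i.value >= p["minimum"]),
        ("RecipientExact", lambda i, s: i.recipient == p["recipient"]),
        ("RecipientAllowlist", lambda i, s: i.recipient in p["allowlist"]),
        ("Expiry", lambda i, s: i.timestamp < p["expiry"]),
        ("NotBefore", lambda i, s: i.timestamp >= p["not_before"]),
        ("RateLimit", lambda i, s: s.spent_in_period + i.value <= p["period_budget"]),
        ("BalanceFloor", lambda i, s: s.balance - i.value >= p["floor"]),
    ]

def gate(predicates, intent, state):
    """AND-only with first-failure short-circuit: (allowed, failing_predicate)."""
    for name, check in predicates:
        if not check(intent, state):
            return False, name  # halt here; later predicates are never evaluated
    return True, None

def spec(predicates, intent, state):
    """Reference specification: allowed iff every predicate holds."""
    return all(check(intent, state) for _, check in predicates)

def sampled_equivalence(params, samples=2000, seed=7):
    """Seeded random sampling: the gate decision must equal the spec, and removing
    a predicate must never turn an allow into a deny (monotone under AND)."""
    rng = random.Random(seed)
    preds = build_predicates(params)
    for _ in range(samples):
        intent = Intent(rng.randint(0, 200), rng.choice(("0xA", "0xB", "0xC")), rng.randint(0, 300))
        state = State(rng.randint(0, 400), rng.randint(0, 200))
        allowed, _reason = gate(preds, intent, state)
        if allowed != spec(preds, intent, state):
            return False
        if allowed and not gate(preds[:-1], intent, state)[0]:
            return False
    return True
```

When an intent violates several predicates at once, only the first in evaluation order is reported, so predicate ordering determines which reason a caller sees.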

§4 The execution path

Every Atlas execution follows the same path.

First, a principal signs an envelope. The commitment ledger verifies the signature, domain, nonce, structure, validity window, and any upstream capability-proof commitment. If the envelope is valid, it is registered. If not, the call reverts with a typed reason.

Then, an agent or keeper submits an intent against the committed envelope. The policy gate loads the envelope, verifies the agent, evaluates the predicates against the intent and current chain state, and forwards the intent to the adapter only if every predicate passes. If any predicate fails, execution stops.

The gate is the only path. There is no bypass route, no alternate execution surface, and no privileged second lane.

After successful execution, the audit chain emits a receipt — a cryptographic commitment to the envelope, intent, block, gas, and outcome. The receipt becomes part of a verifiable chain.

principal signs  →  ledger commits  →  gate evaluates  →  adapter executes  →  receipt accumulates
// one path. three primitives. one gate. no second path.

§5 Bridges and composability

Atlas runs beneath the emerging agent stack.

Identity systems can identify the principal. Delegation standards can express who may act. Payment and execution standards can define how value moves. Atlas defines what the action is allowed to be.

Bridges translate upstream authorization standards into the Atlas envelope shape. That lets existing credentials, delegations, and permissions terminate in deterministic on-chain enforcement.

Two bridge primitives ship today. Bridges for emerging agent-authorization standards are in active development with design partners.

Atlas is an open trust network. Any attestor — scheme operators, KYB providers, identity issuers — can publish trust signals; the substrate composes them per transaction. This is the structural answer to scale: trust graphs become composable rather than vendor-locked. Adding a merchant or revoking an attestor is one on-chain transaction, not a vendor onboarding pipeline.

The compositional payoff is simple: one verifier surface gates both registration-time authorization and per-execution enforcement. One deployment, two surfaces. A standard can originate authority upstream. Atlas binds it at execution.

§6 Trust model

What an engineer needs to know before integrating.

Roles and upgradability

The policy gate is non-upgradeable. The audit chain is non-upgradeable. The commitment ledger is non-upgradeable at the verifier boundary; the verifier slot is owner-settable during a finite enablement window, then transitions immutable on production deploy. No proxy patterns. No diamond facets. No delegatecall in any primitive.

Replay and domain separation

EIP-712 domain separator includes name, version, chain ID, and verifying contract. Cross-chain replay is prevented by chain ID. Cross-deployment replay by verifying contract. Principal nonces are monotonic — each registered envelope consumes one nonce slot. Upstream capability-proof commitments are part of the signed digest; substituting any without re-signing fails verification.
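A Python model of the replay protections described above, added here as an illustration and not Atlas code: it follows the EIP-712 digest layout but substitutes SHA3-256 for Keccak-256 and HMAC for the principal's ECDSA signature so that it runs on the standard library alone. The Envelope struct, the domain name and version, strictly sequential nonces, the reason strings, and all addresses, keys and chain IDs are assumptions constructed for the example.

```python
import hashlib, hmac

def h(data):
    # Stand-in: EIP-712 uses Keccak-256, which hashlib lacks (SHA3-256 pads differently).
    return hashlib.sha3_256(data).digest()

def word(n):
    return n.to_bytes(32, "big")  # 32-byte ABI-style word

DOMAIN_TYPE = b"EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"
ENVELOPE_TYPE = b"Envelope(address principal,uint256 nonce,bytes32 policyHash)"  # hypothetical

def domain_separator(name, version, chain_id, contract):
    return h(h(DOMAIN_TYPE) + h(name.encode()) + h(version.encode()) + word(chain_id) + word(contract))

def envelope_digest(domain, principal, nonce, policy_hash):
    struct_hash = h(h(ENVELOPE_TYPE) + word(principal) + word(nonce) + policy_hash)
    return h(b"\x19\x01" + domain + struct_hash)

def sign(key, digest):  # stand-in for the principal's ECDSA signature over the digest
    return hmac.new(key, digest, hashlib.sha256).digest()

class Ledger:
    def __init__(self, chain_id, contract, keys):
        self.domain = domain_separator("Atlas", "1", chain_id, contract)  # name/version assumed
        self.keys, self.next_nonce = keys, {}
    def register(self, principal, nonce, policy_hash, sig):
        digest = envelope_digest(self.domain, principal, nonce, policy_hash)  # this ledger's domain
        if not hmac.compare_digest(sig, sign(self.keys[principal], digest)):
            return "InvalidSignature"  # hypothetical reason names
        if nonce != self.next_nonce.get(principal, 0):
            return "NonceConsumed"
        self.next_nonce[principal] = nonce + 1
        return "Registered"

def replay_outcomes():
    """Constructed scenario: one signed envelope presented five ways."""
    principal, key, policy = 0xA11CE, b"constructed-key", h(b"cap=100")
    keys = {principal: key}
    home = Ledger(1001, 0xC0FFEE, keys)
    sig = sign(key, envelope_digest(home.domain, principal, 0, policy))
    return [
        home.register(principal, 0, policy, sig),                                 # first use
        home.register(principal, 0, policy, sig),                                 # same-ledger replay
        Ledger(1002, 0xC0FFEE, keys).register(principal, 0, policy, sig),         # other chain ID
        Ledger(1001, 0xBEEF, keys).register(principal, 0, policy, sig),           # other deployment
        Ledger(1001, 0xC0FFEE, keys).register(principal, 0, h(b"cap=999"), sig),  # substituted field
    ]
```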

Audit status

Internal review is complete on the shipped contract set. External third-party audit is sequenced with the institutional design-partner cohort and is not yet complete. Code is externally unaudited at publication. Property-based testing demonstrates kernel-spec equivalence across the sampled input distribution; formal verification remains future work. A bug bounty opens with mainnet deployment.

Attack-surface mapping

Specific attack-surface coverage is documented in the Atlas Attack Matrix: sixteen attack vectors mapped across four ERC layer categories, each landing as a real Base Sepolia transaction that reverts with a substrate-named Atlas error. The matrix is the structural-coverage counterpart to the property-test equivalence claim above.

This page does not claim audit completeness it does not have. If a deal hinges on external audit completion, talk to us before integrating.

§7 ZK compliance

The audit chain is compatible with a zero-knowledge compliance circuit that proves public predicates over a rolling receipt chain. That lets an institution publish a compliance attestation without revealing the underlying flow.

The ZK circuit is not load-bearing for enforcement. Enforcement happens earlier, at the gate. The circuit's role is auditability: making compliance cheap to prove, selective to disclose, and verifiable by third parties.

Atlas separates the two: the gate enforces. The circuit attests.

The architecture is small. Three primitives. Eight predicates. Two bridges. One gate. Nothing more than what enforcement actually requires.

That smallness is the point. Surface area is attack surface. Atlas trades expressiveness in favor of enforced expressiveness — the predicates the gate demonstrates equivalent to spec under property testing are the predicates we ship.

Enforce at the gate, or enforce nowhere — the gap grows with every rule.

The agent can be wrong. The bound stays right.