Signet Guardian
Payment guard middleware for AI agents. Use whenever any skill is about to initiate a payment. Runs a preflight check against the user's policy (payments enabled, per-transaction limit, monthly cap).
Description
name: signet-guardian description: "Payment guard middleware for AI agents. Use whenever any skill is about to initiate a payment. Runs a preflight check against the user's policy (payments enabled, per-transaction limit, monthly cap). Returns ALLOW, DENY, or CONFIRM_REQUIRED. Other payment-capable skills must call signet-preflight before proceeding and signet-record after a successful payment." metadata: {"openclaw":{"emoji":"🛡️","homepage":"https://getsignet.xyz"}}
Signet Guardian — Payment Guard Middleware
Overview
Signet Guardian is a policy firewall for money actions. It does not intercept payments at runtime by itself; payment-capable skills must route through it by contract:
- Before any payment: call signet-preflight (amount, currency, payee, purpose).
- If result is ALLOW or CONFIRM_REQUIRED (and user has confirmed): the skill may proceed.
- If result is DENY: do not proceed; tell the user the reason.
- After a successful payment: call signet-record to append to the ledger.
This gives one place to enforce: master switch (payments on/off), max per transaction (e.g. £20), max per month (e.g. £500), and optional confirmation above a threshold (e.g. £5).
Concurrency: Preflight is advisory (no lock). Record enforces the monthly cap under a file lock ({baseDir}/references/.ledger.lock): it re-checks the cap before appending and refuses to record if the month would be exceeded. So the monthly limit is enforced at record time; idempotency and cap are both safe under concurrent calls. Preflight can still be used to fail fast; the definitive check is in record.
Currency: No FX conversion. The request currency must match the policy currency; otherwise preflight returns DENY. Conversion source/rules are not defined.
Policy (user configuration)
Source of truth: OpenClaw config first (signet.policy in the main config, e.g. editable in the Control UI if the extension is installed), then fallback to {baseDir}/references/policy.json. OpenClaw sets {baseDir} via OPENCLAW_SKILL_DIR or OPENCLAW_BASE_DIR.
| Field | Meaning |
|---|---|
paymentsEnabled |
Master switch. If false, all payments are denied. |
maxPerTransaction |
Max amount allowed for a single transaction (e.g. 20). |
maxPerMonth |
Max total spend in the current calendar month (e.g. 500). |
currency |
ISO currency code (e.g. GBP, USD). Request currency must match. |
requireConfirmationAbove |
Above this amount, return CONFIRM_REQUIRED so the user must explicitly confirm (e.g. 5). |
blockedMerchants |
Optional list of substrings; payee matching any is denied. |
allowedMerchants |
Optional; if non-empty, only payees matching one of these are allowed. |
version |
Optional number for future policy migrations. |
Default behaviour: If the policy file is missing or invalid, preflight returns DENY (default-deny).
Commands
signet-preflight
Run before initiating any payment. Validates: payments enabled, currency match, amount > 0 and ≤ max per transaction, (current month spend + amount) ≤ max per month, and optional merchant rules. Optionally requires explicit confirmation above a threshold. Amount must be greater than zero.
signet-preflight --amount 15 --currency GBP --payee "shop.example.com" --purpose "Subscription"
Optional:
--idempotency-key "unique-key"— Used when recording later to avoid duplicate ledger entries.--caller-skill "skill-name"— Name of the skill invoking the guard (for audit).
Output (JSON):
{ "result": "ALLOW", "reason": "Within policy" }— Proceed with the payment.{ "result": "CONFIRM_REQUIRED", "reason": "..." }— Ask the user for explicit confirmation; if they agree, proceed then call signet-record. (Confirmation is the caller’s responsibility.){ "result": "DENY", "reason": "..." }— Do not proceed. Notify the user.
Every DENY is logged to the audit trail.
Exit code: 0 for ALLOW or CONFIRM_REQUIRED, 1 for DENY.
signet-record
Call after a payment has successfully been made. Appends one line to the ledger (append-only). If an idempotency key was used in preflight, pass the same key here to avoid double-counting.
Record validation scope: signet-record re-checks only currency and monthly cap (under lock). It does not re-check paymentsEnabled or merchant allow/block lists. Policy enforcement (switch, merchants, per-tx limit) is done at preflight (and in an optional future authorize phase). Record is the post-success log; the cap check at record time prevents double-counting when concurrent preflights both allowed.
signet-record --amount 15 --currency GBP --payee "shop.example.com" --purpose "Subscription" --idempotency-key "sub-123"
Optional: --caller-skill "skill-name" for audit.
If the same idempotency-key was already recorded, the command is a no-op (idempotent).
signet-report
Shows spending and transaction history for the user.
signet-report --period today
signet-report --period month
signet-policy
Show, edit, or configure policy via wizard.
signet-policy --show # Print current policy (config, then file)
signet-policy --edit # Open policy.json in $EDITOR
signet-policy --wizard # Interactive step-by-step setup (no JSON)
signet-policy --migrate-file-to-config # One-time: copy file policy into OpenClaw config
Audit (ledger and deny log)
Ledger file: {baseDir}/references/ledger.jsonl. Format is strict JSONL: one JSON object per line, newline-separated (no space between entries). Each line contains:
- ts — Timestamp UTC (ISO 8601).
- callerSkill — Optional; skill that invoked preflight/record.
- idempotencyKey — Optional; dedupe key for record.
- status —
completedordenied. - reason — Decision reason (especially for denials).
- Plus: amount, currency, payee, purpose.
All preflight denials are appended to the same ledger with status: "denied" and a reason.
Critical Rules (for the agent)
- Never skip preflight — Any payment from any skill must go through
signet-preflightfirst. No exceptions. - Respect DENY — If preflight returns DENY, do not attempt the payment. Tell the user the reason.
- CONFIRM_REQUIRED — If preflight returns CONFIRM_REQUIRED, ask the user explicitly (“Allow this payment of £X to Y?”). Only proceed if they confirm, then call
signet-record. - Always record success — After a successful payment, call
signet-recordwith the same amount, currency, payee, purpose, and idempotency key (if used). - Idempotency — For critical flows, use a stable
--idempotency-key(e.g. order ID or request ID) so retries do not double-count in the monthly total. - Default-deny — If the policy file is missing or corrupt, the skill denies by default.
- Record is authoritative for cap only — The monthly cap is enforced when recording (under lock). If
signet-recordfails with a cap error, the payment already happened; do not retry without user confirmation. For cap-safe flows before payment, a future authorize (reservation under lock) then settle (convert reservation to completed) pattern can reserve budget before the payment is made.
First Run
On first use, the user must have a valid {baseDir}/references/policy.json. Run signet-policy --show to see current policy; if missing, create it (e.g. via signet-policy --edit) with at least:
paymentsEnabled: true/falsemaxPerTransaction: numbermaxPerMonth: numbercurrency: e.g. "GBP"requireConfirmationAbove: number (e.g. 5)
Ledger lives at {baseDir}/references/ledger.jsonl; no extra setup required.
Reviews (0)
No reviews yet. Be the first to review!
Comments (0)
No comments yet. Be the first to share your thoughts!