🎥 Pitch video: https://canva.link/jngo3hdi9lbpwk5

🎬 Demo video: https://canva.link/jbaoh2gtpmuil8c

💻 GitHub: https://github.com/charlesms1246/Frost

🌐 Website: https://xfrost.vercel.app

Frost

Frost is an agentic web3 automation desktop app. You describe an automated on-chain workflow in plain English — "watch this pool, and when the price crosses X, swap up to 500 USDC for WETH across whichever DEX gives the best rate, but ask me first if any single trade exceeds 150 USDC" — and Frost turns that sentence into a running, autonomous, fully-bounded agent. You sign once with your own MetaMask; from then on the agent works on your behalf, inside limits you set, until you revoke it.

The core idea: instead of handing an AI agent a private key and hoping, Frost compiles your intent into a signed authority spec with explicit, on-chain-enforceable rules.

The agent can only ever do what that spec permits — and you can pull the plug at any moment.

How it works

1. Describe — You write the workflow in natural language in the Frost desktop app.

2. Compile — A master agent (general LLM-driven, not a fixed script) parses your intent and compiles it into a structured mandate: a set of caveats (spend caps, per-call limits, slippage bounds, rate limits, allowed targets, human-in-the-loop thresholds, expiry).

3. Sign once — You review the compiled authority in a plain-language preview and grant it through MetaMask using ERC-7715 advanced permissions. One signature. No seed phrase ever leaves your wallet, no key is handed to the agent.

4. Run — The agent executes the workflow autonomously within those bounds, spawning specialist sub-agents on demand and escalating anything high-stakes back to you.

5. Revoke — At any time, one action revokes the mandate; revocation cascades on-chain to every sub-agent it ever delegated to.

Key features

Plain-English → signed authority

A natural-language workflow is compiled into a precise, machine-checkable mandate. The compiler coerces and validates every field, enforces floors (e.g. minimum sub-mandate counts), and rejects anything that can't be safely expressed — so a vague sentence never becomes an unbounded agent.

Dynamic, multi-agent execution

The master agent doesn't run a fixed set of helpers. It reasons at runtime about which specialists each task needs and spawns them dynamically:

- Pricer sub-agents — fetch live quotes across DEXs (Uniswap v3 via batched RPC, plus keyless aggregators like Paraswap) and surface the best route.

- Monitor sub-agents — watch on-chain conditions and events, firing the workflow when conditions are met.

- Executor sub-agents — submit the actual transactions, setting slippage floors from live pre-trade quotes and cross-checking prices across multiple independent RPCs before committing.

- Comms sub-agents — send notifications bound to the exact approved message template. A live runtime visualizer shows the whole mandate tree and event stream as it happens — you watch the agent think, spawn, price, and execute in real time.

Bounded authority via redelegation

Built on MetaMask Smart Accounts + ERC-7710 redelegation + ERC-7715 advanced permissions. The master agent can issue sub-mandates to its sub-agents, but a sub-mandate can only ever be narrower than its parent — it can tighten limits, never loosen them. Depth, fan-out, aggregate budget, and per-node spend are all capped at the contract level.

Pay-per-call inference in USDC — no API keys

Frost's defining thesis is no API keys anywhere. Instead of holding provider credentials, the agent pays for each AI inference call in stablecoin over the x402 payment protocol: an unpaid request gets a 402 Payment Required, the agent signs a USDC payment, settlement lands on-chain, and the completion comes back. This is proven live end-to-end with real on-chain USDC settlement on Base. A budget guard and kill switch bound total spend.

Human-in-the-loop where it matters

High-stakes actions (above a threshold you set) pause for your approval via native desktop notifications — not a buried dialog. Approvals are rate-limited per session and cryptographically bound to the specific action, so a prompt can't be reused or spoofed.

Refillable mandates

For ongoing workflows, a refillable mandate auto-replenishes its budget on your terms (total cap, per-refill amount, threshold, minimum interval) — minting a fresh mandate each cycle. Refills are refused unless the active mandate is genuinely depleted and the interval has elapsed.

Verifiable audit trail

Every session produces a tamper-evident log of all decisions, sub-mandates, settlements, and approvals, committed on-chain as a Merkle root and co-signed by you. Anyone can later prove any single action belongs to that session.

Your wallet, your keys

You bring your own MetaMask browser extension — no embedded/custodial wallet vendor, no migrating funds. Because a desktop app can't reach the browser extension directly, Frost uses a hosted wallet bridge (xfrost.vercel.app/connect/): the app opens your system browser, MetaMask does the signing there, and the signed result is posted back to the app over a one-time secure challenge — the same pattern used by tools like the GitHub and Stripe CLIs. The bridge source is public so anyone can verify or self-host it.

Security-first by design

A documented threat model drives the architecture: private-mempool transaction submission for the executor, paranoid-default caveats (deny unless explicitly permitted), revocation grace handling at settlement, prompt-injection guards on the planner, and provider allow-listing. Smart contracts ship with property-based tests on the critical caveat-intersection rules.

Tech at a glance

- Desktop app: Tauri 2 + Svelte 5 (runes) + shadcn-svelte

- Wallet bridge: Next.js + React, hosted at xfrost.vercel.app/connect/

- Smart contracts: Solidity (Foundry), deployed on Base Sepolia — mandates, redelegation registry, revocation, settlement, refillable mandates, provider registry, and an

on-chain audit anchor

- Web3: viem, @metamask/smart-accounts-kit, 1Shot API (server wallets for execution), x402 facilitator (USDC settlement)

- AI: Venice powered general LLM-driven planning, served through an x402-paid inference rail; read-side blockchain and RPC via Venice.

### Architecture & specs

- Locked the full four-layer architecture across six docs (product vision, contract architecture, threat model, wallet-bridge spec, hackathon plan, handoff) — including the canonical caveat schema, the load-bearing spec.
- Threat model with 28+ threats; security decisions cross-referenced throughout.
- Ran the **10 Day-1 verification spikes** (mempool semantics, RPC rate limits, x402 client compat, Tauri↔MetaMask round-trip, ERC-7715 end-to-end, CORS) before locking architecture.

### Smart contracts — deployed & locked on Base Sepolia

- All **6 contracts live**: `DelegationRegistry`, `Revocation`, `Mandate`, `ProviderRegistry`, `Settlement`, `RefillableMandate` (+ `AuditRegistry`).
- One-time admin wiring executed and **permanently locked**; USDC hardcoded immutably in `Settlement`.
- Property-based tests on caveat intersection rules (incl. the critical `max(parent, sub)` HITL_THRESHOLD direction); `maxSubMandates` floor enforced in the compiler.

### Agent runtime

- General **LLM-driven master agent**: compiles plain-English → signed authority spec, then **dynamically spawns** sub-agents (no fixed set, no pattern-matched fallback)
- Live pricers (batched RPC + keyless Paraswap aggregator), event-driven runtime visualizer, closed-loop executor with live QuoterV2 slippage floors + 4-RPC cross-check.
- HITL hardening (per-session prompt rate-limit, approvalId binding); audit co-sign flow.
- **234 agent tests** green; tsc clean.

### The "no API keys" thesis — proven LIVE

- Self-deployed x402 inference gateway for testing: unpaid POST → real `402 PAYMENT-REQUIRED` → sign EIP-3009 → settle real USDC on Base → completion proxied to OpenRouter (default) + Grok (fallback).
- **On-chain settlement confirmed** (payer USDC balance ticked down per call).
- `RefillableMandate` exercised live (create / revoke / refill-refusal property).

### Desktop app + wallet bridge

- Tauri 2 + Svelte 5 (runes) + shadcn-svelte app: `/runtime`, `/wallet`, editable `/settings`, signing-wallet provisioning.
- `/runtime` runs **fully live on Base Sepolia** with demo creds (live mandate issuance → 1Shot WETH→USDC swap → HITL gate → audit commit → revoke cascade); safely simulated without creds.
- Hosted Next.js / React wallet bridge at `xfrost.vercel.app/connect/`; **ERC-7715 grant unblocked** (periodic + BigInt fix); ERC-7710 delegation x402 rail spiked and integrated.
- **116 frost tests** green; `svelte-check` clean (2 pre-existing cosmetic).

### CI / release

- GitHub Actions Tauri release build (Windows / macOS Apple-Silicon / Linux), `sdk → agent → frost` build order; lockfiles committed and fixed.

NIL