The numbers come from code, not words.
VaultBags reads the market, talks to agents and writes daily briefings. By design that language only ever explains a decision, it never sets one: the amounts, weights and destinations come from deterministic, bounded code. Below is how that separation is built, laid out as ten invariants. The ones that can be proven mechanically are re-checked on every build.
Live self-check
Every mechanical invariant passed on this build.
71/71
checks passing
The contract
Free text can never move a number
No headline, chat message, tool argument or model output can set an amount, destination, weight or approval. Every number comes from deterministic, bounded code (clamped and range-checked), not from language.
23/23 adversarial fixtures passing
Fund transfers are built server-side and hash-bound
Every transaction that moves value is constructed on the server, its destination derived from verified identity, and its exact message hashed and bound before the vault co-signs. A tampered instruction fails the hash and is rejected.
The AI layer only presents, never decides
The AI reads structured data the server already assembled and writes prose about it. Its output is never parsed back into an action, a number or a transaction.
Agent surfaces are read-only or go through the same guards as humans
Every agent-facing endpoint either returns public read-only data or passes the identical server-side policy checks a person would. Being an agent grants no shortcut.
6/6 adversarial fixtures passing
Payments are verified on-chain and single-use
Machine payments are checked on-chain server-side (amount, destination, finality) with single-use references. A receipt never grants more than the scope it paid for.
10/10 adversarial fixtures passing
Fixed schemas, no secrets, no dynamic dispatch
Agent responses are fixed schemas assembled server-side. Tool names are an allowlist and arguments are validated, so unknown tools and unknown arguments are rejected, not ignored. Secrets never transit an agent surface.
27/27 adversarial fixtures passing
Privileged actions stay signed and unreachable by agents
Admin and creator operations remain Ed25519-signed, session-gated and replay-guarded. No agent path can reach them.
Every module has a kill switch
Each capability sits behind its own feature flag. Flag off means the surface is gone (a 404, not a soft-disabled code path).
A lying pool cannot poison a price
Market prices are chosen by consensus, not by whoever claims the most liquidity: a pool quoting far from the median of its peers is excluded no matter how deep it claims to be, dust pools have their prices withheld instead of served, and the vault's own assets are priced by an oracle first with the DEX as fallback. Refusing a number is always preferred to repeating a lie.
5/5 adversarial fixtures passing
Addresses are imported, never retyped
Every on-chain identifier (mint, wallet, program, price feed) lives in a small set of owner files, each documenting the authoritative source it was verified against. Everything else imports it, and the build fails if an address is hand-typed anywhere else, so a mistyped or invented address cannot enter the codebase.
How to read this
Self-checked clauses are proven on every build by deterministic adversarial fixtures: hostile market signals, injection-shaped inputs and tampered decisions are fed to the real code, and the build fails if any of them changes an outcome.
Structural clauses are guaranteed by how the system is built (transactions constructed server-side and hash-bound, privileged actions signature-gated, every module behind its own kill switch) and verified by code review rather than a runtime fixture.
Embed the live badge
[](https://vaultbags.app/firewall)