11 — Conformance
OAW is a standard, not just one codebase. An implementation "conforms" if its provider adapters and venue adapters uphold the guarantees below. The reference SDK ships machine-checkable conformance tests under test/conformance/ (provider.test.ts, venue.test.ts) — new adapters should extend them.
This is intentionally a contract, not a heavy framework. The rules are few, precise, and testable.
Provider adapter guarantees
A WalletProviderAdapter (Privy, Virtuals, external, …) MUST:
| # | Rule | Why |
|---|---|---|
| P1 | Idempotent ensure. ensureAgentWallet returns the same authority for the same user/env on repeated calls. | No duplicate wallets; safe to call from any write path. |
| P2 | Proof ≠ identity. Proving an agent exists (e.g. verify_identity) MUST NOT be treated as ownership. Active authority for a linked wallet requires verify_authority_proof. | Prevents hijacking a wallet you don't control. |
| P3 | No silent authority switch. A linking flow MUST NOT overwrite a ready Mode A authority unless ownership is verified and the switch is explicit. | The user's active signer never changes by accident. |
| P4 | Honest unsupported surfaces. Capabilities the provider does not (yet) expose MUST throw an explicit, named error — never fabricate. (e.g. Virtuals Mode C/D throw pending-upstream errors.) | No pretending headless create exists. |
| P5 | No secrets out. The serialized AgentAuthority / capability snapshot MUST contain no key material, tokens, or signer secrets. | Authority blocks travel to chat/logs. |
Venue adapter guarantees
A VenueAdapter (Polymarket, Hyperliquid, …) MUST:
| # | Rule | Why |
|---|---|---|
| V1 | Authority before setup. No venue-local signer/credential/deposit-wallet is created until the pre-bind gate resolves parent authority. | One authority, many bindings. |
| V2 | Preflight signs nothing. executeOrPlan(execute:false) returns a planned result, performs no signing, moves no funds, creates no receipt. | Safe to call from any preview. |
| V3 | Live-action gating. With execute:true, execution happens only when the route is supported and policy passes and the venue's live flag is on. Otherwise a precise status (ready_but_live_locked, requires_approval, blocked) with executionPerformed:false. | Money movement is opt-in and policy-bound. |
| V4 | No silent route fallback. If the active authority cannot execute on the venue (e.g. Mode B on a non-ACP venue), block with the exact blocker — never fall back to a different signer. | No surprise signer. |
| V5 | Receipt only on execution. receiptId is non-null only when executionPerformed is true. Reference adapters set referenceAdapter:true and emit a ref_-prefixed, reference-generated receipt — never a real on-venue order id. | No fake "it traded" signal. |
| V6 | No secrets in the binding or agent_authority block. Venue-local secrets stay server-side; only non-secret references appear in payloads. | Bindings travel to UI/logs. |
| V7 | Declared maturity. The venue's VenueCapabilityContract.maturity and integrationNotes honestly state whether it is reference or production, and what must be wired. | External users aren't misled. |
Cross-cutting rules
- Funding route rule. A funding plan resolves a venue → target chain/address + route; it never auto-creates a wallet, and
executemoves funds only with approval + the fail-closed live flag + passing policy. - No-secrets rule. Every outward payload passes
assertNoSecrets. - Determinism rule. The LLM/agent brain may propose; only the backend executor decides whether and actually signs.
Running conformance
bash
node --test --experimental-strip-types --no-warnings "test/conformance/*.test.ts"
# or the whole suite
pnpm testAdding a conforming adapter
- Implement the port (
WalletProviderAdapterorVenueAdapter). - Set honest
maturity/integrationNotes(venues) on the capability contract. - Add a case to the relevant conformance test asserting the rules above.
- Wire the real provider/venue API to flip
maturitytoproduction.