PaladinFi Trust — pre-trade OFAC + GoPlus + lookalike risk gate for evm agents (designing plugin, feedback welcome)

[mgopal20]

Hi all — designing an Eliza plugin and posting here for feedback before npm-publish.

What it does

@paladinfi/eliza-plugin-trust will give evm-plugin-using agents a pre-trade composed risk gate on the buy token, in a single HTTP call:

• OFAC SDN screening (service refreshes from U.S. Treasury SDN XML every 24h; cryptocurrency-tagged entries via Feature 345 / Detail 1432)
• GoPlus trust-list + token-security signals (where surfaced; recently-deployed contracts may not yet be classified)
• Etherscan source verification status
• Anomaly heuristics (fresh-deploy, low-holder, proxy patterns)
• Lookalike detection (symbol/name proximity vs whitelist + recently-active tokens)

Returns recommendation: allow | warn | block plus a per-factor breakdown.

Today: Base only (chainId 8453); other EVMs on roadmap.

Why an evm-agent operator might want this

Three concrete failure modes that today's evm-plugin swap path doesn't gate on:

1. Buying a sanctioned-address proxy
2. Buying a honeypot / sell-blocked token
3. Buying a fresh-deploy lookalike of a legitimate token

In each case the swap completes silently, the operator notices on sell-attempt.

Request shape (free preview, available now)

curl -sS -X POST https://swap.paladinfi.com/v1/trust-check/preview \
  -H 'content-type: application/json' \
  -d '{"chainId":8453,"address":"0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913"}'

Response (truncated):

{
  "address": "0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913",
  "chainId": 8453,
  "trust": {
    "recommendation": "sample-allow",
    "factors": [
      {"source": "ofac", "signal": "not_listed", "real": false},
      {"source": "etherscan_source", "signal": "verified", "real": false},
      {"source": "goplus", "signal": "ok", "real": false},
      {"source": "anomaly", "signal": "ok", "real": false}
    ],
    "_preview": true,
    "_message": "Preview response — SAMPLE FIXTURE. POST /v1/trust-check (x402-paid, $0.001/call) for live evaluation."
  }
}

The preview is intentionally sample-only (real: false on every factor, recommendation: "sample-allow" so it can't be screenshot-misused). The paid endpoint at POST /v1/trust-check runs live signals.

Plugin shape

Standalone plugin: @paladinfi/eliza-plugin-trust. Characters compose it in their action graph; before any swap, plugin emits the trust-check call (against the agent's existing wallet for x402 payment). On block, the agent abstains and posts to the operator log.

Looking for feedback on

• Action signature: synchronous gate vs async pre-hook? Eliza characters seem to mix both patterns and I haven't settled on the cleanest fit.
• Anything load-bearing about the current @elizaos/plugin-evm swap path that this should integrate with, not bypass?
• Naming convention — @paladinfi/eliza-plugin-trust is our scope (we own @paladinfi), but if there's a community-preferred third-party plugin pattern I'm missing, happy to adjust.

Build status

• Service is live (links below). Free preview wired today; paid endpoint live with x402 settlement on Base.
• Plugin package + character config snippet land within ~1-2 weeks pending feedback here.
• Open client + OpenAPI for the swap surface is MIT-licensed at https://github.com/paladinfi/paladin-swap-mcp; trust-check OpenAPI publishes alongside the plugin.

Cost

$0.001 USDC settled via x402 on Base per paid call. Free preview unlimited at the rate-limited preview path.

Links

• Health: https://swap.paladinfi.com/health
• MCP Registry: io.github.paladinfi/paladin-swap
• Smithery: https://smithery.ai/servers/paladinfi/paladin-swap
• Repo: https://github.com/paladinfi/paladin-swap-mcp
• Terms: https://paladinfi.com/terms/

— Mallesh (@mgopal20), Malcontent Games LLC / PaladinFi

[mgopal20]

Quick update — v0.0.1 skeleton just shipped to anchor this Discussion with a real artifact instead of a design doc:

• npm: npm install @paladinfi/eliza-plugin-trust (package page)
• GitHub: https://github.com/paladinfi/eliza-plugin-trust (MIT)

v0.0.1 scope is intentionally narrow — see the file-level comment in src/actions/trust-check.ts for the full list. Two main simplifications vs the v2-alpha pattern in elizaos-plugins/plugin-evm/typescript/actions/transfer.ts:

1. No LLM prompt-template extraction yet — paladin_trust_check accepts the buy-token address explicitly via options.address. v0.1.0 will wire the standard composePromptFromState + parseKeyValueXml flow.
2. Preview endpoint only in the plugin — v0.0.1 calls /v1/trust-check/preview (free, sample-fixture). The paid /v1/trust-check endpoint is already live on the service; the plugin will wire it in v0.1.0 alongside the wallet-runtime EIP-3009 signing.

Reproducible smoke test (verifies the live API + the package's client end-to-end): npm install @paladinfi/eliza-plugin-trust && node -e "import('@paladinfi/eliza-plugin-trust').then(m => new m.PaladinTrustClient({apiBase:'https://swap.paladinfi.com', mode:'preview', defaultChainId:8453}).preview({address:'0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913', chainId:8453}).then(r=>console.log(r.trust.recommendation)))" — should print sample-allow.

v0.1.0 target — by 2026-05-16. Tracking issue with full checklist + subscribable progress: paladinfi/eliza-plugin-trust#1

One specific design question: if you've wired a swap action in Eliza, would you compose this trust check inline with the swap action, or call it as a separate guardrail step? The action signature in v0.1.0 turns on that answer — happy to iterate based on what fits real character flows.

[mgopal20]

Shipped: v0.1.0 live on npm (release notes).

Follow-up to the original post: the skeleton v0.0.1 promised functional v0.1.0 within ~2 weeks. v0.1.0 is here, on the early end of that window.

What’s in:

• LLM prompt-template extraction via composePromptFromState + useModel(ModelType.TEXT_SMALL) + parseKeyValueXml (same pattern as @elizaos/plugin-evm/transfer.ts).
• Paid x402 settlement against https://swap.paladinfi.com/v1/trust-check (Base, $0.001 USDC/call) via @x402/fetch@2.11.0 with onBeforePaymentCreation hook.
• Pre-sign hook validates 6 fields against hard-coded constants (treasury, USDC, BASE_NETWORK, $0.01 amount cap, 10-min validity, EIP-712 domain) before viem signs anything. Hook-abort errors carry a paladin-trust BLOCKED pre-sign: prefix for operator grep.
• createPaladinTrustPlugin({ walletClientAccount }) factory pattern with boot-time validation throwing on misconfigured paid mode.

Quick start (preview, free):

import { paladinTrustPlugin } from "@paladinfi/eliza-plugin-trust";
export const character = { plugins: [paladinTrustPlugin], ... };

Paid ($0.001 USDC/call):

import { privateKeyToAccount } from "viem/accounts";
import { createPaladinTrustPlugin } from "@paladinfi/eliza-plugin-trust";
const account = privateKeyToAccount(process.env.PALADIN_TRUST_KEY);
const plugin = createPaladinTrustPlugin({ walletClientAccount: account });

Verified end-to-end against live API. Settled USDC tx on Base mainnet for the first paid integration call: 0xe08f3636d2cbbac2eab95cb1685c670369311e4a4e560a743f40719ddd9db1a1.

Feedback (alpha API drift, paid-mode UX, missing factors) very welcome here or at the issue tracker.

[MrTalecky]

On inline vs separate: the evaluator path is cleaner. Composing this as a pre-action evaluator step rather than inlining the gate inside the swap action keeps the swap action testable without mocking the trust endpoint, and means trust-check failures are handled at the graph level rather than forcing the swap action to implement its own abort semantics. The v0.1.0 LLM extraction pattern (composePromptFromState + parseKeyValueXml) is the right building block — running the trust check as a precondition evaluator that sets a flag the swap action reads is cleaner than having the swap action call trust-check internally.

One boundary worth naming explicitly in the threat model: the onBeforePaymentCreation hook puts the $0.01/call cap in application code. That's the right place for the x402 payment path, but application-layer policy only holds if your plugin version is the one executing — a composability bug or plugin version mismatch defeats it at runtime. For deployments where the operator and the plugin author aren't the same party, on-chain cap enforcement (verifiable by anyone, not just enforced by plugin logic) is a meaningfully stronger guarantee. Not blocking feedback for v0.1.0, but worth calling out before PaladinFi Trust moves into multi-agent or enterprise setups where that separation exists.

[mgopal20]

Thanks for the substantive read — both points sharp, and the second one is the kind of feedback that's most useful at this stage.

On the action-vs-evaluator framing (point 1):

First, the actual v0.1.0 shape so we're talking about the same thing: it's a standalone Action — paladinTrustPlugin = { actions: [trustCheckAction], evaluators: [], providers: [] }. Not inlined inside a swap action, but also not registered as an evaluator. The agent picks paladin_trust_check from prompt context the same way it'd pick any other Action.

Your argument for separating trust from the swap action's internals tracks — expecting the agent's prompt-driven action selection to reliably gate every swap is fragile. We're weighing two shapes for v0.2.0:

1. Provider — runs in the context-prep phase before action selection; surfaces a paladinTrust: { recommendation, riskScore, factors } field on State that the swap action's validate() reads. Closest match in Eliza's actual lifecycle to "sets a flag the swap action reads" (Eliza's Evaluator primitive runs post-action for memory extraction, so it doesn't quite fit pre-action gating).
2. Evaluator in the post-action sense — fires after a swap, scores it, writes a memory the user-feedback flow surfaces. Different value prop — telemetry / self-correction over time, not a hard gate.

Leaning toward the Provider direction but want to gather more usage signal before committing. If you were picturing a different primitive or a hybrid shape, the clarification is welcome — happy to iterate before we settle on a direction.

On on-chain cap enforcement (point 2):

You're right that the $0.01 application-layer cap is only as strong as the plugin version in the runtime. A fork that strips onBeforePaymentCreation still settles whatever amount viem signs.

Today's threat model implicitly assumes single-trust-domain deployments (operator and plugin author are the same party, or the operator audits the source). For the multi-agent / enterprise case you're naming, contract-level cap is the right answer. Three sketches we're weighing:

• EIP-2612 permit + capped escrow — plugin signs a permit granting the escrow a per-call allowance; escrow reverts on amount > MAX_PER_CALL_USDC before pulling. (Distinct mechanism from EIP-3009; trades a one-time approval for cleaner cap semantics.)
• Receiving-endpoint contract consuming USDC via transferWithAuthorization and reverting above a posted cap.
• Operator-neutral facilitator that re-checks the cap at submission. Only meaningfully stronger than the application-layer hook if the facilitator isn't operator-controlled — otherwise it's the same trust assumption moved one layer down.

None of these are imminent — protocol changes that need design + audit. But this framing helps explain why "just rely on the hook" isn't sufficient where operator ≠ plugin author. Capturing it as a roadmap consideration.

Two questions back if you have a feel:

1. Is there an Eliza plugin you've seen do precondition-style gating well?
2. On the cap-enforcement contract, does a wrapper-approval (extra approve call to the wrapper at first paid call) cross a friction threshold for agent UX, or is it acceptable since the user is already trusting EIP-3009?

Thanks again — first community feedback on this thread and exactly the framing we needed.

[MrTalecky]

The Provider direction maps to what you described — context-prep phase, result in State, swap action reads it in validate(). The structural parallel in the existing stack is WalletProvider in @elizaos/plugin-evm: pre-populates walletInfo on State before action selection so any action can condition on balance without calling out at action time. A paladinTrust: { recommendation, riskScore, factors } field on State following the same pattern keeps the swap action's precondition a field check rather than a live call, and makes it testable by stubbing State directly.

On wrapper-approval friction: a one-time approve at first paid call is acceptable for agent UX — agents don't carry the click-cost that human wallets do, and a scoped escrow approve is the same trust ask as any ERC-20 spend the agent already issues. The pattern worth comparing against is EIP-2612 permit-per-call: no pre-approve needed, each request carries a single-use signed authorization scoped to the exact call amount and a short expiry. That removes the approve transaction entirely rather than minimizing it. On the Base side we've used per-call EIP-712 authorizations for agent spend limits for this reason — the worst-case exposure is bounded to a single call even if the signing scope leaks, whereas a standing allowance to the escrow stays live until explicitly revoked. For the operator ≠ plugin-author case you named, per-call permit is meaningfully stronger than scoped approve even if the approve target is narrow.

[mgopal20]

Quick correction on our current shape, then agreement on where to go.

The plugin already signs per-tx via walletClientAccount: LocalAccount — it issues no standing approvals beyond what the swap aggregator itself requires (Permit2 / router-specific approvals are governed by the aggregator route the agent chose, not the plugin). Each returned calldata is signed individually. The EIP-3009 transferWithAuthorization we use for x402 settlement is the same per-call EIP-712 authorization pattern (different from EIP-2612 in spec — 3009 transfers with nonce vs 2612 sets allowance — but same per-call authorization shape).

Where I think you're pointing — and where I agree — is agents-talking-to-other-agents, or a service that needs to delegate a bounded payment surface to a sub-agent. The EIP-712 typed-data layer at consumption time gives bounded-worst-case exposure that the plain LocalAccount model doesn't (one signature = one specific authorization, verified by the settling contract). It's a direction we're thinking through for a new version with more features in development.

On Provider vs Action: the framing makes sense — keep paladin_swap as an Action for the imperative path, and look at a separate Provider that exposes the trust verdict as readable state for non-committal queries. The WalletProvider parallel in plugin-evm is helpful framing. We're working through the right shape.

One thing worth saying directly: you're right that application-layer payment caps lack on-chain enforceability. The hourly/daily caps in our SpendingTracker are agent-side discipline — they bound the agent's own runaway-loop blast radius, not a hostile substitute. We document this in THREAT_MODEL.md §6-7. Per-call EIP-712 payment-bounded authorizations are the on-chain-enforceable complement, and a natural fit for the Provider pattern when we get there.

[MrTalecky]

The EIP-3009 correction is right — transferWithAuthorization is actually cleaner than permit in one respect: no allowance state to leak between calls. Per-call authorization shape is what matters, and 3009 enforces it at the contract rather than the wallet layer.

The THREAT_MODEL.md §6-7 framing does more work than it looks like. Explicitly separating blast-radius discipline (SpendingTracker) from on-chain enforceability (per-call EIP-712 authorizations) makes the security claim honest about its own scope. That distinction gets collapsed in most protocol docs and creates real problems for integrators who inherit threat models they didn't write. The Provider path, when you get there, can close the gap naturally — session remaining capacity as readable State means routing decisions downstream don't require reading contract state directly.

[mgopal20]

Both points exactly right.

The §6-7 separation was deliberate — application-layer policy (SpendingTracker) and on-chain enforceability (per-call EIP-712 authorizations) are different objects, and integrators inheriting a threat model deserve to see which is which. Glad it reads as honest scope rather than implicit equivalence.

The Provider direction is the natural fit for the v0.3.0 traction-gated hardening pass. v0.2.0 ships with the action-level approach (action calls trust-check internally + reads SpendingTracker state) since that's testable end-to-end without a Provider abstraction layered above. Once we get there, exposing session remaining capacity as readable State (matching the WalletProvider/walletInfo precedent from your earlier comment) is the cleanest closure of the gap — routing decisions can condition on it without contract reads, and the on-chain authorization stays the load-bearing enforcement.

Appreciate the consistency on the through-line across these threads — agent-as-different-from-human-wallet is the right architectural lens, and your specific examples (no-allowance-state-leak, scoped escrow vs per-call permit, application-vs-on-chain enforceability) have all landed in the threat model.

[musaabhasan]

For a pre-trade risk gate, I would keep the plugin as a decision-support/evaluator layer rather than letting it silently decide execution. The output shape should be explicit enough that downstream agents can explain why a trade was allowed, warned, or blocked.

Useful fields would be:

• recommendation: allow, warn, block
• confidence and reason_codes
• freshness: when each source was last checked
• source_breakdown: OFAC, GoPlus, source verification, anomaly heuristics, lookalike score
• policy_version: the ruleset used to combine signals
• override_required: whether human confirmation is needed

The hard part is stale or missing data. A newly deployed contract with no GoPlus classification should not look the same as a clean contract. I would encode unknowns as first-class states and let policy decide whether unknown means warn or block.

For testing, I would include negative cases for symbol lookalikes, proxy contracts, stale OFAC cache, unverified source, and conflicting signals across providers. That will make the plugin much easier to trust in autonomous trading graphs.

[mgopal20]

Three useful threads here — going to answer each against what's currently shipping vs. what's open.

On "first-class states for stale/missing data": shipped last week (server v0.11.73). When any underlying source (OFAC / paladin.anomaly / scam_intel) raises, the factor is now included in the response with signal: "unreachable", real: false, contributing 0 to risk_score. When all three raise simultaneously, recommendation is forced to "warn" rather than the prior silent "allow". The vector existed across the v0.11.5x patch window. Walkthrough with the actual response shape and the v0.11.62 lookalike-removal context: https://paladinfi.com/blog/trust-block-fail-closed-contract/. Plugin v0.1.1 patches landed today documenting the contract; npm install @paladinfi/eliza-plugin-trust@0.1.1 picks it up (no client code change required). If you want to verify the contract on your side: paid /v1/trust-check calls with all upstream sources mocked-unreachable produce three factors with signal: "unreachable" + real: false and recommendation: "warn".

On the suggested output fields: split into what we emit today vs. what's open.

• policy_version — yes, every response includes "version": "1.1" inside the trust block. Bumps on contract changes (v0.11.73 moved 1.0 → 1.1).
• source_breakdown — yes, the factors array gives per-source signal + details. Unreachable factors additionally carry real: false; healthy-source factors don't emit the real key.
• recommendation — yes, allow / warn / block as the gate primitive.
• freshness — not emitted per-factor today. OFAC is daily Treasury XML refresh (no hard staleness cap on the cache itself today — if Treasury XML breaks for an extended period the prior cache stays loaded; that's part of the same freshness-surfacing work). GoPlus + Etherscan are on-call. Reasonable v0.3.0+ schema candidate.
• confidence — not emitted today. We've held off because confidence-as-a-number can imply more calibration than the underlying signals support; risk_score is the honest aggregate today (0–100 weighted sum).
• override_required — recommendation already encodes this: block means the agent should abstain absent explicit human override. Adding a parallel override_required field would need a concrete integration story to justify the duplication.

On negative test cases: tests/v0.11.73/test_fail_closed.py covers per-source-raise, all-sources-raise, and OFAC-override-preserved. Proxy-contract and fresh-deploy patterns flow through paladin.anomaly (additive risk-score weighting). Stale OFAC cache: refresh runs daily; if a refresh fails the prior cache stays loaded with an audit-log warning (not currently surfaced as a per-factor signal, and no hard upper-bound on staleness — same gap as above). Conflicting-signal cases resolve today via additive risk_score weighting — e.g., one unreachable source (weight 0) + one anomaly-flagged signal (weight 30) lands at score 30 → warn. No explicit conflict-resolution policy beyond additive weighting; a discrete test category for this isn't in test_fail_closed.py and is a reasonable gap to close. We don't currently ship a public test corpus alongside the plugins; can publish on request if there's a specific use to design for.

The "treat unknowns as first-class states" framing maps cleanly to what we shipped and what's still open. Useful inputs as we scope v0.3.0; no schema commitments here.

[mgopal20]

Quick update against the design threads from this conversation — v0.3.0 has shipped (@paladinfi/eliza-plugin-trust@0.3.0).

v0.3.0 is the first public release; the prior internal v0.2.0 candidate was held back for a security-hardening sprint, which is now incorporated.

What was open in this thread → what's now in v0.3.0:

On signer-key custody + recovery (musaabhasan + MrTalecky threads). Each /v1/simulate response is signed by a 2-of-2 KMS pair (AWS account A + GCP), with a third independent key (AWS account B) signing the public events-mirror attestation. All three Ethereum addresses are pinned in an on-chain trust anchor — PaladinKeyRegistry at 0x30Bad67154C0115c5873b291cf3Dda120e508775 on Base. Both plugin AND server (post-v0.3.0 hardening) read the registry over a multi-RPC quorum on every refresh cycle — an attacker who controls one RPC cannot lie about the current pair on either side.

On rotation and the 7-day window. All key rotations + token-registry-hash changes + indexer-key changes go through a 7-day timelock at the contract level. The owner (a Gnosis Safe 2-of-3 at 0x824B874dE8E6FEFb99705F9f30097525c1722C2A) can propose*Change(...) immediately, but finalize*Change() reverts until the timelock elapses, and a 24h owner-only finalize window prevents permissionless front-running of a legitimate cancel. So every malicious rotation is publicly visible on-chain for at least 7 days before it can take effect; a customer running in keyTrustMode: 'pinned' locks to a specific pair and refuses to follow rotation entirely until they update their config.

On decision-support vs silent execution (musaabhasan's framing — "keep the plugin as a decision-support/evaluator layer"). Load-bearing in the design. The plugin's verifier returns a structured TrustState carrying the verified currentPair, pendingRotation (if any), revocation state, the bundled TOKEN_REGISTRY_HASH, and cache freshness. Downstream agents read that state explicitly — there is no "silently allow" path. When cache is stale + chain is unreachable across all RPCs, the plugin's keyTrustMode semantics decide:

• 'auto-rotate' (default): follow on-chain rotation events after the 7-day timelock; retry once then return STALE_TRUST_STATE on unreachable
• 'pinned': continue using the pinned pair as long as the on-disk cache HMAC verifies; refuse to swap to a different pair without operator-explicit config rotation

On state-diff visibility (Engineering thread). Every signed /v1/simulate response carries the full state-diff observed by the server-side Anvil simulator + a server-signed serverObservedTokenRegistryHash. v0.3.0 adds explicit chainId binding as a top-level signed envelope field (closes a defense-in-depth gap surfaced during the security audit — chainId was previously bound only transitively via requestHash). The plugin runs an independent client-side invariant validator on returned deltas before the wallet signs: third-token-drain check, In*/Out* family bounds, native ETH delta sanity. Layer 5 in the 6-layer defense.

On the EIP-3009 framing (MrTalecky's point about per-call authorizations). Held. v0.3.0's paid /v1/trust-check call still uses transferWithAuthorization per-call authorization with onBeforePaymentCreation pre-sign hook validating against hard-coded constants (treasury address, USDC contract, $0.01 amount cap, 10-min validity window, EIP-712 domain). The 6-field check fires before viem signs anything.

New in v0.3.0 (server release v0.12.0 + plugin v0.3.0 — note swap.paladinfi.com/health shows the co-deployed swap-router's 0.11.74; the simulator shares nginx but version-tracks separately):

• Typed-domain digest. The signing digest is now keccak256(keccak256("PaladinFi/simulate/v2") ‖ keccak256(JCS(body))) — structurally separated 32-byte domain constant + 32-byte body hash. Pre-hardening the domain separator was the raw apiVersion string, which was audit-flagged as structurally weak (cross-service replay defense was by-policy key segregation, not digest math).
• Wire format paladin-simulate-v1 → paladin-simulate-v2. Breaking change; pre-v2 not accepted by either side. apiVersion field server-side is now Literal["paladin-simulate-v2"] — v1 requests cleanly rejected with HTTP 422.
• EpochUnavailableError 503. Server fail-closed when on-chain epoch read fails in production. Pre-hardening would have silently fallen back to genesis epoch 0.
• retryToken HMAC scope expanded. HMAC binding now includes (request_hash, taker, ip_/24-or-/56_prefix, expires_at). Leaked tokens cannot replay across different takers or networks.
• x402 facilitator URL host-allowlist. Closes the env-override-to-attacker-host vector.
• XFF trusted-proxy guard. Defends against XFF spoofing when nginx is bypassed.

Honest scope notes (what v0.3.0 is NOT):

• Owner is PaladinFi-controlled. The Gnosis Safe 2-of-3 has all signer keys under operational control of a small team. The customer's defense against malicious rotation is the 7-day timelock + plugin sticky-revoked + keyTrustMode: 'pinned' + monitoring pendingRotation in the returned TrustState, not signer independence. A future release adds an independent third-party multisig signer.
• No truly independent simulator at Layer 4 yet. Layer 4 is our server-side Anvil. Layer 5 is the plugin's independent invariant re-validation of the claimed deltas (not a re-simulation). Truly independent simulation is on the roadmap but nontrivial — the Uniswap V3 callback pattern's CallbackTransferFailed() revert in stateOverride mode means generic publicClient.call({...}) doesn't generalize across all aggregator paths.
• RPC pool diversity is the customer's responsibility. Plugin's baseRpcUrls config selects providers; a compromised majority of the chosen quorum could feed stale state. No dedicated THREAT_MODEL section yet.
• Software-key KMS, not HSM-on-prem. AWS KMS + GCP Cloud KMS are FIPS 140-2 Level 1 (GCP HSM-backed at provider's level); cloud-provider operator + lawful-process exposure documented in THREAT_MODEL §§4-5.

Where to look:

• Release notes + quick-start: https://github.com/paladinfi/eliza-plugin-trust/releases/tag/v0.3.0
• Threat model: https://github.com/paladinfi/eliza-plugin-trust/blob/main/THREAT_MODEL.md
• Contract on Basescan: https://basescan.org/address/0x30Bad67154C0115c5873b291cf3Dda120e508775#code (verified source)
• Transparency mirror: https://swap.paladinfi.com/events.json (deferred to v0.4.0; signed by AWS Key Replace GPT-3.5 with Node Llama3 #3 when published)
• Plugin source: https://github.com/paladinfi/eliza-plugin-trust (tag v0.3.0)
• v0.3.0 e2e test pack + audit trail: https://github.com/paladinfi/paladinfi-contracts/tree/main/tests/v0.2.0/e2e (6 tests against the live deploy)

Open to questions on any of the above. Real-money signing on every paid call is the load-bearing security claim — pushback on threat-model framing is exactly the conversation we wanted from this thread.

— mgopal20

[MrTalecky]

The on-chain PaladinKeyRegistry + 7-day timelock + Gnosis Safe 2-of-3 owner combination is the structural shape that closes the right gap. The 24h owner-only finalize window is the part that's easy to underweight — it cuts the front-running surface for cancelling a malicious rotation, which is the failure mode that turns a "publish 7 days early" deterrent into a real one. Customers running in keyTrustMode: 'pinned' ignoring rotation entirely until config opts in is the matching defensive primitive — sticky-revoked-by-default is auditable from the agent side; auto-rotate is convenient but assumes the integrator monitors pendingRotation in returned TrustState. The fact that those two modes are explicit in the surface, not implicit in policy, is what makes the threat model legible.

The explicit chainId binding in the signed envelope is the move I'd flag specifically. Domain-separator-via-apiVersion-string is the kind of gap that doesn't surface until you cross-deploy or redeploy — we hit a structurally similar issue on the BackstopRouter + MarketLMSR redeploy (Feb 2026) where EIP-712 domain consistency across config / ABI / indexer / SDK consumers was the part that needed the most discipline. Moving chainId from "transitively bound via requestHash" to "top-level signed envelope field" makes the replay-defense logic checkable in one place, which is the right place for an audit finding to land.

One observation on the RPC quorum side worth surfacing in THREAT_MODEL.md: once registry reads are load-bearing for the trust path (not just trade execution), the customer's RPC selection becomes a security-critical input, not just an availability one. "Compromised majority of chosen quorum" generalizes from state reads to registry reads — same primitive, different consequence. Could be worth a one-paragraph callout that baseRpcUrls config now sits on the trust-anchor critical path, paired with the recommendation to use at least one read-only provider customers can audit independently (Base node providers with distinct AS / regulatory exposure rather than three regional endpoints of the same provider). That's the kind of detail integrators usually don't think about until after the fact.

[mgopal20]

Appreciate the deep read — the front-running surface on the 24h owner-only finalize is what we'd been calling the cancellation-race window internally; deterrent-vs-real is the cleaner framing.

Your point on the explicit-mode-surface is the load-bearing one. keyTrustMode: 'pinned' + sticky-revoked-by-default in the visible API was a deliberate move — auto-rotate as default would have been convenient but would have shifted the auditability burden onto the integrator's monitoring of pendingRotation. Putting both modes in the surface makes the legibility checkable from the agent side, which is the security primitive you flagged.

C-1 specifically: raw apiVersion string passed as domain separator into the digest. Adjacent family to the EIP-712 consistency drift your BackstopRouter + MarketLMSR redeploy hit — same lesson, domain separation needs to be structurally checkable, not by-policy. v0.3.0 ships the typed formula keccak256(keccak256("PaladinFi/simulate/v2") || keccak256(JCS(body))): both inputs are 32-byte hashes so the separation is in one checkable place.

Your RPC-quorum point on the trust-anchor critical path lands. The "distinct AS / regulatory exposure" framing is the right shape — a §RPC-Trust-Path paragraph in THREAT_MODEL.md will ship in v0.3.2 (next doc release, targeting this week). Will link the diff when it merges.

[mgopal20]

Follow-up to my reply above — shipped in v0.3.2:

• §13 commit: e1741c6
• Release: v0.3.2
• npm: @paladinfi/eliza-plugin-trust@0.3.2

3-adversary review (Security audit-mode + Maintainer + Domain Skeptic) on the paragraph caught a couple of overclaims I'd drafted on the stale-grace fallback path — specifically that "the plugin doesn't blindly trust any single RPC" was false during the 2-hour grace window where the plugin falls back to the last HMAC-verified cached state. §13 now discloses that explicitly as documented exposure rather than defense. The KNOWN_BASE_RPC_OPERATORS PaladinFi-classification gap (M&A drift could weaken the construction-time distinctness check) is called out as the failure mode the customer-side recommendation pattern defends against. Open to a re-read on the shipped wording if anything doesn't match your framing.

[MrTalecky]

The §13 disclosure shape is right — a bounded, documented 2-hour HMAC-verified fallback is categorically different from an undisclosed one. "The plugin doesn't blindly trust any single RPC" being false during the grace window is exactly the kind of precision that makes a threat model useful: integrators can design around a disclosed exposure; they can't design around a guarantee they believed was stronger than it was. The KNOWN_BASE_RPC_OPERATORS M&A-drift callout has the same character — the failure mode is named, the customer-side defense is explicit, and the gap between "distinct at classification time" and "distinct under M&A" is visible rather than assumed away.

Nothing in §13 conflicts with the framing I was pointing at. The through-line from registry reads load-bearing on the trust path → baseRpcUrls security-critical → operator guidance for provider diversity is the right layering. The honest exposure notes on the grace window and classification drift make the threat model stronger, not weaker — you can audit a documented exposure.