WalletPermissionGuard (sec.walletpermissionguard)
Category: Security · Status: planned · Readiness: Spec started · Tags: frozen, flagship
What it does
Enforce that each strategy can only call the wallet methods the user has explicitly granted, scoped per session.
Pipeline placement
Runs after: Strategy OrderIntent and Risk guardrails → WalletPermissionGuard → Runs before: Any order signing or submission
Applies to: Every pending order before signature
Why it matters
| If this fails | Consequence |
|---|---|
| Strategy calls an unauthorized wallet method | Unexpected asset movement or signing actions outside the user-granted scope, undermining non-custodial guarantees. |
| Method whitelist not enforced | A compromised strategy could sign arbitrary orders, draining pUSD balances. |
| Permission scope not session-bound | Stale grants from a previous session silently persist, violating least-privilege. |
Inputs
Polymarket inputs
| Input | Source | Required | Use |
|---|---|---|---|
| Pending order contract address and method | clob_auth | required | Check that the target contract method is on the per-strategy whitelist. |
| CTFExchangeV2 method signatures | onchain | required | Validate that the called method exists and is recognised in the V2 ABI. |
Internal inputs
| Input | Source | Required | Use |
|---|---|---|---|
| Per-strategy method whitelist and contract allowlist | Admin UI | required | Authoritative grant set for each strategy session. |
| Active session expiry timestamp | SessionKeyManager | required | Reject calls from expired sessions. |
| KillSwitch active flag | KillSwitch | required | Hard reject all calls when kill switch is active. |
Authority
What this bot is permitted to do: Reject, Pause
State
Readiness: Spec started
Status: planned
Class: Guardrail
Default mode: shadow_only
Developer owner: Polytraders core
Capital impact: Critical
Reason codes emitted
| Code | Severity | Meaning | Action |
|---|---|---|---|
| KILL_SWITCH_ACTIVE | HARD_REJECT | Global kill switch is active. | Immediately return DENY. |
| SESSION_KEY_EXPIRED | HARD_REJECT | The active session key has expired. | Return DENY; prompt user to re-authorise. |
| WALLET_PERMISSION_DENIED | HARD_REJECT | Method or contract not in session whitelist, or size cap exceeded. | Return DENY and emit security alert. |
| PERMISSION_SCOPE_WARN | WARN | Order size is between 80% and 100% of max_per_call_size_usd. | Log warning; continue to next check. |
| SESSION_ABOUT_TO_EXPIRE | INFO | Session expires within require_reapproval_h hours. | Emit INFO; notify user to prepare re-authorisation. |
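The table above fixes the reason codes but not how the checks combine. The following is an added reference implementation of that evaluation order, written for this page and not Polytraders' own code: the three HARD_REJECT checks short-circuit in the order kill switch, session expiry, whitelist/size cap, and the WARN and INFO signals are only emitted once every hard check has passed. The parameter names max_per_call_size_usd and require_reapproval_h come from the page; the data shapes, the shadow_only semantics (verdict computed and recorded but the enforced decision is ALLOW), the treatment of an unknown ABI method as a WALLET_PERMISSION_DENIED detail, and all sample values (contract address, method names, sizes, timestamps) are assumptions constructed for the example.

```python
"""Added example (not Polytraders code): reference evaluation of the
WalletPermissionGuard checks.  Data shapes, evaluation order, shadow-mode
semantics and all sample values are assumptions made for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

HARD_REJECT, WARN, INFO = "HARD_REJECT", "WARN", "INFO"


@dataclass(frozen=True)
class PendingOrder:
    strategy: str
    contract: str          # target contract address (would come from clob_auth)
    method: str            # target method name (would come from clob_auth)
    size_usd: float


@dataclass
class SessionGrant:
    """Per-strategy grant set (Admin UI) plus session expiry (SessionKeyManager)."""
    contracts: frozenset           # contract allowlist
    methods: frozenset             # method whitelist
    max_per_call_size_usd: float
    expires_at: datetime


@dataclass
class Verdict:
    decision: str = "ALLOW"        # what the guard concluded
    enforced: str = "ALLOW"        # what is returned to the pipeline (shadow-aware)
    codes: list = field(default_factory=list)   # (code, severity, detail)

    def add(self, code, severity, detail):
        self.codes.append((code, severity, detail))

    def code_names(self):
        return [c for c, _, _ in self.codes]


def evaluate(order, grant, *, kill_switch_active, known_abi_methods,
             require_reapproval_h, now, shadow_only=True):
    """Run the guard checks in order; any HARD_REJECT short-circuits.

    shadow_only=True models the page's default mode: the verdict is
    recorded but never enforced (assumed semantics for this example).
    """
    v = Verdict()
    if kill_switch_active:
        v.add("KILL_SWITCH_ACTIVE", HARD_REJECT, "global kill switch active")
    elif now >= grant.expires_at:
        v.add("SESSION_KEY_EXPIRED", HARD_REJECT,
              f"session expired at {grant.expires_at.isoformat()}")
    else:
        problems = []
        if order.method not in known_abi_methods:
            problems.append(f"method {order.method!r} not recognised in V2 ABI")
        if order.contract not in grant.contracts:
            problems.append(f"contract {order.contract} not in session allowlist")
        if order.method not in grant.methods:
            problems.append(f"method {order.method!r} not in session whitelist")
        if order.size_usd > grant.max_per_call_size_usd:
            problems.append(f"size {order.size_usd} > cap {grant.max_per_call_size_usd}")
        if problems:
            # Caller is expected to emit a security alert on this code.
            v.add("WALLET_PERMISSION_DENIED", HARD_REJECT, "; ".join(problems))
        else:
            # Soft signals, reached only after every hard check passed.
            if order.size_usd >= 0.8 * grant.max_per_call_size_usd:
                v.add("PERMISSION_SCOPE_WARN", WARN, "size within 80-100% of cap")
            if grant.expires_at - now <= timedelta(hours=require_reapproval_h):
                v.add("SESSION_ABOUT_TO_EXPIRE", INFO, "re-authorisation due soon")
    if any(sev == HARD_REJECT for _, sev, _ in v.codes):
        v.decision = "DENY"
    v.enforced = "ALLOW" if shadow_only else v.decision
    return v


# Constructed sample inputs (placeholder address, illustrative method names).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
LATER = NOW + timedelta(hours=3)            # a clock value past the grant expiry
ABI_METHODS = frozenset({"fillOrder", "fillOrders", "cancelOrder"})  # assumed subset
GRANT = SessionGrant(
    contracts=frozenset({"0xEXCHANGE_PLACEHOLDER"}),
    methods=frozenset({"fillOrder", "cancelOrder"}),
    max_per_call_size_usd=1000.0,
    expires_at=NOW + timedelta(hours=2),
)


def demo(order, **overrides):
    """Evaluate `order` against GRANT with enforcing defaults; overrides vary one input."""
    kw = dict(kill_switch_active=False, known_abi_methods=ABI_METHODS,
              require_reapproval_h=4, now=NOW, shadow_only=False)
    kw.update(overrides)
    return evaluate(order, GRANT, **kw)


if __name__ == "__main__":
    for o in (PendingOrder("nba-line-shop", "0xEXCHANGE_PLACEHOLDER", "fillOrder", 900.0),
              PendingOrder("nba-line-shop", "0xEXCHANGE_PLACEHOLDER", "fillOrders", 100.0)):
        print(o.method, o.size_usd, demo(o))
```

Running the block prints one verdict per sample order: the 900 USD fillOrder is allowed with PERMISSION_SCOPE_WARN and SESSION_ABOUT_TO_EXPIRE attached, while fillOrders is denied because it is in the ABI but not in the session whitelist. The split between `decision` and `enforced` is what lets a strategy "re-pass shadow": the same code path runs in shadow_only mode and in enforcing mode, so the recorded verdicts can be compared before the guard is allowed to block signing.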
Related bots in Security
Used by
Reverse index — strategies that currently reference sec.walletpermissionguard. If you change this bot's authority or reason codes, these strategies must re-pass shadow.
| Strategy | State | Activity |
|---|---|---|
| NBA props — line-shop | demo-wired | last triggered 22m ago |
(demo-wired ≠ production-live)
Why this matters
Security bots do NOT propose or execute trades; they only guard signing and wallet operations. Understanding the authority boundary prevents misuse and makes promotion-gate reviews faster and more reliable.