The wall between
AI and your assets.
Rampart is an attested, on-chain policy firewall between an autonomous agent's reasoning and its right to move funds. Manipulate the model all you want — the chain still says no.
Proof, not promises
Every contract. Every move. On the record.
These are the real transactions that deployed, wired, and exercised Rampart on Ritual Chain — including the circuit breaker firing on-chain. Status and block are pulled live from the chain.
| Action | Contract | Type | Block | Status | Tx |
|---|---|---|---|---|---|
| Firewall blocked: unauthorized target | RampartVault | Firewall | 34810167 | ✓ success | 0x3e5e…be7c |
| Firewall blocked: oversized tx | RampartVault | Firewall | 34810157 | ✓ success | 0xd77c…909c |
| Drawdown trips breaker | RampartVault | Breaker | — | ✓ success | 0x04b2…90cd |
| Report high-water mark | RampartVault | Breaker | — | ✓ success | 0xe485…420f |
| Set live LLM executor | RampartAgent | Config | 34773823 | ✓ success | 0x5ac7…366a |
| Authorize sentinel reporter | RampartVault | Wiring | 34770407 | ✓ success | 0x2fce…cc69 |
| Register agent controller | AgentRegistry | Wiring | 34770407 | ✓ success | 0xab6d…5632 |
| Deploy RampartVault | RampartVault | Deploy | 34770407 | ✓ success | 0x7d32…4536 |
| Deploy RampartAgent | RampartAgent | Deploy | 34770407 | ✓ success | 0xc939…b8e6 |
| Deploy RampartSentinel | RampartSentinel | Deploy | 34770407 | ✓ success | 0x8781…4858 |
| Deploy AgentRegistry | AgentRegistry | Deploy | 34770406 | ✓ success | 0x18de…ee59 |
| Deploy AuditAnchor | AuditAnchor | Deploy | 34770406 | ✓ success | 0xcc10…e748 |
Each transaction was verified successful on-chain at execution. Rows tagged live were re-confirmed against the RPC just now; open any hash on the explorer to verify independently.
The problem
Autonomous agents are being handed the keys — with nothing watching the door.
Prompt injection defeats guardrails
System prompts and RLHF live in the same context window as the attack. A few crafted inputs and the agent confidently signs a transaction it should never make.
Wallets are model-unaware
Multisigs and spending limits can't tell why a transfer happens. A manipulated agent passes every threshold a legitimate one would — the check is blind to intent.
Monitoring is too late
External monitors react after a transaction hits the mempool. For an agent that is the authorized signer, the damage is already done at signing time.
How it works
Reasoning proposes. The chain decides.
Rampart splits an agent into two: the part that thinks, and the part that's allowed to act. They never share trust.
Propose
The agent reasons off-chain inside a TEE (Ritual's LLM precompile, GLM-4.7-FP8) and proposes an action. Non-deterministic and manipulable — by design, it has no authority of its own.
Gate
A deterministic firewall runs on-chain in replicated EVM, checking the action against your policy: value caps, allowlists, slippage, daily limits, nonce. Fully trustless — no TEE required to enforce it.
Attest
The LLM verdict and the firewall decision are bound together and signed. The model is advisory; the on-chain rules are binding. Defense in depth — a fooled model still can't exceed policy.
Settle
Only actions that pass execute. Every allow and deny is anchored on-chain in a tamper-evident hash chain — a complete, verifiable audit trail anyone can replay.
Each step is a separate transaction, orchestrated by Ritual's Scheduler and two-phase async delivery — honoring the chain's one-async-call-per-tx rule.
What you get
Security that doesn't depend on the model behaving.
Deterministic on-chain firewall
Policy enforcement runs in replicated EVM — the single source of truth. No operator, node, or model can bypass it.
TEE-attested reasoning
The agent's LLM advisory runs once inside a hardware enclave and is verified by attestation, not re-run by every validator.
Circuit breaker
A drawdown threshold auto-pauses the vault. Proven live on-chain — a 20% drop flips the breaker and halts execution.
Tamper-evident audit
Every allow/deny is anchored in an on-chain keccak hash-chain. Replay it to prove exactly what happened, and why.
Timelocked policy
Policy changes are owner-signed and timelocked — no silent mid-incident edits to spending rules or allowlists.
Ritual-native
Built on superposition: a delegated call can read state a replicated transfer wrote in the same block. No other L1 does this natively.
Architecture
Three layers. One shared state. Zero blind trust.
The binding firewall
- RampartVault holds funds + policy
- Deterministic evaluate() gate
- Nonce / replay protection
- Circuit breaker + timelock
The reasoning
- LLM advisory (GLM-4.7-FP8)
- HTTP market data, attested
- Runs once, verified not replicated
- Never holds execution authority
The proof
- AuditAnchor hash-chain
- Agent + model registry
- Scheduler-driven health checks
- Every decision is replayable
Why Ritual
Ritual is the only L1 where Rampart is even possible — the deterministic firewall and the attested AI advisory share one state machine, natively.
Live on testnet
Deployed, verified, and provable.
Rampart is live on Ritual Chain (1979). The contracts below are real and verifiable on the explorer. The firewall blocks 5/5 attack scenarios in tests, and the circuit breaker has been tripped on-chain.
- ✓Deterministic firewall — fully trustless, replicated EVM
- ✓Circuit breaker fired live on a 20% drawdown
- ✓Every decision anchored in a tamper-evident hash chain
FAQ
Questions, answered.
Those are model-unaware. A manipulated agent passes the exact same thresholds a legitimate one would, because the check can't see intent. Rampart evaluates each proposed action against a deterministic policy and records the reason for every allow or deny — and pairs it with a TEE-attested LLM advisory.