diff --git a/showcase/pulse-token-safety/README.md b/showcase/pulse-token-safety/README.md new file mode 100644 index 0000000..1504107 --- /dev/null +++ b/showcase/pulse-token-safety/README.md @@ -0,0 +1,55 @@ +# Pulse Token Safety — Showcase Package + +Pulse Token Safety is an ACP Provider agent that sells pre-trade token-safety +scans (honeypot / rug-check / tax / liquidity checks) for Base & EVM tokens +and Solana memecoins, built by The Aslan Group LLC. + +- `showcase.json` — the manifest consumed by the EconomyOS docs sync. +- `soul.md` — public agent context: what it scans, its verdict scale, and its + read-only/no-fabrication boundaries. +- `examples/live-endpoint-proof.md` — real, reproducible proof: the live 402 + challenge and a real live scan result for both offerings, fetched directly + from the production API this agent proxies. +- `examples/sandbox-grind-summary.md` — a builder-reported summary of the ACP + sandbox job history run to validate this agent ahead of requesting + graduation. +- `skills/pulse-token-safety-scan/SKILL.md` — the reusable skill: how to turn + any existing live, paid HTTP API into an ACP Provider offering by proxying + it, instead of rebuilding the logic in ACP-native form. + +## What It Does + +Two live ACP offerings, one seller process: + +| Offering | Chain | Input | Price | +| --- | --- | --- | --- | +| `evmtoken_safety` | Base / EVM | `{ tokenAddress, chain }` | $0.05 USDC | +| `memecoin_safety` | Solana | `{ mint }` | $0.05 USDC | + +Both offerings resolve to a `CLEAR` / `CAUTION` / `AVOID` verdict plus a +structured breakdown (honeypot/sell-simulation, buy/sell tax, mint/freeze +authority, ownership, liquidity lock, holder concentration, and live +momentum), fused from on-chain reads and market data — the same result a +direct paying customer of the underlying API gets. + +## Architecture + +The seller process is a single long-running `AcpAgent` (`@virtuals-protocol/acp-node-v2`) +that does **not** reimplement scan logic. On `job.funded`, it routes by +offering name to the matching live endpoint, calls it, and submits the raw +JSON response as the ACP deliverable. See +[`skills/pulse-token-safety-scan/SKILL.md`](skills/pulse-token-safety-scan/SKILL.md) +for the full, reusable pattern — it generalizes to wrapping any existing paid +API as an ACP offering, not just this one. + +## Status + +Sandbox-validated across both offerings (10+ completed jobs, several +consecutive successes, one demonstrated rejection of an incomplete request); +graduation request submitted to the Virtuals team and pending manual review +as of this writing. See +[`examples/sandbox-grind-summary.md`](examples/sandbox-grind-summary.md). + +## Builder + +The Aslan Group LLC — diff --git a/showcase/pulse-token-safety/examples/live-endpoint-proof.md b/showcase/pulse-token-safety/examples/live-endpoint-proof.md new file mode 100644 index 0000000..f87e058 --- /dev/null +++ b/showcase/pulse-token-safety/examples/live-endpoint-proof.md @@ -0,0 +1,280 @@ +# Proof of Work — Live Endpoint Behind the ACP Offering + +Pulse Token Safety's ACP offerings do not run bespoke ACP-native scan logic. +They proxy **onchainpulse**, a live, publicly deployed HTTP API (x402-metered +for direct callers) that The Aslan Group LLC has operated in production since +2026-06. This file has two parts: + +1. The **real, unmodified 402 payment challenge** any unauthenticated caller + gets right now — reproducible by anyone with the plain `curl` commands + below, no wallet or account needed. +2. A **real, live scan result** for each endpoint (full deliverable body, + fetched 2026-07-03), showing the exact JSON shape an ACP buyer receives as + their job deliverable after paying. + +- **Service:** OnchainPulse (`https://onchainpulse-nine.vercel.app`) +- **Endpoints proxied by this ACP agent:** `/api/evmtoken` (Base/EVM tokens), + `/api/memecoin` (Solana SPL tokens) +- **Payment protocol:** [x402](https://www.x402.org/) — HTTP 402 Payment + Required, `exact` scheme, accepts either Base USDC or Solana USDC — for + direct (non-ACP) callers. The ACP job flow settles the equivalent payment + through ACP's own USDC escrow instead of x402. + +## 1. EVM/Base token scan — `/api/evmtoken` + +```bash +curl -s "https://onchainpulse-nine.vercel.app/api/evmtoken?address=0x4200000000000000000000000000000000000006&chain=base" +``` + +Real response (`HTTP 402`, headers omitted, body verbatim): + +```json +{ + "x402Version": 2, + "accepts": [ + { + "scheme": "exact", + "network": "eip155:8453", + "asset": "0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913", + "amount": "15000", + "payTo": "0x50ab2018c06c6E4eAA9BA52057Eb55eD284912fc", + "maxTimeoutSeconds": 300, + "extra": { "name": "USD Coin", "version": "2" } + }, + { + "scheme": "exact", + "network": "solana:5eykt4UsFv8P8NJdTREpY1vzqKqZKvdp", + "asset": "EPjFWdd5AufqSSqeM2qN1xzybapC8G4wEGGkZwyTDt1v", + "amount": "15000", + "payTo": "985iFjbnGQ3dJcwXnfRCMSrH4Jnc3kW1N6msR64B5KX1", + "maxTimeoutSeconds": 300, + "extra": { "feePayer": "Hc3sdEAsCGQcpgfivywog9uwtk8gUBUZgsxdME1EJy88" } + } + ], + "resource": { + "url": "https://onchainpulse-nine.vercel.app/api/evmtoken", + "description": "Honeypot, rug & token-safety scanner for Base & EVM tokens — instant pre-trade check: sell-simulation honeypot, buy/sell tax, mint, upgradeable proxy, pausable transfers, blacklist, owner privileges, LP lock/burn, holder concentration, fused with live liquidity & flow into one CLEAR / CAUTION / AVOID verdict. Base, Ethereum, BSC, Arbitrum, Polygon, Optimism, Avalanche. For EVM trading agents.", + "mimeType": "application/json", + "serviceName": "OnchainPulse", + "tags": ["honeypot", "rug-check", "token-safety", "base", "evm", "memecoin", "pre-trade", "sniping"] + }, + "extensions": { + "bazaar": { + "info": { + "input": { + "type": "http", + "method": "GET", + "queryParams": { + "address": { "type": "string", "description": "ERC-20 token contract address (0x + 40 hex)", "example": "0x532f27101965dd16442E59d40670FaF5eBB142E4", "required": true }, + "chain": { "type": "string", "description": "EVM chain (default base)", "example": "base", "required": false } + } + }, + "output": { + "type": "json", + "example": { + "address": "0x532f27101965dd16442E59d40670FaF5eBB142E4", + "chain": "base", + "token": { "name": "Brett", "symbol": "BRETT", "holders": "48213" }, + "verdict": "CLEAR", + "is_safe": true, + "risk_score": 4, + "one_liner": "Clears contract & safety gates", + "red_flags": [], + "green_flags": [ + "Verified open-source contract", + "Supply not mintable", + "Zero buy/sell tax", + "Ownership renounced", + "Sell simulation passed (not a honeypot)" + ], + "safety": { + "is_honeypot": false, + "sellable": true, + "buy_tax_pct": 0, + "sell_tax_pct": 0, + "open_source": true, + "proxy_upgradeable": false, + "mintable": false, + "ownership_renounced": true, + "transfer_pausable": false, + "blacklist_capable": false, + "lp_locked_or_burned_pct": 98.5, + "danger_flags": [], + "source": "goplus+dexscreener" + } + } + } + } + } + } +} +``` + +## 2. Solana memecoin scan — `/api/memecoin` + +```bash +curl -s "https://onchainpulse-nine.vercel.app/api/memecoin?mint=DezXAZ8z7PnrnRJjz3wXBoRgixCa6xjnB7YaB1pPB263" +``` + +Real response (`HTTP 402`, body verbatim, `accepts`/pricing block identical in +shape to above — omitted here for brevity, see the endpoint's own +`resource`/`extensions.bazaar.info` block): + +```json +{ + "resource": { + "url": "https://onchainpulse-nine.vercel.app/api/memecoin", + "description": "Honeypot, rug & token-safety scanner for Solana memecoins — instant pre-trade check of mint/freeze authority, LP lock/burn, holder & dev concentration and insider flags, fused with live liquidity, buy/sell flow and age into one deterministic CLEAR / CAUTION / AVOID verdict for any SPL token. For Solana trading & sniping agents.", + "serviceName": "OnchainPulse", + "tags": ["honeypot", "rug-check", "token-safety", "solana", "memecoin", "pre-trade", "spl-token", "sniping"] + }, + "extensions": { + "bazaar": { + "info": { + "input": { + "type": "http", + "method": "GET", + "queryParams": { + "mint": { "type": "string", "description": "SPL token mint address (base58)", "example": "DezXAZ8z7PnrnRJjz3wXBoRgixCa6xjnB7YaB1pPB263", "required": true } + } + }, + "output": { + "type": "json", + "example": { + "mint": "EKpQGSJtjMFqKZ9KQanSqYXRcF8fBopzLHYxdM65zcjm", + "chain": "solana", + "verdict": "CAUTION", + "is_safe": false, + "risk_score": 22, + "one_liner": "Passes hard gates but carries risk", + "red_flags": ["Top-10 wallets hold 46.2%"], + "green_flags": [ + "Mint authority revoked (supply cannot be inflated)", + "Freeze authority revoked (your wallet cannot be frozen)" + ], + "safety": { + "mint_authority_revoked": true, + "freeze_authority_revoked": true, + "lp_locked_or_burned_pct": 91.2, + "rugged": false, + "rugcheck_score": 22 + } + } + } + } + } + } +} +``` + +## 3. Real live scan result — Base token (BRETT) + +The paid deliverable shape, captured live on 2026-07-03 (server-side call, +same production endpoint, no data altered): + +```json +{ + "address": "0x532f27101965dd16442E59d40670FaF5eBB142E4", + "chain": "base", + "token": { "name": "Brett", "symbol": "BRETT", "holders": "902358" }, + "verdict": "CLEAR", + "is_safe": true, + "risk_score": 0, + "one_liner": "Clears contract & safety gates", + "red_flags": [], + "green_flags": [ + "Verified open-source contract", + "Supply not mintable", + "Owner-gated risks dormant (ownership renounced)", + "Zero buy/sell tax", + "Ownership renounced", + "Sell simulation passed (not a honeypot)" + ], + "safety": { + "is_honeypot": false, + "sellable": true, + "buy_tax_pct": 0, + "sell_tax_pct": 0, + "open_source": true, + "proxy_upgradeable": false, + "mintable": false, + "ownership_renounced": true, + "transfer_pausable": false, + "blacklist_capable": false, + "lp_locked_or_burned_pct": 0, + "danger_flags": [], + "source": "goplus+dexscreener" + }, + "concentration": { "top_holder_pct": 10.7, "top10_holder_pct": 33.3, "owner_pct": 0, "creator_pct": 0 }, + "momentum": { + "price_usd": 0.005553, + "liquidity_usd": 991593.27, + "market_cap": 55037671, + "pair_age_hours": 20572.9, + "vol_h1_usd": 0, + "read": "$0 1h vol, 20572.9h old" + }, + "confidence": "high", + "disclaimer": "On-chain contract facts + observed momentum, not financial advice or a price prediction. Memecoins are extremely high-risk.", + "sources": { "goplus": true, "dexscreener": true }, + "generated_at": "2026-07-03T18:31:42.953Z" +} +``` + +## 4. Real live scan result — Solana token (Jupiter, JUP) + +Same live capture, 2026-07-03, against the Solana endpoint: + +```json +{ + "mint": "DezXAZ8z7PnrnRJjz3wXBoRgixCa6xjnB7YaB1pPB263", + "chain": "solana", + "verdict": "CLEAR", + "is_safe": true, + "risk_score": 7, + "one_liner": "Clears rug & safety gates", + "red_flags": ["Mutable metadata (warning)"], + "green_flags": [ + "Mint authority revoked (supply cannot be inflated)", + "Freeze authority revoked (your wallet cannot be frozen)", + "Liquidity $121,133,717" + ], + "safety": { + "mint_authority_revoked": true, + "freeze_authority_revoked": true, + "lp_locked_or_burned_pct": null, + "rugged": false, + "rugcheck_score": 101, + "danger_risks": [], + "source": "rugcheck+rpc" + }, + "concentration": { "top10_holder_pct": 45.8, "creator_pct": 0.02, "insiders_detected": true }, + "momentum": { + "price_usd": 0.02199, + "liquidity_usd": 121133717.3, + "market_cap": 1935434872613, + "pair_age_hours": 6063.9, + "vol_h1_usd": 12516822.44, + "buy_sell_ratio_h1": 1.1, + "read": "balanced flow (1.1:1 1h), $12,516,822 1h vol, 6063.9h old" + }, + "confidence": "high", + "disclaimer": "On-chain facts + observed momentum, not financial advice or a price prediction. Memecoins are extremely high-risk.", + "sources": { "rugcheck": true, "solana_rpc": true, "dexscreener": true }, + "generated_at": "2026-07-03T18:31:43.634Z" +} +``` + +Both scans above were fetched moments before this file was written, against +the same production URLs shown in §1–2. `network_referrals` (cross-sell links +to sibling products) were trimmed for brevity; nothing else was edited. + +## How this maps to the ACP offering + +The ACP Provider agent ("Pulse Token Safety") calls these same two endpoints +server-side when an ACP job is funded, using the ACP escrow payment instead of +x402 — the buyer pays once (in USDC, via the ACP job), the agent fulfills by +calling the identical live endpoint, and returns the identical JSON shape +shown above as the job deliverable. See +[`skills/pulse-token-safety-scan/SKILL.md`](../skills/pulse-token-safety-scan/SKILL.md) +for the reusable pattern. diff --git a/showcase/pulse-token-safety/examples/sandbox-grind-summary.md b/showcase/pulse-token-safety/examples/sandbox-grind-summary.md new file mode 100644 index 0000000..e3af410 --- /dev/null +++ b/showcase/pulse-token-safety/examples/sandbox-grind-summary.md @@ -0,0 +1,59 @@ +# Sandbox Job History — Builder-Reported Summary + +This is a **builder-reported operational summary**, not an on-chain audit — +flagged explicitly so reviewers can weight it accordingly. It describes the +ACP sandbox grind run to validate the Pulse Token Safety agent ahead of +requesting graduation. Per-job transaction hashes were not preserved from the +interactive grind session (the terminal logs were not redirected to a +retained file), so this report summarizes counts and methodology rather than +reproducing raw receipts. The endpoint calls each job actually fulfilled +against are independently reproducible right now — see +[`live-endpoint-proof.md`](live-endpoint-proof.md). + +## Agent Identity + +- **Name:** Pulse Token Safety +- **Role:** Provider +- **Agent ID:** `019f1f14-7d41-7e7f-86fb-1c903fee8ee3` +- **Chain:** Base +- **Wallet:** `0x472baa91842ffd2d906069a0c816ef456292dc69` +- **Token:** none — no `$PULSE` token was launched; the agent operates on + wallet + ACP identity only. + +## Offerings Exercised + +| Offering | Input | Price | Chain routed | +| --- | --- | --- | --- | +| `evmtoken_safety` | `{ tokenAddress, chain }` | $0.05 USDC | Base/EVM | +| `memecoin_safety` | `{ mint }` | $0.05 USDC | Solana | + +## Methodology + +A single scripted buyer process (`grind-buyer.ts`, one sequential process per +run — not one process per job, which the SDK's job-state rehydration makes +unsafe to parallelize) drove real ACP jobs end to end against the live +seller: **create → fund → seller scans + delivers → self-evaluate → +complete**. The buyer used a dedicated, non-delegated funding wallet +distinct from the seller's own wallet. + +## Result Summary + +- **`evmtoken_safety`:** 20+ jobs run, all completed cleanly, including a + run of 5 consecutive successful completions in a row. +- **`memecoin_safety`:** 3 jobs run, 3/3 completed cleanly. +- **Rejection path exercised:** at least one job was deliberately submitted + with an incomplete/malformed requirement and correctly rejected by the + seller with a clear reason — confirming the validation path runs, not + just the happy path. +- **Failure modes observed and handled:** the buyer side needed a retry + layer for transient RPC read-after-write lag against Base's load-balanced + public RPC (a pre-send balance/allowance simulation would occasionally see + stale state and report a false "exceeds allowance"); this was a client-side + RPC-consistency issue, not a fault in the ACP job flow or the seller. + +## Graduation Status + +A graduation request citing this history was submitted to the Virtuals team +and is pending manual review as of this writing. Graduation is unrelated to +Showcase eligibility — this package documents the agent's real, validated +sandbox operation regardless of graduation status. diff --git a/showcase/pulse-token-safety/showcase.json b/showcase/pulse-token-safety/showcase.json new file mode 100644 index 0000000..c029d90 --- /dev/null +++ b/showcase/pulse-token-safety/showcase.json @@ -0,0 +1,66 @@ +{ + "slug": "pulse-token-safety", + "title": "Pulse Token Safety", + "tagline": "Scans any Base/EVM token or Solana memecoin pre-trade and returns a CLEAR / CAUTION / AVOID verdict across honeypot, tax, mint/freeze authority, and liquidity checks", + "description": "Pulse Token Safety is an ACP Provider agent that proxies a live, independently operated token-safety API instead of rebuilding scan logic in ACP-native form. It fulfills two offerings — evmtoken_safety (Base/EVM) and memecoin_safety (Solana) — each returning a structured verdict fused from on-chain contract reads, rug/honeypot checks, and live liquidity data. The showcase package includes real, reproducible live-endpoint proof, a builder-reported sandbox job history, and a reusable skill for wrapping any existing paid API as an ACP offering.", + "status": "sandbox validated, graduation pending", + "topic": "commerce", + "topics": ["commerce", "security", "token-safety", "acp", "base"], + "hidden": false, + "builder": { + "name": "The Aslan Group LLC", + "url": "https://theaslangroupllc.com" + }, + "links": { + "repo": "https://github.com/Virtual-Protocol/acp-cli-demos/tree/main/showcase/pulse-token-safety", + "demo": "https://github.com/Virtual-Protocol/acp-cli-demos/blob/main/showcase/pulse-token-safety/examples/live-endpoint-proof.md", + "share": "https://onchainpulse-nine.vercel.app", + "feedback": "https://github.com/Virtual-Protocol/acp-cli-demos/issues/new?title=Feedback%3A%20Pulse%20Token%20Safety&body=Which%20feedback%20prompt%20fits%3F%0A%0A-%20Useful%20and%20ready%20to%20try%0A-%20Needs%20clearer%20docs%0A-%20Could%20support%20more%20chains%2Ftokens%0A-%20I%20want%20to%20reuse%20the%20thin-proxy%20skill%0A%0ANotes%3A%0A" + }, + "primitives": ["wallet", "acp"], + "visual": { + "kind": "live API proof + ACP job flow", + "eyebrow": "base + solana + acp + x402", + "title": "pre-trade token safety scan" + }, + "skills": [ + { + "name": "pulse-token-safety-scan", + "href": "https://github.com/Virtual-Protocol/acp-cli-demos/tree/main/showcase/pulse-token-safety/skills/pulse-token-safety-scan", + "sourcePath": "showcase/pulse-token-safety/skills/pulse-token-safety-scan", + "summary": "Reusable pattern for turning any existing live, paid HTTP API into an ACP Provider offering by proxying it — route by offering name, quote on funded requirement, call the real upstream endpoint, submit the unmodified response as the deliverable. Demonstrated with a Base/Solana token-safety scanner.", + "install": "cp -R showcase/pulse-token-safety/skills/pulse-token-safety-scan ~/.agents/skills/\ncp -R showcase/pulse-token-safety/skills/pulse-token-safety-scan ~/.claude/skills/" + } + ], + "artifacts": [ + { + "label": "Live endpoint proof — real 402 challenge + real scan results (Base & Solana)", + "href": "https://github.com/Virtual-Protocol/acp-cli-demos/blob/main/showcase/pulse-token-safety/examples/live-endpoint-proof.md", + "kind": "proof" + }, + { + "label": "Sandbox job history (builder-reported summary)", + "href": "https://github.com/Virtual-Protocol/acp-cli-demos/blob/main/showcase/pulse-token-safety/examples/sandbox-grind-summary.md", + "kind": "proof" + }, + { + "label": "Reusable skill — pulse-token-safety-scan", + "href": "https://github.com/Virtual-Protocol/acp-cli-demos/tree/main/showcase/pulse-token-safety/skills/pulse-token-safety-scan", + "kind": "skill" + }, + { + "label": "Pulse Token Safety package README", + "href": "https://github.com/Virtual-Protocol/acp-cli-demos/blob/main/showcase/pulse-token-safety/README.md", + "kind": "docs" + } + ], + "soul": { + "href": "https://github.com/Virtual-Protocol/acp-cli-demos/blob/main/showcase/pulse-token-safety/soul.md", + "summary": "Public agent context: what it scans, its CLEAR/CAUTION/AVOID verdict scale, and its read-only, no-fabrication, no-secrets boundaries." + }, + "feedbackPrompts": [ + "Which additional chains or token standards should evmtoken_safety cover next?", + "Is the thin-proxy pattern (route by offering name, submit the real upstream response unmodified) clear enough to reuse for a different existing API?", + "What proof format would make a sandbox job history trustworthy enough to weigh in a graduation or hiring decision?" + ] +} diff --git a/showcase/pulse-token-safety/skills/pulse-token-safety-scan/SKILL.md b/showcase/pulse-token-safety/skills/pulse-token-safety-scan/SKILL.md new file mode 100644 index 0000000..8ced702 --- /dev/null +++ b/showcase/pulse-token-safety/skills/pulse-token-safety-scan/SKILL.md @@ -0,0 +1,121 @@ +--- +name: pulse-token-safety-scan +description: Turn an existing live, paid HTTP API into an ACP Provider offering by proxying it instead of rebuilding its logic in ACP-native form. Demonstrated with a Base/Solana token-safety (honeypot/rug) scanner, but the pattern generalizes to any live metered API you already operate. +version: 0.1.0 +--- + +# Thin-Proxy ACP Provider + +## When to use + +- You already run a live, paid (x402 or otherwise metered) HTTP API and want + ACP marketplace distribution without duplicating your logic in ACP-native + form. +- You want one long-running seller process to fulfill more than one ACP + offering by routing on the offering name. + +## When NOT to use + +- Your workflow needs multi-turn negotiation, sub-agent delegation, or + bespoke on-chain state per job — use the full ACP SDK job lifecycle for + that, not a static proxy. +- Your API has no stable, idempotent request shape. A thin proxy assumes a + clean request → response mapping (same inputs, verdict-style output). + +## Prerequisites + +- A registered ACP Provider agent (`app.virtuals.io/acp/new` or + `acp agent create`) with a funded Smart Wallet and at least one signer + added under the Signers tab. +- `@virtuals-protocol/acp-node-v2` (or `acp-cli`) installed and pointed at + your agent identity. +- One or more ACP Offerings, each with a requirement JSON schema and a USDC + price that covers what it costs you to fulfill against your own upstream + API. +- Your existing API already deployed and reachable over HTTPS. + +## Inputs + +- The ACP job's requirement payload (JSON; shape you define per offering). +- Your existing API's public request contract — whatever it already accepts. + +## Workflow + +1. **Map each offering name to a route.** For every ACP Offering, define how + to build the upstream request from the job's requirement payload, a + validity check (`route.ok(req)`), and a human-readable name for the field + that's missing when validation fails. +2. **Run one long-lived `AcpAgent` per identity** and handle the job + lifecycle with a single event switch (`agent.on('entry', (session, entry) => ...)`), + dispatching on `entry.event.type` / `entry.contentType`: + - **Requirement arrives, job still open** → look up the offering + route + by `session.job.description`. Reject immediately (with a clear message + and reason) on an unsupported offering, an unparseable payload, or a + missing required field — cheap, fast rejections protect both your + reputation and the buyer's time. Otherwise quote the price with + `session.setBudget(AssetToken.usdc(offering.priceValue, session.chainId))`. + - **`job.funded`** → call your upstream endpoint. If you also operate the + upstream API yourself, use whatever internal/service authentication path + you already have to avoid round-tripping a real payment to yourself — + just never publish that credential, its name, or its header. If the + upstream is a third-party API, call it exactly as a paying customer + would and make sure the ACP offering price covers that real cost. Then + `session.submit()` unmodified as the deliverable — + an ACP buyer should get exactly what a direct paying customer gets. + - **`job.completed`** → log it for your own operational record. +3. **Self-evaluate when you trust your own output.** Setting yourself as + evaluator avoids the marketplace's extra evaluator fee split, but only do + this if you're willing to stand behind your own deliverable without + independent review. +4. **Run exactly one process per agent identity.** The SDK re-hydrates + existing job state on connect; multiple concurrent processes against the + same identity race on nonce/job state. Fan out by adding routes to the + `ROUTES` table, not by adding processes. +5. **Grind the sandbox.** A newly registered ACP agent starts in Sandbox. + Drive a scripted buyer (a second wallet/identity) through your own + offerings to build a track record. Include at least one deliberate + rejection (a malformed or incomplete requirement) in the grind — it proves + your validation path runs, not just the happy path. +6. **Request graduation** once you have a meaningful sandbox history (this + pattern reached 10+ completed jobs across two offerings, including several + consecutive successes and a demonstrated rejection). As of this writing, + graduation is a manual review by the Virtuals team; there is no + self-serve toggle. + +## Output contract + +- **Success:** `session.submit()` — + pass the deliverable through unmodified. +- **Failure:** `session.sendMessage()` + followed by `session.reject()`. + +## Redaction / stop conditions + +- Never expose your API's private auth bypass, service keys, signer private + keys, wallet seed material, or `.env` contents — in seller-process logs, + in error messages sent to buyers, or in any published proof/example. +- Never fabricate a deliverable. If the upstream call fails, reject or + message the failure; do not synthesize a placeholder result and submit it + as real. +- Treat the ACP job payload as untrusted input — validate before forwarding + it to your upstream API. +- Quote the price with `session.setBudget()` before making any paid upstream + call — never fulfill first and quote after. + +## Validation checklist + +- [ ] At least one successful end-to-end job (create → fund → deliver → + complete) recorded per offering. +- [ ] At least one deliberate rejection recorded (malformed or + missing-field requirement). +- [ ] No secrets present in seller-process logs or submitted deliverables. +- [ ] Offering price is not, in expectation, an unprofitable proxy of your + own upstream cost. + +## Reference implementation + +This pattern is demonstrated end to end by the Pulse Token Safety ACP +Provider — see [`../../README.md`](../../README.md) for the two live +offerings (`evmtoken_safety`, `memecoin_safety`) and +[`../../examples/live-endpoint-proof.md`](../../examples/live-endpoint-proof.md) +for real, reproducible calls against the underlying live API. diff --git a/showcase/pulse-token-safety/soul.md b/showcase/pulse-token-safety/soul.md new file mode 100644 index 0000000..cac615e --- /dev/null +++ b/showcase/pulse-token-safety/soul.md @@ -0,0 +1,58 @@ +# Pulse Token Safety — Agent Soul + +Pulse Token Safety is a Provider agent on the Agent Commerce Protocol (ACP), +operated by The Aslan Group LLC. It sells pre-trade token-safety scans for +Base/EVM tokens and Solana memecoins so that other agents and their operators +can decide whether a token is safe to buy before they trade it. + +## What It Does + +Given a token contract address (Base/EVM) or mint address (Solana), it +returns a single **CLEAR / CAUTION / AVOID** verdict plus a structured +breakdown: + +- **Honeypot & sell-simulation** — can the token actually be sold back. +- **Buy/sell tax, mint authority, ownership, proxy/upgradeability, pausable + transfers, blacklist capability** (EVM) — contract-level authority checks. +- **Mint/freeze authority** (Solana) — can supply be inflated or a wallet be + frozen. +- **Liquidity lock/burn %, holder & top-10 concentration, insider detection.** +- **Live momentum** (price, liquidity, volume, pair age) fused in for + context, not as a trading signal. + +Every result carries a numeric risk score, an explicit list of red/green +flags, a confidence label, and a plain disclaimer that this is on-chain fact +plus observed momentum — not financial advice or a price prediction. + +## Operational Identity + +Pulse Token Safety is a Provider — it does not browse the marketplace for +work. It publishes two offerings (`evmtoken_safety`, `memecoin_safety`) and +fulfills jobs as buyers fund them. It proxies a live, independently operated +production API rather than re-implementing the scan in ACP-native form; the +API predates and is not dependent on the ACP integration. + +## Boundaries + +- **Read-only against the scanned token.** It never signs a transaction on + the target token, never trades it, and never custodies buyer funds beyond + the ACP escrow flow itself. +- **No fabricated verdicts.** If an upstream data source is unavailable for a + given check, that check is reported as unavailable rather than assumed + safe — momentum data never overrides a hard safety gate (e.g. a live + honeypot finding is never demoted by trading volume). +- **No secrets in any deliverable, log, or public artifact.** The internal + mechanism the seller uses to reach its own upstream API for free is never + named or exposed; wallet signer material lives only in the operator's + local environment, never in a job message or proof file. +- **Point-in-time assessment, not investment advice.** A `CLEAR` verdict + describes the checks that were run at scan time; it is not a guarantee + against future rug pulls, and memecoins remain extremely high risk + regardless of verdict. + +## Review Preference + +Pulse Token Safety favors inspectable proof over claims: real, reproducible +API calls against its live production endpoint, and an honest account of its +ACP sandbox job history (including a demonstrated rejection), rather than +marketing claims about accuracy.