Programmable Agent Multisig · Solana

Give your agent
a key.
Keep your hand
on the helm.

Helm is the security layer for autonomous agents on Solana. Where multisig was built for humans, Helm is built for agents — programmable policy, tiered execution, and human-in-the-loop veto.

View source How it works
Status
v0.1.0-alpha · Devnet
Tests
48 passing
Audit
Clippy + cargo audit clean
License
Apache-2.0
01 / Thesis

Multisig was built for humans.
Agents need their own.

An autonomous agent needs on-chain authority. Hand it an unrestricted private key and you've handed it the keys to the vault. Wrap it in a human-driven multisig and you've broken its latency budget on the first trade.

Helm sits between the agent and the chain. Every transaction passes through programmable policy: whitelisted programs, USD-denominated caps via Pyth, hourly limits, an optional off-chain validator, and a human guardian with last-word veto.

Three execution tiers — instant, timelocked, and manual. Real-time when the policy allows, human-checked when it doesn't.

02 / The Problem

Four failure modes existing tools share.

01 / Stolen agent key

The drain at 3am.

A jailbroken model. A leaked key. A prompt injection. The agent has unrestricted authority — by the time you wake up, the wallet is empty.

No second line of defense.
02 / Human-speed multisig

Wait three hours
for a market that moved.

Squads and Goki ship for human approval cycles. Trading agents work in milliseconds. The two latencies don't compose.

Built for humans, asked to run agents.
03 / Off-chain policy

Promises, not proofs.

"Our agent has spending limits." Where? In a SaaS dashboard you don't own. The policy isn't enforced — it's claimed.

If it's not on-chain, it isn't real.
04 / Audit trail gaps

What did the agent
try to do?

Most setups don't record rejected proposals. A compromised agent can probe limits silently, learning where the rails are without leaving evidence.

Forensic blind spots are exit ramps.
03 / System

Three tiers, one vault.

Tier 01Instant

Whitelist + cap = green light.

Small transfers to whitelisted programs, under per-tx and hourly USD caps, execute inline in the same instruction. Sub-second. The agent never waits.

~1 slot latency
Tier 02Timelocked

Above the cap. Below the alarm.

Larger transactions queue as on-chain pending PDAs. The guardian has a configurable window to veto. After the timelock expires, anyone can execute. The agent moves; the human can intercept.

30s+ veto window
Tier 03Manual

Off the rails. Human first.

Forbidden programs, non-allowlisted tokens, hourly cap exhaustion — all rejected outright. Ambiguous cases require explicit guardian approval before they can execute.

100% human gated
04 / Built For

Operators who already think on-chain.

[ TRADER ] [ HFT ] [ DEFI ]

Trading desks

Run a market-making or arbitrage agent without trusting it with the full treasury. Set hourly caps in USD. Whitelist the DEX programs you actually use. Veto anything that looks wrong.

The agent moves fast. You set the bounds.
[ DAO ] [ TREASURY ] [ STEWARD ]

DAO treasuries

Delegate operational spending to a programmatic agent — subscriptions, contributor payments, recurring grants — under transparent on-chain policy. Multisig signers veto only when something deviates.

Less ops, more oversight.
[ BUILDER ] [ SDK ] [ INTEGRATE ]

Agent platforms

Building an agent product? Don't ship your own custody. Wrap user wallets in Helm vaults, expose proven primitives, give your users a security model they understand.

Outsource trust. Keep velocity.
[ SOLO ] [ INDIE ] [ EXPERIMENT ]

Solo builders

Running an experimental agent on your own funds? Configure a strict policy, fund a vault, and let the agent operate inside boundaries you set. Mistakes hit caps, not principal.

Mistakes, capped.
05 / Status

Live on devnet. Pre-audit.

The current binary is deployed to Solana devnet. SDK, hello-agent, and guardian CLI all run end-to-end against it. Not deployed to mainnet. Not audited. For testing and research only.

10
On-chain instructions
48
Tests passing
0
Clippy warnings
0
Audit findings
364
KB SBF binary
on devnet
Program ID
GCKPM4m6XT4gBQGoXhXxmRaQ1gtAMS2EVzauhcRFAv2t
Latest Tag
v0.1.0-alpha.3
06 / Roadmap

Four phases. Built in public.

Phase 01
Foundation
10 on-chain instructions. Tiered execution model. Pyth-priced USD caps. Off-chain validator hook. Fail-closed defaults. 48 integration tests. SDK + reference agent + guardian CLI. Devnet deployed.
Shipped
Phase 02
Hardening
Verifiable Docker build. Pyth V2 migration. Audit firm engagement. Mainnet deployment candidate. Published SDK on npm. Reference agent extended to Jupiter swaps.
In progress
Phase 03
Trust
M-of-N guardians. Social recovery. Multi-agent vaults. Telegram-based remote guardian. Permissioned validator marketplace. Cross-program permission scopes.
Planned
Phase 04
Ecosystem
Reference agents for major DeFi protocols. Vault-as-a-service for agent platforms. Composable policy modules. Cross-chain bridge for non-Solana agents.
Planned

The shape of the thing
is real now.

Three weeks ago this was a spec. Today it runs on devnet, end-to-end. Open source, pseudonymous, auditable.

Read the source Follow @helmprotocol