Emotional Hook: At 3am, Sam, the lone ops engineer at a 12-person fintech, got paged: their payroll-running AI agent, fed a poisoned cycle file, tried to push a disbursement it was never authorized to make. It didn't clear, because the grant behind it was scoped, capped, and revocable. Nobody had been managing those grants. Wardix is the control plane that issues, watches, and revokes them.
- GitHub Repository: github.com/edycutjong/wardix
- Live Console: wardix.edycu.dev
- Demo Video: https://youtu.be/aYhjJqaob7c
- Real testnet demo: `npm run demo:real` (four live verdicts from `tee:delegation` / `tee:payroll`)
- Sponsor Bounty tracks:
  - Best Agent utilizing Terminal 3 Agent Auth SDK ($300) (Primary)
  - Bug Discover Bounty ($200) (Verified findings in BUGS.md)
Enterprises are handing real authority to AI agents that run jobs and move money. But there's no IAM for agentic workflows. Who did the org delegate, to which agent, for which functions, until when, and how do you revoke a compromised agent right now and prove it? A prompt-injected agent shouldn't be able to act outside its grant, and someone needs to manage those grants.
Terminal 3's enforcement primitive is the User-to-Agent Delegation Credential: a principal signs a scoped, capped, time-boxed grant authorizing a specific agent (by its secp256k1 public key) to call specific functions on a contract; the agent signs each invocation; the deployed contract verifies the whole chain inside an Intel TDX enclave and runs the action only if every check passes.
Wardix is a did:t3n control plane built on @terminal3/t3n-sdk that makes that primitive operable:
- Grant: Issues a real delegation credential via the TEE custodial signer (`tee:delegation/contracts::sign`): scoped functions + validity window.
- Invoke: Submits a real delegated invocation to the deployed `tee:payroll` contract and surfaces the contract's own verdict.
- Revoke: `tee:delegation/contracts::revoke`; the agent's next call is denied immediately.
- Observe: Records every allow/deny with the live node's `request_id` in the console verdict feed.
Every verdict below is the real contract's, captured live from testnet:
| Scenario | Verdict | Reason (from tee:delegation) |
|---|---|---|
| In-scope call, valid grant | ✅ allow | authorized by tee:delegation |
| Function not in the grant | ❌ deny | function_not_allowed |
| After on-chain revoke | ❌ deny | credential_revoked |
| Grant past its window | ❌ deny | Expired |
Run it yourself: npm run demo:real (needs a funded T3N_SANDBOX_TOKEN).
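The verification chain behind those four verdicts can be modelled locally. The sketch below is an added example, not Wardix or Terminal 3 code: the grant and invocation field names, the JSON encoding, the check order and the two signature-failure reasons are assumptions; only `function_not_allowed`, `credential_revoked` and `Expired` come from the table above. It also shows that a grant whose scope is widened after signing fails the principal's signature check.

```javascript
// Added example: a simplified local model, NOT Terminal 3's credential format.
const crypto = require('node:crypto');
const newKey = () => crypto.generateKeyPairSync('ec', { namedCurve: 'secp256k1' });
const pem = (pub) => pub.export({ type: 'spki', format: 'pem' });
// JSON.stringify stands in for a canonical encoding (fine inside one process).
const bytes = (obj) => Buffer.from(JSON.stringify(obj));
const sign = (obj, priv) => crypto.sign('sha256', bytes(obj), priv).toString('base64');
const verify = (obj, sig, pubPem) => crypto.verify('sha256', bytes(obj), pubPem, Buffer.from(sig, 'base64'));

// Principal signs a grant naming the agent key, allowed functions and a window.
function issueGrant(principal, agentPub, functions, notBefore, notAfter) {
  const body = { id: crypto.randomUUID(), agent: pem(agentPub), functions, notBefore, notAfter };
  return { body, sig: sign(body, principal.privateKey) };
}

// Agent signs each invocation; the grant id is part of the signed payload.
function invoke(agent, grant, fn) {
  const call = { grantId: grant.body.id, fn };
  return { call, sig: sign(call, agent.privateKey) };
}

// Verifier: allow only if every check passes. The last three reasons are the
// ones listed on this page; the signature reasons are hypothetical names.
function verdict(principalPub, grant, inv, revoked, now) {
  const deny = (reason) => ({ verdict: 'deny', reason });
  if (!verify(grant.body, grant.sig, pem(principalPub))) return deny('bad_grant_signature');
  if (inv.call.grantId !== grant.body.id || !verify(inv.call, inv.sig, grant.body.agent))
    return deny('bad_agent_signature');
  if (revoked.has(grant.body.id)) return deny('credential_revoked');
  if (now < grant.body.notBefore || now >= grant.body.notAfter) return deny('Expired');
  if (!grant.body.functions.includes(inv.call.fn)) return deny('function_not_allowed');
  return { verdict: 'allow', reason: 'authorized' };
}

function runScenarios() {
  const org = newKey(), agent = newKey(), revoked = new Set();
  const grant = issueGrant(org, agent.publicKey, ['compute-payroll'], 1000, 2000);
  const check = (g, fn, now) => verdict(org.publicKey, g, invoke(agent, g, fn), revoked, now).reason;
  const widened = { ...grant, body: { ...grant.body, functions: ['execute-disbursement'] } };
  const out = {
    inScope: check(grant, 'compute-payroll', 1500),
    outOfScope: check(grant, 'execute-disbursement', 1500),
    tampered: check(widened, 'execute-disbursement', 1500),
    expired: check(grant, 'compute-payroll', 2500),
  };
  revoked.add(grant.body.id);
  out.afterRevoke = check(grant, 'compute-payroll', 1500);
  return out;
}
```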
Console screenshots: in-scope call → ✅ allow | out-of-scope call → ❌ deny | revoked / expired → ❌ deny
Every verdict is the tee:delegation contract's own decision, returned live from testnet with a real request_id.
```mermaid
graph TD
W["Wardix control plane (did:t3n)"] -->|"signCustodial"| D["tee:delegation/contracts\n verify cred + agent sig"]
W -->|"revokeDelegation"| D
A["Agent (delegated invocation)"] -->|"executeAndDecode"| D
D -->|"in-scope / not revoked / not expired"| P["tee:payroll/contracts\n run function"]
D -->|"function_not_allowed / credential_revoked / Expired"| X["deny"]
P --> C["Wardix console (verdict feed)"]
X --> C
```
- `tee:delegation/contracts`: `sign` (issue grant) + `revoke`, the agent-auth core.
- `tee:payroll/contracts`: the scoped delegated target (`compute-payroll`, `execute-disbursement`, …).
- `tee:user/contracts`: `did:t3n` identity + TEE-managed wallet.
- Auth: `handshake` → `authenticate` (`createEthAuthInput`); custodial signing via `DelegationCustodialClient`.
- Attestation: `verifyTdxQuote` / `verifyDkgAttestation` (Intel TDX).
- Node.js >= 18
```bash
# Clone the repository
git clone https://github.com/edycutjong/wardix.git
cd wardix
# Install dependencies
npm install
```

Copy the example environment file:

```bash
cp .env.example .env.local
```

Then set `T3N_SANDBOX_TOKEN` to a funded testnet dev tenant private key (claim one from the Terminal 3 Sandbox portal). This same key acts as the org + agent in the demo. See `.env.example` for `T3N_ENV`, `T3N_LIVE`, and the pinned `T3N_PAYROLL_VERSION`.

Issue a real delegation grant and submit real delegated invocations to the live `tee:payroll` contract, printing four contract-issued verdicts (allow / out-of-scope / revoked / expired), each with a node `request_id`:

```bash
npm run demo:real
```

With `T3N_LIVE=1` and a funded token set, `POST /api/verify` runs the same real flow through the app:

```bash
curl -s -X POST http://localhost:3000/api/verify \
  -H 'Content-Type: application/json' \
  -d '{"functions":["compute-payroll"],"call":"execute-disbursement"}'
# → { "verdict":"deny", "reason":"function_not_allowed…", "requestId":"…" }
```

Run the Vitest suite (UI, the live `/api/verify` route, and adapter verdict classification):

```bash
npx vitest run
```

Run the Next.js development server:

```bash
npm run dev
```

Open http://localhost:3000 to view the live dashboard.
6-stage pipeline: Quality → Security → Build → E2E → Performance → Deploy
```bash
# ── Code Quality ────────────────────────────
npm run lint            # ESLint
npm run typecheck       # TypeScript check
npm run test            # Run tests
npm run test:coverage   # Coverage report
npm run ci              # Full quality gate
# ── Advanced Testing ────────────────────────
npm run e2e             # Playwright E2E tests
npm run e2e:ui          # Playwright interactive mode
npm run lighthouse      # Lighthouse CI audit
# ── Security ────────────────────────────────
npm audit                           # dependency vulnerabilities
npx license-checker --production    # license compliance
```

| Layer | Tool | Status |
|---|---|---|
| Code Quality | ESLint + TypeScript | ✅ |
| Unit Testing | Vitest (19 tests) | ✅ |
| E2E Testing | Playwright (3 suites) | ✅ |
| Security (SAST) | CodeQL | ✅ |
| Security (SCA) | Dependabot + npm audit | ✅ |
| Secret Scanning | TruffleHog | ✅ |
| Performance | Lighthouse CI | ✅ |
Detailed ADK feedback and documentation recommendations are available in BUGS.md.
This project is licensed under the MIT License © 2026 Edy Cu.



