Maki - hardware-signed onchain agent for everyday DeFi.
Built on Pi. Deterministic execution. Isolated keys. Local policy enforcement. Human-backed verification via World AgentKit.
One hard rule: the model interprets intent. It never moves funds.
- Skills are prompt-only. They shape intent and UX. They never build calldata. They never sign.
- Tools are typed. They invoke deterministic wallet-core and protocol adapters, not freeform model output.
- Every write is simulated, policy-checked, and rendered as a deterministic summary before it reaches the approval boundary.
- Signing is isolated behind a separate local signer over schema-strict IPC.
- World AgentKit serves as the proof layer: Maki can cryptographically prove it acts on behalf of a human-backed agent wallet.
- Secure Enclave - primary smart-account path
- Ledger - hardware-backed EOA path
Full agentic capability - natural-language intent, multi-step reasoning, tool use, protocol execution - with hardware-isolated key material between the model and the chain.
Maki does not trade power for safety. It enforces safety structurally: the model has the same reasoning and orchestration authority as any broad desktop agent, but signing keys, calldata construction, and fund movement are physically separated from the model runtime. The agent is capable. The keys are unreachable.
- First-party, deterministic execution path - no "let the model improvise shell commands until something works"
- Protocol and API responses are validated before entering the signing pipeline
- Local policy, human approval, and hardware-backed signing sit between the model and the chain
In broad agent runtimes, security depends on the model behaving correctly. Maki's design assumes it won't:
- Skills do not execute. They cannot silently introduce an exfiltration or shell-execution path.
- The wallet path is not exposed as arbitrary browser, file, or shell authority.
- Prompt injection into content is not trusted to "behave" - authority is structurally reduced and blast radius is narrowed by design.
- High-risk actions terminate at a hardware-backed approval boundary, not inside a general-purpose agent runtime.
Today, policy is enforced locally before signing. Next step: push the strongest controls into the smart account itself - spending limits, allowlists, automation scopes, and delayed admin actions.
npm install -g makiHomebrew is the target distribution from the original spec. For now, the clean-machine path is a global npm install.
On Apple Silicon Macs, the npm package includes a prebuilt native signer. If no compatible bundled signer is available, Maki falls back to building the signer locally.
Open one terminal for the signer:
maki signer startOpen a second terminal for the chat shell:
makiOn first launch, Maki runs a setup wizard that writes ~/.maki/config.yaml and ~/.maki/policy.yaml.
Maki currently supports two signer/account lanes:
- Secure Enclave smart account: the main ERC-4337 path
- Ledger EOA: a hardware-backed direct transaction path via Ledger/Speculos
Inside the chat shell:
/login
Create my smart account
Check my balance
Quote swapping 0.00001 ETH to USDC
Swap 0.00001 ETH to USDC
Send 0.00001 ETH to 0x...
Useful security commands:
/doctor
Get policy
Signer status
Get my account info
Verify that Maki is a human-backed agent
Maki follows a strict pipeline for writes:
interpret -> resolve -> build -> simulate -> policy check -> deterministic summary -> approve -> sign -> submit
The important part is that the LLM does not become execution truth. The model can ask for a transfer or a swap, but deterministic local code decides:
- which token/address was resolved
- which protocol/router is allowed
- what calldata gets built
- whether the action fits local policy
- what the human-readable summary says
That makes Maki much closer to a constrained transaction copilot than a broad autonomous workstation agent.
World AgentKit is integrated as an optional trust layer for protected remote endpoints.
- Maki can register its wallet as a human-backed agent.
- Maki can answer an AgentKit challenge and prove that a remote request is backed by a real human, not just a script.
- This improves trust for relay, automation, and protected API flows without weakening local self-custody.
Swap routing uses the Uniswap Trading API when configured with an API key. Phase 1 uses validated Uniswap V2/V3-backed routing.
- Get an API key from the Uniswap Developer Platform
- Add it to
~/.maki/config.yaml:
uniswapApiKey: YOUR_UNISWAP_API_KEYWhen uniswapApiKey is configured, quote_swap and build_swap use the Uniswap Trading API as the primary swap backend:
- Quote —
POST /quotereturns optimized routing across supported V2/V3 paths - Approval check —
POST /check_approvaldetermines if ERC-20 approval is needed - Swap —
POST /swapreturns an unsigned transaction targeting the Universal Router
All API responses are validated before entering Maki's signing pipeline:
- Swap targets must be known Uniswap Router contracts
- Chain IDs, recipients, token paths, input amounts, and min-out bounds must match the locally-resolved intent
- Approval calldata is decoded and bounded before signing
- Universal Router calldata is decoded and checked against the expected route semantics
- The full safety pipeline still applies: simulate → policy check → deterministic summary → Touch ID → sign → submit
Uses x-permit2-disabled: true for ERC-4337 smart account compatibility. Phase 1 supports CLASSIC, WRAP, and UNWRAP routing types. UniswapX (Dutch auction) support is deferred.
Without an API key, Maki falls back to on-chain Quoter V2 and local calldata construction.
Maki has a single local policy center in ~/.maki/policy.yaml covering:
- approval behavior by risk class
- per-tx and daily spending caps
- token / protocol / recipient allowlists
- dangerous-action rules
- automation permissions
These controls are enforced locally before signing. They are not on-chain smart-account limits yet. The roadmap is to push the hardest constraints on-chain so the account itself can enforce spending caps and allowlists even outside the main Maki UI.
- Global Pi session/auth state for Maki lives in
~/.maki/agent/ - Wallet config, policy, socket, and DB live in
~/.maki/ - On Apple Silicon Macs,
maki signer startuses the bundled native signer first and only falls back to a local Swift build if needed - The first real smart-account write flow still requires a funded smart account and a bundler API key
- Ledger EOA is available for a hardware-backed direct-signing path
- World AgentKit setup can be checked with
maki world statusandmaki world register
For the full Base Sepolia walkthrough, see docs/first-transaction.md.