Skip to content

add covenant-bento: screen via Bento's firewall + a labeled on-chain reputation signal#110

Open
mizuki0x wants to merge 1 commit into
mainfrom
feat/bento
Open

add covenant-bento: screen via Bento's firewall + a labeled on-chain reputation signal#110
mizuki0x wants to merge 1 commit into
mainfrom
feat/bento

Conversation

@mizuki0x

Copy link
Copy Markdown
Contributor

What this adds

A covenant-bento crate that consumes Bento Guard from inside the Covenant daemon, as two MCP tools, both off by default.

  • bento.screen runs your protect() over a natural-language intent and returns the verdict. It goes through a Node sidecar running your real @bentoguard/sdk, not a reimplementation, so the MagicBlock encryption and signing stay in your SDK. The agent key never reaches the daemon: it forwards a keypair file path, and only the sidecar reads it. Every screen has a hard timeout and fails closed (blocks) on any guard failure.
  • bento.reputation reads an agent's on-chain Bento standing (strikes, lock state) into a labeled soft signal, sitting alongside Covenant's audit-derived reputation, never blended into it.

Lane discipline

Covenant honors your verdict; it does not re-score intent or rebuild the firewall. A screen result is labeled a third-party firewall verdict, a reputation read a third-party soft signal. We consume your verdict and your on-chain record, we do not reproduce either.

What's verified

  • 24 tests, clippy and fmt clean, live-verified end to end through a booted daemon: screen returns the verdict through the real spawn/stdin/stdout contract; a hung guard fails closed via timeout and kill (not a stall); injection-shaped input is rejected.
  • @bentoguard/sdk 1.2.8 installs from public npm and the sidecar imports resolve; package-lock.json is committed.
  • The one thing not yet live is a real protect() call, which needs a Bento-registered agent.

What we need from you

  1. The reputation read is wired up to the on-chain decode, which is a marked seam returning a pending status until you publish the Action PDA program id, seeds, and account layout. The getAccountInfo fetch underneath is built and tested, so it is a small change on our side once the layout lands.
  2. Beta access, or a registered agent, so the live protect() screening goes from stub-verified to live.

Scope

We consume Bento as a firewall and reputation source. Setup, including the sidecar and every env var, is in docs/integrations/bento.md.

bento.screen runs an intent through bento's protect() via a node sidecar
(real @bentoguard/sdk, agent key stays in the sidecar, mirrors the x402
signer) and returns the verdict, failing closed if the guard is down.
bento.reputation reads an agent's on-chain bento standing into a labeled
soft signal, blocked only on bento publishing the program id and account
layout (the one seam). both off by default behind COVENANT_BENTO_ENABLED;
screening needs COVENANT_BENTO_PROTECT_ENABLED plus a guard binary,
reputation needs COVENANT_BENTO_PROGRAM_ID.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant