Architecture
Steward is the single chokepoint between an AI agent and the outside world. Every API call, every transaction, every secret access flows through Steward, gets policy-checked, gets logged, gets metered.
Three Pillars
Wallet Vault
Encrypted key storage with policy-enforced signing. Agents never see private keys.
Secret Vault
Encrypted credential storage with an API proxy. Agents never see API keys.
Policy Engine
Declarative policy evaluation on every action. Default deny.
High-Level Flow
Request Flow: API Proxy
When an agent makes an API call (e.g., to OpenAI):
Request Flow: Wallet Signing
When an agent needs to sign a transaction:
Deployment Topology
Agent containers can be firewalled to only reach the Steward proxy. Even if fully compromised, an agent cannot exfiltrate data to arbitrary endpoints.
Multi-Tenant Isolation
Steward is multi-tenant by design:
- Tenants are isolated at the database level: each tenant’s agents, secrets, and policies are scoped
- Agents authenticate with JWTs scoped to their tenant and agent ID
- Secrets are encrypted with per-tenant encryption keys (key hierarchy: master → tenant → secret)
- Policies are evaluated per-agent within their tenant context
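The master → tenant → secret hierarchy can be modelled as AES-256-GCM envelope encryption, where each level wraps the key below it and a record sealed for one tenant fails authentication under any other. This is an added example, not Steward's code: the function names, the IV | tag | ciphertext layout, the AAD strings, and the key-wrapping model are assumptions, and the master key is taken as already derived (the Argon2id step is omitted).

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

type Tenant = { tenantId: string; wrappedKey: Buffer };
type SecretRecord = { name: string; wrappedKey: Buffer; body: Buffer };

// Hypothetical envelope layout (not Steward's): 12-byte IV | 16-byte GCM tag | ciphertext.
function seal(key: Buffer, plaintext: Buffer, aad: string): Buffer {
  const iv = randomBytes(12); // fresh nonce per encryption; never reuse one under the same key
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(aad, "utf8"));
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]);
}

function unseal(key: Buffer, blob: Buffer, aad: string): Buffer {
  const decipher = createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  decipher.setAAD(Buffer.from(aad, "utf8"));
  decipher.setAuthTag(blob.subarray(12, 28));
  // final() throws if the key, the AAD, or the ciphertext differs from what was sealed.
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
}

// master -> tenant: the tenant key is random and only ever stored wrapped by the master key.
function newTenant(master: Buffer, tenantId: string): Tenant {
  return { tenantId, wrappedKey: seal(master, randomBytes(32), `tenant:${tenantId}`) };
}

// tenant -> secret: each secret gets its own data key, wrapped by the tenant key.
// The AAD binds every blob to its tenant and secret name, so records cannot be swapped.
function storeSecret(master: Buffer, tenant: Tenant, name: string, value: string): SecretRecord {
  const tenantKey = unseal(master, tenant.wrappedKey, `tenant:${tenant.tenantId}`);
  const aad = `secret:${tenant.tenantId}:${name}`;
  const dataKey = randomBytes(32);
  return { name, wrappedKey: seal(tenantKey, dataKey, aad), body: seal(dataKey, Buffer.from(value, "utf8"), aad) };
}

function readSecret(master: Buffer, tenant: Tenant, rec: SecretRecord): string {
  const tenantKey = unseal(master, tenant.wrappedKey, `tenant:${tenant.tenantId}`);
  const aad = `secret:${tenant.tenantId}:${rec.name}`;
  const dataKey = unseal(tenantKey, rec.wrappedKey, aad);
  return unseal(dataKey, rec.body, aad).toString("utf8");
}

// True when reading `rec` in the context of `tenant` is rejected by GCM authentication.
function isRejected(master: Buffer, tenant: Tenant, rec: SecretRecord): boolean {
  try { readSecret(master, tenant, rec); return false; } catch { return true; }
}
```

A record stored for one tenant reads back only through that tenant's wrapped key; a row that is copied into another tenant's scope or renamed is rejected rather than decrypted.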
Tech Stack
| Component | Technology |
|---|---|
| API Server | Hono on Bun |
| Database | PostgreSQL (Neon) |
| Encryption | AES-256-GCM with Argon2id key derivation |
| EVM Signing | viem |
| Solana Signing | @solana/web3.js |
| ORM | Drizzle |
| SDK | TypeScript, zero dependencies |