Guarded Execution
Approved football expenses become exact, one-time WDK payment capabilities. The wallet policy must reject changed recipients, tokens, amounts, accounts, chains, expiries, and consumed lifecycle states.
01
PaymentRequest
02
Domain approval policy
03
Immutable PaymentIntent
04
WDK policy evaluation
05
Quote and prepare
06
Direct guarded receipt
Exact PaymentIntent capability
Payment request
120 MockUSDT · atomic 120000000
Intent hash
0xcc740f28733b0afc3f9e093afd471be607d72c08248018690660096b59747a39
Ephemeral WDK account
0x9091f6e7e6041F80774E50Ea8E70Ffa9f2E97247
Real WDK proof
- SDK
- @tetherto/wdk
- Wallet module
- @tetherto/wdk-wallet-evm
- Network
- Sepolia
- Capability schema
- v1
- Fee quote
- Unsupported for placeholder token
- Prepared
- true
- Broadcast
- false
- Secrets persisted
- false
npm run wdk:policy-demo:jsonPolicy decisions
| Scenario | Result |
|---|---|
Insufficient approvals WDK native transaction policy denied the transaction: PaymentIntent is not in an executable lifecycle state. | DENY |
Exact authorized intent WDK native transaction policy allowed the exact PaymentIntent transaction. | ALLOW |
Changed amount WDK native transaction policy denied the transaction: governed-but-unmatched. | DENY |
Changed recipient WDK native transaction policy denied the transaction: governed-but-unmatched. | DENY |
Changed token WDK native transaction policy denied the transaction: governed-but-unmatched. | DENY |
Wrong chain WDK native transaction policy denied the transaction: governed-but-unmatched. | DENY |
Wrong treasury account WDK native transaction policy denied the transaction: governed-but-unmatched. | DENY |
Expired intent WDK native transaction policy denied the transaction: PaymentIntent is not in an executable lifecycle state. | DENY |
First valid signing attempt WDK allowed and signed the exact provider-derived no-broadcast transaction. | SIGNED |
Second use of same intent WDK native transaction policy denied the transaction: PaymentIntent has already been consumed. | DENY |
Audit journal
Proof provenance
- Generated
- 2026-07-10T07:55:16.048Z
- Source commit
- 2ff29786fd6b0c90ac32bf2e92ab46b8902dee78
- Artifact SHA-256
- 532dea2737cf3112220f201f55dbd607592c5ea8d367bfd27b2e65c506b202da
- Content hash
- 1ffeafc3cdd4d173543af2f66330332e545c2b7e36a1d52d72ccf3f2f77754b2
- Token bytecode
- missing-contract
- Gas limit
- 22086
Deterministic TeamTreasury execution proof
This is a separate deterministic local proof: PaymentRequest → PaymentIntent → WDK policy → WDK signature → TeamTreasury → MockUSDT transfer → execution receipt. MockUSDT is a local test token and is not official USDt. No real funds or public-chain broadcast are used.
Domain governance
Trusted roster, atomic amount, approval threshold, canonical PaymentIntent.
WDK signer enforcement
Exact contract call ALLOW/DENY, no modified calldata, one-time application consumption.
TeamTreasury on-chain enforcement
Captain/Treasurer approvals, expiry, exact MockUSDT transfer, and contract replay prevention.
PaymentIntent hash
0xa8ec2c9ab6394ee26204b3b200222a92b9dbf1bf48c5136e8ffa24dec067af8d
TeamTreasury / request
0xCf7Ed3AccA5a467e9e704C703E8D87F634fB0Fc9 · #0
WDK executor
0x32fb550Fe394dfcb50F453BBE97dACb75446f333
WDK policy / signing
ALLOW · signed true · approvals signed true
Atomic transfer
120000000 MockUSDT atomic units
Recipient balance
0 → 120000000
Broadcast boundary
Local true · public testnet false · mainnet false
Receipt verification
status 1 · execution event true · transfer event true
| Tamper / replay check | Result |
|---|---|
| changed-request-id | DENY |
| changed-calldata | DENY |
| second-app-use | DENY |
Artifact SHA-256: 6cacb92e47ae92ba806eb7df4f62be0be031efc4f0c2ba9b1ab52f3f78aec478 · source commit: 6f44c82aa688020c11c92a6a5982cbce5e870981
WDK replay: PaymentIntent has already been consumed. Contract replay: RequestAlreadyExecuted.
Runtime boundary
- The browser visualizes generated Node/CI proof data.
- Real WDK native policy simulation and signing run in Node because WDK depends on native runtime capabilities.
- The placeholder MockUSDT address has no Sepolia bytecode and is not described as a functional token contract.
- No transaction was broadcast.
- No seed phrase, private key, mnemonic, or funded wallet is persisted.