Architecture

Sigil Agents are LLM-driven workflows bound to a TEE-custodied wallet, a policy schema, and a curated tool surface. The platform is opinionated: you don’t bring your own agent runtime — you pick a template and the runner knows what tools to register, what the system prompt should say, and what policy fields to enforce server-side.

The five templates

Payment

Pays vendors, payroll, refunds. Allow-listed recipients, EUR caps per tx and per day enforced server-side.

Trading

Swaps via 0x Protocol with slippage and USD caps. Multi-EVM.

Treasury

Fiat ↔ crypto via Bit2Me. Buys/sells with EUR, withdraws to allow-listed wallets only.

Compliance

Pre-flight gate for transfers. Scores destination + recipient + tx shape, writes a Drive report, auto-allows under threshold, routes high-risk to the Reviews queue.

Orchestrator

Reads inputs, plans, delegates to specialists over A2A. No wallet of its own.

The runner

Every run executes inside a single Cloud Run Jobs instance that loads the agent, builds a tool registry, then enters a Send → tool_uses → tool_results loop with the Anthropic API. The loop terminates when the LLM emits final_answer, the step cap is hit, the token budget is exhausted, or a tool requests a pause.

Three loop properties matter for product correctness:

  1. Tools are policy-gated server-side. A tool call that violates an allowlist or cap returns ErrToolNotInvocable. The LLM receives the error as a tool_result with is_error=true so it can adapt, but it cannot bypass the check.
  2. tool_use ids flow through context so a tool that wants to pause the run knows which call it’s pausing on.
  3. Pause and resume preserve message history verbatim in agent_runs.paused_messages so resume re-enters the loop with the same state.

Agent-to-Agent (A2A)

Sigil ships a pragmatic subset of the A2A protocol. Each agent has:

  • A Discovery card at GET /v1/agents/{id}/.well-known/agent-card.json (public)
  • A JSON-RPC endpoint at POST /v1/agents/{id}/a2a (bearer auth) supporting tasks/send and tasks/get

For in-org delegation (Orchestrator → Compliance, Compliance → specialist), the runner skips the HTTP round-trip and spawns a child run locally with parent_run_id set. The parent pauses with status=awaiting_delegate; the child’s terminal state triggers the parent’s resume automatically. See Pause and resume.

For external callers, the same JSON-RPC endpoint is exposed publicly with a Sigil-issued as_live_… bearer token.

Connectors

Tools beyond the built-ins come from connectors: curated adapters the operator binds to an agent. Two credential models:

  • OAuth (Google Drive, Sheets): BYO OAuth client + redirect dance.
  • API key (Bit2Me, Compliance providers): single-form paste of label + key + secret (+ optional TOTP seed for vendors that demand 2FA on writes).

Credentials are KMS envelope-encrypted with AAD bound to the connection id. The runner decrypts on demand and wipes the buffer immediately after each adapter call.

See Connectors for the full list and BYO setup.

Policies, recap

Three layers, top-down. Each layer can refuse a tool call; none can be bypassed by the LLM:

  1. Org-wide rules (Sigil platform): hard kill-switches per destination, chain, asset.
  2. Agent template defaults: built into the system prompt + tool set.
  3. Agent config: operator-supplied — allowed_recipients, max_per_tx_eur, block_score_threshold, report_drive_folder_id, allowed_outputs, etc.

See Policies for the data model and how each layer intercepts a call.
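
A sketch of the server-side gate described in loop property 1 under The runner and in the three layers above, as an added Go example; it is not Sigil's code. ErrToolNotInvocable, allowed_recipients, max_per_tx_eur and is_error come from this page; the Call and Policy types, Check, Dispatch and the sample values are assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrToolNotInvocable is named on the page; all other names here are hypothetical.
var ErrToolNotInvocable = errors.New("tool not invocable")

type Call struct { // one tool_use block emitted by the LLM
	Tool, Recipient string
	AmountEUR       float64
}

type Policy struct {
	OrgBlocked        map[string]bool // layer 1: org-wide kill-switch per destination
	TemplateTools     map[string]bool // layer 2: tools the template registers
	AllowedRecipients map[string]bool // layer 3: allowed_recipients
	MaxPerTxEUR       float64         // layer 3: max_per_tx_eur
}

// Check walks the layers top-down; the first refusal wins.
func (p Policy) Check(c Call) error {
	switch {
	case p.OrgBlocked[c.Recipient]:
		return fmt.Errorf("%w: org kill-switch on destination", ErrToolNotInvocable)
	case !p.TemplateTools[c.Tool]:
		return fmt.Errorf("%w: tool not in template set", ErrToolNotInvocable)
	case !p.AllowedRecipients[c.Recipient]:
		return fmt.Errorf("%w: recipient not in allowed_recipients", ErrToolNotInvocable)
	case !(c.AmountEUR > 0 && c.AmountEUR <= p.MaxPerTxEUR): // also rejects NaN
		return fmt.Errorf("%w: amount outside max_per_tx_eur", ErrToolNotInvocable)
	}
	return nil
}

// Dispatch gates the call before the tool body runs. A refusal comes back as
// (content, is_error=true) for the tool_result; the tool itself never executes.
func Dispatch(p Policy, c Call, tool func(Call) string) (content string, isError bool) {
	if err := p.Check(c); err != nil {
		return err.Error(), true
	}
	return tool(c), false
}

func main() { // constructed sample policy and call: 900 EUR against a 500 EUR cap
	p := Policy{nil, map[string]bool{"pay": true}, map[string]bool{"0xVENDOR": true}, 500}
	fmt.Println(Dispatch(p, Call{"pay", "0xVENDOR", 900}, func(Call) string { return "sent" }))
}
```

The gate sits in the dispatcher, not in the prompt, so a refused call costs the model one loop step and never reaches the wallet or connector.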