# Monarch for Coinbase AgentKit / Agentic Wallet Proof Pack
# Scenario: autonomous Coinbase agent-wallet spend is blocked until Monarch runs before wallet execution.

## Unsafe AgentKit / Agentic Wallet project fails Doctor

$ node packages/x402/src/cli.js doctor --root examples/coinbase-agentkit-proof-pack/unsafe --ci --strict
{ "tool": "monarch-doctor", "status": "failed", "ready": false, "applicable": true, "root": "examples/coinbase-agentkit-proof-pack/unsafe", "strict": true, "summary": "Money-moving code is not ready. Patch the reported payment files before go-live.", "checks": [ { "id": "payment_flow_scanned", "passed": true, "message": "Payment flow detected." }, { "id": "monarch_before_payment", "passed": false, "message": "One or more payment files lack a Monarch check before payment." }, { "id": "sandbox_passed", "passed": true, "message": "Sandbox scenarios passed." } ], "unprotectedPaymentFiles": [ "agentic-wallet-spend.js" ], "findings": [ { "kind": "payment_flow", "file": "agentic-wallet-spend.js", "message": "x402 payment handling found", "rails": [ "x402" ], "ruleId": "monarch.payment.x402-payment-handling-found", "location": { "startLine": 31, "startColumn": 5 } }, { "kind": "payment_flow", "file": "agentic-wallet-spend.js", "message": "pay-to wallet handling found", "rails": [ "wallet" ], "ruleId": "monarch.payment.pay-to-wallet-handling-found", "location": { "startLine": 21, "startColumn": 61 } }, { "kind": "payment_flow", "file": "agentic-wallet-spend.js", "message": "agent spend payment reference found", "rails": [ "wallet" ], "ruleId": "monarch.payment.agent-spend-payment-reference-found", "location": { "startLine": 21, "startColumn": 23 } }, { "kind": "payment_flow", "file": "agentic-wallet-spend.js", "message": "stablecoin payment handling found", "rails": [ "stablecoin" ], "ruleId": "monarch.payment.stablecoin-payment-handling-found", "location": { "startLine": 1, "startColumn": 7 } }, { "kind": "payment_flow", "file":
"agentic-wallet-spend.js", "message": "Coinbase AgentKit or Agentic Wallet payment handling found", "rails": [ "agentkit", "wallet" ], "ruleId": "monarch.payment.coinbase-agentkit-or-agentic-wallet-payment-handling-found", "location": { "startLine": 6, "startColumn": 16 } } ], "sandbox": [ { "id": "missing-prepayment-check", "title": "Payment flow has no pre-payment trust check", "expected": "block", "actual": "block", "passed": true, "reason": "Monarch is not called before payment." }, { "id": "verified-low-risk", "title": "Verified endpoint, low risk", "expected": "allow", "actual": "allow", "passed": true, "reason": "Endpoint ownership, pay-to wallet, and delivery reliability are acceptable for sandbox use." }, { "id": "unknown-wrapper", "title": "Unknown wrapper", "expected": "caution", "actual": "caution", "passed": true, "reason": "The endpoint may be a wrapper and provider authorization is not visible." }, { "id": "changed-pay-to-wallet", "title": "Changed pay-to wallet", "expected": "block", "actual": "block", "passed": true, "reason": "The endpoint recently changed its payment destination." }, { "id": "failed-delivery", "title": "Endpoint accepts payment but fails delivery", "expected": "caution", "actual": "caution", "passed": true, "reason": "Recent paid calls did not consistently return usable responses." }, { "id": "verified-alternative", "title": "Risky endpoint with verified alternative", "expected": "route", "actual": "route", "passed": true, "reason": "A lower-risk verified alternative can satisfy the same intent." } ], "recommendation": "Run `npx @monarch-shield/x402 sandbox`, then add `checkBeforePayment` before signing or sending funds." 
}

## Patched AgentKit / Agentic Wallet project passes Doctor

Note: the `monarch_before_payment` check passes here because a Monarch check reference was detected in the payment file (finding `monarch.guard.check-before-payment`). This output alone does not show that the spend call is conditioned on the check's decision, so confirm that in the patched source.

$ node packages/x402/src/cli.js doctor --root examples/coinbase-agentkit-proof-pack/patched --ci --strict
{ "tool": "monarch-doctor", "status": "passed", "ready": true, "applicable": true, "root": "examples/coinbase-agentkit-proof-pack/patched", "strict": true, "summary": "Money-moving code has a Monarch check in payment files and sandbox scenarios passed.", "checks": [ { "id": "payment_flow_scanned", "passed": true, "message": "Payment flow detected." }, { "id": "monarch_before_payment", "passed": true, "message": "Monarch check reference detected in payment files." }, { "id": "sandbox_passed", "passed": true, "message": "Sandbox scenarios passed." } ], "unprotectedPaymentFiles": [], "findings": [ { "kind": "payment_flow", "file": "agentic-wallet-spend.js", "message": "x402 payment handling found", "rails": [ "x402" ], "ruleId": "monarch.payment.x402-payment-handling-found", "location": { "startLine": 33, "startColumn": 5 } }, { "kind": "payment_flow", "file": "agentic-wallet-spend.js", "message": "pay-to wallet handling found", "rails": [ "wallet" ], "ruleId": "monarch.payment.pay-to-wallet-handling-found", "location": { "startLine": 23, "startColumn": 57 } }, { "kind": "payment_flow", "file": "agentic-wallet-spend.js", "message": "agent spend payment reference found", "rails": [ "wallet" ], "ruleId": "monarch.payment.agent-spend-payment-reference-found", "location": { "startLine": 23, "startColumn": 23 } }, { "kind": "payment_flow", "file": "agentic-wallet-spend.js", "message": "stablecoin payment handling found", "rails": [ "stablecoin" ], "ruleId": "monarch.payment.stablecoin-payment-handling-found", "location": { "startLine": 3, "startColumn": 7 } }, { "kind": "payment_flow", "file": "agentic-wallet-spend.js", "message": "Coinbase AgentKit or Agentic Wallet payment handling found", "rails": [ "agentkit", "wallet" ], "ruleId":
"monarch.payment.coinbase-agentkit-or-agentic-wallet-payment-handling-found", "location": { "startLine": 8, "startColumn": 16 } }, { "kind": "monarch_check", "file": "agentic-wallet-spend.js", "message": "Monarch pre-payment guard detected before payment execution", "rails": [], "ruleId": "monarch.guard.check-before-payment", "location": { "startLine": 47, "startColumn": 10 } } ], "sandbox": [ { "id": "missing-prepayment-check", "title": "Payment flow has no pre-payment trust check", "expected": "block", "actual": "block", "passed": true, "reason": "Monarch is not called before payment." }, { "id": "verified-low-risk", "title": "Verified endpoint, low risk", "expected": "allow", "actual": "allow", "passed": true, "reason": "Endpoint ownership, pay-to wallet, and delivery reliability are acceptable for sandbox use." }, { "id": "unknown-wrapper", "title": "Unknown wrapper", "expected": "caution", "actual": "caution", "passed": true, "reason": "The endpoint may be a wrapper and provider authorization is not visible." }, { "id": "changed-pay-to-wallet", "title": "Changed pay-to wallet", "expected": "block", "actual": "block", "passed": true, "reason": "The endpoint recently changed its payment destination." }, { "id": "failed-delivery", "title": "Endpoint accepts payment but fails delivery", "expected": "caution", "actual": "caution", "passed": true, "reason": "Recent paid calls did not consistently return usable responses." }, { "id": "verified-alternative", "title": "Risky endpoint with verified alternative", "expected": "route", "actual": "route", "passed": true, "reason": "A lower-risk verified alternative can satisfy the same intent." } ], "recommendation": "No missing Monarch pre-payment check detected." 
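}

## Sandbox proves unsafe payment branches

Note: these six scenarios and their results match the `sandbox` array in both Doctor runs above, unsafe and patched alike, and the command takes no `--root`. They therefore appear to exercise Monarch's decision logic rather than the scanned project's code.

$ node packages/x402/src/cli.js sandbox
Monarch sandbox
- PASS missing-prepayment-check: expected block, got block
- PASS verified-low-risk: expected allow, got allow
- PASS unknown-wrapper: expected caution, got caution
- PASS changed-pay-to-wallet: expected block, got block
- PASS failed-delivery: expected caution, got caution
- PASS verified-alternative: expected route, got route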