@usenami/plugin-signer

ElizaOS plugin for the Usenami Signer: place / cancel CEX or DEX orders, query account state, and verify the running Nitro Enclave attestation — without the agent ever holding the venue API key.

Status: v0 — works against six perp venues (Binance USD-M, OKX swap, Asterdex BSC, KuCoin Futures, Bybit V5 linear, Hyperliquid L1) via the same public gateway as @usenami/signer-mcp.

Why

If your ElizaOS agent trades on a CEX today, the API key lives in agent memory or in a .env file the agent process can read. That's the threat model — compromise the agent, compromise the key.

Usenami Signer keeps the key inside an AWS Nitro Enclave. HMAC and EIP-712 signatures are computed inside attested code. The agent calls the gateway, gets back a signed venue request, submits it, and reads the response. The key is never on disk, never in memory the agent can address, and the running code is provable via PCR0.

Install

npm install @usenami/plugin-signer

Add to your character:

import signerPlugin from "@usenami/plugin-signer";

export const character = {
  // ... existing config
  plugins: [signerPlugin],
  settings: {
    secrets: {
      SIGNER_GATEWAY_URL: "https://signer.usenami.io",
      SIGNER_API_TOKEN: "your-token-from-usenami.io/signer",
    },
  },
};

For local development you can also put the same vars in .env.

What the agent gets

Actions

| Name | Auth | Purpose | |---|---|---| | GET_SIGNER_ATTESTATION | none | Fetch the running enclave's PCR0 + registered_onchain flag. The trust receipt. | | LIST_SIGNER_VENUES | none | Static manifest of supported venues + auth schemes. | | GET_SIGNER_ACCOUNT | token | Equity / free margin / positions for a venue. Read-only signed request. | | PLACE_SIGNER_ORDER | token | Single market or limit order. Enclave enforces per-asset signature caps. | | CANCEL_SIGNER_ORDER | token | Cancel by order_id (+ symbol for binance / okx routes). |

Providers

SIGNER_ATTESTATION_PROVIDER runs every turn (60-second cache) and surfaces a one-line [signer] running enclave PCR0=… on-chain=… snippet to the agent's context. Lets the agent answer "what code is signing my orders?" without an explicit action call.

Supported venues

LIST_SIGNER_VENUES returns all six (read-only static manifest, no gateway call):

| venue id | asset class | auth scheme | symbol example | |---------------------|-------------|----------------------|-----------------| | binance | perp | hmac_sha256 | BTCUSDT | | okx | perp | hmac_sha256 | BTC-USDT-SWAP | | asterdex | perp | eip712 (bsc) | BTC-USD | | kucoin | perp | hmac_sha256 | XBTUSDTM | | bybit | perp | hmac_sha256 | BTCUSDT | | hyperliquid_main | perp | eip712 (hyperliquid) | BTC |

Which venues a given token may trade is bound server-side to that token's policy; LIST_SIGNER_VENUES reports the full set the gateway can sign.

Same contract as signer-mcp

This plugin and @usenami/signer-mcp share the same gateway protocol:

• Same env vars (SIGNER_GATEWAY_URL, SIGNER_API_TOKEN, SIGNER_FETCH_TIMEOUT_MS).
• Same Option-A signed-request bundle pattern (/account, /sign/order, /sign/cancel return one or more SignedRequests; client submits, reads the venue response).
• Same 6-venue set (binance / okx / asterdex / kucoin / bybit / hyperliquid_main), in lockstep with signer-mcp v0.2.0.

If you already use signer-mcp with Claude Desktop or Cursor, the token you have works here unchanged.

What v0 deliberately does NOT do

• stdio MCP transport (use @usenami/signer-mcp for that).
• Multi-account per venue per token.
• Withdrawals, transfers, or leverage configuration.
• Streaming / WebSocket data.

Verify the enclave

curl https://signer.usenami.io/attestation

Returns {pcr0_sha384, registered_onchain, timestamp_ms}. Cross-check pcr0_sha384 against the published build hash at usenami.io/signer/attestations, and against the on-chain registry at 0x38b42eED740b0fDeb211bBDf773F2238cAEec240 on Base mainnet.

License

MIT.