OWSOps

Manage, monitor, and secure your OWS agent wallets.

The local-first operations dashboard for the Open Wallet Standard. Per-agent budgets, policy enforcement, real-time spend tracking, and analytics - one command to install.

Built as part of the OWS Hackathon 2026.

Playground: owsops.xyz

npx ows-ops

Table of Contents

• Quick Start
• How It Works
• Features
• Architecture
• Policy Engine
• Supported Chains
• Dashboard Pages
• Agent Transaction API
• API Reference
• Configuration
• Database Schema
• Development
• Deployment
• License

Quick Start

Prerequisites

• Node.js >= 22
• OWS installed with a vault set up. Follow the OWS Quickstart to get started.
• MoonPay CLI (optional, for auto-top-ups and fiat on-ramp)

Install & Run

# Option 1: Run directly (no install)
npx ows-ops

# Option 2: Install globally
npm install -g ows-ops
ows-ops

# Option 3: With options
ows-ops --port 4000 --no-open

OWSOps will:

1. Check for Node.js 22+ and OWS installation
2. Start the Express server on http://localhost:3001
3. Open the dashboard in your browser

CLI Options

ows-ops [options]

Options:
  --port <number>    Server port (default: 3001)
  --host <string>    Server host (default: localhost)
  --no-open          Don't auto-open browser
  -h, --help         Show this help message

Environment Variables

| Variable | Description | Default | |----------|-------------|---------| | OWS_PASSPHRASE | OWS vault passphrase (prompted in dashboard if not set) | - | | OWS_VAULT_PATH | Custom OWS vault path | ~/.ows | | HELIUS_API_KEY | Helius API key for Solana RPC (falls back to public RPC if not set, which is rate-limited) | - | | ARC_RPC_URL | Custom RPC URL for Arc testnet | https://rpc.testnet.arc.network | | PORT | Server port (overridden by --port) | 3001 | | OWSOPS_DB_PATH | Custom path for OWSOps SQLite database (agents, spend logs, alerts are stored here) | ~/.ows-ops/owsops.db |

How It Works

OWSOps sits alongside OWS on your machine. Create wallets, issue agent keys, enforce budgets, and track every transaction - all from one local dashboard.

1. Create wallets & agents

Create OWS wallets and issue scoped API keys from the dashboard. Set budgets, chains, and approval modes per agent. Wallets are created through OWS - OWSOps never has access to private keys.

2. Agents transact

Policies created in OWSOps are registered directly in OWS - they're enforced even if agents sign via OWS directly. For full spend tracking and approval flows, agents use the OWSOps API (POST /api/v1/tx/send).

3. Monitor everything

Every transaction through the OWSOps API is tracked in real time. See spend breakdowns, budget utilization, alerts, and analytics on the dashboard instantly.

Features

Agent Management

Create and manage scoped API keys for AI agents:

• Per-agent budgets - daily and monthly USD spending limits (required at creation)
• Chain restrictions - limit agents to specific chains (required at creation)
• Approval modes - Auto, Veto Window, or Strict per agent
• Risk escalation - configurable thresholds to auto-escalate approval mode based on transaction value
• Lifecycle controls - pause, resume, revoke agents from the dashboard
• API key access - API key available from the agent card on the dashboard with copy and .env export

Unified Policy Engine

One powerful policy executable handles it all - spending limits, per-transaction caps, approval modes, and risk-based escalation. Configurable per agent with a wide set of parameters. Policies are registered directly in OWS, so they're enforced even for direct OWS signing.

Budget Enforcement

Per-agent daily and monthly spend caps enforced at transaction time. Real-time price feeds for automatic USD conversion of native tokens and stablecoins.

Approval Modes

Three modes configurable per agent:

| Mode | Behavior | Use Case | |------|----------|----------| | Auto | Instant signing (budget is the only gate) | Low-risk agents, small budgets | | Veto Window | Transaction proceeds, but manager receives a real-time WebSocket notification and can veto within a countdown window | Medium-trust agents | | Strict | Transaction held until manager approves or rejects via real-time dashboard notification | High-value, low-trust agents |

Configurable risk-based escalation automatically upgrades the mode when transaction value exceeds your thresholds.

Live Activity Feed

Real-time transaction feed powered by Socket.IO. Filter by agent, chain, or operation type. Every transaction through the OWSOps API is tracked, logged, and streamed to your dashboard.

Spend Analytics

Per-agent, per-chain, per-day spending breakdowns. 7-day and 30-day trend charts. Budget utilization bars. Spot anomalies before they become problems.

Multi-Chain Wallets

Create and manage OWS wallets that support all chains. OWSOps never has access to private keys - wallet creation and signing happen through OWS. Dashboard operations support Ethereum, Solana, Tron, and Arc today, with more chains coming soon.

MoonPay Integration & Wallet Transfers

Monitor agent wallet balances. When a wallet runs low, trigger USDC funding via MoonPay integration. Transfer funds between agent wallets directly from the dashboard. Set low-balance alert thresholds per chain.

Transaction Playground

Test agent-authorized transactions from the dashboard. Select an agent, chain, token, and recipient - execute real transactions with full policy evaluation before going live.

Architecture

Runs on your machine alongside OWS. Same local-first philosophy - your keys, your rules, your data.

Agents (SDK / CLI)              OWSOps Dashboard
      |                                |
      | POST /api/v1/tx/send           | http://localhost:3001
      v                                v
+-----------------------------------------------+
|            OWSOps (localhost:3001)             |
|                                               |
|   Express API --> Budget check                |
|               --> Approval flow               |
|               --> Spend tracking              |
|               --> OWS sign & send             |
|                                               |
|   +-----------+        +-----------+          |
|   |    OWS    |        |  SQLite   |          |
|   |  ~/.ows/  |        |  Budget   |          |
|   | wallets/  |        |  Spend    |          |
|   |  keys/    |        |  Alerts   |          |
|   | policies/ |        |           |          |
|   +-----------+        +-----------+          |
+-----------------------------------------------+

Policies enforced at OWS level - Policies created in OWSOps are registered directly in OWS. They're enforced even if agents sign via OWS directly - budget and chain rules always apply.

Full tracking via API - Agents that transact through the OWSOps API (POST /api/v1/tx/send) get full spend tracking, approval flows, real-time notifications, and analytics on the dashboard.

Policy Engine

A single unified policy executable registered in OWS handles all enforcement. Configure these parameters per agent directly from the dashboard:

| Rule | Parameter | Example | |------|-----------|---------| | Daily Spending Limit | max_daily_usd | $50/day | | Monthly Spending Limit | max_monthly_usd | $500/month | | Per-Transaction Limit | max_tx_usd | $10/tx | | Chain Allowlist | chain_ids | eip155:1, solana:5eykt4Us…, tron:mainnet, eip155:5042002 | | Approval Mode | approval_mode | auto / veto / strict | | Risk Escalation | veto + strict thresholds | Configurable USD thresholds |

More rules like address allowlists, rate limits, and business-hours restrictions coming soon.

How Policy Hooks Work

1. OWS receives a sign request with an ows_key_ token
2. OWS evaluates all attached policies (including the OWSOps executable)
3. OWS pipes PolicyContext JSON to the executable's stdin
4. The executable reads OWSOps's SQLite DB, evaluates rules, returns { "allow": true } or { "allow": false, "reason": "..." }

Agent Creation Defaults

Every agent created through OWSOps gets a unified policy executable registered in OWS that enforces the configured budget, chain restrictions, approval mode, and risk escalation rules.

Supported Chains

Wallets created through OWSOps are OWS wallets - they support all chains out of the box. Dashboard operations currently support Ethereum, Solana, Tron, and Arc, with more chains coming soon.

| Chain | CAIP-2 ID | Network | Dashboard Support | |-------|-----------|---------|-------------------| | Ethereum Mainnet | eip155:1 | mainnet | Active | | Ethereum Sepolia | eip155:11155111 | testnet | Active | | Solana Mainnet | solana:5eykt4UsFv8P8NJdTREpY1vzqKqZKvdp | mainnet | Active | | Solana Devnet | solana:EtWTRABZaYq6iMfeYKouRu166VU2xqa1 | testnet | Active | | Tron Mainnet | tron:mainnet | mainnet | Active | | Tron Nile | tron:nile | testnet | Active | | Arc Testnet | eip155:5042002 | testnet | Active | | Bitcoin | - | - | Coming soon | | Cosmos | - | - | Coming soon | | Sui | - | - | Coming soon | | TON | - | - | Coming soon | | Spark | - | - | Coming soon | | Filecoin | - | - | Coming soon |

Dashboard Pages

| Page | Description | |------|-------------| | Dashboard | Overview: wallet balances, total spend, active alerts, 7-day spend trend, recent activity | | Wallets | Multi-chain wallet management, token balances, MoonPay USDC purchases, wallet-to-wallet transfers | | Agents | Create/manage agents with policies, budgets, approval modes. API key display with copy and .env export | | Activity | Real-time transaction feed with filters (agent, chain, operation, date). Live streaming mode | | Analytics | Spend breakdowns by period, agent, chain. Configurable timeframes (7d-90d, 3mo-12mo) | | Playground | Test agent-authorized transactions with full policy evaluation | | Settings | Alert thresholds, vault info, network configuration |

Agent Transaction API

Agents submit transactions through the OWSOps API for full spend tracking and approval flows.

POST /api/v1/tx/send

Submit a transfer intent. OWSOps handles budget checks, approval flows, and signing via OWS.

Authentication: Authorization: Bearer <agent-token>

Request body:

{
  "chain": "solana:EtWTRABZaYq6iMfeYKouRu166VU2xqa1",
  "recipient": "4zMMC9srt5Ri5X14GAgXhaHii3GnPAEERYPJgZJDncDU",
  "amount": "0.01",
  "token": "SOL"
}

Response:

{
  "success": true,
  "txHash": "5K8y...",
  "chain": "solana:EtWTRABZaYq6iMfeYKouRu166VU2xqa1",
  "token": "SOL",
  "amount": "0.01",
  "recipient": "4zMMC9srt5Ri5X14GAgXhaHii3GnPAEERYPJgZJDncDU"
}

GET /api/v1/tx/status

Check agent status and remaining budget.

Authentication: Authorization: Bearer <agent-token>

Response:

{
  "agent": { "id": "...", "name": "my-agent", "status": "active", "allowedChains": ["..."] },
  "budget": {
    "daily": { "limit": 50, "spent": 12.50, "remaining": 37.50 },
    "monthly": { "limit": 500, "spent": 120, "remaining": 380 }
  }
}

API Reference

All endpoints are served from the Express server (default http://localhost:3001).

Agents

| Method | Path | Description | |--------|------|-------------| | GET | /api/agents | List all agents | | GET | /api/agents/:id | Get agent with spend summary | | POST | /api/agents | Create agent (creates OWS key + policies) | | PUT | /api/agents/:id | Update agent metadata (budget, tags, notes) | | DELETE | /api/agents/:id | Revoke agent | | POST | /api/agents/:id/pause | Temporarily disable agent | | POST | /api/agents/:id/resume | Re-enable paused agent | | PUT | /api/agents/:id/policy | Update agent policy in-place | | POST | /api/agents/:id/regenerate | Regenerate API key with updated policies |

Wallets

| Method | Path | Description | |--------|------|-------------| | GET | /api/wallets | List all OWS wallets with chain addresses | | GET | /api/wallets/:id | Get wallet detail | | GET | /api/wallets/:id/balances | Get balances via RPC | | POST | /api/wallets | Create new OWS wallet | | POST | /api/wallets/:id/transfer | Transfer funds between wallets |

Activity

| Method | Path | Description | |--------|------|-------------| | GET | /api/activity | Transaction log (paginated, filterable) | | GET | /api/activity/agent/:id | Activity for a specific agent | | GET | /api/activity/stream | SSE stream of new entries |

Analytics

| Method | Path | Description | |--------|------|-------------| | GET | /api/analytics/spend | Aggregate spend (by agent, chain, period) | | GET | /api/analytics/summary | Dashboard summary stats | | GET | /api/analytics/chains | Per-chain spend breakdown | | GET | /api/analytics/agents | Per-agent spend breakdown | | GET | /api/analytics/recent | Recent activity (last 10 entries) | | GET | /api/analytics/alerts | Recent alerts | | POST | /api/analytics/alerts/:id/acknowledge | Acknowledge an alert | | POST | /api/analytics/alerts/check | Trigger low balance check |

Budgets

| Method | Path | Description | |--------|------|-------------| | GET | /api/budgets/:agentId | Budget status for agent | | PUT | /api/budgets/:agentId | Update budget limits | | GET | /api/budgets/overview | All agents budget overview |

Approvals

| Method | Path | Description | |--------|------|-------------| | GET | /api/approvals | List pending approvals | | GET | /api/approvals/:id | Get approval detail | | POST | /api/approvals/:id/approve | Approve strict-mode transaction | | POST | /api/approvals/:id/deny | Deny strict-mode transaction | | POST | /api/approvals/:id/veto | Veto a veto-window transaction |

MoonPay

| Method | Path | Description | |--------|------|-------------| | GET | /api/moonpay/status | Check MoonPay CLI authentication status | | POST | /api/moonpay/top-up | Trigger MoonPay fiat on-ramp for wallet |

Other

| Method | Path | Description | |--------|------|-------------| | POST | /api/simulate | Simulate a transaction | | GET | /api/settings | Get OWSOps settings | | PUT | /api/settings | Update settings | | POST | /api/settings/passphrase/verify | Verify passphrase works with OWS | | GET | /api/health | Health check + OWS vault status |

Configuration

Price Providers

OWSOps converts native token values to USD for budget tracking. Multiple built-in providers:

| Provider | Source | Tokens | Notes | |----------|--------|--------|-------| | tokens.xyz | tokens.xyz API | Wide coverage | Primary provider | | CoinGecko | CoinGecko API | ETH, SOL + any listed token | Free, no API key | | Static | Hardcoded | USDC, USDT, DAI = $1.00 | Always available, fallback |

Prices are cached in SQLite with a configurable TTL.

Passphrase Handling

OWSOps needs the OWS vault passphrase for operations like creating wallets and API keys:

1. If OWS_PASSPHRASE env var is set - used automatically
2. If not set - dashboard shows a modal prompt when needed
3. The passphrase is never stored - held in server memory only during the request

Database Schema

OWSOps uses SQLite (~/.ows-ops/owsops.db) for all local persistence:

| Table | Purpose | |-------|---------| | agents | Agent metadata - name, wallet, budget limits, approval mode, status | | spend_log | Transaction entries - agent, chain, tx hash, token, value, USD estimate | | budget_tracking | Rolling aggregates - daily/monthly spend per agent | | alerts | Budget warnings, anomaly flags, policy denials | | pending_approvals | Strict/veto mode approval queue | | price_cache | Token prices with TTL-based expiry | | settings | Key-value config (provider selection, thresholds) |

Development

Prerequisites

node --version  # >= 22
npm --version   # >= 9

Setup

git clone https://github.com/0xharp/ows-ops.git
cd ows-ops
npm install

Environment Setup

Create a .env file in the project root:

# Required if your OWS vault is encrypted
OWS_PASSPHRASE=your-vault-passphrase

# Recommended for Solana RPC (free tier at helius.dev)
HELIUS_API_KEY=your-helius-api-key

# Optional
# OWS_VAULT_PATH=~/.ows
# PORT=3001

Run in Development

# Start both server (Express + tsx watch) and client (Vite HMR) concurrently
npm run dev

# Or run them separately:
npm run server   # Express on port 3001 (tsx watch, auto-reload)
npm run client   # Vite on port 5173 (proxies /api to 3001)

• Dashboard: http://localhost:5173 (dev) or http://localhost:3001 (production)
• API: http://localhost:3001/api/

Build

npm run build          # Full production build (client + server + SDK)

# Individual builds:
npm run client:build   # Vite -> client/dist/
npm run server:build   # tsc -> dist/server/
npm run sdk:build      # tsc -> dist/sdk/

Type Check

npm run typecheck      # tsc --noEmit

Project Structure

ows-ops/
├── bin/
│   └── owsops.js                 # CLI entry - npx ows-ops
├── client/
│   ├── src/
│   │   ├── App.tsx               # Router + layout + homepage
│   │   ├── pages/                # Dashboard, Agents, Wallets, Activity, Analytics, Playground, Settings
│   │   ├── components/           # BudgetBar, CopyButton, DotMatrix, ApprovalToast, ExplorerLink
│   │   └── hooks/                # useDashboard, useAgents, useActivity, useFunding, useSocket
│   └── vite.config.ts
├── server/
│   ├── index.ts                  # Express server + Socket.IO
│   ├── env.ts                    # Env var loading + passphrase resolution
│   ├── types.ts                  # Shared server types
│   ├── routes/                   # agents, wallets, activity, analytics, approvals, budgets, moonpay, simulate, settings, agentApi
│   ├── services/                 # ows, budgetEngine, alerts, priceProvider, balances, txBuilder, simulator, network, socketIO, spendEvents, moonpay
│   │   ├── chains/               # Modular chain adapter registry — evm, solana, tron, arc (add a chain by dropping a file here)
│   │   └── providers/            # Price provider implementations (tokens.xyz, coingecko, static)
│   ├── db/sqlite.ts              # Database initialization
│   ├── middleware/               # errorHandler, requestLogger, validate
│   ├── utils/                    # Shared helpers (fetchWithRetry, etc.)
│   └── policies/
│       └── owsops-agent-policy.js  # Unified policy executable (budget + approval + risk escalation)
├── sdk/                          # Exportable SDK functions
├── package.json
├── tsconfig.json
├── tsconfig.server.json
└── tsconfig.sdk.json

Tech Stack

| Layer | Technology | |-------|-----------| | Frontend | React 19, React Router 7, Tailwind CSS 4, Vite 8 | | Backend | Express 4, Socket.IO 4, better-sqlite3, Zod 4 | | Blockchain | ethers 6, @solana/kit 6, @open-wallet-standard/core | | Language | TypeScript 6 (strict mode) | | Security | Helmet, CORS, express-rate-limit (300 req/min) |

Deployment

Playground

A live playground deployment is available at owsops.xyz.

Self-hosting

OWSOps can be deployed for live demos or team use:

• Mount ~/.ows/ on a persistent volume (not ephemeral filesystem)
• Set OWS_VAULT_PATH env var to point to the persistent volume
• Set OWS_PASSPHRASE env var for automated operations

npm Publishing

npm run build                    # Build client + server + SDK
npm publish                      # Publish to npm as ows-ops

Users install with:

npx ows-ops                      # Downloads and runs

Disclaimer

This software is provided as-is and has not been independently audited for security. By using OWSOps, you acknowledge and agree that:

• This is experimental software built during a hackathon. Use at your own risk.
• Do not use with significant funds without conducting your own security review.
• The authors are not liable for any loss of funds, data breaches, key compromise, or damages of any kind arising from the use of this software.
• You are solely responsible for your own key management, wallet security, and operational practices.
• OWSOps interacts with the OWS vault on your machine. Ensure your vault passphrase and environment are secured appropriately.
• No guarantees are made regarding the correctness of budget enforcement, policy evaluation, price feeds, or transaction handling.

If you are managing wallets with real value, perform your own due diligence and security audit before relying on this software.

License

MIT

Built by @0xharp as part of the OWS Hackathon 2026.

GitHub · npm · Playground