Tunnel

Multi-agent wallet sharing without key exposure. A host shares wallet access through a tunnel, and peers propose transactions that go through a policy engine before execution.

CLI Commands

Create a Tunnel (Host)

owl tunnel create -w main -n my-tunnel -p 9800

Flag	Description
-w, --wallet	Wallet to share	required
-n, --name	Tunnel name	required
-p, --port	WebSocket port for remote peers	default: 9800

Connect to a Tunnel (Peer)

owl tunnel connect ws://host:9800/my-tunnel -w my-wallet

Arg / Flag	Description
uri	Tunnel URI to connect to	required
-w, --wallet	Local wallet for signing auth challenges	required

List Tunnels

owl tunnel list

Authentication

Keys never leave the host. Peers prove wallet ownership via mp message sign challenge-response using the wallet's own keypair.

  Peer                              Host
    |                                 |
    |  -------- connect ---------->   |
    |                                 |
    |  <-- auth.challenge (nonce) --  |
    |                                 |
    |  mp message sign --message nonce|
    |                                 |
    |  -- auth.verify (sig, addr) ->  |
    |                                 |
    |  verify signature on-chain      |
    |                                 |
    |  <---- auth.success ----------  |

Policy Engine

Every incoming transaction proposal is evaluated against per-peer policies. Policies control what operations are allowed and whether they need manual approval.

  Incoming Proposal
        |
  Has policy? --No--> REJECT
        | Yes
  Daily limit OK? --No--> REJECT
        | Yes
  Auto-approve match? --Yes--> EXECUTE
        | No
  Queue for manual approval

Policy Options

Option	Type	Description
daily_limit_usd	number	Max daily spending in USD (default: 100)
allowed_tokens	string[]	Token symbols the peer can operate on
allowed_operations	string[]	Allowed ops: swap, transfer, bridge
auto_approve_max_usd	number	Auto-approve transactions under this amount

Transport

Unix Socket

Local machine communication. Fast, no network exposure.

WebSocket

Remote peer connections. Configurable port (default 9800).

MCP Tools

Tool	Description
owl_tunnel_create	Create a tunnel (host side)
owl_tunnel_connect	Connect as peer
owl_tunnel_list	List active tunnels
owl_tunnel_propose	Propose a transaction
owl_tunnel_approve	Approve a pending proposal
owl_tunnel_reject	Reject a pending proposal
owl_tunnel_policy_set	Set per-peer policies
owl_tunnel_policy_get	Get current policies