Nunchuk Agent Signer
Spending-policy co-signer for AI agents
Passport Prime as a self-custodied, hardware-enforced spending-policy co-signer for an AI agent’s Nunchuk wallet.
Last updated Jul 2026

Spend paths · agent + Passport, or Passport alone
Overview
A self-custodied, hardware-enforced variant of Nunchuk’s server-side Platform Key. An AI agent runs a Nunchuk wallet via nunchuk-cli; Passport Prime holds one key and gates spending on-device. Transactions under your limits sign unattended (HSM mode); spends over the limits need a physical tap on Passport.
It is a drop-in for Nunchuk’s nunchuk-coldcard-hsm agent skill with ckcc replaced by prime-signer. The treasury model, 2-of-2 self-custodied or 2-of-3 cloud-assisted, is chosen at onboarding, on-device. 54 unit and integration tests pass, and the full agent → nunchuk-cli → Passport → broadcast flow works on testnet4 with both models.
What it does
- Self-custodied 2-of-2: agent + Passport co-sign; Passport spends alone after N blocks if the agent key is lost.
- Cloud-assisted 2-of-3: adds Nunchuk’s always-online Platform Key, so the agent keeps spending while Passport is off.
- Five cap layers: per-tx limit, rolling daily/weekly velocity, and clock-free session + lifetime backstops.
- Optional destination allowlist: non-allowlisted outputs always force an on-device approval.
- Under every cap → auto-sign, no human. Over any cap → on-device approval. Recovery spends always need approval.
- Append-only ledger debited before signing, so a power-cycle can’t erase a spend and reset the budget.
- Host tooling: prime-usb (USB-CDC), prime-signer (sim file-bridge), a prime-hsm agent skill, and an HWI driver skeleton.
Technical breakdown
How the proof-of-concept is built, for developers evaluating the platform.
The policy gate
src/nunchuk/gate.rs decides, per PSBT, whether to release a signature: per-tx limit (always), daily/weekly velocity (clock-dependent), and clock-free session + lifetime ceilings that survive reboot, plus an optional destination allowlist. src/nunchuk/history.rs is an append-only ledger flushed before the signature releases; only Auto + Approved records count toward enforcement.
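The debit-before-sign ordering described above, as an added Rust example that is not the project's gate.rs. It covers only the per-tx limit, the lifetime ceiling and the allowlist, and leaves out the velocity and session caps. All type and function names are hypothetical, and the outputs are constructed (address, sats) pairs with change already excluded, not a parsed PSBT.

```rust
// Added illustration: hypothetical names, not the contents of src/nunchuk/gate.rs.
use std::collections::HashSet;
#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Outcome { Auto, Approved, Rejected }

pub struct Policy {
    pub per_tx: u64,                        // sats, checked on every spend
    pub lifetime: u64,                      // sats, clock-free ceiling
    pub allowlist: Option<HashSet<String>>, // None = allowlist disabled
}

pub struct Gate {
    pub policy: Policy,
    pub ledger: Vec<(u64, Outcome)>, // append-only; stands in for on-device storage
}

// Sum of external (non-change) outputs in sats; assumed already extracted.
fn total(outputs: &[(&str, u64)]) -> u64 {
    outputs.iter().fold(0u64, |acc, (_, v)| acc.saturating_add(*v))
}

impl Gate {
    // Only Auto and Approved records count toward the ceiling.
    pub fn spent(&self) -> u64 {
        self.ledger.iter().filter(|(_, o)| *o != Outcome::Rejected)
            .fold(0u64, |acc, (sats, _)| acc.saturating_add(*sats))
    }
    // True when every cap holds and every output is allowlisted.
    pub fn auto_ok(&self, outputs: &[(&str, u64)]) -> bool {
        let amount = total(outputs);
        let listed = self.policy.allowlist.as_ref()
            .map_or(true, |set| outputs.iter().all(|(addr, _)| set.contains(*addr)));
        listed && amount <= self.policy.per_tx
            && self.spent().saturating_add(amount) <= self.policy.lifetime
    }
    // Debit first: the record is appended before the caller may release a signature.
    pub fn decide(&mut self, outputs: &[(&str, u64)], human_ok: bool) -> Outcome {
        let outcome = if self.auto_ok(outputs) { Outcome::Auto }
            else if human_ok { Outcome::Approved } else { Outcome::Rejected };
        self.ledger.push((total(outputs), outcome));
        outcome // sign only for Auto or Approved
    }
}

fn main() {
    let policy = Policy { per_tx: 50_000, lifetime: 120_000, allowlist: None };
    let mut gate = Gate { policy, ledger: Vec::new() };
    println!("{:?}", gate.decide(&[("tb1q-constructed", 40_000)], false));
}
```

Rebuilding a `Gate` from the stored ledger after a restart yields the same `spent()` total, which is why a power-cycle does not restore budget.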
Treasury models
2-of-2 self-custodied: wsh(or_d(multi(2, agent, prime), and_v(v:pk(prime), older(N)))). The recovery branch lets Passport sweep alone after ~30 days (4320 blocks) using a second Passport account (m/48'/1'/1'/2'). 2-of-3 cloud-assisted: wsh(multi(2, agent, prime, platform_key)); agent + Passport is a valid 2-of-3 that never needs Nunchuk. Building, registering, and everyday signing are verified on hardware; the recovery-leg sweep itself is not yet verified.
Host integration & a known limit
All Bitcoin work is nunchuk-cli’s job; the host layer only carries keys/descriptors/PSBTs: prime-usb over USB-CDC, prime-signer as a sim file-bridge, plus a prime-hsm agent-skill runbook and an HWI driver skeleton. Network is testnet4. Note: current hardware has no trustworthy clock (RTC), so daily/weekly caps are paused on-device. The clock-free session + lifetime caps are enforced instead.
Dig into the source
README, architecture notes, and the wire protocol live in the repo.
