NoxPilot

Trust boundary

Why the trust model matters

NoxPilot is not an unlimited-autonomy agent. The design is bounded authority, confidential thresholds, isolated capital, and instant revocability.

Unsafe autonomous model

Fast to demo, weak on trust.

One hot wallet stores capital and executes trades.

High risk

Policy thresholds are exposed or loosely managed.

Agent authority is broad and hard to revoke.

High risk

Users cannot clearly inspect trust boundaries.

NoxPilot bounded confidential model

Trust-minimized automation designed for operator control.

Vault capital remains isolated from operational execution.

Execution wallet receives only bounded session funding.

Policy thresholds stay confidential through handle references.

Pause and revoke controls are explicit in the operator UX.

Isolated execution wallet

Confidential policy

Principle 1

Capital isolation

Main capital remains in the vault. The operational wallet only receives bounded session funding. The agent never has direct access to the vault.

Principle 2

Confidential policy

Budget and confidence thresholds are stored as encrypted Nox handles. The contracts verify these confidentially — no one sees the raw values on-chain.

Principle 3

Revocable automation

The operator can pause the entire system or revoke any active session instantly. AI has bounded authority that expires automatically.

Capital flow

How money moves through NoxPilot

Follow the path from vault to guard to settlement.

Vault Wallet

Capital stored here, untouched by agent

PolicyVault.openSession()

Only bounded amount approved

ExecutionGuard

Receives session asset, enforces all limits

executeExactInputSingle()

One real swap with confidence proof

settleSessionAssets()

Sweep remaining back to vault

Vault Wallet

Capital returns — session closed

Try the demo