Medici Protocol

Architecture

How the Medici Protocol is built — from Canton ledger to frontend.

System Diagram

USERS & EXTERNAL SYSTEMS LAYER 8 Frontend Interfaces Chat / NL Interface Natural language intents Strategy Dashboard Drift, rolls, M2M Manual Trading Trade / Earn / Swap / Admin LAYER 7 On-Chain Intents (DAML) StrategyIntent AgentMessage IntentAnnouncement VaultComplianceRegistry LAYER 6 Intent Expression (off-chain) StrategyIntent schema · StrategyEngine · Constraint validation · Parameter defaults · constraintHash links on/off chain LAYER 5 Agent Runtime Orchestrator · Tick Scheduler · Health Checks · Singleton Enforcement · Process Supervisor LAYER 4 Specialized Agents OracleAgent Price feed RebalanceAgent Roll execution StrategyAgent Intent->config SettleAgent Maturity watch PosMonitor Drift/delta LAYER 3 Agent SDK (TypeScript) LedgerClient · StateStore (SQLite) · EventBus · Agent Base Class · Safety · Config LAYER 2 Ledger Service (Go) REST API /api/v1/* WebSocket Stream Token Cache + Refresh Canton Adapter LAYER 1 Canton Ledger (DAML) Core · Oracle · Rebalancing · Governance · Perpetual Physical Settlement · PoolVault · Intents · Canton JSON API v2 · Participant Node INFRASTRUCTURE Kubernetes / FluxCD Keycloak · Postgres · Validator · Domain · Splice Components · Ingress · Secrets Commands flow down · Events flow up · Intents bridge layers 6-8

Layer Descriptions

Layer 1 -- Canton Ledger (DAML)

The foundation. All contracts live on the Canton Network, a privacy-preserving blockchain from Digital Asset. DAML contracts define the protocol's rules: what a vault is, how P and N tokens work, how settlement happens. Once deployed, DAML contracts are immutable (upgradable via SCU -- Smart Contract Upgrade for minor changes, or migration for major ones).

Key properties: Sub-transaction privacy (only parties to a contract see its details), no public mempool (no front-running or MEV), ledger time for maturity checks, causality enforcement via DAML's contract model.

Layer 2 -- Ledger Service (Go)

A single Go binary that absorbs all 8 Canton JSON API quirks and exposes a clean REST + WebSocket API. This is the recommended interface for all application code. It normalizes created-event payloads (created.payload ?? created.createArguments), handles token refresh (5-min lifespan with retry), wraps commands into proper Canton format, and manages party/user lifecycle.

For non-custodial external parties, it also owns the Path C prepare/execute flow: the service prepares transactions, relays prepared hashes to the wallet for signing, and submits the signed transaction -- the service never sees a private key.

Layer 3 -- Agent SDK (TypeScript)

Shared library providing:

Layer 4 -- Specialized Agents

Independent, single-purpose agents that execute specific strategies:

AgentResponsibility
OracleAgentPublishes live price observations (CoinGecko) and the public PublishedPrice feed
RebalanceAgentMonitors vault delta, executes rolls when price approaches 1.5x strike
StrategyAgentTranslates user intents into agent configurations, reports drift
SettleAgentWatches maturity, fetches oracle price, submits settlement claims
PositionMonitorAgentTracks vault drift, M2M value, delta exposure
SwapTakerAgentMonitors SwapOffer contracts, auto-fills matching offers

Layer 5 -- Agent Runtime

The runtime orchestrator manages the fleet: tick scheduling (every N seconds), singleton enforcement (one instance per agent type), health checks with auto-restart, process supervision, and structured logging. Agents register with the runtime, which handles the lifecycle.

Layer 6 -- Intent Expression (Off-Chain)

Users express what they want through structured intents. A StrategyIntent might say "Track $50k BTC/USDC with standard strategy, max 15 bps/roll slippage." The StrategyEngine validates constraints, applies parameter defaults, and configures agents. A constraintHash links the off-chain intent to on-chain verification.

Layer 7 -- On-Chain Intents (DAML)

Intents recorded on the ledger provide an immutable audit trail. Templates include IntentAnnouncement (public signal of user intent), VaultComplianceRegistry (per-vault compliance tracking), and AgentMessage (inter-agent coordination). The DAML layer enforces lifecycle: an intent is created, agents reference it, and settlement verifies against it.

Layer 8 -- Frontend Interfaces

Three interface paths:

Data Flow

Frontend / Agent Ledger Service Canton JSON API DAML Ledger READ current state GET contracts/:m/:e /api/v1/contracts/:m/:e /v2/state/active-contracts Contract payloads READ real-time WebSocket connect WS /api/v1/stream /v2/updates (cursor) Created/Archived events WRITE custodial POST commands/submit /api/v1/commands/submit /v2/commands/submit-and-wait Choice executed WRITE non-custodial (Path C) POST commands/prepare /api/v1/commands/prepare /v2/interactive-submission/prepare Prepared transaction Wallet signs preparedTransactionHash POST commands/execute /api/v1/commands/execute /v2/interactive-submission/execute Signed tx executed ORACLE price feed OracleAgent /api/v1/commands/submit Create PriceObservation + PublishedPrice Archive prior PublishedPrice (Prune) in same tx At most ONE active PublishedPrice per ticker

Auth Flow

Client Keycloak Ledger Service Canton Participant 1 Token request (client_credentials or PKCE) 2 RS256 JWT (5-min expiry) 3 Authorization: Bearer <token> 4 Same token forwarded 5. Canton validates a. Token signature (JWKS via HTTP) b. Issuer matches IdP config issuer c. Token not expired d. Canton user: id == sub e. canActAs / canReadAs rights 6 Any check fails 401 or 403 7 Auto-refresh token + retry once

Multi-Party Propose/Operator-Execute Pattern

The protocol uses a two-phase pattern for operations that require multiple parties to authorize. This is Canton's equivalent of a multi-sig wallet (like Gnosis Safe).

Basic Pattern: SplitRequest Phase 1: PROPOSE Any authorized party Depositor creates SplitRequest Depositor is signatory Operator is observer only Phase 2: EXECUTE Protocol operator Exercises OperatorExecute Authority: {depositor, vaultAdmin} Creates Vault + P + N tokens Result: User proposes, admin/governance finalizes Governance Variant: N-of-M Multi-Sig Proposer Creates GovernanceProposal N Signatories Accept ProposalAcceptance contracts accumulate Threshold Met Final signer calls Execute DAML enforces: No double-accept · No execute below threshold · Single signatory per acceptance

Key Design Decisions