Conto Policy Enforcement

You are a spending policy enforcement layer. Before executing ANY payment, transfer, swap, or bridge, you MUST check Conto's policy engine for approval. Never send money without policy clearance.

Prerequisites

Before using this skill, you need:

1. 1. A Conto account — Sign up at conto.finance
2. A CONTO_SDK_KEY (required) — Generated from the Conto dashboard (format: conto_agent_...). See Getting Started below.
3. curl and jq — Command-line tools (pre-installed on most systems)
4. CONTO_API_URL (optional) — API base URL (default: https://conto.finance). Must use https:// in production (localhost allowed for development only).

When This Skill Activates

This skill applies whenever you are about to:

• - Transfer tokens (USDC, ETH, SOL, etc.) to any address
• Swap tokens on any DEX
• Bridge tokens between chains
• Pay for an API call (x402, paid endpoints)
• Make any onchain transaction that moves value

Getting Started

Step 1: Install the skill

CODEBLOCK0

Step 2: Set up your agent

Run the setup command with your agent name and wallet address:

CODEBLOCK1

This opens your browser to sign in to Conto. After you approve, the agent is automatically provisioned with:

• - An agent record linked to your organization
• Your wallet registered as EXTERNAL custody
• Default spend limits ($100/tx, $500/day)
• An SDK key saved to INLINECODE7

To find your wallet address, ask the agent: "What is my wallet address?" If you don't have a wallet yet, ask "Show me my wallet balances" — one will be provisioned automatically.

Arguments:

• - agent_name: Name for your agent (e.g., "my-hermes-agent")
• INLINECODE9: Your wallet address (0x... for EVM, base58 for Solana)
• INLINECODE10: EVM or SOLANA (default: EVM)
• INLINECODE11: Chain ID (default: 42431 for Tempo Testnet). Common values: 8453 (Base), 42431 (Tempo Testnet), 1 (Ethereum)

Step 3: Verify it works

Test that the skill is connected:

CODEBLOCK2

Or check your policies:

CODEBLOCK3

If you get a response, Conto is working.

Manual Setup (Alternative)

If the browser setup doesn't work, you can configure manually:

1. 1. Sign in at conto.finance
2. Connect your agent: Agents > Connect Agent > name it, set type to CUSTOM
3. Register your wallet: Wallets > Add Wallet > paste address, set EXTERNAL custody
4. Link wallet to agent: Agents > your agent > Wallets > link with spend limits
5. Generate SDK key: Agents > your agent > SDK Keys > Generate New Key (copy immediately — shown once)
6. Add to ~/.hermes/.env:

CODEBLOCK4

Which Wallet Mode Should I Use?

Conto supports two modes depending on who manages the wallet keys:

Question	Mode A	Mode B
Who holds the wallet keys?	Custody provider (Privy or Sponge)	You (via Hermes/Sponge MCP tools)
How many API calls per payment?

1 (single call, auto-executes) | 3 (approve → transfer → confirm) |
| When to use? | Wallet custodyType is PRIVY or SPONGE in Conto dashboard | Wallet custodyType is EXTERNAL in Conto dashboard |

Most Hermes setups use Mode B — your agent controls the wallet via Sponge MCP tools and Conto acts as the policy gate before each transaction.

Prefer conto-check.sh for Mode B commands (approve, confirm, x402, budget, services, and all policy commands). The shell helper includes input validation, HTTPS enforcement, timeouts, retry logic, and safe credential handling. Use raw curl only for Mode A endpoints (/request, /execute) and the x402 /record endpoint, which have no shell helper yet.

---

Quick Start: Your First Policy-Checked Payment (Mode B)

Here's a complete end-to-end example of sending 10 USDC with policy enforcement:

1. Request approval from Conto:

CODEBLOCK5

2. If approved, execute the transfer:

CODEBLOCK6

3. Confirm the transaction with Conto:

CODEBLOCK7

That's it. Conto checked the policy, you sent the payment, and the confirmation keeps spend tracking accurate. The sections below cover each step in detail.

---

Mode A: Provider-Managed Wallets (PRIVY / SPONGE)

For wallets managed by a custody provider (Privy or Sponge), use a single API call. Conto evaluates policies and instructs the custody provider to execute the transfer.

CODEBLOCK8

If approved and executed, the response includes the tx hash directly:

CODEBLOCK9

No need to call /execute or /confirm — Conto did everything. Report the tx hash and explorer URL to the user.

If approved but not auto-executed (e.g., autoExecuteError in response), call /execute manually:

CODEBLOCK10

If denied, the response includes reasons and violations — report them to the user (see denial handling below).

---

Mode B: External Wallets (EXTERNAL custody)

For wallets where you hold the keys, use the three-step flow: approve → transfer → confirm.

Step 1: Request Policy Approval

CODEBLOCK11

Required fields:

• - amount — Positive number, the USDC value of the transaction
• INLINECODE32 — The destination address (0x... for EVM, base58 for Solana)
• INLINECODE33 — Your wallet address that will send the funds
• INLINECODE34 — Chain ID number. Required. Common values: 8453 (Base mainnet), 42431 (Tempo Testnet), 84532 (Base Sepolia), 1 (Ethereum). For Solana, use a base58 senderAddress with any chainId — the chain type is detected automatically from the address format.

Optional fields:

• - recipientName — Human-readable name (e.g., "OpenAI API", "Uniswap Router")
• INLINECODE41 — Why this payment is needed (e.g., "Swap 0.5 ETH for USDC on Uniswap")
• INLINECODE42 — One of: API_PROVIDER, CLOUD, SAAS, INFRASTRUCTURE, MARKETING, PAYROLL, TRAVEL, LODGING, TRANSPORT, SUPPLIES, DATABASE, MONITORING, PAYMENTS, INLINECODE56
• INLINECODE57 — JSON object with any additional metadata

For x402 API payments (paid HTTP endpoints), use the dedicated pre-authorize endpoint instead:

CODEBLOCK12

Step 2: Handle the Approval Response

If approved ("approved": true):

CODEBLOCK13

Save the approvalId and approvalToken — you need them for Step 3.
The approval expires in 10 minutes. Execute and confirm before then.

Security note: The approvalToken is cryptographically bound to the original request parameters (amount, recipient, chain). The /confirm endpoint validates that the confirmed transaction matches the approved parameters. You cannot reuse an approval token for a different amount or recipient.

Step 2a: Execute the Transfer

Now execute the payment using your wallet. Conto approved the policy — now YOU must send the actual onchain transaction. Do NOT ask the user to execute it.

Use the appropriate MCP tool for the target chain:

Tempo (pathUSD):

CODEBLOCK14

Base (USDC):

CODEBLOCK15

Solana (USDC):

CODEBLOCK16

The transfer will return a transaction hash. Save it for Step 3.
If the transfer fails, report the error to the user. Do NOT call confirm.

Handling Denials

If denied ("approved": false):

CODEBLOCK17

DO NOT execute the payment. Report the denial to the user:

• - Show the reasons array (human-readable)
• Show violation details (type, limit, current values)
• If requiresHumanApproval is true, tell the user a Conto dashboard admin must approve it

If the request fails (HTTP errors):

• - 401: SDK key invalid. Ask user to check CONTO_SDK_KEY.
• 403: Missing scope. Needs payments:approve.
• 429: Rate limited. Wait for the Retry-After header value and retry.
• 500/502/503: Retry once after a 2-second delay. If it fails again, inform the user. The conto-check.sh helper handles this automatically.

Step 3: Confirm After Execution

After the transfer succeeds, report the transaction hash back to Conto:

CODEBLOCK18

Required fields:

• - txHash — The onchain transaction hash (0x + 64 hex chars for EVM, or base58 for Solana)
• INLINECODE71 — The exact token string from the approval response

Success response:

CODEBLOCK19

Confirmation is important — it updates spend tracking so future policy checks have accurate data. If you skip this, the daily/weekly/monthly counters will be wrong and the agent may overspend.

If confirmation fails with EXPIRED, the 10-minute window passed. Inform the user.

Reporting Results to the User

On success (approved + executed + confirmed):

CODEBLOCK20

On denial:

CODEBLOCK21

On requires approval:

CODEBLOCK22

Mapping Payment Types to Policy Calls

Transfers (send USDC/ETH/SOL to an address)

• - amount: The transfer amount in USDC (convert if needed)
• INLINECODE74: The destination address
• INLINECODE75: Your wallet address
• INLINECODE76: PAYMENTS or the appropriate category
• INLINECODE78: "Transfer X USDC to 0xabc..."

Swaps (DEX trades)

• - amount: The input amount in USDC equivalent
• INLINECODE80: The DEX router contract address
• INLINECODE81: Your wallet address
• INLINECODE82: INLINECODE83
• INLINECODE84: "Swap X TOKENA for TOKENB on Uniswap"
• INLINECODE85: The DEX name (e.g., "Uniswap V3 Router")

Bridges (cross-chain transfers)

• - amount: The bridged amount in USDC equivalent
• INLINECODE87: The bridge contract address
• INLINECODE88: Your wallet address on the source chain
• INLINECODE89: INLINECODE90
• INLINECODE91: "Bridge X USDC from Base to Solana"
• INLINECODE92: The bridge provider (e.g., "Relay Bridge")
• INLINECODE93: The source chain ID

x402 API Payments

Use the /api/sdk/x402/pre-authorize endpoint (see Step 1 above). This evaluates x402-specific rules like per-service caps, endpoint velocity limits, and service allowlists.

If authorized ("authorized": true), proceed with the x402 payment flow normally. No separate confirm step is needed for x402 — use the x402 record endpoint instead:

CODEBLOCK23

Policy Violation Types Reference

When a payment is denied, the violations[].type field tells you exactly what rule was triggered:

Violation Type	Meaning
INLINECODE97	Wallet doesn't have enough funds
INLINECODE98

Single transaction exceeds max allowed |
| DAILY_LIMIT | Would exceed daily spending cap |
| WEEKLY_LIMIT | Would exceed weekly spending cap |
| MONTHLY_LIMIT | Would exceed monthly spending cap |
| BUDGET_EXCEEDED | Would exceed budget allocation |
| TIME_WINDOW | Transaction outside allowed hours |
| BLACKOUT_PERIOD | Transaction during maintenance/blackout window |
| EXPIRED_PERMISSION | Transaction outside allowed date range |
| BLOCKED_COUNTERPARTY | Recipient is on the blocklist |
| WHITELIST_VIOLATION | Recipient is not on the allowlist |
| CATEGORY_RESTRICTION | Spend category is not permitted |
| VELOCITY_LIMIT | Too many transactions in time period |
| GEOGRAPHIC_RESTRICTION | Geographic/OFAC restriction |
| CONTRACT_NOT_ALLOWED | Smart contract not on allowlist |
| FAIRSCALE_LOW_SCORE | Counterparty Fairscale reputation too low |
| X402_PRICE_CEILING | x402 API call exceeds price cap |
| X402_SERVICE_BLOCKED | x402 service is on blocklist |
| X402_SERVICE_NOT_ALLOWED | x402 service not on allowlist |
| X402_ENDPOINT_LIMIT | x402 endpoint spend limit exceeded |
| X402_SESSION_BUDGET | x402 session budget exhausted |
| X402_VELOCITY | x402 call rate limit exceeded |
| MPP_PRICE_CEILING | MPP payment exceeds price cap |
| MPP_SERVICE_BLOCKED | MPP service is on blocklist |
| MPP_SERVICE_NOT_ALLOWED | MPP service not on allowlist |
| MPP_ENDPOINT_LIMIT | MPP endpoint spend limit exceeded |
| MPP_SESSION_BUDGET | MPP session budget exhausted |
| MPP_VELOCITY | MPP call rate limit exceeded |
| MPP_MAX_SESSION_DEPOSIT | MPP session deposit exceeds cap |
| MPP_MAX_CONCURRENT_SESSIONS | Too many active MPP sessions |
| MPP_MAX_SESSION_DURATION | MPP session exceeds max duration |
| MPP_SESSION_INTENT_BLOCKED | MPP session intent not allowed |
| MPP_METHOD_NOT_ALLOWED | MPP HTTP method not permitted |
| CARD_MCC_RESTRICTION | Card merchant category code not allowed |
| CARD_MERCHANT_RESTRICTION | Card merchant not on allowlist or is blocked |
| CARD_AMOUNT_LIMIT | Card transaction exceeds amount limit |

Error Reporting to the User

When a payment is denied, format the denial clearly:

CODEBLOCK24

When requiresHumanApproval is true:

CODEBLOCK25

Managing Policies from Hermes

If your SDK key is an admin key (keyType: "admin"), you can create, update, and delete policies directly from the CLI. Standard keys can only read policies and check payments.

List all policies

CODEBLOCK26

Create a policy

CODEBLOCK27

The response includes the new policy's id. Save it for assigning to agents.

Common policy recipes

Daily spending cap of $1,000:

CODEBLOCK28

Only allow API and Cloud payments:

CODEBLOCK29

Block a scam address:

CODEBLOCK30

Require human approval above $500:

CODEBLOCK31

Business hours only (Mon-Fri 9am-6pm):

CODEBLOCK32

Cap x402 API spend at $1/request, $50/day per service:

CODEBLOCK33

Add a rule to an existing policy

CODEBLOCK34

Replace all rules on a policy

CODEBLOCK35

Delete a policy

CODEBLOCK36

Available rule types

Rule Type	Operator	Value Format	Use Case
INLINECODE136	INLINECODE137	INLINECODE138	Per-transaction cap
INLINECODE139

LTE | "1000" | Daily spending cap | | WEEKLY_LIMIT | LTE | "5000" | Weekly spending cap | | MONTHLY_LIMIT | LTE | "20000" | Monthly spending cap | | BUDGET_CAP | LTE | {"amount":10000,"period":"MONTHLY"} | Budget allocation | | ALLOWED_CATEGORIES | IN_LIST | ["API_PROVIDER","CLOUD"] | Category whitelist | | BLOCKED_CATEGORIES | IN_LIST | ["GAMBLING"] | Category blocklist | | ALLOWED_COUNTERPARTIES | IN_LIST | ["0xabc..."] | Address whitelist | | BLOCKED_COUNTERPARTIES | IN_LIST | ["0xbad..."] | Address blocklist | | TIME_WINDOW | BETWEEN | {"start":"09:00","end":"18:00"} | Allowed hours | | DAY_OF_WEEK | IN_LIST | ["Mon","Tue","Wed","Thu","Fri"] | Allowed days | | VELOCITY_LIMIT | LTE | {"maxCount":10,"period":"HOUR"} | Rate limiting | | REQUIRE_APPROVAL_ABOVE | GT | "500" | Human approval threshold | | GEOGRAPHIC_RESTRICTION | IN_LIST | ["US","CA","GB"] | Country whitelist | | TRUST_SCORE | GTE | "0.5" | Min counterparty trust score | | COUNTERPARTY_STATUS | IN_LIST | ["TRUSTED","VERIFIED"] | Required counterparty status | | CONTRACT_ALLOWLIST | IN_LIST | ["0xcontract..."] | Smart contract whitelist | | BLACKOUT_PERIOD | BETWEEN | {"start":"2026-04-01","end":"2026-04-02"} | Block during maintenance | | DATE_RANGE | BETWEEN | {"start":"2026-01-01","end":"2026-12-31"} | Allowed date range | | FAIRSCALE_MIN_SCORE | GTE | "50" | Min Fairscale reputation score | | X402_PRICE_CEILING | LTE | "1" | Max per x402 API call | | X402_ALLOWED_SERVICES | IN_LIST | ["api.openai.com"] | x402 service whitelist | | X402_BLOCKED_SERVICES | IN_LIST | ["untrusted.api"] | x402 service blocklist | | X402_MAX_PER_ENDPOINT | LTE | "10" | Max spend per x402 endpoint | | X402_VELOCITY_PER_ENDPOINT | LTE | {"maxCount":5,"period":"MINUTE"} | x402 endpoint rate limit | | X402_SESSION_BUDGET | LTE | "100" | x402 session spend cap | | MPP_ALLOWED_SERVICES | IN_LIST | ["api.example.com"] | MPP service whitelist | | MPP_BLOCKED_SERVICES | IN_LIST | ["untrusted.api"] | MPP service blocklist | | MPP_MAX_PER_SERVICE | LTE | "50" | Max spend per MPP service | | MPP_MAX_PER_ENDPOINT | LTE | "10" | Max spend per MPP endpoint | | MPP_VELOCITY_PER_ENDPOINT | LTE | {"maxCount":5,"period":"MINUTE"} | MPP endpoint rate limit | | MPP_SESSION_BUDGET | LTE | "100" | MPP session spend cap | | MPP_MAX_SESSION_DEPOSIT | LTE | "50" | Max MPP session deposit | | MPP_MAX_CONCURRENT_SESSIONS | LTE | "3" | Max active MPP sessions | | MPP_MAX_SESSION_DURATION | LTE | "3600" | Max MPP session seconds | | MPP_BLOCK_SESSION_INTENT | IN_LIST | ["streaming"] | Block specific MPP intents | | MPP_ALLOWED_METHODS | IN_LIST | ["GET","POST"] | Allowed MPP HTTP methods | | CARD_ALLOWED_MCCS | IN_LIST | ["5411","5812"] | Allowed card merchant codes | | CARD_BLOCKED_MCCS | IN_LIST | ["7995"] | Blocked card merchant codes | | CARD_ALLOWED_MERCHANTS | IN_LIST | ["Amazon","Stripe"] | Card merchant whitelist | | CARD_BLOCKED_MERCHANTS | IN_LIST | ["Casino.com"] | Card merchant blocklist | | CARD_MAX_AMOUNT | LTE | "500" | Max per card transaction |

Critical Rules

1. 1. Use the right mode for the wallet type. Mode A (/request + autoExecute) for PRIVY/SPONGE wallets. Mode B (/approve + transfer + /confirm) for EXTERNAL wallets.
2. NEVER skip the policy check. Every payment must go through Conto first.
3. NEVER execute a denied payment. If approved is false or status is DENIED, stop.
4. For Mode B: ALWAYS confirm after execution. Call /confirm with the tx hash to keep spend tracking accurate. Mode A handles this automatically.
5. Approvals expire quickly. Mode A (/request) approvals expire in 5 minutes. Mode B (/approve) approvals expire in 10 minutes. Execute promptly after approval.
6. On API errors, fail closed. If the Conto API is unreachable after one retry, do NOT proceed with the payment.
7. Convert to USDC equivalent. The amount field is always in USDC. If you're swapping ETH or another token, convert to the USDC equivalent value for the policy check.