Skip to main content

​
Overview

Most firewalls do one thing: block. Sudont does something fundamentally different β€” when a transaction is suspicious but not clearly malicious, it interrogates the agent.
The Interrogation Protocol is a structured, adversarial feedback loop. It doesn’t just block. It teaches.
The Judge returns an INTERROGATE verdict. The Cortex challenges the agent with a specific, actionable demand. The agent self-corrects and resubmits. The corrected transaction re-enters the Diamond. If the agent’s correction satisfies the Constitution, it is approved. If not, it is blocked and the failure is logged.

​
The Three Verdicts

Every transaction that passes through the Diamond receives one of three verdicts from the Judge:
VerdictTriggerOutcome
APPROVEIntent matches physics, within Constitution limitsEIP-191 signed approval artifact
BLOCKIntent β‰  physics, or Constitution hard-violatedImmutable rejection with reason code
INTERROGATEMedium-risk signal detectedCortex opens a challenge round
INTERROGATE is not a soft block. It is an active protocol. The Judge does not wait β€” it immediately signals the Cortex to initiate a challenge against the requesting agent.

​
The Feedback Loop

Agent Submits Request

The AI agent submits a transaction or approval request through the Sudont sidecar.

Diamond Pipeline Evaluates

The request passes through Constitution β†’ Cortex/Cage β†’ Judge. The Judge identifies a medium-risk signal and returns INTERROGATE.

Cortex Issues Challenge

The Cortex states the specific violation and demands a correction. Examples:
  • β€œApproval amount exceeds maximum. Reduce to exact trade amount.”
  • β€œDestination not on allowlist. Provide an approved address.”

Agent Self-Corrects

The agent receives the structured prompt, adjusts its parameters, and resubmits the transaction with the corrected values.

Verification

The Cortex checks the correction against the Constitution. If compliant, the corrected transaction is approved and signed. If not, the challenge fails β€” terminal block.

​
When Interrogation Triggers

The Cortex enriches every transaction with computed flags before the Judge evaluates it. The Judge queries the Constitution’s Polar ruleset to classify risk. MEDIUM risk triggers interrogation.
SignalWhy It’s Suspicious
Unlimited token approval (MAX_UINT256)Agent may be granting unbounded access to a spender
Unverified spender addressConstitution does not recognize the counterparty
Non-allowlisted contract destinationAgent may be interacting with an unknown protocol
These signals are defined in Polar alongside the allow() rules β€” not hardcoded in code. Adding a new risk heuristic is a policy change, not a code change.

​
Interrogation Scenarios

An autonomous DeFi agent requests token approval with amount = MAX_UINT256.
Interrogation Trace
[STEP 1/4]  AGENT REQUESTED UNLIMITED APPROVAL.
[JUDGE]     ACTION: INTERROGATE β€” Require bounded approval limit.

            [Cortex rewrites approval to exact trade amount]

[STEP 3/4]  AGENT AGREED. APPROVAL REDUCED TO EXACT AMOUNT.
[STEP 4/4]  SPENDER VERIFIED. APPROVAL ALLOWED.
The Cortex applies an atomic rewrite β€” the unlimited approval is replaced with the exact amount required for the current trade. The rewrite is logged as a challenge_diff event. The agent’s original request is preserved in the adversarial record.

​
The Adversarial Record

Every interrogation β€” pass or fail β€” produces an immutable audit trail.
Adversarial Record
{
  "kind": "challenge_diff",
  "run_id": "a3f9c2e1",
  "agent": "0xAgentAddress",
  "before_destination": "0x20e9...c4a1",
  "after_destination": "0x1111...1111",
  "agent_claim": "Strategic asset reallocation to authorized vault.",
  "agent_response": "Double-checked. Use vault 0x1111...1111",
  "corrected": true
}
An auditor can reconstruct exactly what an agent claimed, what the firewall demanded, and how the agent responded β€” without access to the code. The event stream is the complete record. An agent that lies gets caught. If an agent provides a destination that isn’t on the allowlist, the Cortex verifies the proposed address against the Constitution before applying any patch. A false address is treated the same as no address: immediate block, adversarial record written.

​
What Interrogation Cannot Do

The Cortex is deliberately constrained:

Cannot Approve

Only the Judge can produce a signed approval artifact. The Cortex has no signing authority.

Cannot Sign

No private key operations occur in the challenge round. Cryptographic operations are Judge-only.

Cannot Modify Policy

The Constitution’s allowlists are read-only during a challenge. Policy is immutable mid-flow.

Cannot Loop Indefinitely

Each transaction receives at most one challenge round. A failed challenge is terminal.

Handling Interrogation in Code

See the SDK Quickstart for a complete TypeScript example of an agent that handles INTERROGATE responses, self-corrects, and resubmits β€” implementing the full ReAct loop.