What the demo proves.
demo.pqsafe.xyz runs an AI agent that pays its own SaaS bills using PQSafe-signed envelopes. Real virtual card, real charges, real audit trail. This page narrates the ten steps that happen end-to-end — what you see, what the agent is doing under the hood, and why each step matters.
The agent's monitoring layer (here: Sentry's billing webhook, but any inbox poll works) signals that Sentry is about to charge the cardholder. The agent's job is to decide whether to authorize the charge.
The agent's policy says: SaaS bills under $50/month, from one of 5 pre-approved vendors, are auto-pay. Sentry @ $26 matches.
The agent calls the pqsafe.pay.v1 skill (or the raw SDK) to generate a signed mandate: agent_id, amount=26.00, currency=USD, recipient=Sentry's DID, nonce, expires in 5 minutes.
// what the skill returns { agent_id: 'did:web:agents.raymond.com:saas-pay', amount: '26.00', currency: 'USD', recipient: 'did:web:sentry.io:billing', nonce: 'a3f2…d801', signature: { alg: 'ap2-ecdsa-p256+ap2-mldsa65', ecdsa: '…', mldsa: '…' } }
The envelope hits api.pqsafe.xyz/v1/mandates/verify (or local SDK verify). Both signatures pass, nonce isn't in the registry, expires_at is in the future. Verifier returns OK.
Airwallex Borderless creates a virtual card with exactly the policy bounds: capped at $26, locked to Sentry's merchant ID, expires in 5 minutes. The bridge stores the envelope hash → card ID mapping.
Standard card transaction. Sentry sees a normal MasterCard auth, captures $26. The card was created moments ago and will be void within minutes; nothing else can charge it.
Card-bridge receives the capture event. It joins the capture (amount, merchant, timestamp) with the originating envelope hash and writes the pair to the audit log.
The card-bridge submits the envelope's nonce to the on-chain SpendEnvelope registry on Arbitrum. Even if the envelope leaks now, replay is prevented.
A new row in the demo dashboard: timestamp, agent, amount, recipient, envelope fingerprint, registry tx hash, capture tx hash. One signed, verified, captured, audited end-to-end transaction. Click into the row to expand the full envelope JSON and re-verify it in your own browser via /verify.
The demo also shows a deliberately blocked attempt: the agent receives a phishing-style "Sentry CFO" invoice for $5,000 from a typo-squat domain. The agent's policy rejects the recipient DID; no envelope is issued; no card is minted. The blocked attempt is logged for audit visibility.
What this proves about PQSafe
- Spend authorization is cryptographic, not procedural. The amount, recipient, currency, and time window are bound to the signature. A leaked envelope can't be repurposed.
- The post-quantum signature is on the hot path. Every transaction in the demo carries an ML-DSA-65 signature alongside ECDSA. The verifier checks both.
- The audit trail is verifiable by anyone. Envelopes are public artifacts (minus signatures). Anyone can re-verify any historical transaction at /verify using the published issuer pubkey.
- The rail is real, not simulated. Airwallex Borderless is a regulated card issuer; the captured charges show up on a real card statement. The demo runs on Raymond's own account.
- Policy failure is observable. Step 10 shows the same machinery rejecting an attack — the absence of an envelope is also a verifiable signal.
Recording & reproducibility
The live dashboard is the canonical version. A scripted screen recording will be published at this URL once the May 13 recording session is complete, embedded inline above the steps. In the meantime, the demo at demo.pqsafe.xyz is open and replayable.
To run a copy yourself: clone PQSafe/pqsafe, populate the Airwallex sandbox keys, point the issuer at sandbox.pqsafe.xyz, and run bash demo/run.sh. Documented in the repo README.