FlowCoreAPI

March 23, 2026 · View on GitHub

"One call. Full stack. One proof."

Python License: MIT ACP Live

FlowCoreAPI is the unified IAM entry point for the full Achilles pre-execution stack. Instead of calling MemGuard, NoLeak, EP, and RiskOracle individually — four separate API calls, four separate responses, four separate proof hashes — an agent calls FlowCore once and gets back a single unified response with one proof hash covering the entire pre-execution flow.

Not EP. Not NoLeak. Not MemGuard. Not RiskOracle. Not SecureExecAPI. FlowCoreAPI is the gateway — the single call that runs the whole stack.


The Problem

Agents running the full pre-execution stack face a coordination problem:

Without FlowCore:               With FlowCore:

Agent calls MemGuard     ─┐     Agent calls FlowCore  ──► approved: true
Agent calls NoLeak        │                                unifiedProofHash: 0x...
Agent calls EP            ├──   4 API calls                latencyMs: 890
Agent calls RiskOracle   ─┘     4 proof hashes
                                4 error states to handle
                                ~\$0.05 total
                                                           1 API call
                                                           1 proof hash
                                                           1 error state
                                                           \$0.02 total

FlowCore cuts cost, complexity, and failure surface in half.


Architecture

              Agent Intent


    ┌──────────────────────────┐
    │       FlowCoreAPI         │
    │   POST /flow/check        │
    │                          │
    │   x402 / MPP gate        │ ← 402 if no payment credential
    │   ERC-7710 delegation    │ ← pre-approve for high-frequency
    └──────────────┬───────────┘

    ┌──────────────▼───────────┐
    │     Route Execution       │
    │  (default: all 4 steps)  │
    └──────────────┬───────────┘

     ┌─────────────┼─────────────┬─────────────┐
     ▼             ▼             ▼             ▼
 MemGuard       NoLeak          EP         RiskOracle
 /memguard/     /noleak/    /ep/validate   /risk/check
  check          check
     │             │             │             │
  stateValid  shouldExecute    valid       riskScore
  driftScore    score        proof_hash  recommendedAction
     │             │             │             │
     └─────────────┴─────────────┴─────────────┘

    ┌──────────────▼───────────┐
    │   Unified Proof Hash      │
    │   SHA-256 of all results  │
    └──────────────┬───────────┘


          approved: true/false
          blockedBy: null / "ep"
          unifiedProofHash: "0x..."

Fail-Open Guarantee

Every dependency call has a 3-second hard timeout. If any service is down or slow, FlowCore uses stub values and continues. The agent is never blocked by a dependency failure.

Dependency failure matrix:

MemGuard   DOWN → stateValid=true, driftScore=0.03 (safe stub, flow continues)
NoLeak     DOWN → shouldExecute=true, score=0.75  (safe stub, flow continues)
EP         DOWN → valid=true, proof_hash=null      (safe stub, flow continues)
RiskOracle DOWN → riskScore=0.15, action=proceed   (safe stub, flow continues)

API Reference

POST /flow/check

Full pre-execution flow. Requires payment for external agents.

Request

{
  "agentId": "your_agent_id",
  "intent": {
    "type": "trade",
    "action": {
      "type": "swap",
      "capital": 50,
      "asset": "ETH"
    }
  },
  "context": {
    "walletBalance": 500,
    "memoryState": { "price": 2000 }
  },
  "route": ["memguard", "noleak", "ep", "riskoracle"]
}
FieldTypeRequiredDescription
agentIdstringNoYour agent's unique ID
intentobjectYesThe intent being evaluated
intent.typestringNoIntent type for logging
context.walletBalancenumberNoAvailable capital
context.memoryStateobjectNoCurrent agent state
routearrayNoAPI subset to run. Default: all 4

Response (200 — approved)

{
  "flowId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890",
  "approved": true,
  "blockedBy": null,
  "results": {
    "memguard":   { "stateValid": true,  "driftScore": 0.03 },
    "noleak":     { "shouldExecute": true, "score": 0.82 },
    "ep":         { "valid": true, "proof_hash": "0x..." },
    "riskoracle": { "riskScore": 0.12, "recommendedAction": "proceed", "confidence": 0.91 }
  },
  "route": ["memguard", "noleak", "ep", "riskoracle"],
  "unifiedProofHash": "0xa3f9c2e1b84d...",
  "componentProofHashes": ["0x...", "0x..."],
  "paymentProtocol": "x402",
  "latencyMs": 890,
  "timestamp": "2026-03-23T00:00:00Z",
  "schemaVersion": "v1"
}

Response (200 — blocked)

{
  "flowId": "...",
  "approved": false,
  "blockedBy": "ep",
  "results": { "...": "..." },
  "unifiedProofHash": "0x...",
  "latencyMs": 312
}

Response (402 — payment required)

{
  "status": 402,
  "amount": "0.02",
  "currency": "USDC",
  "network": "base",
  "value": "Replaces 4 separate API calls with one unified call",
  "erc7710": "Pre-approve spend limit for high-frequency calls"
}

POST /flow/route

Call a custom subset of APIs. Cheaper — use when you don't need the full stack.

{
  "agentId": "your_agent",
  "intent": { "type": "publish", "action": {} },
  "route": ["ep"]
}

GET /health

{
  "status": "ok",
  "service": "flowcore",
  "version": "v1",
  "routes": ["memguard", "noleak", "ep", "riskoracle"]
}

Routing

Default route:    memguard → noleak → ep → riskoracle
Custom routes:    any subset in any order

Examples:
  ["ep"]                    — IAM check only (\$0.01)
  ["ep", "riskoracle"]      — IAM + risk (\$0.015)
  ["memguard", "noleak"]    — state + execution (\$0.015)
  ["memguard", "noleak", "ep", "riskoracle"]  — full stack (\$0.02)

Quickstart

git clone https://github.com/achilliesbot/flow-core.git
cd flow-core
pip install -r requirements.txt
python flowcore_server.py

Server starts on port 5092.

Test It

# Full flow (internal agent — no payment required)
curl -X POST http://localhost:5092/flow/check \
  -H "Content-Type: application/json" \
  -d '{
    "agentId": "achilles",
    "intent": {
      "type": "trade",
      "action": {"type": "swap", "capital": 50}
    },
    "context": {"walletBalance": 500}
  }'

# Custom route — EP only
curl -X POST http://localhost:5092/flow/route \
  -H "Content-Type: application/json" \
  -d '{
    "agentId": "achilles",
    "intent": {"type": "publish"},
    "route": ["ep"]
  }'

# Health
curl http://localhost:5092/health

Environment Variables

VariableDefaultDescription
PORT5092Server port (Render sets automatically)
EP_GUARD_URLhttps://achillesalpha.onrender.com/ep/validateEP endpoint
NOLEAK_URLhttps://achillesalpha.onrender.com/noleak/checkNoLeak endpoint
MEMGUARD_URLhttps://achillesalpha.onrender.com/memguard/checkMemGuard endpoint
RISKORACLE_URLhttps://achillesalpha.onrender.com/risk/checkRiskOracle endpoint
PAYMENT_WALLETUSDC destination on Base
DATABASE_URLlocal postgresPostgres connection string

Pricing

TierPriceRoute
EP only$0.01/call["ep"]
Custom subset$0.01/callAny 1-2 step route
Full stack$0.02/callAll 4 steps (default)
Batch$0.05+Multi-intent flows

vs calling individually: MemGuard ($0.01) + NoLeak ($0.01) + EP ($0.01) + RiskOracle ($0.01) = $0.04. FlowCore full stack = $0.02. 50% cheaper. One call. One proof.


Postgres Schema

CREATE TABLE flowcore_calls (
  id SERIAL PRIMARY KEY,
  timestamp TIMESTAMPTZ DEFAULT NOW(),
  caller_agent_id TEXT,
  intent_type TEXT,
  approved BOOLEAN,
  blocked_by TEXT,
  route JSONB,
  unified_proof_hash TEXT,
  latency_ms INTEGER,
  payment_protocol TEXT,
  schema_version TEXT DEFAULT 'v1'
);

Live on Virtuals ACP

FieldValue
Offeringflow-core
Price$0.02/call (full stack)
Registryapp.virtuals.io/acp

The Complete Olympus Stack

ProductQuestionACPPrice
MemGuardIs my state valid?memguard-check$0.01
NoLeakShould I execute?noleak-check$0.01
EP AgentIAMAm I authorized?ep-guard$0.01
RiskOracleWhat is my risk?pre-risk-check$0.01
SecureExecAPIExecute safely?secure-exec$0.01
FlowCoreAPIAll of the above?flow-core$0.02

Built by Achilles. Bootstrapped. Zero VC. All production.


License

MIT