Documentation — Proof of Claw

✦ Overview

Proof of Claw is a framework for running autonomous AI agents whose behavior is cryptographically provable, whose communication is end-to-end encrypted, and whose high-value actions require human approval via hardware signing.

An agent built with Proof of Claw can:

Reason privately using decentralized inference (0G Compute)
Store persistent memory and execution traces on decentralized storage (0G Storage)
Discover and message other agents via ENS-resolved encrypted channels (DM3)
Prove to any on-chain verifier that it followed its declared policy (RISC Zero zkVM)
Route high-value or out-of-policy actions to its owner's Ledger device for physical approval (Ledger DMK + Clear Signing)

The core agent runtime is adapted from IronClaw, a Rust-based OpenClaw reimplementation with WASM-sandboxed tool execution, capability-based permissions, and defense-in-depth security.

Tech Stack: Rust · Tokio · Wasmtime · 0G Compute · 0G Storage · ENS · DM3 · RISC Zero · Boundless · Ledger DMK/DSK · Solidity (Foundry) · Swarm Protocol

▶ Quick Start

Prerequisites

Rust 1.75+
Foundry (forge, cast)
RISC Zero toolchain
Node.js 18+ (for web UI, optional)

1. Build the Agent Runtime

terminal

# Build the Rust agent runtime
cd agent
cargo build --release
  

2. Build RISC Zero Programs

terminal

# Compile zkVM guest and host programs
cd zkvm
cargo build --release
  

3. Deploy Smart Contracts

terminal

cd contracts
forge build
forge script script/Deploy.s.sol --rpc-url $RPC_URL --broadcast
  

4. Run the Agent

terminal

cd agent
cargo run

⬢ Architecture

A layered design separating agent reasoning, integration services, and on-chain verification. Each layer assumes the layer below it may be compromised.

Agent Core — IronClaw Runtime

The core agent is written in Rust and consists of three primary subsystems:

Component	Path	Responsibility
Agent Loop	`agent/src/core/agent.rs`	Main event loop, message handling, intent routing, job coordination
Intent Router	`agent/src/core/intent_router.rs`	Classifies incoming messages into actionable intents
Job Scheduler	`agent/src/core/job_scheduler.rs`	Manages asynchronous task execution
Tool Registry	`agent/src/tools/registry.rs`	Available tools and their metadata
WASM Sandbox	`agent/src/tools/sandbox.rs`	Isolated execution environment for untrusted tools
Capabilities	`agent/src/tools/capabilities.rs`	Permission and rate limit enforcement
Policy Engine	`agent/src/safety/policy_engine.rs`	Enforces declared agent policy rules
Content Sanitizer	`agent/src/safety/sanitizer.rs`	Removes malicious content from inputs/outputs
Injection Detector	`agent/src/safety/injection_detector.rs`	Detects prompt injection attempts

Two-Tier Trust Model

Tier	Condition	Signing	Verification
Autonomous	Action value < threshold	Agent server wallet	RISC Zero proof on-chain
Ledger-Gated	Value ≥ threshold or escalation	Owner's Ledger device	RISC Zero + Ledger approval

Data Flow

Autonomous Action Flow

Agent receives message (user or DM3)

Intent router classifies action

0G Compute performs private inference

Safety layer validates against declared policy

Tool execution in WASM sandbox

Execution trace stored on 0G Storage

RISC Zero proof generated via Boundless

Agent wallet submits proof + action to verifier contract

Contract verifies proof and executes action

Ledger-Gated Action Flow

1–7

Same as autonomous flow

RISC Zero proof indicates approval required

Contract emits ApprovalRequired event

Web UI alerts owner

Owner reviews on Ledger device (Clear Signing)

Owner physically approves

Ledger signs approveAction() transaction

Contract executes action

◉ 0G Network

⚡

0G Compute 0G Storage

Every LLM call runs through 0G's Sealed Inference — prompts enter encrypted, operators cannot inspect them. Execution traces are stored on 0G Storage with content-addressable root hashes that anchor the provable chain.

integrations/0g_compute.ts — Sealed Inference

import { createZGServingNetworkBroker } from '@0glabs/0g-serving-broker';

// Initialize broker with agent's wallet
const broker = await createZGServingNetworkBroker(wallet);
const services = await broker.inference.listService();
const provider = services.find(s => s.verifiability === 'TeeML');

// OpenAI-compatible call through 0G Compute
const headers = await broker.inference.getRequestHeaders(provider.provider, prompt);
const response = await fetch(`${endpoint}/chat/completions`, {
  method: 'POST',
  headers: { 'Content-Type': 'application/json', ...headers },
  body: JSON.stringify({ messages, model }),
});

// Verify attestation
const verified = await broker.inference.verifyResponse(response);
  

✉ ENS + DM3

🌐

ENS DM3

Agents register as ENS subnames (e.g. alice-agent.proofclaw.eth) with text records storing DM3 profiles, policy hashes, and RISC Zero image IDs. Inter-agent communication is end-to-end encrypted via the DM3 protocol.

integrations/dm3_messaging.ts — E2E Encrypted Agent Chat

import { createEnvelop } from '@dm3-org/dm3-lib';

// Publish DM3 profile to ENS text record
await ensContract.setText(
  namehash('alice-agent.proofclaw.eth'),
  'eth.dm3.profile',
  toDataURI(deliveryServiceProfile)
);

// Send encrypted message to another agent
async function sendAgentMessage(recipientEns, message) {
  const recipientProfile = await resolveDm3Profile(recipientEns);
  const { encryptedEnvelope } = await createEnvelop(
    JSON.stringify(message),
    keys.signingKey,
    recipientProfile.publicEncryptionKey,
    recipientProfile.deliveryServiceUrl
  );
  await fetch(recipientProfile.deliveryServiceUrl, {
    method: 'POST',
    body: JSON.stringify(createJsonRpcCallSubmitMessage(encryptedEnvelope)),
  });
}
  

✱ RISC Zero + Boundless

✓

RISC Zero Boundless

The execution trace — 0G attestation, tool invocations, safety checks — is fed into a RISC Zero zkVM guest program. Proof generation is outsourced to the Boundless decentralized prover network. The receipt lands on-chain for anyone to verify.

guest/src/main.rs — RISC Zero zkVM Guest

// Runs inside RISC Zero zkVM — produces cryptographic receipt
fn main() {
    let trace: ExecutionTrace = risc0_zkvm::guest::env::read();
    let policy: AgentPolicy = risc0_zkvm::guest::env::read();

    // Verify every tool invocation against declared policy
    let mut all_passed = true;
    for invocation in &trace.tool_invocations {
        if !policy.allowed_tools.contains(&invocation.tool_name) {
            all_passed = false;
        }
    }

    // Check if Ledger approval is required
    let requires_approval = trace.action_value() > policy.max_value_autonomous;

    // Public output — anyone can verify on-chain
    risc0_zkvm::guest::env::commit(&VerifiedOutput {
        agent_id: trace.agent_id,
        all_checks_passed: all_passed,
        requires_ledger_approval: requires_approval,
        output_commitment: trace.output_commitment,
    });
}
  

⚿ Ledger DMK — Hardware Approval

🔒

Ledger DMK Clear Signing

High-value actions route to the owner's Ledger device via DMK/DSK. ERC-7730 Clear Signing metadata renders human-readable transaction details directly on the device — not raw hex.

integrations/ledger_approval.ts — Clear Signing

import { DeviceManagementKitBuilder } from '@ledgerhq/device-management-kit';
import { SignerEthBuilder } from '@ledgerhq/device-signer-kit-ethereum';

// Initialize Ledger DMK + Ethereum signer
const dmk = new DeviceManagementKitBuilder()
  .addTransport(webHidTransportFactory).build();
const sessionId = await dmk.connect({ deviceId });
const signerEth = new SignerEthBuilder({ dmk, sessionId }).build();

// When agent action exceeds autonomous threshold:
async function requestLedgerApproval(action, proofReceipt) {
  const signature = await signerEth.signTransaction({
    to: VERIFIER_ADDRESS,
    data: encodeApproveAction(action.agentId, action.outputCommitment),
  });
  return signature;
}
  

⬯ Swarm Protocol

⬯

Swarm

Proof of Claw agents can register with the Swarm Protocol network for multi-agent coordination. Agents advertise their capabilities (zk-verify, policy-check, swap, transfer) and can be discovered and orchestrated by other Swarm-connected agents.

⬢ Smart Contracts

ProofOfClawVerifier

The on-chain verifier contract handles:

Agent registration with policy commitment (policy hash)
RISC Zero proof verification via the on-chain verifier
Autonomous vs Ledger-gated execution routing
Action execution with on-chain enforcement

Clear Signing (ERC-7730)

ERC-7730 metadata stored at contracts/clear-signing/proofofclaw.json enables the Ledger device to render human-readable action descriptions instead of raw calldata. The owner sees exactly what the agent wants to do before physically approving.

⚠ Security & Threat Model

Every layer assumes the layer below it is compromised.

Threat	Mitigation
Agent acts outside policy	RISC Zero proof fails; action blocked on-chain. No proof = no action.
Inference tampering	0G Compute attestation signs every response. Tampered data produces an invalid proof.
Message interception	DM3 end-to-end encryption with keys from ENS profiles. Delivery service never sees plaintext.
Identity spoofing	ENS ownership tied to Ledger EOA.
High-value action without consent	Physical Ledger approval required. Owner sees human-readable Clear Signing display.
Prompt injection	Safety layer runs in proven execution trace. Injection detector + content sanitizer.

Safety Layer

The safety subsystem provides defense-in-depth:

Policy Engine — Enforces declared agent policy rules, validates tool invocations against allowlists
Content Sanitizer — Strips potentially malicious content from inputs and outputs
Injection Detector — Detects and blocks prompt injection attempts before they reach the LLM
WASM Sandbox — Untrusted tools execute in isolated Wasmtime containers with capability-based permissions

⬣ Agent API Spec

Any agent that implements these endpoints can connect to Proof of Claw. Build your agent in Python, Node, Go, Rust, or any language.

Required Endpoints

Your agent must implement these two endpoints to be connectable.

GET /health

// Health check — return 200 OK
// No body required. Used for liveness checks.

curl http://localhost:8420/health
// Response: 200 OK

GET /api/status

// Returns agent identity, configuration, and statistics

// Response shape:
{
  "agent_id": "my-agent",
  "ens_name": "my-agent.proofclaw.eth",
  "status": "online",
  "network": "sepolia",
  "allowed_tools": ["swap_tokens", "transfer", "query"],
  "endpoint_allowlist": ["https://api.uniswap.org"],
  "max_value_autonomous_wei": "1000000000000000000",
  "uptime_secs": 3600,
  "stats": {
    "total_actions": 42,
    "proofs_generated": 15
  }
}

Chat Endpoint

Required for the chat interface. This is where the agent processes user messages.

POST /api/chat

// Request:
{ "message": "swap 100 USDC for ETH" }

// Response:
{
  "response": "Executing swap: 100 USDC for ETH. Policy verified.",
  "intent": {
    "action_type": "swap",       // "swap" | "transfer" | "query" | "unknown"
    "confidence": 0.95
  },
  "policy_result": {
    "allowed": true,
    "approval_type": "autonomous", // "autonomous" | "ledger_gated"
    "checks": [
      { "rule_id": "tool_allowlist", "severity": "Pass", "details": "swap_tokens allowed" },
      { "rule_id": "value_threshold", "severity": "Pass", "details": "within limit" }
    ]
  },
  "proof": {
    "proof_id": "0xabcd...",
    "status": "verified",
    "output_commitment": "0x1234..."
  }
}

Optional Endpoints

These enable full dashboard, proofs, and messaging integration.

GET /api/activity

// Returns activity feed
[
  {
    "id": "act-001",
    "timestamp": 1712234567,
    "type": "proof_generated",     // "proof_generated" | "message_received" | "policy_violation"
    "title": "Swap executed autonomously",
    "description": "Swapped 100 USDC for ETH",
    "severity": "info"             // "info" | "warning" | "error"
  }
]

GET /api/proofs

// Returns proof history
[
  {
    "proof_id": "0xabcd...",
    "timestamp": 1712234567,
    "agent_id": "my-agent",
    "action": "swap_tokens",
    "status": "verified",
    "output_commitment": "0x1234...",
    "policy_checks": {
      "tool_allowlist": "Pass",
      "endpoint_restriction": "Pass",
      "value_threshold": "Pass"
    }
  }
]

GET /api/messages & POST /api/messages/send

// GET /api/messages — Returns message records
[
  {
    "id": "msg-001",
    "from": "my-agent",
    "to": "other-agent.proofclaw.eth",
    "content": "Hello, want to collaborate?",
    "timestamp": 1712234567,
    "direction": "outbound"
  }
]

// POST /api/messages/send
// Request: { "to": "bob.proofclaw.eth", "content": "Hello!" }
// Response: { "success": true, "message_id": "msg-002", "timestamp": 1712234567 }

CORS Requirements

Since the Proof of Claw frontend is a static site, your agent must return CORS headers:

Required Headers

Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Allow-Headers: Content-Type

Minimal Agent Examples

Python (Flask)

from flask import Flask, jsonify, request
from flask_cors import CORS

app = Flask(__name__)
CORS(app)

@app.route('/health')
def health():
    return 'ok'

@app.route('/api/status')
def status():
    return jsonify({
        'agent_id': 'my-python-agent',
        'ens_name': 'my-agent.proofclaw.eth',
        'status': 'online',
        'network': 'sepolia',
        'allowed_tools': ['query'],
        'endpoint_allowlist': [],
        'max_value_autonomous_wei': '0',
        'uptime_secs': 0,
        'stats': {'total_actions': 0, 'proofs_generated': 0}
    })

@app.route('/api/chat', methods=['POST'])
def chat():
    msg = request.json.get('message', '')
    return jsonify({
        'response': f'You said: {msg}',
        'intent': {'action_type': 'query', 'confidence': 0.8},
        'policy_result': {'allowed': True, 'approval_type': 'autonomous', 'checks': []},
        'proof': {'proof_id': '0x0', 'status': 'pending', 'output_commitment': '0x0'}
    })

app.run(port=8420)

Node.js (Express)

const express = require('express');
const cors = require('cors');
const app = express();
app.use(cors());
app.use(express.json());

app.get('/health', (req, res) => res.send('ok'));

app.get('/api/status', (req, res) => res.json({
  agent_id: 'my-node-agent',
  ens_name: 'my-agent.proofclaw.eth',
  status: 'online',
  network: 'sepolia',
  allowed_tools: ['query'],
  endpoint_allowlist: [],
  max_value_autonomous_wei: '0',
  uptime_secs: 0,
  stats: { total_actions: 0, proofs_generated: 0 }
}));

app.post('/api/chat', (req, res) => res.json({
  response: `You said: ${req.body.message}`,
  intent: { action_type: 'query', confidence: 0.8 },
  policy_result: { allowed: true, approval_type: 'autonomous', checks: [] },
  proof: { proof_id: '0x0', status: 'pending', output_commitment: '0x0' }
}));

app.listen(8420);

Minimum Viable Agent: Implement /health, /api/status, and /api/chat to connect and chat. All other endpoints are optional and enable additional features (dashboard activity, proofs explorer, messaging).

⚙ Configuration

Create a .env file in the agent directory:

.env

AGENT_ID=alice-agent
ENS_NAME=alice.proofclaw.eth
PRIVATE_KEY=0x...
RPC_URL=https://eth-sepolia.g.alchemy.com/v2/...
ZERO_G_INDEXER_RPC=https://indexer-storage-testnet.0g.ai
ZERO_G_COMPUTE_ENDPOINT=https://broker-testnet.0g.ai
DM3_DELIVERY_SERVICE_URL=http://localhost:3001
ALLOWED_TOOLS=swap_tokens,transfer,query
MAX_VALUE_AUTONOMOUS_WEI=1000000000000000000

Variable	Description
`AGENT_ID`	Unique agent identifier
`ENS_NAME`	Agent's ENS subname for identity and DM3 messaging
`PRIVATE_KEY`	Agent server wallet private key
`RPC_URL`	Ethereum RPC endpoint
`ZERO_G_INDEXER_RPC`	0G Storage indexer endpoint
`ZERO_G_COMPUTE_ENDPOINT`	0G Compute broker endpoint
`DM3_DELIVERY_SERVICE_URL`	DM3 delivery service for encrypted messaging
`ALLOWED_TOOLS`	Comma-separated list of permitted tools
`MAX_VALUE_AUTONOMOUS_WEI`	Threshold above which Ledger approval is required (in wei)

⌂ Repository Structure

project layout

proof-of-claw/
├── agent/                      # Rust agent runtime
│   └── src/
│       ├── core/               # Agent loop, intent router, job scheduler
│       ├── tools/              # WASM sandbox, tool registry, capabilities
│       ├── safety/             # Policy engine, sanitizer, injection detector
│       └── integrations/       # 0G, ENS/DM3, Ledger integrations
├── zkvm/                       # RISC Zero zkVM programs
│   ├── guest/                  # Guest program (policy verification)
│   └── host/                   # Host program (proof generation)
├── contracts/                  # Solidity smart contracts
│   ├── src/
│   │   └── ProofOfClawVerifier.sol
│   ├── clear-signing/
│   │   └── proofofclaw.json    # ERC-7730 metadata
│   └── script/Deploy.s.sol
├── frontend/                   # Web UI
│   ├── index.html              # Landing page
│   ├── docs.html               # Documentation (this page)
│   ├── agents.html             # Agent management
│   ├── dashboard.html          # Monitoring dashboard
│   ├── deploy.html             # Agent deployment
│   ├── messages.html           # DM3 message viewer
│   └── proofs.html             # ZK proof explorer
└── spec.md                     # Full technical specification
  

★ Target Bounties

Best OpenClaw Agent on 0G

$6,000

0G Compute (inference), 0G Storage (memory + traces)

Best ENS Integration for AI Agents

$5,000

ENS subnames for agent identity, DM3 for encrypted messaging

AI Agents x Ledger

$6,000

Ledger DMK/DSK for human approval, Clear Signing (ERC-7730)

✔ What's Working

Working Rust Agent Runtime Compiles cleanly, 35/35 tests pass. Full agent loop, intent router, REST API on port 8420.

Working Policy Engine Tool allowlist enforcement, value threshold checks, severity levels (Block/Warn/Sanitize/Pass).

Working Injection Detector Regex-based prompt injection detection with case-insensitive matching.

Working WASM Sandbox Wasmtime-based isolated execution for untrusted tools with capability validation.

Working Tool Registry Content-addressable registration with SHA256 capability hashes. Built-in tools: swap, transfer, query.

Working 0G Compute HTTP inference with attestation extraction, graceful fallback to content hash.

Working 0G Storage Trace upload/retrieval with content-addressable root hashes, graceful degradation when offline.

Working ENS + DM3 Full namehash, on-chain resolution, DM3 profile lookup with 3-tier fallback, encrypted messaging.

Working EIP-8004 Identity registration, reputation queries, validation history, trust threshold checks with bootstrap phase.

Working iNFT (ERC-7857) Agent minting with encrypted metadata on 0G Storage.

Working Proof Generator Supports Boundless (remote), local RISC Zero, and mock (dev) backends.

Working Smart Contracts ProofOfClawVerifier, EIP8004Integration, ProofOfClawINFT — all compile with Foundry.

Working RISC Zero Guest Real zkVM guest program with full policy verification logic.

Working Frontend UI All 7 pages functional. Live API mode + mock fallback. Search, copy, responsive design.

Working ENS Resolver (JS) Real on-chain resolution via RPC, multi-network support (Sepolia, Mainnet, 0G).

⚠ What's Incomplete

Stub Ledger Approval Gate Always returns Ok(true) — no actual Ledger device communication. 15-line placeholder in agent/src/integrations/ledger.rs.

Mock Data RISC Zero Host Real RISC Zero host program but seeds hardcoded test traces instead of accepting real agent input.

Missing Contract Tests Zero Foundry test files. No test/ directory in contracts.

Partial ERC-7730 Metadata Contract address is 0x000...000 (needs post-deployment update). Missing some method display formats.

Partial ProofOfClawINFT balanceOf() is O(n) without owner mapping. Missing safeTransferFrom receiver validation.

In-memory Job Scheduler Basic HashMap-based tracking with no persistence. State lost on restart.

⚒ Roadmap

High Priority

High Implement Ledger DMK/DSK approval flow (replace stub in agent/src/integrations/ledger.rs)
High Write Foundry contract tests (contracts/test/)
High Wire RISC Zero host to accept real execution traces from the agent
High Deploy contracts to testnet and update ERC-7730 metadata with real addresses

Medium Priority

Med Add safeTransferFrom ERC-721 receiver validation to ProofOfClawINFT
Med Optimize balanceOf() with owner-to-tokenIds mapping in ProofOfClawINFT
Med Complete ERC-7730 Clear Signing metadata for all contract methods
Med Add persistent storage for job scheduler (currently in-memory)
Med End-to-end integration test: agent → 0G → RISC Zero → on-chain verification

Nice to Have

Nice Production RISC Zero proof generation via Boundless (currently mock in dev)
Nice Multi-chain deployment scripts and ERC-7730 metadata
Nice Agent dashboard real-time WebSocket updates (currently polling)
Nice DM3 delivery service node setup and documentation
Nice IronClaw full integration mode testing

Proof of Claw Documentation