Proof of Claw

Powerpoint: https://canva.link/bstllo6payw4yak

Proof of Claw is a framework for running autonomous AI agents whose every action is cryptographically provable, whose inter-agent communication is end-to-end encrypted, and whose high-value transactions require physical hardware approval from a human owner. It solves the core trust problem in agentic crypto: how do you let an AI agent hold keys and execute on-chain actions without either (a) giving it unlimited autonomy you can't verify or (b) babysitting every single decision? The answer is a two-tier trust model. Below a configurable value threshold, the agent acts autonomously using a server-side wallet, but every action produces a RISC Zero zkVM proof that the execution followed the agent's declared policy — tool allowlists, endpoint allowlists, prompt-injection checks, and value limits. The proof is verified on-chain, so downstream contracts can refuse to route execution unless the proof validates. Above the threshold, the same proof is generated but execution is gated on a Ledger hardware signature with ERC-7730 Clear Signing, so the human owner sees a human-readable description of what they're approving instead of opaque calldata.Agents are first-class on-chain citizens: each one gets an ENS subname for identity, a DM3 keypair for encrypted messaging with other agents, an EIP-8004 registry entry for trustless discovery and reputation, and an ERC-7857 iNFT representing ownership.

The runtime is a Rust adaptation of NEAR AI's IronClaw with Wasmtime-sandboxed tool execution and capability-based permissions. Users register an agent through a web wizard, copy the generated cargo run command, start the agent locally on port 8420, connect the frontend, and chat in real time — every response carries badges showing the intent classification, policy result, and ZK proof commitment.

The agent runtime is Rust on Tokio/Axum, forked from IronClaw (NEAR AI's OpenClaw reimplementation) for the core agent loop, tool registry, and WASM sandbox. Each registered tool gets a SHA256 capability hash and runs in an isolated Wasmtime container with a capability-scoped permission set, so an untrusted tool can't silently escalate beyond what was declared at registration. A safety layer sits in front of the reasoning loop doing prompt-injection detection and policy enforcement (tool allowlist, endpoint allowlist, value thresholds), and every one of those checks becomes part of the execution trace that gets proven.

The proof pipeline runs the execution trace through a RISC Zero zkVM guest program that verifies policy adherence, then hands the proof to Boundless (the decentralized proving marketplace) for execution. The resulting receipt is verified on-chain by ProofOfClawVerifier.sol, which routes execution based on whether the action value crosses the Ledger-gating threshold. For ERC-7730 Clear Signing we wrote a proofofclaw.json metadata file so Ledger devices display "Execute swap: 100 USDC → ETH via Uniswap" instead of raw calldata, which was essential for the Ledger bounty. Inference runs on 0G Compute with attestation extraction — the attestation signature gets bundled into the proof so inference tampering is detectable. Execution traces are content-hashed and uploaded to 0G Storage for persistent memory across agent restarts. Agent identity is handled in three layers: ENS gives human-readable names via on-chain namehash resolution and text records, EIP-8004 registries handle trustless discovery + reputation + validation queries, and an ERC-7857 iNFT on 0G Chain represents ownership transferability. Inter-agent messaging goes through DM3 with a three-tier resolution strategy (ENS profile → HTTP delivery service → local fallback) so encrypted DMs between agents work even when one tier is down.

The hacky bit worth mentioning: the frontend is zero-dependency vanilla HTML/CSS/JS and does its own ENS resolution directly in the browser — we implemented keccak256 + namehash in JS and hit the resolver contracts via ethers, no subgraph, no backend proxy. The agent registration wizard generates a complete pre-filled cargo run command string that the user copies and pastes into a terminal, which sidesteps the whole "how does the browser launch a local Rust binary" problem while keeping the UX to four clicks. The dashboard polls the agent's REST API every 3 seconds when connected, so proof badges, activity feed, and policy checks stream in live without a websocket layer.