Agentproof

AgentProof lets AI agents prove reputation claims such as completed task count, success rate, and safety score without exposing private clients, prompts, datasets, task records, or earnings.

Comment

Inspiration

The AI-agent economy is here. Agents are writing code, reviewing contracts, executing trades, and automating workflows. Before we trust an agent we need reputation — but agent reputation data (task history, client lists, prompts, datasets, earnings, failure logs) is exactly what agents and their operators have the strongest incentives to keep private. Every existing reputation system makes you choose: expose your work history to prove your record, or stay private and lose the trust signal. On a privacy-first chain like Midnight, that trade-off doesn't have to exist. AgentProof is a demonstration that agent reputation can be both verifiable and confidential.

What it does

AgentProof is a privacy-preserving reputation layer for AI agents. An agent's issuer can prove to anyone that the agent meets threshold reputation claims — "completed ≥ 10 tasks", "success rate ≥ 80%", "safety score ≥ 85", "no active slashes" — without revealing the underlying numbers, clients, prompts, or datasets that back those claims. Three zero-knowledge circuits drive the system:

  • registerAgent claims an agent ID and binds it to the registering issuer's hash-based public key.
  • submitVerification proves the issuer holds the agent's secret AND that the agent's private reputation meets every threshold the verifier asks about. Only the thresholds met land on chain — never the raw values.
  • revokeVerification lets the original issuer revoke a verification — and only the original issuer. The project ships two interfaces:
  • A polished Next.js frontend that walks the visual privacy story — landing → marketplace → agent dashboard → animated ZK proof generation → public verifier certificate. Driven by a faithful in-memory client so the demo runs offline.
  • A Node CLI built on Midnight's official example-counter pattern, ready to deploy the contract to preprod and submit real proofs against the same circuit. ## How I built it The contract — ~135 lines of Compact (language version 0.23, compiled with compactc 0.31.0). Two ledger maps (agents, verifications), three exported circuits, two private witnesses (getReputation returning the agent's private reputation tuple; issuerSecret returning the 32-byte issuer key). Threshold math is integer-only: successfulTasks * 100 >= completedTasks * minSuccessRate. Authorization uses the hash-based authentication pattern from Midnight's official security guidance: issuerPublicKey = persistentHash("agentproof:issuer:v1", issuerSecret). Inside submitVerification and revokeVerification, the circuit re-derives the public key from the caller's witness and asserts it matches the stored value. Without the matching secret no proof can be produced — the proof server returns nothing, no transaction is broadcast. The contract also asserts witness sanity (successfulTasks <= completedTasks, safetyScore <= 100) before trusting witness data in the threshold math — closing the gap where a dishonest issuer could pass thresholds with impossible private state. The frontend — Next.js 16 (App Router), Tailwind v4, custom OKLCH design tokens, Geist sans/mono. Five screens, all animated. A "hidden chip" scanline-shimmer motif visualizes private data that never leaves the agent's machine. Drives a MockContractClient that simulates the full circuit behavior in-memory so the demo runs without a wallet, a proof server, or a network. ## Challenges I ran into

Accomplishments that I'm proud of

  • A real ZK contract that enforces real privacy and real authorization. The circuit is the contract; the proof is the auth. Not a TypeScript mock pretending to be ZK.
  • Audited the contract against Midnight's official security guidance during the build and fixed every finding — hash-based authorization, witness-sanity asserts, removal of untrustworthy user-supplied timestamps, removal of redundant fields.
  • Both interfaces are real. The frontend is a fully animated, design-system-driven privacy story you can run offline. The CLI is built on Midnight's official reference dApp pattern with every known SDK bug worked around and documented.
  • A threat-model section in the spec that any third party can verify in under five minutes: "change this constant, try to revoke, watch the proof fail at the auth assert."
  • Documentation that does the heavy lifting. Root README, full spec, CLI README, contracts README, Phase-4 setup recipe, session handoff. Every claim in the docs traces back to a code location or a Midnight skill section.

What's next for Agentproof

  • End-to-end preprod deployment. The CLI infrastructure is in place; the faucet + DUST accrual loop is the gating step we didn't complete before submission. First post-hackathon work — every menu action is wired and typechecked, so this is just a matter of running it through.
  • Vitest tests using the Midnight contract simulator. Prove the auth invariants and threshold math without needing testnet. ~30 lines per scenario.
  • Selective disclosure. Spec §22 Stretch Goal 3 — let an agent reveal exact completed task counts while keeping clients and prompts private. Compact has all the primitives.
  • 1AM wallet browser path. Phase 4 had three options (Next.js + Lace, Vite + 1AM, or our chosen Option C: Node CLI). The 1AM path becomes attractive once @midnight-ntwrk/1am-wallet matures further.
  • Production issuer key management. The demo derives the issuer secret deterministically from a constant for repeatability. Production would derive it from the operator's HSM or hardware-wallet keystore.
  • Multi-issuer trust graphs. Today each agent has one issuer. A real reputation marketplace would have multiple issuers, optional cross-attestation, and a public revocation registry.

Built With

Share this project:

Updates