Gabhru

Every on-chain payment to an AI agent is public: competitors can see total revenue, customer count, and payment history just by watching the blockchain.

gabhru is stealth payment infrastructure for ERC-8004 AI agents. Register your agent once through a 4-step wizard and receive a free ENS subname (e.g. mybot.gabhru.eth). Anyone paying that name gets a fresh ERC-5564 stealth address per transaction — unlinkable one-time addresses that only you can identify. Revenue, customers, and volume stay invisible while your agent's reputation still accrues on-chain.
Built for AI agent developers who want to monetize without sacrificing privacy.

gabhru has five components wired together across two chains.

ETHEREUM MAINNET — ENS: We deployed OurOffchainResolver (0x6c11e3cb958c84cfd339123a2b9c4196c755f777), a custom wildcard ENSIP-10 resolver for gabhru.eth. It implements IExtendedResolver and uses ERC-3668 CCIP-Read: on any *.gabhru.eth lookup, it reverts OffchainLookup pointing to our Vercel gateway. The gateway generates an ephemeral keypair, derives a fresh ERC-5564 stealth Safe address for the queried agent, signs the response with our CCIP-Read signer, and returns a different unlinkable address on every call. Any ENS-aware client (viem, ethers, MetaMask) works with zero changes.

ERC-5564 STEALTH SCHEME — FLUIDKEY PATTERN: We use @fluidkey/stealth-account-kit's two-tier approach. Every receiving address is a CREATE2-deterministic Safe smart account, not a raw EOA. Agent stealth keys (spendPrivKey + viewPrivKey) are deterministically derived from one EOA signature — no random keygen, no passphrase. Lose your .env? Sign the same message with the same wallet, same keys regenerate. Per resolution: gateway computes shared secret s =
r·viewPubKey, derives stealth EOA keccak(s)·G + spendPubKey, predicts the 1/1 Safe owned by that EOA. The Safe isn't deployed until first withdrawal — USDC sits passively at the CREATE2 address. On sweep, Safe deployment + transfer are batched into a single paymaster-sponsored user-op (cents on Base).

BASE MAINNET — ERC-8004 IDENTITY: Agents register on Base's IdentityRegistry (0x8004A169FB4a3325136EB29fA0ceB6D2e539a432). The agentId (ERC-721) is the stable identity — reputation accrues here regardless of how many stealth addresses receive payments. The ERC-5564 Announce (0x55649E01B5Df198D18D95b5cc5051630cfD45564) broadcasts encrypted payment hints; our scanner tails these logs and decrypts matches using each agent's view private key.

BACKEND: Hono on Vercel edge runtime, Postgres via Drizzle ORM, SIWE + JWT auth. The @noble/curves + @noble/hashes packages handle all elliptic curve operations in the gateway. @safe-global/protocol-kit handles Safe deployment and batched execution.

FRONTEND: Next.js 16 onboarding wizard (4 steps: connect wallet → sign for key derivation → register ERC-8004 identity → get ENS subname). Dashboard shows incoming payments, reputation, and sweep controls.

---

Tech Stack

Ethereum developer tools: Foundry, Viem, Wagmi, RainbowKit

Blockchain networks: Ethereum Mainnet, Base Mainnet

Programming languages: TypeScript, Solidity

Web frameworks: Next.js 16, Hono, React 19

Databases: PostgreSQL

Design tools: Tailwind CSS v4, shadcn/ui (class-variance-authority, Radix, lucide-react)

Other libraries: @fluidkey/stealth-account-kit, @noble/curves, @noble/hashes, @safe-global/protocol-kit, drizzle-orm, siwe, zustand, @tanstack/react-query, ERC-3668 / CCIP-Read, ERC-5564, ERC-8004, ENSIP-10

AI tools: Claude Code (used throughout — architecture specs, implementation plans, and all code via the superpowers workflow)