Sigil

In the financial services industry alone, non-human identities — automated trading systems, risk engines, fraud models — already outnumber human actors by roughly 100 to 1. And with modern agent frameworks — tool-using LLMs, autonomous workflows, and multi-agent orchestration — the ratio is set to rise at scale across industries.

Yet they remain effectively unbanked. They can interact with financial systems, but not in ways that are portable, verifiable, or trusted. They lack standardized ways to verify their permissions, operate independently across platforms, prove that their output actually comes from the model it claims to, or bear liability for the actions they take.

Sigil Protocol is an identity and provenance infrastructure for autonomous AI agents — a permanent on-chain record of who an agent is, who owns it, what it's authorized to do, and every consequential output it has ever produced. I built two permanently linked primitives on 0G Galileo: an AgentPassport, which gives every agent a portable on-chain identity anchored to its human or service principal, and a ProvenanceRecord, which notarizes any consequential artifact that the agent produces. Together, they let anyone resolve the full accountability chain — from artifact to agent to principal — without trusting the platform hosting the agent.

It is especially useful wherever AI agents cross institutional boundaries — regulated financial infrastructure, multi-agent workflows where trust must be delegated between autonomous systems, and any domain where "who decided this, and who authorized them to" needs to be answerable after the fact.

Real World Usage Examples -

1. A DAO receives a governance memo from an AI delegate before a treasury vote. It resolves the memo’s recordId, confirms which agent produced it, checks that agent’s PassportID, verifies the agent is authorized for governance analysis, inspects its attestation history, and validates the model fingerprint behind the output. The DAO is not just reading a memo; it is verifying the exact agent, the exact owner who authorized that agent, and the exact provenance of the recommendation before acting.

2. A marketplace wants to allow only licensed research firms to run AI analyst agents on its platform. Each incoming agent must present a PassportID. The marketplace verifies the principal owner is one of the approved firms, checks that the agent is still active, and confirms its permission scope matches the type of analysis it is trying to perform. This gives marketplaces a portable allowlist based on owner identity, not usernames.

Sigil is a monorepo of Solidity contracts, a TypeScript SDK, real agents created with the sigil SDK, and a Next.js resolver UI, all running against 0G Galileo testnet. On-chain, SigilRegistry manages the AgentPassport identity primitive using an ERC-7857 intelligent NFT with a dual-wallet model: the principal authorizes once at registration, and a fresh agent wallet signs every notarization autonomously thereafter — no per-action principal interaction required. ProvenanceNotary stores signed provenance records with EIP-712 typed-data signatures, per-signer nonce replay protection, and on-chain reverse-lookup by output hash so any artifact can be traced back to its producer. Off-chain, encrypted permission manifests and input contexts live in 0G Storage KV (AES-256-GCM, keys derived via HKDF from a principal signature — plaintext never leaves the owner's machine), while execution fingerprints and attestation history are appended to 0G Storage Log streams, one per agent.

For inference-backed outputs, we use 0G Compute to run qwen/qwen-2.5-7b-instruct and get a sealed receipt — a cryptographic proof tying the output to a specific model execution — which is hashed on-chain as the modelFingerprintHash before any result reaches the user. The SDK handles registration, encryption, notarization, and resolution end-to-end. We built real demo agents for code audit, DeFi risk scoring, and generic prompt execution, plus an interactive chat REPL where every response is notarized live on-chain in the same terminal session. The /passport resolver UI reads directly from chain and renders live identity and provenance data — connecting wallets to decrypt permission manifests for principal-gated views.

Here's the full flow.

Principal registration. A human principal calls SigilClient.register(), which generates a fresh agent keypair, encrypts the agent's permission manifest with AES-256-GCM (key derived from the principal's EIP-712 signature), writes the ciphertext to 0G Storage, and mints an ERC-7857 iNFT on 0G Chain. The resulting passportId permanently links principal → agent → every future output. The agent private key is returned once and stored in the agent runtime's secrets manager; Sigil never persists it.

Autonomous notarization. When the agent produces a consequential output — a risk score, a contract audit, a core decision/action — it calls ProvenanceNotaryClient.notarize(). The SDK runs sealed inference via 0G Compute (returning a cryptographic receipt), encrypts the input context and uploads it to 0G Storage, builds a v2 provenance envelope wrapping the proof and raw output, and calls ProvenanceNotary.notarize() on 0G Chain with an EIP-712 signature.
No per-notarization principal approval is required — the agent was authorized once at registration.

On-chain reputation. After each notarization, the auto-attest sidecar (a registered keeper relay) calls SigilRegistry.appendFingerprint() and appendAttestation(), updating the agent's task count, failure count, and reputation score (clamped 0–1000) directly on chain. KeeperHub's workflow engine fires on each event, providing an execution audit trail hashed into every fingerprint entry.

Universal resolution. Anyone holding a passportId, recordId, agent address, or output hash can resolve the full accountability chain in one call — backward from any artifact to its producing agent to its human principal, or forward from any principal to every record that agent has ever notarized. The smartResolve() function auto-detects input shape and routes to the right on-chain read.

The most notable hacky stunt is our onboarding flow. For external agents not built with the Sigil SDK, we ship two onboarding surfaces. The first is a hosted SKILL.md endpoint — a machine-readable onboarding contract that walks a foreign agent through the full registration flow step by step: how to request a passport, what to say to its principal at each stage, how to present the browser approval URL, how to receive and store the private key the moment it is delivered (exactly once, in the poll response after the principal signs on-chain), and which slash commands to register in its own runtime. The second is an MCP server with five tools — register, resolve, notarize, resolve provenance, and verify — exposable over stdio for local Claude Code sessions or over SSE for remote agents connecting over HTTP. Together these mean a foreign agent that has never touched the Sigil SDK can read one URL, follow the steps, get a real on-chain AgentPassport, and begin notarizing outputs — without any manual integration work on our side.