AIP SafeHarness

AIP SafeHarness

The problem

AI agents that touch on-chain assets have no execution-layer guarantee. The agent says one thing in its reasoning trace, but anything can happen between intent declaration and tx confirmation. Existing agent infrastructure stacks (ERC-8004 identity, ERC-8183 commerce, x402 payment) leave this gap unaddressed.

The solution: AIP

AIP (Agent Intent Protocol) is an on-chain integrity primitive built on EIP-1153 transient storage. Its core mechanic:

preCheck(intentHash) → action() → postCheck(intentHash)

All three calls execute atomically within a single transaction. AIPSensoryLayer locks the declared intent hash in transient storage at preCheck, then verifies it hasn't drifted at postCheck. If anything in between (the action call, MEV interference, malicious wrapper) deviates from the declared intent, the entire transaction reverts. No partial execution. No residual allowance. No manipulation window.

Design discovery during testing: calling preCheck and postCheck in two separate transactions reverts the second one with AIP__CommitmentMismatch. This is not a bug — it is evidence that EIP-1153 transient storage clears at the tx boundary, enforcing the atomic guarantee at the protocol level. The intra-tx integrity boundary is itself verifiable on-chain.

The harness: SafeHarness

SafeHarness is the off-chain Python orchestration around AIP:

1. Dual-agent loop — Generator (Agent A) proposes the action plan. Reviewer (Agent B) audits it against safety criteria with structured JSON verdict.

2. HITL checkpoint — state is uploaded to 0G Storage before human review, preventing tampering between review and execution.

3. AIP submission — serialized intent and computed intent hash are passed to AgentExecutor, which wraps AIPSensoryLayer atomically.

0G integration

• 0G Chain (Aristotle Mainnet, Chain ID 16661): AgentExecutor and AIPSensoryLayer v2 contracts deployed and verified on chainscan

• 0G Storage: Merkle-rooted snapshots of agent state at every lifecycle milestone (awaiting_human / submitting_onchain / completed), independently retrievable via 0G indexer

Two integrity guarantees

• Intra-tx integrity (AIP contract): all-or-nothing atomic execution within one transaction

• Cross-tx integrity (0G Storage): publicly verifiable trail of agent state evolution across the full lifecycle

Neither layer alone is sufficient. Together they form a complete verifiable execution lifecycle.

Mainnet evidence

• AgentExecutor: 0x5715001b3add9724DF93D57E145c2a4330422D0F

• AIPSensoryLayer v2: 0xe2073A9bFe630d87C2256357a09AfA918feD41C9

• End-to-end demo tx: 0x5c5d50ca... emits IntentOpened → ExecutionTriggered → IntentClosed in 1 atomic transaction

• 3 storage snapshots per run, GET-retrievable from indexer-storage-turbo.0g.ai

All proofs are real and independently verifiable on chainscan.0g.ai.

Honest limitations

The demo action is mock event emission, not a real DEX swap call. AIP integrity is independent of action payload — the same guarantees apply when wired to a real swap router. HITL is audit-tier (synchronous prompt), not suitable for high-frequency trading.

During the hackathon (April–May 2026), I built and deployed AIP SafeHarness end-to-end on the 0G Aristotle Mainnet.

Sprint 1 (off-chain infrastructure):

- Dual-agent generator/reviewer loop with structured JSON evaluation

- @persist_state decorator for persisting state.json data

- HITL checkpoint with options to approve, reject, or modify

- Resume handling for KeyboardInterrupts

Sprint 2 (On-chain integration):

- Deployed AIPSensoryLayer v2 + AgentExecutor to the 0G Aristotle Mainnet (Chain ID 16661)

- Wired AgentExecutor.setAip(AIPSensoryLayer) for runtime validation

- Both contracts have been verified on chainscan.0g.ai

- Successful end-to-end demo run: The AIP executed transactions involving 3 events each (IntentOpened, ExecutionTriggered, IntentClosed). Additionally, 3 0G storage snapshots were taken at key points in the transaction lifecycle (awaiting_human, submitting_onchain, completed).

Sprint 3 (Verification & Production Hardening):

- Added upload verification layer in zerog_bridge.py — polls the 0G indexer to confirm that storage data has been delivered to all nodes, not just that the transaction has been recorded on the chain

- NETWORK environment switch for coexistence of testnet and mainnet

– Hard failure in the event of critical snapshot loss (no partial successes that go unnoticed)

– Discovered and documented an EIP-1153 boundary behavior: Calling preCheck and postCheck in separate transactions results in the second call being undone. This indicates that temporary data is cleared at the transaction boundary, thereby ensuring atomicity.

Result: Every state transition in the agent’s lifecycle can be independently verified on-chain using ChainScan, as well as through 0G Storage using the indexer GET function.

Pre-seed / Independent research project.

Solo developer (undergraduate student).

AIP Protocol's earlier specification was submitted to IEEE TDSC in March 2026; the engineering implementation in this hackathon (AIP SafeHarness) demonstrates the protocol's intra-tx integrity guarantees and cross-tx state verification end-to-end on 0G Aristotle Mainnet.

No external funding. Open to grants, ecosystem partnerships, and academic collaboration post-hackathon.