{"id":50745512,"url":"https://github.com/edycutjong/proofly","last_synced_at":"2026-06-10T20:30:30.496Z","repository":{"id":363046715,"uuid":"1261767021","full_name":"edycutjong/proofly","owner":"edycutjong","description":"🧾 Prove it, don't reveal it — a did:t3n privacy agent that verifies compliance (age/KYC/jurisdiction) inside a TEE and discloses only a signed yes/no. Built on the Terminal 3 Agent Dev Kit.","archived":false,"fork":false,"pushed_at":"2026-06-07T08:05:33.000Z","size":1785,"stargazers_count":0,"open_issues_count":12,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-06-07T08:06:58.119Z","etag":null,"topics":["agent-auth","ai-agents","autonomous-agents","compliance","decentralized-identity","dorahacks","intel-tdx","kyc","nextjs","oid4vp","privacy","rust","sd-jwt","selective-disclosure","t3adk","tee","terminal3","verifiable-credentials","wasm","zero-knowledge"],"latest_commit_sha":null,"homepage":"https://proofly.edycu.dev","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/edycutjong.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-06-07T05:53:48.000Z","updated_at":"2026-06-07T08:03:11.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/edycutjong/proofly","commit_stats":null,"previous_names":["edycutjong/proofly"],"tags_count":null,"template":false,"template_full_name":null,"purl":"pkg:github/edycutjong/proofly","reposi
tory_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/edycutjong%2Fproofly","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/edycutjong%2Fproofly/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/edycutjong%2Fproofly/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/edycutjong%2Fproofly/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/edycutjong","download_url":"https://codeload.github.com/edycutjong/proofly/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/edycutjong%2Fproofly/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34170162,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-10T02:00:07.152Z","response_time":89,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["agent-auth","ai-agents","autonomous-agents","compliance","decentralized-identity","dorahacks","intel-tdx","kyc","nextjs","oid4vp","privacy","rust","sd-jwt","selective-disclosure","t3adk","tee","terminal3","verifiable-credentials","wasm","zero-knowledge"],"created_at":"2026-06-10T20:30:29.910Z","updated_at":"2026-06-10T20:30:30.479Z","avatar_url":"https://github.com/edycutjong.png","language":"TypeScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003c
div align=\"center\"\u003e\n  \u003cimg src=\"board/public/icon.svg\" alt=\"Proofly\" width=\"120\" height=\"120\"\u003e\n\n  \u003ch1\u003eProofly 🧾\u003c/h1\u003e\n  \u003cp\u003e\u003cem\u003eProve it, don't reveal it — TEE-secured zero-knowledge privacy verification agent.\u003c/em\u003e\u003c/p\u003e\n  \u003cimg src=\"docs/readme-hero.png\" alt=\"Proofly Banner\" width=\"100%\"\u003e\n\n  \u003cbr/\u003e\n\n  [![Live Demo](https://img.shields.io/badge/🚀_Live-Demo-06b6d4?style=for-the-badge)](https://proofly.edycu.dev)\n  [![Pitch Video](https://img.shields.io/badge/🎬_Pitch-Video-ef4444?style=for-the-badge)](https://youtu.be/-SULZJ0C7oI)\n  [![Built for DoraHacks](https://img.shields.io/badge/DoraHacks-T3_ADK_Bounty_Challenge-8b5cf6?style=for-the-badge)](https://dorahacks.io/hackathon/t3adkdevchallengebeta)\n  [![BUIDL](https://img.shields.io/badge/DoraHacks-BUIDL_%2344358-22c55e?style=for-the-badge)](https://dorahacks.io/buidl/44358)\n\n  \u003cbr/\u003e\n\n  ![Next.js](https://img.shields.io/badge/Next.js_16-black?style=flat\u0026logo=next.js)\n  ![Rust](https://img.shields.io/badge/Rust_WASM-DEA584?style=flat\u0026logo=rust\u0026logoColor=white)\n  ![TypeScript](https://img.shields.io/badge/TypeScript-3178C6?style=flat\u0026logo=typescript\u0026logoColor=white)\n  ![Tailwind](https://img.shields.io/badge/Tailwind_v4-38B2AC?style=flat\u0026logo=tailwindcss\u0026logoColor=white)\n  [![CI/CD Pipeline](https://github.com/edycutjong/proofly/actions/workflows/ci.yml/badge.svg)](https://github.com/edycutjong/proofly/actions/workflows/ci.yml)\n\u003c/div\u003e\n\n---\n\n## 🧑‍⚖️ For Judges\n\n**TL;DR:** Proofly is a `did:t3n` agent you delegate a compliance check to. Using Terminal 3's **Agent Auth SDK**, the data owner signs a scoped grant that lets the agent run exactly one function — `verify` — and nothing else; the host enforces it natively (no rogue functions, no rogue egress). 
The agent reads sealed credentials inside an Intel TDX enclave and returns an SD-JWT + OID4VP presentation disclosing only a signed `yes`/`no` — **zero PII crosses the network**.\n\n| What you're judging | Where to look |\n|---|---|\n| 🚀 **Live demo** | [proofly.edycu.dev](https://proofly.edycu.dev) |\n| 🎬 **90-sec pitch video** | [watch](https://youtu.be/-SULZJ0C7oI) |\n| 🔑 **Agent Auth implementation** (scoped `agent-auth-update` grant + native enforcement) | [`agent/src/authz.ts`](agent/src/authz.ts) · [`agent/src/index.ts`](agent/src/index.ts) |\n| 🧠 **The agentic flow** (problem → delegate → verify → selective disclosure) | [Architecture \u0026 Flow](#️-architecture--flow) · [`contract/src/lib.rs`](contract/src/lib.rs) |\n| ✅ **Stability** (CI: lint, typecheck, 100% backend coverage, E2E, SAST, secret scan) | [Engineering Harness](#-engineering-harness--cicd) · [CI runs](https://github.com/edycutjong/proofly/actions) |\n| 🐞 **Onboarding bug + doc-gap report** (the $200 track) | [`docs/ONBOARDING_BUG_REPORT.md`](docs/ONBOARDING_BUG_REPORT.md) |\n| 🔌 **Why only Terminal 3** | [`docs/SPONSOR_DEFENSE.md`](docs/SPONSOR_DEFENSE.md) |\n\n\u003e **Run it in 60s:** `cd agent \u0026\u0026 npm install \u0026\u0026 npm run dev` (agent on :3001), then `cd board \u0026\u0026 npm install \u0026\u0026 npm run dev` (UI on :3000). 
Without an `AGENT_KEY` the agent boots in demo mode; set one from the [T3 claim page](https://www.terminal3.io/claim-page) for live auth.\n\n---\n\n## 🎬 See it in Action\n\n\u003cdiv align=\"center\"\u003e\n  \u003cimg src=\"board/public/og-image.png\" alt=\"Proofly Board UI\" width=\"100%\"\u003e\n\u003c/div\u003e\n\n\u003ctable\u003e\n  \u003ctr\u003e\n    \u003ctd align=\"center\" width=\"50%\"\u003e\n      \u003cimg width=\"600\" height=\"338\" alt=\"personal-data-maya-1\" src=\"https://github.com/user-attachments/assets/53730c03-e2e1-4861-97b8-e14f1a4c6219\" /\u003e\n      \u003cbr/\u003e\u003csub\u003e\u003cb\u003e✅ Maya — Lisbon\u003c/b\u003e · passes \u003ccode\u003eadult-eu-nosanction\u003c/code\u003e → disclosed \u003ccode\u003e{ result: true }\u003c/code\u003e\u003c/sub\u003e\n    \u003c/td\u003e\n    \u003ctd align=\"center\" width=\"50%\"\u003e\n      \u003cimg width=\"600\" height=\"338\" alt=\"personal-data-dmitri-1\" src=\"https://github.com/user-attachments/assets/9261f01b-c67f-498c-a2b1-834eb6a038f3\" /\u003e\n      \u003cbr/\u003e\u003csub\u003e\u003cb\u003e❌ Dmitri — sanctioned\u003c/b\u003e · fails with reason → \u003ccode\u003e{ result: false }\u003c/code\u003e\u003c/sub\u003e\n    \u003c/td\u003e\n  \u003c/tr\u003e\n\u003c/table\u003e\n\n\u003e **The Flow:** Verifier requests a compliance proof (e.g. `over_18 ∧ country ∈ EU ∧ not_sanctioned`) ➔ Proofly loads user's sealed SD-JWT credentials inside the TEE ➔ evaluates policy criteria on plaintext inside isolated memory ➔ issues an SD-JWT selectively disclosing only the boolean result ➔ packages the credential into an OID4VP Verifiable Presentation (`vp`).\n\n---\n\n## 💡 The Problem \u0026 Solution\n\n### The Problem\nEvery app that gates on age, KYC, or jurisdiction collects raw identity documents to verify a single boolean. That's a honeypot: GDPR/CCPA liability, data breach exposure, and massive user drop-off. 
For AI agents acting on a user's behalf, it is even worse: an autonomous script is copying and pasting passports between services. The verifier never wanted the passport — it wanted a trustworthy \"yes\" or \"no.\"\n\n### The Solution\n**Proofly** is a `did:t3n`-verified privacy agent. The user's underlying credentials are decrypted **only** inside a Trusted Execution Environment (TEE).\n* **Zero-PII Disclosure:** The agent evaluates rules inside the enclave and exports only a signed boolean proof of compliance. Absolutely no birth date, country string, or name crosses the network.\n* **Dynamic Policy Engine:** Composable compliance rules: `age\u003e=18 AND country IN (EU) AND NOT sanctioned`.\n* **Tamper-Proof Audit Logs:** Records every disclosure (verifier, user, policy, timestamp, and signature hash) inside the enclave KV store.\n\n---\n\n## 🏗️ Architecture \u0026 Flow\n\n```mermaid\nflowchart LR\n    subgraph App[\"Integrating app (VC verifier)\"]\n      REQ[presentation request:\\n claims + predicate]\n    end\n    subgraph Proofly[\"Proofly agent (did:t3n)\"]\n      API[/POST /verify/]\n      PE[Policy → required claims]\n      CLI[T3nClient.executeAndDecode]\n    end\n    subgraph T3[\"T3N TEE (Intel TDX / Wasmtime)\"]\n      DISP[proof contract: dispatch]\n      VP[vp: build Verifiable Presentation]\n      SIGN[signing: SD-JWT selective disclosure]\n      PROF[(user-profile: sealed claims)]\n    end\n    REQ --\u003e API --\u003e PE --\u003e CLI --\u003e|execute fn| DISP\n    PROF --\u003e DISP --\u003e SIGN --\u003e VP --\u003e CLI --\u003e API --\u003e|\"VP disclosing only required claims\"| App\n    Proofly -. did:t3n .-\u003e REG[did-registry / agent-registry]\n```\n\n1. **Verify Request:** The verifier requests compliance check `adult-eu-nosanction` for a user DID.\n2. **Retrieve Profile:** Enclave retrieves user's encrypted credentials from the `user-profile` host interface.\n3. 
**Evaluate:** Enclave contract decrypts profile under `cluster CEK` and checks rules.\n4. **Selectively Disclose:** Enclave `signing` generates SD-JWT disclosing only `{ result: boolean }`, and `vp` packages it as an OID4VP Verifiable Presentation.\n5. **Log Audit:** Enclave saves the audit entry inside the isolated KV store.\n\n---\n\n## 🏆 Sponsor Tracks Targeted \u0026 SDK Surface Area\n\n**Primary track — Agent Auth SDK.** The data owner signs an `agent-auth-update` that scopes the Proofly agent to exactly its `verify-policy` / `create-policy` / `get-health` functions and `api.terminal3.io` egress. T3N enforces this natively at the host layer — an out-of-scope function or host fails with `host/agent-auth.unauthorized_function` / `host/http.egress_denied`. We construct the real grant payload in `agent/src/authz.ts` (`buildAgentAuthUpdateInput`).\n\nWe use **seven** distinct Terminal 3 host capability interfaces:\n1. **`agent-auth`** (`agent/src/authz.ts`): Scopes the agent to its functions + egress allowlist via a signed `agent-auth-update` grant (the bounty centerpiece).\n2. **`signing`** (`contract/src/lib.rs:196`): Generates SD-JWT selectively-disclosed credentials inside the hardware VM.\n3. **`vp`** (`contract/src/lib.rs:208`): Packages credentials as OID4VP Verifiable Presentations.\n4. **`user-profile`** (`contract/src/lib.rs:95`): Stores and retrieves encrypted user profiles securely.\n5. **`kv-store`** (`contract/src/lib.rs:67`): Manages registered policies and audit logs.\n6. **`did-registry` \u0026 `agent-registry`** (`agent/src/identity.ts`): Resolves the agent's `did:t3n` identity and discoverable agent URI.\n7. **TEE Attestation (Intel TDX):** Enforces execution of compiled WASM logic inside hardware-secured VMs.\n\n---\n\n## 🚀 Getting Started\n\n### Prerequisites\n* Node.js ≥ 20\n* Rust \u0026 Cargo (with `wasm32-wasip2` target)\n* npm\n\n### Setup \u0026 Installation\n1. 
Clone the repository:\n   ```bash\n   git clone https://github.com/edycutjong/proofly.git\n   cd proofly\n   ```\n2. Build the Rust WASM contract:\n   ```bash\n   cd contract\n   rustup target add wasm32-wasip2\n   cargo build --target wasm32-wasip2 --release\n   cd ..\n   ```\n3. Install \u0026 run the standalone backend Agent Service:\n   ```bash\n   cd agent\n   npm install\n   npm run dev\n   ```\n   The agent boots on `http://localhost:3001` and connects to the live Terminal 3 agent network.\n\n4. Install \u0026 run the frontend portal:\n   ```bash\n   cd board\n   npm install\n   npm run dev\n   ```\n   Open `http://localhost:3000` to view the Proofly Dashboard.\n\n\u003e **Production Proxy Pattern:** The frontend portal automatically routes compliance verification requests to the live Agent Service at `http://localhost:3001`.\n\n---\n\n## 🧪 Engineering Harness \u0026 CI/CD\n\nWe enforce a production-grade 6-stage engineering harness (Quality ➔ Security ➔ Build ➔ E2E ➔ Perf ➔ Deploy Gate) running on every commit.\n\n### Engineering Harness Summary\n\n| Layer | Tool | Status | Details |\n|---|---|---|---|\n| **Code Quality** | ESLint + TypeScript strict check | ✅ Passing | Zero warnings/errors across whole monorepo |\n| **Unit Testing** | Vitest with Coverage | ✅ Passing | 18+ tests with 100% backend code coverage |\n| **E2E Testing** | Playwright (Desktop \u0026 Mobile) | ✅ Passing | 3 test suites, 12 assertions passing on every commit |\n| **Security (SAST)** | GitHub CodeQL | ✅ Active | Continuous static application security scanning |\n| **Security (SCA)** | Dependabot + `npm audit` | ✅ Active | Inline dependency audits on build, weekly security PRs |\n| **Secret Scanning** | TruffleHog | ✅ Active | Inline git history scanning to prevent credential leaks |\n| **Performance** | Lighthouse CI | ✅ Active | Accessibility (\u003e=90%), Performance, Best Practices, and SEO gates |\n| **CI/CD Pipeline** | GitHub Actions | ✅ Active | Parallelized multi-stage 
orchestrator with concurrency controls |\n\n### Harness Command Reference\n\n```bash\n# ── Code Quality \u0026 Unit Tests ───────────────\nnpm run ci            # Full lint + typecheck + unit coverage (in board/)\nnpm run lint          # Run ESLint check\nnpm run typecheck     # Compile-check TypeScript types\n\n# ── E2E \u0026 Performance Tests ──────────────────\nnpm run e2e           # Run Playwright E2E suites (demo mode)\nnpm run e2e:ui        # Playwright interactive runner\nnpm run lighthouse    # Lighthouse CI audit local build\n```\n\n| Suite | Focus | Status |\n|---|---|---|\n| **Key Custody Test** | Asserts that generated keys/signatures are restricted to TEE memory and never leak to disk/env/logs | ✅ Passing |\n| **Happy Path Suite** | Verifies Maya (Lisbon, age 24, PT) successfully passes `adult-eu-nosanction` | ✅ Passing |\n| **Age Gate Check** | Verifies Leo (minor) fails age checks and returns failure reason | ✅ Passing |\n| **Sanction Check** | Verifies Dmitri (sanctioned) fails sanctions checks and returns failure reason | ✅ Passing |\n| **Zero-PII Boundary** | Verifies that no birth date, country code, or name is present in verifier payload | ✅ Passing |\n| **Audit Logs** | Verifies logs are recorded, searchable, and filterable | ✅ Passing |\n| **Boundary Matrix** | Validates 100 distinct parameterized age checks | ✅ Passing |\n\n---\n\n## ⚡ Policy-Evaluation Microbenchmark\n\nWe ran **200** iterations of the AND-composed policy-evaluation step (claim comparison) **in-process**, mirroring `contract/src/lib.rs:verify_policy`.\n\n\u003e **Scope:** This measures the deterministic evaluation logic, **not** a live T3N enclave round-trip (handshake + encrypted channel + Wasmtime execution + SD-JWT/VP packaging), which is network-bound. 
Numbers are fully reproducible:\n\n```bash\npython3 scripts/bench.py\n```\n\n### Results (representative run)\n* **Mean:** 0.000611 ms\n* **p50 (Median):** 0.000292 ms\n* **p95:** 0.000625 ms\n\n---\n\n## 📄 License\n[MIT](LICENSE) © 2026 Edy Cu\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fedycutjong%2Fproofly","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fedycutjong%2Fproofly","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fedycutjong%2Fproofly/lists"}