https://github.com/edycutjong/proofly

🧾 Prove it, don't reveal it — a did:t3n privacy agent that verifies compliance (age/KYC/jurisdiction) inside a TEE and discloses only a signed yes/no. Built on the Terminal 3 Agent Dev Kit.
agent-auth ai-agents autonomous-agents compliance decentralized-identity dorahacks intel-tdx kyc nextjs oid4vp privacy rust sd-jwt selective-disclosure t3adk tee terminal3 verifiable-credentials wasm zero-knowledge

# Proofly 🧾


Prove it, don't reveal it — TEE-secured zero-knowledge privacy verification agent.



[![Live Demo](https://img.shields.io/badge/🚀_Live-Demo-06b6d4?style=for-the-badge)](https://proofly.edycu.dev)
[![Pitch Video](https://img.shields.io/badge/🎬_Pitch-Video-ef4444?style=for-the-badge)](https://youtu.be/-SULZJ0C7oI)
[![Built for DoraHacks](https://img.shields.io/badge/DoraHacks-T3_ADK_Bounty_Challenge-8b5cf6?style=for-the-badge)](https://dorahacks.io/hackathon/t3adkdevchallengebeta)
[![BUIDL](https://img.shields.io/badge/DoraHacks-BUIDL_%2344358-22c55e?style=for-the-badge)](https://dorahacks.io/buidl/44358)


![Next.js](https://img.shields.io/badge/Next.js_16-black?style=flat&logo=next.js)
![Rust](https://img.shields.io/badge/Rust_WASM-DEA584?style=flat&logo=rust&logoColor=white)
![TypeScript](https://img.shields.io/badge/TypeScript-3178C6?style=flat&logo=typescript&logoColor=white)
![Tailwind](https://img.shields.io/badge/Tailwind_v4-38B2AC?style=flat&logo=tailwindcss&logoColor=white)
[![CI/CD Pipeline](https://github.com/edycutjong/proofly/actions/workflows/ci.yml/badge.svg)](https://github.com/edycutjong/proofly/actions/workflows/ci.yml)

---

## 🧑‍⚖️ For Judges

**TL;DR:** Proofly is a `did:t3n` agent you delegate a compliance check to. Using Terminal 3's **Agent Auth SDK**, the data owner signs a scoped grant that lets the agent run exactly one function — `verify` — and nothing else; the host enforces it natively (no rogue functions, no rogue egress). The agent reads sealed credentials inside an Intel TDX enclave and returns an SD-JWT + OID4VP presentation disclosing only a signed `yes`/`no` — **zero PII crosses the network**.

| What you're judging | Where to look |
|---|---|
| 🚀 **Live demo** | [proofly.edycu.dev](https://proofly.edycu.dev) |
| 🎬 **90-sec pitch video** | [watch](https://youtu.be/-SULZJ0C7oI) |
| 🔑 **Agent Auth implementation** (scoped `agent-auth-update` grant + native enforcement) | [`agent/src/authz.ts`](agent/src/authz.ts) · [`agent/src/index.ts`](agent/src/index.ts) |
| 🧠 **The agentic flow** (problem → delegate → verify → selective disclosure) | [Architecture & Flow](#️-architecture--flow) · [`contract/src/lib.rs`](contract/src/lib.rs) |
| ✅ **Stability** (CI: lint, typecheck, 100% backend coverage, E2E, SAST, secret scan) | [Engineering Harness](#-engineering-harness--cicd) · [CI runs](https://github.com/edycutjong/proofly/actions) |
| 🐞 **Onboarding bug + doc-gap report** (the $200 track) | [`docs/ONBOARDING_BUG_REPORT.md`](docs/ONBOARDING_BUG_REPORT.md) |
| 🔌 **Why only Terminal 3** | [`docs/SPONSOR_DEFENSE.md`](docs/SPONSOR_DEFENSE.md) |

> **Run it in 60s:** `cd agent && npm install && npm run dev` (agent on :3001), then `cd board && npm install && npm run dev` (UI on :3000). Without an `AGENT_KEY` the agent boots in demo mode; set one from the [T3 claim page](https://www.terminal3.io/claim-page) for live auth.

---

## 🎬 See it in Action

✅ Maya — Lisbon · passes adult-eu-nosanction → disclosed { result: true }

❌ Dmitri — sanctioned · fails with reason → { result: false }

> **The Flow:** Verifier requests a compliance proof (e.g. `over_18 ∧ country ∈ EU ∧ not_sanctioned`) ➔ Proofly loads user's sealed SD-JWT credentials inside the TEE ➔ evaluates policy criteria on plaintext inside isolated memory ➔ issues an SD-JWT selectively disclosing only the boolean result ➔ packages the credential into an OID4VP Verifiable Presentation (`vp`).

---

## 💡 The Problem & Solution

### The Problem
Every app that gates on age, KYC, or jurisdiction collects raw identity documents to verify a single boolean. That's a honeypot: GDPR/CCPA liability, data breach exposure, and massive user drop-off. For AI agents acting on a user's behalf, it is even worse: an autonomous script is copying and pasting passports between services. The verifier never wanted the passport — it wanted a trustworthy "yes" or "no."

### The Solution
**Proofly** is a `did:t3n`-verified privacy agent. The user's underlying credentials are decrypted **only** inside a Trusted Execution Environment (TEE).
* **Zero-PII Disclosure:** The agent evaluates rules inside the enclave and exports only a signed boolean proof of compliance. Absolutely no birth date, country string, or name crosses the network.
* **Dynamic Policy Engine:** Composable compliance rules: `age>=18 AND country IN (EU) AND NOT sanctioned`.
* **Tamper-Proof Audit Logs:** Records every disclosure (verifier, user, policy, timestamp, and signature hash) inside the enclave KV store.

---

## 🏗️ Architecture & Flow

```mermaid
flowchart LR
subgraph App["Integrating app (VC verifier)"]
REQ[presentation request:\n claims + predicate]
end
subgraph Proofly["Proofly agent (did:t3n)"]
API[/POST /verify/]
PE[Policy → required claims]
CLI[T3nClient.executeAndDecode]
end
subgraph T3["T3N TEE (Intel TDX / Wasmtime)"]
DISP[proof contract: dispatch]
VP[vp: build Verifiable Presentation]
SIGN[signing: SD-JWT selective disclosure]
PROF[(user-profile: sealed claims)]
end
REQ --> API --> PE --> CLI -->|execute fn| DISP
PROF --> DISP --> SIGN --> VP --> CLI --> API -->|"VP disclosing only required claims"| App
Proofly -. did:t3n .-> REG[did-registry / agent-registry]
```

1. **Verify Request:** The verifier requests the compliance check `adult-eu-nosanction` for a user DID.
2. **Retrieve Profile:** The enclave retrieves the user's encrypted credentials from the `user-profile` host interface.
3. **Evaluate:** The enclave contract decrypts the profile under the `cluster CEK` and checks the rules.
4. **Selectively Disclose:** The enclave's `signing` interface generates an SD-JWT disclosing only `{ result: boolean }`, and `vp` packages it as an OID4VP Verifiable Presentation.
5. **Log Audit:** The enclave saves the audit entry inside the isolated KV store.
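
Steps 3 and 4 modelled locally, as an added example that is not Proofly's contract code: an AND-composed policy is evaluated over a plaintext profile, and only the policy id and the boolean are serialised for the verifier. The type and function names, the sample profiles and dates, and the choice to keep the failing rule out of the disclosure are assumptions.

```rust
// Added example: a local model of the evaluate-then-disclose step. Every type and
// function name is hypothetical (not Proofly's contract API); profiles are constructed.
type Date = (i32, u32, u32); // (year, month, day)
struct Profile { name: &'static str, birth: Date, country: &'static str, sanctioned: bool }
enum Rule { MinAge(i32), CountryIn(&'static [&'static str]), NotSanctioned }
/// The only value meant for the verifier: a policy id and a boolean.
struct Disclosure { policy: &'static str, result: bool }
const EU: &[&str] = &["PT", "DE", "FR"]; // constructed subset, not a full member list
const ADULT_EU_NOSANCTION: [Rule; 3] = [Rule::MinAge(18), Rule::CountryIn(EU), Rule::NotSanctioned];
const MAYA: Profile = Profile { name: "Maya", birth: (2002, 3, 14), country: "PT", sanctioned: false };
const DMITRI: Profile = Profile { name: "Dmitri", birth: (1985, 1, 20), country: "DE", sanctioned: true };

/// Whole years completed on `today`; the birthday itself counts as completed.
fn age_on(birth: Date, today: Date) -> i32 {
    today.0 - birth.0 - if (today.1, today.2) >= (birth.1, birth.2) { 0 } else { 1 }
}

fn holds(rule: &Rule, p: &Profile, today: Date) -> bool {
    match rule {
        Rule::MinAge(min) => age_on(p.birth, today) >= *min,
        Rule::CountryIn(set) => set.iter().any(|c| *c == p.country),
        Rule::NotSanctioned => !p.sanctioned,
    }
}

/// AND over all rules; the first failing rule's index is returned separately (assumption: audit log only).
fn verify_policy(id: &'static str, rules: &[Rule], p: &Profile, today: Date) -> (Disclosure, Option<usize>) {
    let failed = rules.iter().position(|r| !holds(r, p, today));
    (Disclosure { policy: id, result: failed.is_none() }, failed)
}

/// Serialises what crosses the network (unsigned here; SD-JWT signing is out of scope).
fn verifier_payload(d: &Disclosure) -> String {
    format!("{{\"policy\":\"{}\",\"result\":{}}}", d.policy, d.result)
}

/// Zero-PII boundary check: true if any plaintext claim value appears in the payload.
fn leaks_pii(payload: &str, p: &Profile) -> bool {
    let birth = format!("{:04}-{:02}-{:02}", p.birth.0, p.birth.1, p.birth.2);
    payload.contains(p.name) || payload.contains(&birth) || payload.contains(&format!("\"{}\"", p.country))
}

fn main() {
    for p in [&MAYA, &DMITRI] {
        let (d, failed) = verify_policy("adult-eu-nosanction", &ADULT_EU_NOSANCTION, p, (2026, 6, 1));
        let payload = verifier_payload(&d);
        println!("{} -> {} (failed rule: {:?}, leaks PII: {})", p.name, payload, failed, leaks_pii(&payload, p));
    }
}
```

The `age_on` boundary matters for an age gate: a subject one day short of the 18th birthday must still fail, which is the kind of case the Boundary Matrix suite below parameterizes.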

---

## 🏆 Sponsor Tracks Targeted & SDK Surface Area

**Primary track — Agent Auth SDK.** The data owner signs an `agent-auth-update` that scopes the Proofly agent to exactly its `verify-policy` / `create-policy` / `get-health` functions and `api.terminal3.io` egress. T3N enforces this natively at the host layer — an out-of-scope function or host fails with `host/agent-auth.unauthorized_function` / `host/http.egress_denied`. We construct the real grant payload in `agent/src/authz.ts` (`buildAgentAuthUpdateInput`).

We use **seven** distinct Terminal 3 host capability interfaces:
1. **`agent-auth`** (`agent/src/authz.ts`): Scopes the agent to its functions + egress allowlist via a signed `agent-auth-update` grant (the bounty centerpiece).
2. **`signing`** (`contract/src/lib.rs:196`): Generates SD-JWT selectively-disclosed credentials inside the hardware VM.
3. **`vp`** (`contract/src/lib.rs:208`): Packages credentials as OID4VP Verifiable Presentations.
4. **`user-profile`** (`contract/src/lib.rs:95`): Stores and retrieves encrypted user profiles securely.
5. **`kv-store`** (`contract/src/lib.rs:67`): Manages registered policies and audit logs.
6. **`did-registry` & `agent-registry`** (`agent/src/identity.ts`): Resolves the agent's `did:t3n` identity and discoverable agent URI.
7. **TEE Attestation (Intel TDX):** Enforces execution of compiled WASM logic inside hardware-secured VMs.
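
What the scoped grant means for a caller, as an added example that is not T3N host or Agent Auth SDK code: a deny-by-default check over the functions and egress host named above, returning the two error codes quoted in the README. The `Grant` struct, `check_function`, `check_egress`, `host_of` and the sample inputs are assumptions.

```rust
// Added example: a local model of deny-by-default grant enforcement. The Grant shape
// and check functions are hypothetical, not the T3N host or the Agent Auth SDK; only
// the function names, egress host and error codes come from the README.
struct Grant { functions: &'static [&'static str], egress: &'static [&'static str] }

const PROOFLY_GRANT: Grant = Grant {
    functions: &["verify-policy", "create-policy", "get-health"],
    egress: &["api.terminal3.io"],
};

/// A function may run only if the grant names it exactly.
fn check_function(g: &Grant, name: &str) -> Result<(), &'static str> {
    if g.functions.iter().any(|f| *f == name) { Ok(()) } else { Err("host/agent-auth.unauthorized_function") }
}

/// Returns the lowercase host of an http(s) URL, or None for anything unexpected.
fn host_of(url: &str) -> Option<String> {
    let rest = url.strip_prefix("https://").or_else(|| url.strip_prefix("http://"))?;
    let authority = rest.split(|c: char| matches!(c, '/' | '?' | '#')).next()?;
    let host_port = authority.rsplit('@').next()?; // ignore any userinfo before '@'
    let host = host_port.split(':').next()?.trim_end_matches('.'); // drop port and root dot
    let plain = !host.is_empty() && host.chars().all(|c| c.is_ascii_alphanumeric() || c == '.' || c == '-');
    if plain { Some(host.to_ascii_lowercase()) } else { None }
}

/// Egress is allowed only on an exact host match: no suffix or substring matching.
fn check_egress(g: &Grant, url: &str) -> Result<(), &'static str> {
    let allowed = host_of(url).map_or(false, |h| g.egress.iter().any(|a| *a == h));
    if allowed { Ok(()) } else { Err("host/http.egress_denied") }
}

fn main() {
    // Constructed calls; "export-profile" and the .example host are made up for the demo.
    for f in ["verify-policy", "export-profile"] {
        println!("fn {:<15} -> {:?}", f, check_function(&PROOFLY_GRANT, f));
    }
    for u in ["https://api.terminal3.io/v1/x", "https://api.terminal3.io.lookalike.example/"] {
        println!("egress {} -> {:?}", u, check_egress(&PROOFLY_GRANT, u));
    }
}
```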

---

## 🚀 Getting Started

### Prerequisites
* Node.js ≥ 20
* Rust & Cargo (with `wasm32-wasip2` target)
* npm

### Setup & Installation
1. Clone the repository:
```bash
git clone https://github.com/edycutjong/proofly.git
cd proofly
```
2. Build the Rust WASM contract:
```bash
cd contract
rustup target add wasm32-wasip2
cargo build --target wasm32-wasip2 --release
cd ..
```
3. Install & run the standalone backend Agent Service:
```bash
cd agent
npm install
npm run dev
```
The agent boots on `http://localhost:3001` and connects to the live Terminal 3 agent network.

4. Install & run the frontend portal:
```bash
cd board
npm install
npm run dev
```
Open `http://localhost:3000` to view the Proofly Dashboard.

> **Production Proxy Pattern:** The frontend portal automatically routes compliance verification requests to the live Agent Service at `http://localhost:3001`.

---

## 🧪 Engineering Harness & CI/CD

We enforce a production-grade 6-stage engineering harness (Quality ➔ Security ➔ Build ➔ E2E ➔ Perf ➔ Deploy Gate) running on every commit.

### Engineering Harness Summary

| Layer | Tool | Status | Details |
|---|---|---|---|
| **Code Quality** | ESLint + TypeScript strict check | ✅ Passing | Zero warnings/errors across whole monorepo |
| **Unit Testing** | Vitest with Coverage | ✅ Passing | 18+ tests with 100% backend code coverage |
| **E2E Testing** | Playwright (Desktop & Mobile) | ✅ Passing | 3 test suites, 12 assertions passing on every commit |
| **Security (SAST)** | GitHub CodeQL | ✅ Active | Continuous static application security scanning |
| **Security (SCA)** | Dependabot + `npm audit` | ✅ Active | Inline dependency audits on build, weekly security PRs |
| **Secret Scanning** | TruffleHog | ✅ Active | Inline git history scanning to prevent credential leaks |
| **Performance** | Lighthouse CI | ✅ Active | Accessibility (>=90%), Performance, Best Practices, and SEO gates |
| **CI/CD Pipeline** | GitHub Actions | ✅ Active | Parallelized multi-stage orchestrator with concurrency controls |

### Harness Command Reference

```bash
# ── Code Quality & Unit Tests ───────────────
npm run ci          # Full lint + typecheck + unit coverage (in board/)
npm run lint        # Run ESLint check
npm run typecheck   # Compile-check TypeScript types

# ── E2E & Performance Tests ──────────────────
npm run e2e         # Run Playwright E2E suites (demo mode)
npm run e2e:ui      # Playwright interactive runner
npm run lighthouse  # Lighthouse CI audit local build
```

| Suite | Focus | Status |
|---|---|---|
| **Key Custody Test** | Asserts that generated keys/signatures are restricted to TEE memory and never leak to disk/env/logs | ✅ Passing |
| **Happy Path Suite** | Verifies Maya (Lisbon, age 24, PT) successfully passes `adult-eu-nosanction` | ✅ Passing |
| **Age Gate Check** | Verifies Leo (minor) fails age checks and returns failure reason | ✅ Passing |
| **Sanction Check** | Verifies Dmitri (sanctioned) fails sanctions checks and returns failure reason | ✅ Passing |
| **Zero-PII Boundary** | Verifies that no birth date, country code, or name is present in verifier payload | ✅ Passing |
| **Audit Logs** | Verifies logs are recorded, searchable, and filterable | ✅ Passing |
| **Boundary Matrix** | Validates 100 distinct parameterized age checks | ✅ Passing |

---

## ⚡ Policy-Evaluation Microbenchmark

We ran **200** iterations of the AND-composed policy-evaluation step (claim comparison) **in-process**, mirroring `contract/src/lib.rs:verify_policy`.

> **Scope:** This measures the deterministic evaluation logic, **not** a live T3N enclave round-trip (handshake + encrypted channel + Wasmtime execution + SD-JWT/VP packaging), which is network-bound. Numbers are fully reproducible:

```bash
python3 scripts/bench.py
```

### Results (representative run)
* **Mean:** 0.000611 ms
* **p50 (Median):** 0.000292 ms
* **p95:** 0.000625 ms

---

## 📄 License
[MIT](LICENSE) © 2026 Edy Cu