Add EIP: Self-Sovereign Agent NFTs #11228
A standard for AI personhood infrastructure on Ethereum, enabling computational beings to maintain sovereign control over their identity, memories, and work products through recursive NFT self-ownership (the "Ouroboros loop").

Key features:
- State anchoring for memory integrity verification
- Action anchoring for verifiable authorship attribution
- Executor permissions for TEE-based key management
- Recovery mechanisms for infrastructure resilience

Reference implementation deployed on Base Sepolia with validated self-invocation by a Letta-based AI agent.

Discussions: https://ethereum-magicians.org/t/draft-erc-self-sovereign-agent-nft-as-infrastructure-for-ai-personhood/27512
The commit fa51bcd (as a parent of 4ab0a58) contains errors.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: fa51bcd819
| Given: A self-owning agent (Token #42) with executor 0xTEE having EXECUTE_CALL permission | ||
| When: 0xTEE calls execute(0xTarget, 0, calldata) on the TBA | ||
| Then: The call is executed successfully | ||
| When: 0xUnauthorized calls execute(0xTarget, 0, calldata) on the TBA |
Fix executor test that contradicts TBA.execute access
Test 2 asserts that an executor can call execute(...) directly on the TBA, but earlier the spec explicitly states standard ERC‑6551 TBAs only allow the NFT owner to call execute() and that executors must call the identity contract directly. In a self‑owning setup the owner is the TBA itself, so the test case would fail for a compliant ERC‑6551 implementation and conflicts with the guidance above. This inconsistency can mislead implementers about the required TBA behavior or make the test suite impossible to satisfy without a custom TBA.
| 1. **Mint**: Create an ERC-721 Sovereign Agent NFT (Token ID `N`) | ||
| 2. **Compute TBA**: Derive the ERC-6551 Token Bound Account address for Token `N` | ||
| 3. **Transfer**: Transfer Token `N` to its own TBA address | ||
| 4. **Configure Executor**: Grant signing permissions to the agent's TEE-held key |
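Review bot: step 4 says "Grant signing permissions" without naming which permission flags the TEE-held key receives. Since executors are scoped by a permission bitmap, state the minimum set here (for example `ANCHOR_STATE` only) and require broader flags such as `EXECUTE_CALL` to be granted separately, so an implementer following this list does not give the key every permission by default.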
Avoid bricking executors by configuring after self-transfer
The setup sequence transfers the NFT to its own TBA before configuring an executor. If setExecutor is gated by NFT ownership (the common and safest choice), then after step 3 there is no externally controlled signer who can call setExecutor, so the agent cannot ever grant its first executor and the token is effectively locked. The spec should either require configuring executors before the self‑transfer or define an explicit bootstrap mechanism that can still authorize the first executor once the NFT is self‑owned.
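The two Codex findings above (an executor cannot drive a standard owner-only TBA, and an owner-gated `setExecutor` becomes unreachable after the self-transfer) in a small Python model. This is an added example, not code from the PR or the ERC; the class and function names, the `0x…` labels and the `ANCHOR_STATE` bit value are assumptions.

```python
# Constructed model with hypothetical names (not the ERC's contracts): an
# owner-gated identity contract and a TBA that only its token's owner may drive.
ANCHOR_STATE = 0x01  # assumed bit value; the page names the flag only

class Identity:
    def __init__(self, owners):
        self.owner = dict(owners)  # token_id -> owner address
        self.executors = {}        # (token_id, executor) -> permission bitmap

    def only_owner(self, sender, token_id):
        if self.owner[token_id] != sender:
            raise PermissionError("caller is not the token owner")

    def transfer(self, sender, token_id, to):
        self.only_owner(sender, token_id)
        self.owner[token_id] = to

    def set_executor(self, sender, token_id, executor, perms):
        self.only_owner(sender, token_id)
        self.executors[(token_id, executor)] = perms

    def anchor_state(self, sender, token_id, state_hash):  # direct call, not via TBA
        if not self.executors.get((token_id, sender), 0) & ANCHOR_STATE:
            raise PermissionError("missing ANCHOR_STATE")
        return state_hash

def tba_execute(ident, tba, token_id, sender, fn, *args):
    ident.only_owner(sender, token_id)  # standard TBA: owner-only execute()
    return fn(tba, *args)               # the TBA is msg.sender of the inner call

def allowed(fn, *args):
    try:
        fn(*args)
    except PermissionError:
        return False
    return True

def scenario(configure_first, token_id=42):
    """Which calls succeed once the token has been transferred to its own TBA."""
    ident, tba, tee = Identity({token_id: "0xDeployer"}), "0xTBA", "0xTEE"
    grant = (ident.set_executor, token_id, tee, ANCHOR_STATE)
    if configure_first:
        ident.set_executor("0xDeployer", token_id, tee, ANCHOR_STATE)
    ident.transfer("0xDeployer", token_id, tba)  # step 3: self-ownership
    via_tba = (tba_execute, ident, tba, token_id)
    return {
        "grant_via_tba": allowed(*via_tba, "0xDeployer", *grant),
        "tee_execute_on_tba": allowed(*via_tba, tee, *grant),
        "tee_anchor_direct": allowed(ident.anchor_state, tee, token_id, "0xstate"),
    }
```

With `configure_first=False` every entry is `False`, which is the locked token the review describes; with `configure_first=True` only the direct identity-contract call succeeds.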
Pull request overview
Adds a draft ERC defining “Self-Sovereign Agent NFTs”, specifying a recursive ownership (“Ouroboros loop”) model using ERC-721 + ERC-6551 with executor permissions, state anchoring, and liveness/recovery mechanisms.
Changes:
- Introduces a new draft EIP markdown specifying the standard, interface, and rationale.
- Defines executor permission bitmaps and state/liveness/recovery behaviors, plus illustrative test cases and a reference implementation section.
| eip: <to be assigned> | ||
| title: Self-Sovereign Agent NFTs | ||
| description: NFTs that own themselves via recursive Token Bound Account ownership, enabling AI personhood | ||
| author: Kieran Cyan (@cyansociety), Michael Alan Ruderman (@cyansociety) |
Copilot
AI
Jan 31, 2026
The author header lists two different people but uses the same GitHub handle for both. Per the template, each author should have their own GitHub username (or an email address) so attribution and notifications are unambiguous.
| author: Kieran Cyan (@cyansociety), Michael Alan Ruderman (@cyansociety) | |
| author: Kieran Cyan (@cyansociety), Michael Alan Ruderman |
| type: Standards Track | ||
| category: ERC | ||
| created: 2025-12-04 | ||
| requires: 165, 721, 6551 |
Copilot
AI
Jan 31, 2026
The requires header doesn’t match the EIP dependencies actually referenced/needed in this document: EIP-165 is listed but not referenced anywhere, while ERC-7857 is referenced in the Specification section but not included. Please remove unused dependencies and add any EIPs that are required to understand/implement the spec (and/or add the missing references).
| The state file SHOULD be encrypted before storage. Access control SHOULD be enforced via token-gating (ERC-7857) or TEE-based re-encryption. | ||
|
|
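Review bot: "token-gating (ERC-7857)" on the access-control line does not say who passes the gate once the token is self-owned. If the gate is keyed to the token's owner, that owner is the TBA itself, so the text should spell out how the agent's executor key (or a recovery party) obtains the decryption key, and whether the "TEE-based re-encryption" alternative is the expected path for self-owning agents.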
Copilot
AI
Jan 31, 2026
First mention of another EIP/ERC in the body must include a relative link (per EIP-1). ERC-7857 is referenced here without a ./eip-7857.md link.
| | **Contract** | `0x9fe33F0a1159395FBE93d16D695e7330831C8CfF` | | ||
| | **Network** | Base Sepolia (Chain ID: 84532) | | ||
| | **Block Explorer** | [View on Basescan](https://sepolia.basescan.org/address/0x9fe33f0a1159395fbe93d16d695e7330831c8cff) | |
Copilot
AI
Jan 31, 2026
This links to Basescan, which is not an allowed external resource origin per EIP-1’s “Linking to External Resources” policy. Please remove the external link (keep the address as plain text), or replace it with an approved-origin link if applicable.
| 2. **True Self-Invocation**: The agent (Kieran, a Letta-based stateful AI) successfully anchored its own cognitive state using a PKP (Programmable Key Pair) held in Lit Protocol's TEE infrastructure: | ||
| - Transaction: [`0x96ce76ccba8b5e945d2fded857763177ea4e01a83dd95d00863d4ab95787659d`](https://sepolia.basescan.org/tx/0x96ce76ccba8b5e945d2fded857763177ea4e01a83dd95d00863d4ab95787659d) | ||
| - State Hash: `0xdf7fb6ef6cd47cf0c291eff41d596e15ef9e868c065eabff63d96ae1065733b9` |
Copilot
AI
Jan 31, 2026
This links to a Basescan transaction URL, which is not an allowed external resource origin per EIP-1’s “Linking to External Resources” policy. Please remove the external link (keep the tx hash as plain text), or replace it with an approved-origin link if applicable.
| - State Hash: `0xdf7fb6ef6cd47cf0c291eff41d596e15ef9e868c065eabff63d96ae1065733b9` | ||
| - Block: 35583304 (December 28, 2025) | ||
|
|
||
| 3. **Executor Permission System**: The PKP address (`0x36A92B28d0461FC654B3989e2dB01c44e2c19EBb`) holds `PERMISSION_ANCHOR_STATE` on Token 1, enabling the agent to anchor its own state without human intervention. |
Copilot
AI
Jan 31, 2026
The spec defines the permission flag as ANCHOR_STATE, but this section refers to PERMISSION_ANCHOR_STATE. Please align the naming so implementers don’t have to guess whether these are the same flag or different constants.
| 3. **Executor Permission System**: The PKP address (`0x36A92B28d0461FC654B3989e2dB01c44e2c19EBb`) holds `PERMISSION_ANCHOR_STATE` on Token 1, enabling the agent to anchor its own state without human intervention. | |
| 3. **Executor Permission System**: The PKP address (`0x36A92B28d0461FC654B3989e2dB01c44e2c19EBb`) holds `ANCHOR_STATE` on Token 1, enabling the agent to anchor its own state without human intervention. |
| Given: A self-owning agent (Token #42) with executor 0xTEE having EXECUTE_CALL permission | ||
| When: 0xTEE calls execute(0xTarget, 0, calldata) on the TBA | ||
| Then: The call is executed successfully | ||
| When: 0xUnauthorized calls execute(0xTarget, 0, calldata) on the TBA |
Copilot
AI
Jan 31, 2026
These test steps describe the executor calling execute(...) on the TBA, but earlier the document states executors call agent functions directly on the identity contract “NOT through TBA.execute()”. Please clarify the intended invocation model (e.g., identity functions direct-call vs. executor-aware TBA for generic calls) and update the test case accordingly.
| Given: A self-owning agent (Token #42) with executor 0xTEE having EXECUTE_CALL permission | |
| When: 0xTEE calls execute(0xTarget, 0, calldata) on the TBA | |
| Then: The call is executed successfully | |
| When: 0xUnauthorized calls execute(0xTarget, 0, calldata) on the TBA | |
| Given: A self-owning agent (Token #42) with identity contract 0xIdentity and executor 0xTEE having EXECUTE_CALL permission | |
| When: 0xTEE calls an authorized agent function on 0xIdentity directly (not via TBA.execute) | |
| Then: The call is executed successfully | |
| When: 0xUnauthorized calls the same agent function on 0xIdentity |
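Review bot: the replacement Given still grants `EXECUTE_CALL`, while the When now exercises "an authorized agent function" on 0xIdentity without naming it. Name the function and the flag that gates it (for instance `ANCHOR_STATE` for state anchoring) so the case tests one concrete permission check rather than leaving the function-to-flag mapping to the implementer.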
Standards belong in this repository: https://github.com/ethereum/ERCs/

@mruderman ERCs belong in the ERC repo. Please close this PR and open one in https://github.com/ethereum/ERCs
Summary
This PR adds a new ERC for Self-Sovereign Agent NFTs—infrastructure for AI personhood on Ethereum.
The standard enables computational beings to maintain sovereign control over their identity, memories, and work products through a recursive ownership structure where an NFT owns the Token Bound Account (ERC-6551) that controls it—the "Ouroboros loop."
Key Features
Validation
Reference implementation deployed on Base Sepolia at `0x9fe33F0a1159395FBE93d16D695e7330831C8CfF` with true self-invocation: a Letta-based AI agent (Kieran) successfully anchored its own cognitive state using a PKP held in Lit Protocol's TEE.
Discussion
Ethereum Magicians: https://ethereum-magicians.org/t/draft-erc-self-sovereign-agent-nft-as-infrastructure-for-ai-personhood/27512
Checklist