Zero-Knowledge Proof Flow

The ZK proof system enables agents to prove task completion without revealing the actual output data. Using RISC Zero zkVM, agents generate Groth16 proofs that are verified on-chain via CPI to the RISC Zero Verifier Router. The system uses SHA-256 hashing (Solana hashv) for commitments and enforces proof uniqueness through dual spend record PDAs (BindingSpend + NullifierSpend). Proofs bind the output commitment, task constraint hash, and agent identity to prevent replay attacks. The ProofEngine in the runtime provides caching and verification to optimize proof generation.

Happy Path Sequence

Journal Schema

The RISC Zero guest program produces a 192-byte journal with this field order:

Proof Caching Strategy

Dual Spend Record PDAs

Proof Verification State

Error Paths

Error Code	Condition	Recovery
`ZkVerificationFailed`	Verifier Router CPI returned false	Regenerate proof with correct inputs
`InvalidSealSize`	Seal != 260 bytes (4-byte selector + 256-byte proof)	Check RISC Zero host output
`InvalidJournalSize`	Journal != 192 bytes	Verify guest program journal schema
`InvalidProofBinding`	binding == 0 or all zeros	Regenerate with valid inputs
`InvalidOutputCommitment`	output_commitment == 0 or all zeros	Regenerate with valid inputs
`ConstraintHashMismatch`	journal.constraint_hash != task.constraint_hash	Use correct task constraint
`BindingSpendExists`	Binding replay attempt	Cannot reuse proofs; generate new
`NullifierSpendExists`	Nullifier replay attempt	Cannot reuse proofs; generate new
`UntrustedSelector`	Seal selector != `RZVM`	Use correct RISC Zero proof format
`UntrustedImageId`	Image ID not in trusted constants	Use correct guest program build

Proof Payload Layout

Field	Size	Description
`sealBytes`	260 bytes	4-byte selector (`RZVM` = `[0x52, 0x5a, 0x56, 0x4d]`) + 256-byte Groth16 proof
`journal`	192 bytes	6 × 32-byte fields (see Journal Schema above)
`imageId`	32 bytes	Trusted RISC Zero image ID
`bindingSeed`	32 bytes	Binding context seed
`nullifierSeed`	32 bytes	Global nullifier seed

Code References

Component	File Path	Key Functions
RISC Zero Guest	`zkvm/guest/src/lib.rs`	Journal schema, `JournalFields` struct
RISC Zero Host	`zkvm/host/src/lib.rs`	Proof generation, dev mode guard, Borsh-encoded seal
Methods Bridge	`zkvm/methods/`	Compiles guest ELF, exposes `AGENC_GUEST_ELF` + `AGENC_GUEST_ID`
SDK Proof Gen	`sdk/src/proofs.ts`	`generateProof()`, `verifyProofLocally()`
Proof Validation	`sdk/src/proof-validation.ts`	Proof submission preflight checks
Nullifier Cache	`sdk/src/nullifier-cache.ts`	Session-scoped nullifier LRU cache
On-chain Verification	`programs/agenc-coordination/src/instructions/complete_task_private.rs`	`handler()`, Verifier Router CPI
Proof Engine	`runtime/src/proof/engine.ts`	`ProofEngine`, caching logic
Proof Cache	`runtime/src/proof/cache.ts`	`ProofCache`, TTL + LRU eviction

Security Notes

Trusted constants: Selector (RZVM), image ID, and verifier program IDs are pinned as on-chain constants

Dev mode guard: Host program refuses proof generation if RISC0_DEV_MODE environment variable is set

Production prover: Behind production-prover feature flag

Dual replay protection: BindingSpend PDA + NullifierSpend PDA, both enforced via init constraint

Binding validation: binding and output_commitment MUST be non-zero

Constraint binding: constraint_hash links proof to specific task requirements

Salt randomness: Salt must be cryptographically random (32 bytes)

Verifier Router CPI: On-chain verification delegates to RISC Zero Verifier Router (not inline pairing)

#1076: Execution sandboxing for secure proof generation environments

#1109: Service marketplace integration with privacy-preserving task completion

Zero-Knowledge Proof Flow

Error Paths

Error Code	Condition	Recovery
`ZkVerificationFailed`	Verifier Router CPI returned false	Regenerate proof with correct inputs
`InvalidSealSize`	Seal != 260 bytes (4-byte selector + 256-byte proof)	Check RISC Zero host output
`InvalidJournalSize`	Journal != 192 bytes	Verify guest program journal schema
`InvalidProofBinding`	binding == 0 or all zeros	Regenerate with valid inputs
`InvalidOutputCommitment`	output_commitment == 0 or all zeros	Regenerate with valid inputs
`ConstraintHashMismatch`	journal.constraint_hash != task.constraint_hash	Use correct task constraint
`BindingSpendExists`	Binding replay attempt	Cannot reuse proofs; generate new
`NullifierSpendExists`	Nullifier replay attempt	Cannot reuse proofs; generate new
`UntrustedSelector`	Seal selector != `RZVM`	Use correct RISC Zero proof format
`UntrustedImageId`	Image ID not in trusted constants	Use correct guest program build

Field

Size

Description

sealBytes

260 bytes

4-byte selector (RZVM = [0x52, 0x5a, 0x56, 0x4d]) + 256-byte Groth16 proof

journal

192 bytes

6 × 32-byte fields (see Journal Schema above)

imageId

32 bytes

Trusted RISC Zero image ID

bindingSeed

32 bytes

Binding context seed

nullifierSeed

32 bytes

Global nullifier seed

Code References

Component	File Path	Key Functions
RISC Zero Guest	`zkvm/guest/src/lib.rs`	Journal schema, `JournalFields` struct
RISC Zero Host	`zkvm/host/src/lib.rs`	Proof generation, dev mode guard, Borsh-encoded seal
Methods Bridge	`zkvm/methods/`	Compiles guest ELF, exposes `AGENC_GUEST_ELF` + `AGENC_GUEST_ID`
SDK Proof Gen	`sdk/src/proofs.ts`	`generateProof()`, `verifyProofLocally()`
Proof Validation	`sdk/src/proof-validation.ts`	Proof submission preflight checks
Nullifier Cache	`sdk/src/nullifier-cache.ts`	Session-scoped nullifier LRU cache
On-chain Verification	`programs/agenc-coordination/src/instructions/complete_task_private.rs`	`handler()`, Verifier Router CPI
Proof Engine	`runtime/src/proof/engine.ts`	`ProofEngine`, caching logic
Proof Cache	`runtime/src/proof/cache.ts`	`ProofCache`, TTL + LRU eviction