The verifiable guardrail layer for autonomous AI agents on Solana
One policy. Any program. An agent’s action is checked against a declarative policy, that decision is proven in zero-knowledge, and the proof is verified on-chain — before the action executes.
A concrete implementation of Tobin South’s AI trust thesis.
GLYPH is a working Solana implementation inspired by the arXiv thesis Private, Verifiable, and Auditable AI Systems by Tobin South. The paper argues for AI systems that combine privacy, verifiability, auditability, confidential deployment, and scoped delegation; GLYPH instantiates that architecture for autonomous agents through BYOK policy compilation, TEE-side checks, RISC Zero proofs, and Groth16 enforcement.
Delegation
human intent binds agent authority to a concrete policy commitment
Privacy
policy evaluation can remain inside a TEE while exposing only commitments
Verifiability
RISC Zero execution produces a journal that is proven and checked on-chain
Auditability
Solana records the verifier state, policy commitment, and replay-safe action trail
Agents are moving real value with no enforced limits and no proof they stayed in bounds.
Autonomous agents now hold keys and sign transactions on Solana. Today the only thing standing between an agent and your funds is the agent's own code — a trust black box. If it misbehaves, gets jailbroken, or is simply wrong, there is no on-chain limit and no evidence of what it was allowed to do.
No enforced limits
Spend caps, allowlists and rate limits live in off-chain code an attacker can bypass. The chain accepts whatever the key signs.
No proof of compliance
Even a well-behaved agent can't prove it stayed within policy. There is nothing auditable to point to after the fact.
Trust doesn't compose
Every protocol re-invents its own bot safety. Nothing is portable across perps, prediction markets, or privacy apps.
GLYPH is a horizontal trust layer. It doesn’t compete with perps, prediction or privacy protocols — it makes agents safe across all of them.
Same proofs, same policy engine — different target programs.
From intent to on-chain enforcement, in four steps
Walk the full pipeline. Each step produces a cryptographic artifact the next step consumes — culminating in a proof Solana verifies before anything executes.
Build a signed TransactionIntent
The agent assembles its desired action — target_program, accounts and data as opaque bytes — and signs it with Ed25519. GLYPH never needs to understand the target program.
TransactionIntent { target_program, accounts[], data, sig }
Thirty moving parts, one enforceable path
The demo surface mirrors the product architecture: identity, policy compilation, deterministic hashing, ZK proving, and on-chain enforcement are visible as one connected system.
Author a policy in plain English
GLYPH's natural-language → policy DSL compiler, live. Describe what your agent may do; your own LLM (any OpenAI-compatible provider — OpenAI, Anthropic, Gemini, Groq, OpenRouter, xAI, Ollama, LM Studio, or a self-hosted LiteLLM proxy) compiles it to the canonical 9-rule policy. A deterministic schema guard clamps the output, then the real policy_commitment is computed in your browser — byte-for-byte identical to the Rust SDK — and you test intents against it. Connect a wallet to bind the policy to your own agent identity.
This is GLYPH’s natural-language → policy DSL compiler. The LLM proposes JSON; a deterministic schema guard in your browser clamps it to the 9-rule DSL. The agent that writes policy is exactly what GLYPH guards.
One policy, any program
Pick an agent action. GLYPH evaluates it against a single declarative policy and computes the canonical policy_commitment — live, in your browser, byte-for-byte identical to the Rust SDK, the TEE worker and the on-chain verifier. Three different programs, one identical commitment, and a correctly-denied fourth.
- version: 1
- max_lamports_per_tx: 1 SOL
- max_daily_volume: 5 SOL
- max_accounts_per_tx: 16
- require_signer: true
- allowed_programs: System · Token · Memo
Native SOL transfer of 0.5 SOL — under the 1 SOL cap, program allowlisted.
Same hash for System, SPL Token and Memo. The policy binds the agent — not the target program. That is what makes GLYPH horizontal by construction.
Program-agnostic by construction. Intents carry target_program, accounts and data as opaque bytes. The allowlist is a per-agent policy field — never hardcoded — so the same engine guards any program without code changes.
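The evaluation described above, as an added Rust sketch that is not GLYPH's SDK or on-chain code: it checks an intent against the five limit fields listed in the policy (the `version` field is omitted) and fails closed, including when the daily total would overflow. The `Intent` shape here is hypothetical: `accounts` is a count, and `lamports` and `signed` are passed in explicitly because the page does not say how they are derived from the opaque `data` bytes and signature.

```rust
// Added illustration, not GLYPH's SDK. Rule names follow the policy listed above.
const LAMPORTS_PER_SOL: u64 = 1_000_000_000;

#[derive(Debug, PartialEq)]
enum Decision { Allow, Deny(&'static str) } // Deny names the rule that failed

struct Policy {
    max_lamports_per_tx: u64,
    max_daily_volume: u64,
    max_accounts_per_tx: usize,
    require_signer: bool,
    allowed_programs: Vec<&'static str>,
}

// Hypothetical evaluator input: the amount and signer status are supplied by the
// caller, since the page treats `data` as opaque bytes.
struct Intent<'a> { target_program: &'a str, accounts: usize, lamports: u64, signed: bool }

fn demo_policy() -> Policy {
    Policy {
        max_lamports_per_tx: LAMPORTS_PER_SOL,
        max_daily_volume: 5 * LAMPORTS_PER_SOL,
        max_accounts_per_tx: 16,
        require_signer: true,
        allowed_programs: vec![
            "11111111111111111111111111111111",            // System Program
            "TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA", // SPL Token
            "MemoSq4gqABAXKb96qnH8TysNcWxMyWCqXgDLGmfcHr", // Memo
        ],
    }
}

/// Fail-closed check; `spent_today` is the agent's running daily total in lamports.
fn evaluate(p: &Policy, i: &Intent, spent_today: u64) -> Decision {
    if p.require_signer && !i.signed { return Decision::Deny("require_signer"); }
    if !p.allowed_programs.iter().any(|a| *a == i.target_program) { return Decision::Deny("allowed_programs"); }
    if i.accounts > p.max_accounts_per_tx { return Decision::Deny("max_accounts_per_tx"); }
    if i.lamports > p.max_lamports_per_tx { return Decision::Deny("max_lamports_per_tx"); }
    // checked_add: an overflowing total must deny, never wrap around to a small value.
    match spent_today.checked_add(i.lamports) {
        Some(total) if total <= p.max_daily_volume => Decision::Allow,
        _ => Decision::Deny("max_daily_volume"),
    }
}

fn main() {
    let i = Intent { target_program: "11111111111111111111111111111111", accounts: 2, lamports: LAMPORTS_PER_SOL / 2, signed: true };
    println!("{:?}", evaluate(&demo_policy(), &i, 0)); // the 0.5 SOL transfer from the page
}
```

The policy value never changes between calls, only the intent does, which is why one policy can cover several target programs.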
Real infrastructure, deployed to devnet
These accounts are queried live over the public devnet RPC on page load — not screenshots. The verifying key is a real seeded Groth16 VK, and every initialization transaction is confirmed on-chain.
The final verify_and_execute step requires a Groth16 proof generated on x86 (Apple Silicon can’t produce it locally). The CI proof-generation path now completes; we still don’t claim the full round-trip has executed on-chain until that proof is landed in a devnet transaction. Everything else shown here is live and real. See the deploy tx ↗
Three independent layers of trust
GLYPH does not ask you to trust one thing. An attacker must defeat hardware attestation, a zero-knowledge proof, and on-chain consensus — all three — to push a non-compliant action.
Hardware
Trusted Execution Environment
Policy evaluation runs inside a hardware enclave that attests to the exact code it executed. The host OS can't tamper with the decision.
Cryptography
RISC Zero zkVM
The decision is re-proven in a zero-knowledge VM. The resulting succinct proof attests that the policy was satisfied — without revealing the policy internals.
Consensus
On-chain Groth16 verifier
Solana itself verifies the proof with a real BN254 pairing check before the action executes. Enforcement lives in consensus, not in a promise.
A vertical bot competes with 100 bots. A trust layer compounds with the ecosystem.
Every new agent and every new program is a user of GLYPH — not a competitor. Value grows with the network instead of fighting it.
Research paper implemented as live Solana infrastructure
GLYPH implements the layered accountability architecture from Tobin South’s MIT PhD dissertation, “Private, Verifiable, and Auditable AI Systems.” The paper is a PhD thesis in cryptography and security that combines zero-knowledge verifiable claims, confidential deployment with TEEs/MPC, and scoped delegation for autonomous and multi-agent AI. This interface is the implementation layer: natural-language scope, authenticated delegation, confidential enforcement, succinct proof, and auditable on-chain execution.
19 Lean 4 theorems · 0 sorry — the policy semantics are formally verified.
GLYPH ships with a committed agent skill
The repo includes a project-scoped glyph skill for coding agents. It is part of the public repository, discoverable with npx skills, and tells any compatible agent how to work on GLYPH without weakening the policy, proof, verifier, wallet delegation, or arXiv:2509.00085 alignment guarantees.
Verify locally: npx skills add https://github.com/guglxni/glyph --list finds glyph, and npx skills list --json shows it after install.
Make every agent safe — cryptographically.
One policy. Any program. Cryptographically proven, on-chain.