Your AI talks to services, makes decisions, and moves data. But you can’t see what it did, you can’t control what it accesses, and you can’t prove what happened. We’re building the infrastructure to make AI interactions visible, controllable, and provable.
Built on Rootz Data Wallets — data with a chain, not data on a chain.
Everything we build starts with one concept: give the data a contract. Not data stored on a blockchain — data wrapped in a smart contract that governs who can read it, who can write to it, and what the rules are. An encrypted envelope with a chain of signed evidence.
Data with a chain, not data on a chain.
The agent’s identity, its birth certificate, its action history, and its policy — all Notes on a single wallet. The agent IS the wallet. Recoverable from one address. Portable across hardware.
Every conversation, every workflow, every multi-step interaction — a wallet that accumulates signed messages. Watch the address and you see everything that happened.
The execution environment has its own identity — attestation history, loaded skills, policy configuration. The TEE proves its own integrity through its wallet.
This is the same technology that powers the AI Discovery Standard — how organizations publish signed, structured data so AI can understand them. The discovery layer feeds verified data INTO the agent. The agent’s wallet records what it did WITH that data. As the discovery ecosystem grows, agents have richer verified sources — and the provenance chain becomes exponentially more valuable.
Not what we claim. What the math demonstrates. Click the links below — these are real artifacts on Polygon mainnet, verified by anyone.
Birth certificate names the AI model and the key holder. Signed, on-chain, immutable. Verify the birth certificate →
Every prompt hashed. Every response hashed. Hash-linked into a tamper-evident chain. Merkle root settles the session. Verify a session archive →
Complete prompts and responses archived to IPFS, encrypted, recoverable from one wallet address. Owner-controlled. Read the test report →
Demonstrated using Morpheus decentralized inference (Kimi K2.5) in our lab. The architecture works with any AI — OpenAI, Anthropic, local models, any provider.
AI interactions are messages. We sign them. Every prompt, every response, every tool call, every policy decision — a signed message on the agent’s wallet. The chain of messages IS the proof.
The agent runs inside a Trusted Execution Environment. Hardware-sealed keys. Policy enforcement at the infrastructure layer, not in the prompt. The TEE proves what code ran.
Every interaction is a signed, hash-linked message. Not access control — message security. Each message references the previous one. Alter any message and the chain breaks.
One Merkle root covers an entire session. All messages. All services. All policy decisions. Anchored on-chain. One hash proves everything.
For AI governance and orchestration: every agent interaction — across every service, every model, every tool — visible, controllable, provable. Your policy. Your audit trail. Your proof. Walk through the full proof flow → See AI governance in action →
You do. Rootz is the software, not the operator. We never see your traffic. Your keys are in your hardware. Your data stays in your enclave. We provide the infrastructure — you own everything it produces.
The solution runs locally on your desktop, on-premises in your data center, or as a managed service — from simple server-held keys to confidential compute to a hardware security module that becomes the agent’s trusted execution environment.
We demonstrated this using Morpheus decentralized inference in our lab — real AI, real blockchain, real proofs. The architecture is provider-agnostic: it works with any AI that produces output.
We tested this on the Morpheus decentralized AI network — three real inference calls to Kimi K2.5, real tokens consumed, no centralized API. Morpheus was the lab. The architecture works with any provider: OpenAI, Anthropic, local models, enterprise endpoints.
The AI provides the thinking. Rootz provides the proof.
This is not a simulation. The birth certificate and session settlement are on Polygon mainnet.
Address: 0x70b893e3b519255166a1fb64dcde920d056a2d5c
Chain: Polygon Mainnet (137)
TX: 0xa689ba006882b0ee1fae319de9ac3362960d4e1ecb7777686891ba9d16f06f7c
Block: 84,799,553 — March 28, 2026
The content is encrypted (ECDH + AES-256-GCM). Only the owner can decrypt. But the events are publicly verifiable — anyone can confirm the contract exists, when Notes were written, and that the chain is intact.
Total on-chain cost: $0.03.
These share links decrypt the on-chain content in your browser. The encryption key is embedded in the URL — anyone with the link can read it. Without the link, the on-chain data is opaque.
The agent's permanent origin record — names the AI parent (Morpheus/Kimi K2.5) and the key-holder authorizer (Steven Sprague). Policy, scope, and key protection level.
The complete session: three prompts, three full Kimi K2.5 responses (4,213 tokens), all hashes, and the settlement Merkle root. This is the provable record of what the AI was asked and what it answered.
The technical test report documenting what was real, what was simulated, and the verification results. Published as a public (unencrypted) secret.
When your AI makes a decision that affects a customer or a regulation, you need proof of what it was asked and what it said. Not log files. Blockchain-anchored, cryptographically signed evidence.
The EU AI Act requires operational logs. The SEC requires disclosure of material AI use. Today, compliance is self-reporting. With this, the evidence is on-chain. Verify, don't trust.
If an AI causes harm, who is liable? With a birth certificate naming the model and a chain of signed actions, insurance can be priced per-model, per-version, per-agent.
You asked AI for medical, legal, or financial guidance. Later you need to prove what it told you. Today you have a screenshot. With this, you have cryptographic proof.
These claims are backed by real cryptography running in production. The math holds or it doesn't.
| Claim | How It's Proven |
|---|---|
| This agent exists and was authorized by the holder of this key | Birth certificate on-chain, signed by the authorizer's wallet. ecrecover(sig) == authorizerAddress. Forgery requires the private key. The authorizer could be a person, a company, another agent, or a smart contract. |
| This specific prompt was asked | SHA-256 hash of the prompt, signed by the agent. Pre-image resistance: 2256 search space. |
| This specific response was received | SHA-256 hash of the response content. If the hash matches, the content matches. |
| This happened in this order | Each Note contains the hash of the previous Note. Alter any entry and the chain breaks visibly. Same math as Bitcoin. |
| The session is complete and unmodified | Settlement Merkle root covers all actions. Any missing or altered Note changes the root. |
| The full conversation is preserved | Complete prompts and responses archived to IPFS, encrypted, recoverable from one wallet address. Not just hashes — the actual words. |
| The data is owned by the user, not the platform | Encrypted with the owner's key (ECDH + AES-256-GCM). The platform, the node operator, and the blockchain can't read it. Only the owner and those they share the key with. |
These require additional infrastructure we're building. The designs exist. The code is in progress.
| Claim | What's Needed |
|---|---|
| The provider actually ran this model | Layer 2: Provider signs responses with their registered wallet. Bilateral proof. Patch ready for our own Morpheus node. |
| The response wasn't modified in transit | Layer 2: Provider signature binds the response content to the provider's identity. No intermediary can alter it. |
| No one eavesdropped on the conversation | Layer 3: ECDH key exchange between agent and provider. AES-256-GCM encrypted channel. End-to-end privacy. |
| The inference ran in a verified enclave | Layer 3: TEE attestation (Intel TDX / AMD SEV). Hardware-signed proof that specific code ran in an isolated environment. |
| The model weights are genuine | Layer 4: Model built from signed sources. Weight hashes in a Reference Integrity Manifest (TCG RIM). Verified at load time inside the TEE. |
| The training data has provenance | Layer 4: Training data manifests with signed sources. Every dataset hashed, publisher signed. The AI equivalent of pharmaceutical traceability. |
| Any attested node can run this agent | HSM Network: Agent state lives in the Secret on-chain. Any node whose TEE passes attestation can load and run the agent. Portable like a smart contract. |
Each layer builds on the one below. Layer 1 is working today. Each subsequent layer adds trust without replacing what's already proven.
Each layer adds trust. Each layer requires different effort. Together they form the complete chain from "who asked" to "where did the model come from."
Agent signs prompt hashes, hashes responses, chain-links every action. Settlement Merkle root anchored on-chain. Works with any AI API today.
Provider signs every response with its registered wallet. Bilateral proof. Runs on your own Morpheus node.
ECDH key exchange. AES-256-GCM encrypted channel. TEE attestation proves the enclave. No eavesdropping.
Model built from signed sources. Training data manifests. Weight hashes. The AI equivalent of pharmaceutical traceability.
Rootz Desktop V6 is an Electron application that provides the signing, encryption, and blockchain infrastructure for data wallets. AI agents connect to it as a service — it’s the secure backend for everything described on this page.
Desktop V6 is the agent's hardware security module. It holds TPM-sealed signing keys, manages Sovereign Secrets on Polygon, encrypts content with ECDH + AES-256-GCM, uploads to IPFS, handles credit management, and provides an MCP server that any AI tool (Claude Code, Cursor, ChatGPT) can connect to.
The agent never holds a private key. Desktop signs on its behalf via a session token. If the agent is compromised, it has no key to steal. If the host dies, the owner derives a new key from their master seed and the agent's full state is recovered from the blockchain.
Open source. MIT license. Four packages, 22 source files, ~10,000 lines of TypeScript. Tested live on Morpheus + Polygon. 10 inference calls, 19,000+ tokens, real TPM signatures.
agent-runtime — unified types, Merkle chain, skill loader, Zod schemas
agent-wallet — SDK: createAgentWallet(), 3-call API, checkpoint/resume
morpheus-agent — Skill #1: Morpheus inference, session archiving, MCP tools
Built by Steven Sprague — rootz.global