How AI agents get birth certificates, signed inference chains, and blockchain-anchored provenance.
The system has three components: the Desktop (signs everything with TPM-sealed keys), the Morpheus network (decentralized inference), and the Polygon blockchain (permanent record). The agent is a smart contract with identity — a Sovereign Secret — where Notes accumulate as its chain of experience.
graph TB
subgraph Desktop["Desktop V6 (Your PC)"]
TPM["TPM 2.0
Hardware-sealed keys"]
MCP["MCP Server
Port 3021"]
Archive["Archive Pipeline
Encrypt → IPFS → Chain"]
end
subgraph Agent["Morpheus Agent Plugin"]
Birth["Birth Certificate
Note 0"]
Actions["Action Chain
Hash-linked Notes"]
Settle["Settlement
Merkle Root"]
Channel["Secure Channel
Signed prompts/responses"]
end
subgraph Morpheus["Morpheus Network"]
API["Inference API
api.mor.org"]
Kimi["Kimi K2.5
GLM-4.7"]
TEE["TEE Attestation
Intel TDX"]
end
subgraph Chain["Polygon Blockchain"]
Secret["Sovereign Secret
Agent Identity"]
Notes["Encrypted Notes
Action History"]
IPFS["IPFS
Full Content"]
end
TPM -->|signs| MCP
MCP -->|relay| Agent
Agent -->|signed prompts| API
API --> Kimi
Kimi -->|responses| Agent
Agent -->|hash-linked| Actions
Actions -->|settle| Settle
Settle -->|write| Archive
Archive -->|encrypt + store| IPFS
Archive -->|anchor| Secret
Secret --- Notes
TEE -.->|attestation| Channel
style Desktop fill:#1e1b4b,stroke:#818cf8,color:#ffffff
style Agent fill:#312e81,stroke:#818cf8,color:#ffffff
style Morpheus fill:#1e3a5f,stroke:#22d3ee,color:#ffffff
style Chain fill:#14532d,stroke:#4ade80,color:#ffffff
An agent is born, works, and settles. Every step is signed, hash-linked, and anchored on-chain.
sequenceDiagram
participant Owner as Steven (Owner)
participant Desktop as Desktop V6 (TPM)
participant Agent as Morpheus Agent
participant Morpheus as Morpheus API
participant Polygon as Polygon Chain
Note over Owner,Polygon: 1. BIRTH — Agent gets a birth certificate
Owner->>Desktop: Create agent (derive key m/44'/60'/0'/1/0)
Desktop->>Polygon: Deploy Sovereign Secret
Desktop->>Polygon: Write Note 0: Birth Certificate
Note right of Polygon: Parents: Morpheus/Kimi K2.5
+ Steven Sprague
Policy: 100 MOR/day
Note over Owner,Polygon: 2. WORK — Every inference is recorded
Agent->>Morpheus: Signed prompt hash + query
Morpheus-->>Agent: Response (Kimi K2.5)
Agent->>Agent: Hash response, link to previous Note
Agent->>Desktop: Write action Note (via relay)
Desktop->>Polygon: Encrypted Note (ECDH + AES-256-GCM)
Agent->>Morpheus: Second query
Morpheus-->>Agent: Response
Agent->>Agent: Hash-link to previous
Agent->>Desktop: Write action Note
Desktop->>Polygon: Encrypted Note
Note over Owner,Polygon: 3. SETTLE — One Merkle root covers all actions
Agent->>Agent: Compute Merkle root of session
Agent->>Desktop: Build session archive (full content)
Desktop->>Polygon: Write settlement Note + archive to IPFS
Note right of Polygon: Merkle root: 0xc4f3...
3 actions, 4213 tokens
Full content on IPFS (encrypted)
Every agent has two parents. The birth certificate names both: the AI that gives it capability and the human who gives it authority. It follows the TCG DICE pattern — identity composed from layers.
graph LR
subgraph Parents
AI["AI Parent
Morpheus / Kimi K2.5
api.mor.org"]
Human["Authorizer
Steven Sprague
0xCf31...3fDa"]
end
subgraph BirthCert["Birth Certificate (Note 0)"]
Agent["Agent Identity
0xB29A...ffaA6
m/44'/60'/0'/1/0"]
Policy["Policy
100 MOR/day
scope: research"]
Key["Key Protection
TPM-sealed
NIST Level 2"]
end
subgraph Chain["On-Chain"]
Secret["Sovereign Secret
0x70b893..."]
Block["Block 84,799,553
March 28, 2026"]
end
AI -->|powers| Agent
Human -->|authorizes| Agent
Agent --- Policy
Agent --- Key
Agent -->|written to| Secret
Secret --- Block
style Parents fill:#312e81,stroke:#818cf8,color:#ffffff
style BirthCert fill:#1e1b4b,stroke:#c7d2fe,color:#ffffff
style Chain fill:#14532d,stroke:#4ade80,color:#ffffff
Each Note contains the SHA-256 hash of the previous Note. This creates a tamper-evident chain — altering any entry breaks all subsequent links. The settlement Merkle root proves the entire session.
graph LR
N0["Note 0
Birth Certificate
hash: 0x039d..."]
N1["Note 1
Inference: DeAI state
1,542 tokens
hash: 0x797b..."]
N2["Note 2
Inference: Agent identity
1,702 tokens
hash: 0x9455..."]
N3["Note 3
Inference: Enterprise impact
969 tokens
hash: 0x127b..."]
N4["Note 4
Settlement
Merkle Root: 0xc4f3..."]
N0 -->|previousHash| N1
N1 -->|previousHash| N2
N2 -->|previousHash| N3
N3 -->|previousHash| N4
style N0 fill:#4f46e5,stroke:#c7d2fe,color:#ffffff
style N1 fill:#312e81,stroke:#818cf8,color:#ffffff
style N2 fill:#312e81,stroke:#818cf8,color:#ffffff
style N3 fill:#312e81,stroke:#818cf8,color:#ffffff
style N4 fill:#059669,stroke:#4ade80,color:#ffffff
previousHash no longer matches. The chain breaks visibly. This is the same math that secures Bitcoin.
Each layer adds cryptographic guarantees. Each requires different infrastructure.
graph BT
L1["Layer 1: Agent-Side Signing
Agent signs prompt hashes, hashes responses
Hash-links every action, settles Merkle root
STATUS: WORKING"]
L2["Layer 2: Provider-Side Signing
Provider signs responses with registered wallet
Bilateral proof of conversation
STATUS: PATCH READY"]
L3["Layer 3: Encrypted Channel
ECDH key exchange, AES-256-GCM encryption
TEE attestation proves the enclave
STATUS: DESIGNED"]
L4["Layer 4: Model Provenance
Model built from signed training data
Weight hashes, build attestation (TCG RIM)
STATUS: SPEC PHASE"]
L1 --> L2
L2 --> L3
L3 --> L4
style L1 fill:#059669,stroke:#4ade80,color:#ffffff
style L2 fill:#b45309,stroke:#fbbf24,color:#ffffff
style L3 fill:#4338ca,stroke:#c7d2fe,color:#ffffff
style L4 fill:#4b5563,stroke:#d1d5db,color:#ffffff
| Layer | What It Proves | Crypto | Status |
|---|---|---|---|
| 1. Agent-Side | What was asked, what was received, in what order | SHA-256, secp256k1 ECDSA, Merkle trees | Working |
| 2. Provider-Side | Provider signed the response, bilateral proof | Provider wallet secp256k1 signature | Patch ready |
| 3. Encrypted Channel | No eavesdropping, verified enclave | ECDH + AES-256-GCM, Intel TDX attestation | Designed |
| 4. Model Provenance | Model weights match signed build manifest | TCG RIM, Sigstore, ML-DSA (post-quantum) | Spec phase |
Skills are signed, verified code modules loaded into the TEE runtime. Each skill declares its permissions. The TEE enforces them. Skills never touch keys — they sign through the runtime context.
graph TB
subgraph Runtime["Agent Runtime (TEE Container)"]
Policy["Policy Engine
ALLOW / DENY / AUTO"]
Chain["Internal Chain
Merkle-linked blocks"]
Signing["Key Custody
Desktop TPM relay"]
Settle["Settlement
Sovereign Secret"]
end
subgraph Skills["Loaded Skills"]
S1["Skill #1
morpheus-inference
v0.3.0"]
S2["Skill #2
(future) x402-commerce"]
S3["Skill #3
(future) data-collection"]
end
subgraph Context["Skill Context (what skills can use)"]
Sign["ctx.sign()
→ policy check → TPM"]
Record["ctx.recordEvent()
→ unified Merkle chain"]
State["ctx.getState()
→ read-only counters"]
end
S1 --> Sign
S1 --> Record
S1 --> State
Sign --> Policy
Record --> Chain
Policy --> Signing
Chain --> Settle
style Runtime fill:#1e1b4b,stroke:#c7d2fe,color:#ffffff
style Skills fill:#312e81,stroke:#818cf8,color:#ffffff
style Context fill:#14532d,stroke:#4ade80,color:#ffffff
Every skill has a manifest declaring what it is and what it can do. The TEE verifies the manifest before loading. Skills can only emit events they declared. Code hash is verified against the manifest.
| Field | Purpose | Example |
|---|---|---|
| name | Skill identity | morpheus-inference |
| version | Semver | 0.3.0 |
| codeHash | SHA-256 of code bundle | sha256:abc123... |
| emitEvents | Allowed event categories | [skill_inference, skill_output] |
| externalEndpoints | APIs the skill calls | [https://api.mor.org] |
| archiveContent | Can buffer for archiving | true |
| authorSignature | Author signs the manifest | 0xSig... |
The agent never holds a private key. Desktop V6 is the Hardware Security Module. All signing is proxied through a session token — if the agent is compromised, there is no key to steal.
graph LR
subgraph Agent["Agent Process"]
Token["Session Token
(32 random bytes)"]
Logic["Agent Logic
No private key"]
end
subgraph Desktop["Desktop V6 (HSM)"]
TPM["TPM 2.0
Hardware-bound key"]
Validate["Validate Token
Check policy"]
Sign["Sign with TPM
Return signature only"]
end
subgraph Output["Signed Output"]
Sig["Signature
0x..."]
Note["Encrypted Note
On Polygon"]
end
Token -->|authenticate| Validate
Logic -->|sign request| Validate
Validate -->|approved| Sign
TPM -->|hardware signs| Sign
Sign -->|signature only| Sig
Sign -->|write note| Note
style Agent fill:#312e81,stroke:#818cf8,color:#ffffff
style Desktop fill:#1e1b4b,stroke:#c7d2fe,color:#ffffff
style Output fill:#14532d,stroke:#4ade80,color:#ffffff
| Level | Implementation | Security | Use Case |
|---|---|---|---|
| Consumer | Browser localStorage key | Software-only | Testing, demos |
| Professional | TPM-sealed key (Desktop V6) | Hardware-bound | Production agents |
| Enterprise | MPC split: server + user device | Neither party alone can sign | Regulated industries |
| Government | HSM + Ledger/Trezor with trusted display | FIPS hardware + visual consent | High-assurance |
All data is on Polygon mainnet. The content is encrypted — only the owner can decrypt. The events (contract creation, Note writes) are publicly verifiable.
Birth Certificate (encrypted, shared link) | Session Archive (encrypted, shared link) | Test Report (public)
The Desktop connects outbound to a cloud relay via WebSocket. Any AI platform (Claude, ChatGPT, Grok) accesses the user's local signing infrastructure through the relay. No inbound firewall rules. No tunnel. The keys never leave the local machine.
graph LR
subgraph AI["AI Platforms"]
Claude["Claude Code"]
ChatGPT["ChatGPT"]
Grok["Grok"]
end
subgraph Cloud["Cloud Relay"]
MCP_Relay["mcp.rootz.global
Wallet-authenticated
WebSocket reverse proxy"]
end
subgraph Local["Your Machine"]
Desktop2["Desktop V6
TPM keys + MCP server"]
Agent2["Morpheus Agent
Plugin"]
end
Claude -->|MCP calls| MCP_Relay
ChatGPT -->|MCP calls| MCP_Relay
Grok -->|MCP calls| MCP_Relay
Desktop2 -->|outbound WebSocket| MCP_Relay
Desktop2 --- Agent2
style AI fill:#312e81,stroke:#818cf8,color:#ffffff
style Cloud fill:#1e3a5f,stroke:#22d3ee,color:#ffffff
style Local fill:#14532d,stroke:#4ade80,color:#ffffff
This architecture applies existing trusted computing standards to AI agents — not new cryptography.
| Standard | Application |
|---|---|
| TCG TPM 2.0 (ISO 11889) | Hardware root of trust for agent signing keys |
| TCG DICE | Layered identity composition: hardware → platform → agent → session |
| NIST SP 800-193 | Protect/Detect/Recover for agent integrity |
| IETF RATS (RFC 9334) | Agent = Attester, Owner = Relying Party, TEE = Evidence |
| TCG RIM | Reference Integrity Manifests for model provenance (Layer 4) |
| EIP-191 / EIP-712 | Ethereum message signing for wallet authentication |
| secp256k1 ECDSA | All signing operations (same curve as Bitcoin/Ethereum) |
| ECDH + AES-256-GCM | End-to-end encryption for all Note content |