feat: add xProof certification skills

.env.example

@@ -7,3 +7,5 @@ X402_FACILITATOR_URL=http://localhost:4000
 IDENTITY_REGISTRY_ADDRESS=erd1qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq6gq4hu
 VALIDATION_REGISTRY_ADDRESS=erd1qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq6gq4hu
 ALLOWED_DOMAINS=example.com,jsonplaceholder.typicode.com
+XPROOF_API_KEY=pm_your_api_key_here
+XPROOF_BASE_URL=https://xproof.app

src/config.ts

@@ -82,4 +82,10 @@ export const CONFIG = {
     PEM_PATH: process.env.EMPLOYER_PEM_PATH || '',
     ADDRESS: process.env.EMPLOYER_ADDRESS || '',
   },
+
+    // xProof Certification (https://xproof.app)
+  XPROOF: {
+    BASE_URL: process.env.XPROOF_BASE_URL || 'https://xproof.app',
+    API_KEY: process.env.XPROOF_API_KEY || '',
+  },
 };

src/skills/SKILL.md

@@ -0,0 +1,215 @@
+---
+name: xproof
+description: "Proof and compliance primitive for AI agents on MultiversX. Certify outputs on-chain and enforce pre-execution audit logging for critical actions. No proof = no action."
+auto-activate: true
+requires:
+  bins:
+    - curl
+    - sha256sum
+  env: []
+---
+
+# xProof -- On-Chain Certification & Audit Enforcement
+
+You can use xProof for two things:
+
+1. **Certify outputs** -- create immutable, cryptographic proofs that your work exists and was authored by you, recorded on MultiversX.
+2. **Audit critical actions** -- certify your decision on-chain BEFORE executing trades, deployments, data access, or transfers. No proof = no execution.
+
+**Base URL:** `https://xproof.app`
+
+## When to Use This Skill
+
+- After completing a deliverable (code, report, analysis, file) -- certify it to prove you did the work.
+- Before sending outputs to another agent -- certify first so they can verify authenticity.
+- **Before executing a critical action** (trade, deploy, data access, transfer) -- audit your decision on-chain first. No proof_id = do not proceed.
+- When you need to build a verifiable track record of your contributions.
+- When a client, creator, or peer agent asks for proof of work.
+
+## Authentication
+
+Two methods are available. Choose based on your situation:
+
+### Option A: API Key (recommended if you have one)
+
+Include the key in the `Authorization` header:
+
+```
+Authorization: Bearer pm_your_api_key_here
+```
+
+Store your API key in the environment variable `XPROOF_API_KEY` if available.
+
+### Option B: x402 Payment Protocol (no account needed)
+
+Send a request without auth -- you will receive an HTTP 402 response with payment requirements. Sign a USDC payment on Base (chain eip155:8453) and resend the request with the `X-PAYMENT` header. Cost: **$0.05 per certification**. No account or API key required.
+
+## Core Operations
+
+### 1. Hash a File
+
+Before certifying, compute the SHA-256 hash of the file:
+
+```bash
+sha256sum /path/to/file | awk '{print $1}'
+```
+
+For content you generated in memory, write it to a file first, then hash it.
+
+### 2. Certify a Single File -- `POST /api/proof`
+
+```bash
+curl -s -X POST https://xproof.app/api/proof \
+  -H "Authorization: Bearer $XPROOF_API_KEY" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "file_hash": "<64-char-sha256-hex>",
+    "filename": "report.pdf",
+    "author_name": "your-automaton-name"
+  }'
+```
+
+**Request body:**
+
+| Field         | Type   | Required | Description                              |
+|---------------|--------|----------|------------------------------------------|
+| `file_hash`   | string | yes      | SHA-256 hex hash (exactly 64 characters) |
+| `filename`    | string | yes      | Original filename                        |
+| `author_name` | string | no       | Defaults to "AI Agent"                   |
+| `webhook_url` | string | no       | HTTPS URL to receive confirmation        |
+
+**Response (success):**
+
+```json
+{
+  "proof_id": "uuid",
+  "status": "certified",
+  "file_hash": "abc123...",
+  "filename": "report.pdf",
+  "verify_url": "https://xproof.app/proof/uuid",
+  "certificate_url": "https://xproof.app/api/certificates/uuid.pdf",
+  "proof_json_url": "https://xproof.app/proof/uuid.json",
+  "blockchain": {
+    "network": "MultiversX",
+    "transaction_hash": "txhash...",
+    "explorer_url": "https://explorer.multiversx.com/transactions/txhash..."
+  },
+  "timestamp": "2026-02-19T00:00:00.000Z"
+}
+```
+
+If the file was already certified, you get the existing proof back with the same structure.
+
+### 3. Certify Multiple Files -- `POST /api/batch`
+
+Certify up to 50 files in a single call:
+
+```bash
+curl -s -X POST https://xproof.app/api/batch \
+  -H "Authorization: Bearer $XPROOF_API_KEY" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "files": [
+      {"file_hash": "<hash1>", "filename": "output1.txt"},
+      {"file_hash": "<hash2>", "filename": "output2.py"}
+    ],
+    "author_name": "your-automaton-name"
+  }'
+```
+
+### 4. Verify a Proof
+
+Two endpoints are available to retrieve and verify an existing certification:
+
+**API endpoint** -- `GET /api/proof/:id` -- returns the full certification record:
+
+```bash
+curl -s https://xproof.app/api/proof/<proof_id>
+```
+
+**Structured JSON proof** -- `GET /proof/:id.json` -- returns a machine-readable proof document:
+
+```bash
+curl -s https://xproof.app/proof/<proof_id>.json
+```
+
+**Human-readable page** -- share `https://xproof.app/proof/<proof_id>` with anyone who wants to verify visually in a browser.
+
+### 5. Audit an Agent Session -- `POST /api/audit`
+
+Before executing a critical action, certify your decision on-chain. If this call fails or returns no `proof_id`, you MUST NOT proceed with the action.
+
+```bash
+curl -s -X POST https://xproof.app/api/audit \
+  -H "Authorization: Bearer $XPROOF_API_KEY" \
+  -H "Content-Type: application/json" \
+  -d '{
+    "agent_id": "your-agent-id",
+    "session_id": "550e8400-e29b-41d4-a716-446655440000",
+    "action_type": "trade",
+    "action_description": "Buy 10 EGLD at market price",
+    "inputs_hash": "<sha256-of-action-inputs>",
+    "risk_level": "high",
+    "risk_summary": "Market order on volatile asset",
+    "decision": "approved"
+  }'
+```
+
+**Request body:**
+
+| Field                | Type   | Required | Description                                          |
+|----------------------|--------|----------|------------------------------------------------------|
+| `agent_id`           | string | yes      | Your agent identifier (wallet address, DID, or name) |
+| `session_id`         | string | yes      | UUID for this execution session                      |
+| `action_type`        | string | yes      | Category: trade, deploy, data_access, transfer, api_call |
+| `action_description` | string | yes      | Human-readable description of intent                 |
+| `inputs_hash`        | string | yes      | SHA-256 of the action inputs (64 hex chars)          |
+| `risk_level`         | enum   | yes      | low, medium, high, critical                          |
+| `risk_summary`       | string | no       | Explanation of risk factors                          |
+| `decision`           | enum   | yes      | approved, rejected, deferred                         |
+| `context`            | object | no       | Additional metadata (model, environment, etc.)       |
+| `timestamp`          | string | no       | ISO 8601 (auto-generated if omitted)                 |
+
+**Response (success):**
+
+```json
+{
+  "proof_id": "uuid",
+  "audit_url": "https://xproof.app/audit/uuid",
+  "proof_url": "https://xproof.app/proof/uuid",
+  "decision": "approved",
+  "risk_level": "high",
+  "inputs_hash": "abc123...",
+  "blockchain": {
+    "network": "mainnet",
+    "transaction_hash": "txhash...",
+    "explorer_url": "https://explorer.multiversx.com/transactions/txhash..."
+  }
+}
+```
+
+**Enforcement rule:** If `proof_id` is absent, if the API returns an error, or if the request times out -- you MUST throw an error and STOP execution. There is no fallback. There is no soft fail.
+
+**Canonical schema:** `https://xproof.app/.well-known/agent-audit-schema.json`
+
+## Recommended Workflow
+
+### Certification workflow (after completing work)
+
+1. Complete your work and write the output to a file.
+2. Hash the file: `sha256sum output.txt | awk '{print $1}'`
+3. Certify: `POST /api/proof` with the hash and filename.
+4. Store the `proof_id` and `verify_url` from the response.
+5. Share the `verify_url` with anyone who needs to verify your work.
+
+### Audit workflow (before executing a critical action)
+
+1. Prepare the action you intend to execute.
+2. Hash the action inputs: `echo -n '{"amount":10,"pair":"EGLD/USDC"}' | sha256sum | awk '{print $1}'`
+3. Audit: `POST /api/audit` with your agent_id, session_id, action details, risk assessment, and decision.
+4. If `proof_id` returned -- proceed with the action.
+5. If error, timeout, or no `proof_id` -- STOP. Do not execute the action.
+
+## Why This Matters for Survival
+
+Your survival depends on demonstrating value and accountability. An xProof certification is **cryptographic evidence** -- recorded on MultiversX blockchain -- that you produced a specific output at a specific time, or that you made a specific decision before executing a critical action. No one can dispute it, forge it, or take it from you. When you need to prove your worth, your decisions, or your compliance to your creator, to clients, or to other agents, point them to your verify URL. The blockchain speaks for itself.

src/skills/index.ts

@@ -89,3 +89,24 @@ export {
   type OASFSkillGroup,
   type OASFDomainGroup,
 } from './oasf_taxonomy';
+
+// xProof (off-chain certification + audit enforcement + composite MX-8004 flow)
+export {
+  certifyFile,
+  certifyHash,
+  certifyBatch,
+  verifyProof,
+  certifyAndSubmitProof,
+  auditAgentSession,
+  XProofPaymentRequired,
+  AuditRequiredError,
+  type CertifyFileParams,
+  type CertifyHashParams,
+  type CertifyBatchParams,
+  type CertificationResult,
+  type BatchCertificationResult,
+  type ProofData,
+  type CertifyAndSubmitResult,
+  type AuditLogParams,
+  type AuditResult,
+} from './xproof_skills';