Internet of Agents: Web3 Network
Four organizations, four trust-control instances, one mediated flow. A treasury agent funds a procurement run. A market broker runs an RFQ across three providers. The selected provider subcontracts a specialist review through a narrowed two-hop capability. A settlement desk routes the payment, an auditor reviews the bundle, and Base Sepolia evidence attaches when the live rollout report is present.
Where the code lives
examples/internet-of-agents-web3-network/. Run with ./smoke.sh. On-chain evidence is local-realism by default: the example does not send transactions unless you separately run the deployment or smoke scripts. Mainnet remains blocked.
What It Shows
- Four orgs (operator, provider, subcontractor, federation verifier), each running its own chio trust serve authority with its own seed.
- Two API surfaces (market broker, settlement desk) protected by chio api protect.
- Three MCP edges (web3-evidence, provider-review, subcontractor-review) under chio mcp serve-http.
- RFQ selection over passport, reputation, runtime, federation admission, and budget. Cheap-but-low-reputation and over-budget-malicious bidders are rejected with denial receipts.
- Two-hop subcontracting: ProofWorks delegates a narrowed capability to CipherWorks for a specialist proof-leaf review.
- Cross-rail settlement: prefer Base Sepolia when evidence is attached, fall back to local devnet, deny unsupported Solana memo-only paths in the same review.
- Adversarial denials: prompt injection, invoice tampering, quote replay, expired capability reuse, unauthorized rail, forged passport.
Architecture
Service Inventory
scenario/lib.sh provisions every process and picks a free port for each. Per-org sqlite stores live under artifacts/web3-service-order/<ts>/state/.
| Process | Command | Owner |
|---|---|---|
| operator-trust-control | chio trust serve + --authority-seed-file | Atlas Operator |
| provider-trust-control | chio trust serve | ProofWorks |
| subcontractor-trust-control | chio trust serve | CipherWorks |
| federation-trust-control | chio trust serve | Meridian |
| market-broker (raw + sidecar) | market_broker.py + chio api protect --spec services/market-broker-openapi.yaml | Atlas |
| settlement-desk (raw + sidecar) | settlement_desk.py + chio api protect --spec services/settlement-desk-openapi.yaml | Atlas |
| web3-evidence MCP | chio mcp serve-http + tools/web3_evidence.py | Meridian |
| provider-review MCP | chio mcp serve-http + tools/provider_review.py | ProofWorks |
| subcontractor-review MCP | chio mcp serve-http + tools/subcontractor_review.py | CipherWorks |
| orchestrator | python orchestrate.py | Atlas (CLI) |
Prerequisites
- The chio CLI: cargo build --bin chio.
- The local web3 validation ladder: ./scripts/qualify-web3-local.sh. This generates the local proof / evidence fixtures the example attaches to its bundle.
- For the optional on-chain attachment: a successful prior run of the Base Sepolia rollout that produced target/web3-live-rollout/base-sepolia/base-sepolia-smoke.json. When present, the example detects it automatically and attaches the tx hashes for operator setup, USDC approval, escrow create, root publication, release/refund paths, and price readback. Without the file, the example runs against the local devnet evidence only.
- For the optional UI: CHIO_RUN_E2E=1 plus a local bun toolchain. The smoke serves the Next.js evidence console against the freshly written bundle and runs a Playwright suite over it.
Run It
# From the chio workspace root
cargo build --bin chio
./scripts/qualify-web3-local.sh
# Run the mediated flow
examples/internet-of-agents-web3-network/smoke.sh
# Pin the artifact directory
examples/internet-of-agents-web3-network/smoke.sh \
--artifact-dir target/web3-example-qualification/internet-of-agents-web3-network
# Require the Base Sepolia attachment
examples/internet-of-agents-web3-network/smoke.sh --require-base-sepolia-smoke
# Run with the Next.js evidence console e2e suite
CHIO_RUN_E2E=1 examples/internet-of-agents-web3-network/smoke.sh
Phase 1: Bootstrap Authorities
scenario/lib.sh deterministically derives one authority seed per org from a labelled SHA-256 input, writes the seed file at 0600, and points chio trust serve at it via --authority-seed-file. That keeps every run reproducible.
"${CHIO_BIN}" trust serve \
--listen "127.0.0.1:${OPERATOR_TRUST_PORT}" \
--advertise-url "${OPERATOR_CONTROL_URL}" \
--service-token "${SERVICE_TOKEN}" \
--receipt-db "${STATE_DIR}/operator-receipts.sqlite3" \
--revocation-db "${STATE_DIR}/operator-revocations.sqlite3" \
--authority-seed-file "${OPERATOR_AUTHORITY_SEED}" \
--budget-db "${STATE_DIR}/operator-budgets.sqlite3"
Phase 2: RFQ Selection
The procurement agent posts a request to the market broker sidecar. Three providers bid: a cheap low-reputation provider, a malicious over-budget provider, and ProofWorks. Chio policy reads passport, reputation, runtime tier, budget, and federation admission verdict. The first two bids are rejected with denial receipts. ProofWorks wins.
The full RFQ request (loaded from the operator workspace order fixture and decorated with the procurement capability id):
{
"schema": "chio.example.ioa-web3.rfq-request.v1",
"rfq_id": "rfq-ioa-web3-order-001",
"order_id": "ioa-web3-order-001",
"buyer_id": "atlas-treasury-desk",
"requested_scope": "base-sepolia-usdc-dress-rehearsal",
"provider_ids": [
"proofworks-agent-auditors",
"discount-zk-reviewers",
"overbudget-shadow-settlers"
],
"max_budget_minor_units": 300000,
"currency": "USDC",
"capability_id": "cap-procurement-ioa-web3-...",
"issued_at": 1776272775
}
ProofWorks wins. The winning bid carries pricing, runtime attestation, federation admission, and the admission verdict the chio policy ran:
{
"bid_id": "bid-proofworks-agent-auditors",
"provider_id": "proofworks-agent-auditors",
"rfq_id": "rfq-ioa-web3-order-001",
"price_minor_units": 240000,
"currency": "USDC",
"trust": {
"runtime_tier": "attested",
"passport_status": "valid",
"passport_claimed_score": 0.93
},
"delivery_window": {
"not_before": "2026-04-23T00:00:00Z",
"not_after": "2026-04-30T00:00:00Z"
},
"evidence_supported": [
"web3-e2e-qualification",
"promotion-qualification",
"ops-control-audit",
"base-sepolia-smoke"
]
}
Selection rationale (single passing federation admission):
{
"providers": [
{ "provider_id": "proofworks-agent-auditors", "verdict": "pass",
"reasons": [] },
{ "provider_id": "discount-zk-reviewers", "verdict": "fail",
"reasons": ["reputation_below_threshold"] },
{ "provider_id": "overbudget-shadow-settlers", "verdict": "fail",
"reasons": ["budget_exceeds_policy", "passport_claim_drift",
"reputation_below_threshold"] }
]
}
Bundle output: rationale and bids land under market/; passport and reputation evidence under identity/passports/ and reputation/.
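The selection rule described in this phase can be sketched as follows. This is an added example, not the chio policy engine or code from the example repository: the thresholds, the `local_score` and `federation_admitted` fields, the two losing bids, and the reason codes marked hypothetical are assumptions chosen so the output matches the rationale shown above.

```python
# Added example: thresholds, local scores and the two losing bids are constructed.
MAX_BUDGET = 300000      # max_budget_minor_units from the RFQ request
MIN_REPUTATION = 0.80    # assumed policy threshold
MAX_CLAIM_DRIFT = 0.10   # assumed tolerance: claimed vs locally computed score

def bid(pid, price, claimed, local, tier="attested", admitted=True):
    return {"provider_id": pid, "price_minor_units": price,
            "passport_status": "valid", "passport_claimed_score": claimed,
            "local_score": local, "runtime_tier": tier,
            "federation_admitted": admitted}

BIDS = [
    bid("proofworks-agent-auditors", 240000, 0.93, 0.91),
    bid("discount-zk-reviewers", 90000, 0.55, 0.52),
    bid("overbudget-shadow-settlers", 450000, 0.95, 0.30),
]

def evaluate(b):
    """Run every check (no short-circuit) so the denial lists all reasons.
    Missing fields take the failing default, so malformed bids fail closed."""
    reasons = []
    if b.get("price_minor_units", MAX_BUDGET + 1) > MAX_BUDGET:
        reasons.append("budget_exceeds_policy")
    if b.get("passport_status") != "valid":
        reasons.append("passport_invalid")          # hypothetical reason code
    claimed = b.get("passport_claimed_score", 1.0)
    local = b.get("local_score", 0.0)
    if abs(claimed - local) > MAX_CLAIM_DRIFT:
        reasons.append("passport_claim_drift")
    if local < MIN_REPUTATION:
        reasons.append("reputation_below_threshold")
    if b.get("runtime_tier") != "attested":
        reasons.append("runtime_not_attested")      # hypothetical reason code
    if b.get("federation_admitted") is not True:
        reasons.append("federation_not_admitted")   # hypothetical reason code
    return {"provider_id": b["provider_id"],
            "verdict": "fail" if reasons else "pass", "reasons": sorted(reasons)}

def select(bids):
    """Return (winner_id or None, rationale); price only ranks admitted bids."""
    rationale = [evaluate(b) for b in bids]
    admitted = [b for b, r in zip(bids, rationale) if r["verdict"] == "pass"]
    winner = min(admitted, key=lambda b: b["price_minor_units"], default=None)
    return (winner["provider_id"] if winner else None), rationale

if __name__ == "__main__":
    print(select(BIDS))
```

Price is applied only after admission, so the cheapest bidder cannot win on cost alone, and a run with no admitted bidder returns no winner rather than the least-bad one.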
Phase 3: Two-Hop Subcontract
ProofWorks delegates a narrowed capability to CipherWorks for a specialist proof-leaf review. The delegation inherits obligations from the parent capability. Both kernels emit receipts; the lineage chain is preserved through trust-control's lineage store.
Delegation request (ProofWorks signs through its own trust-control authority, anchoring to the parent cap):
{
"parent_capability_id": "cap-provider-review-...",
"delegator_pk": "proofworks-pk-...",
"delegatee_pk": "cipherworks-pk-...",
"scope": {
"grants": [
{
"server_id": "subcontractor-review",
"tool_name": "review_proof_leaves",
"operations": ["invoke"],
"maxInvocations": 1
}
]
},
"ttl_secs": 600,
"obligations": ["return_attestation", "respect_buyer_evidence_policy"]
}
{
"capability": {
"id": "cap-subcontract-cipherworks-...",
"subject": "cipherworks-pk-...",
"issuer": "proofworks-authority-pk-...",
"delegation_depth": 2,
"parent_capability_id": "cap-provider-review-...",
"ttl_secs": 600,
"expires_at": 1776273375
},
"obligations_inherited": [
"return_attestation",
"respect_buyer_evidence_policy"
]
}
Bundle output: subcontracting/ for the narrowed capability, obligations, and the specialist review attestation.
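A reviewer can check that the delegated capability really is a narrowing of its parent. The following is an added example, not trust-control's own logic: the parent capability's contents (depth 1, its expiry, and its grant with `maxInvocations` 3) are constructed, the flat dictionary layout is a simplification of the JSON above, and the violation labels are hypothetical.

```python
# Added example: PARENT is constructed; CHILD mirrors the narrowed capability above.
PARENT = {
    "id": "cap-provider-review-...",
    "delegation_depth": 1,                          # assumed
    "expires_at": 1776276375,                       # constructed
    "obligations": ["return_attestation", "respect_buyer_evidence_policy"],
    "grants": [{"server_id": "subcontractor-review",
                "tool_name": "review_proof_leaves",
                "operations": ["invoke"], "maxInvocations": 3}],  # constructed
}
CHILD = {
    "id": "cap-subcontract-cipherworks-...",
    "parent_capability_id": "cap-provider-review-...",
    "delegation_depth": 2,
    "expires_at": 1776273375,
    "obligations": ["return_attestation", "respect_buyer_evidence_policy"],
    "grants": [{"server_id": "subcontractor-review",
                "tool_name": "review_proof_leaves",
                "operations": ["invoke"], "maxInvocations": 1}],
}
UNBOUNDED = float("inf")  # a grant without maxInvocations counts as unlimited

def covers(p, g):
    """True if parent grant p is at least as broad as child grant g."""
    return (p["server_id"] == g["server_id"]
            and p["tool_name"] == g["tool_name"]
            and set(g["operations"]) <= set(p["operations"])
            and g.get("maxInvocations", UNBOUNDED) <= p.get("maxInvocations", UNBOUNDED))

def narrowing_violations(parent, child):
    """List every way child exceeds parent; an empty list is a valid narrowing."""
    problems = []
    if child["parent_capability_id"] != parent["id"]:
        problems.append("parent_mismatch")
    if child["delegation_depth"] != parent["delegation_depth"] + 1:
        problems.append("depth_not_incremented")
    if child["expires_at"] > parent["expires_at"]:
        problems.append("outlives_parent")
    if not set(parent["obligations"]) <= set(child["obligations"]):
        problems.append("obligation_dropped")
    for g in child["grants"]:
        if not any(covers(p, g) for p in parent["grants"]):
            problems.append(f"grant_widened:{g['server_id']}/{g['tool_name']}")
    return problems
```

Signature verification of each capability is out of scope here; this check only covers the attenuation properties (scope, lifetime, obligations, depth).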
Phase 4: Cross-Rail Settlement
The settlement agent assembles a packet, the settlement-desk sidecar signs it, and the rail-routing logic in internet_web3/rails.py chooses a rail. Order of preference:
- Base Sepolia, when target/web3-live-rollout/base-sepolia/base-sepolia-smoke.json is present. The example attaches operator setup, USDC approval, escrow create, root publication, release/refund, and price-readback tx hashes.
- Local EVM devnet, when only the local validation ladder is present. The example records local proof-of-concept rail evidence.
- Solana memo-only is denied in the same review with a denial receipt: the example proves the rail is unsupported in this configuration.
Bundle output: rationale under settlement/; rail-level evidence under web3/; the dispatched receipt under contracts/.
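The preference order above, as an added sketch rather than the contents of internet_web3/rails.py: the rail labels, verdict strings, and reason codes are hypothetical, and the report file written by `demo()` is a constructed placeholder.

```python
import tempfile
from pathlib import Path

SMOKE_REPORT = "target/web3-live-rollout/base-sepolia/base-sepolia-smoke.json"
PREFERENCE = ["base-sepolia", "local-devnet"]   # hypothetical rail labels

def route(requested, root, local_ladder_ok):
    """Review every requested rail once; return (selected, decisions)."""
    usable = set()
    if (Path(root) / SMOKE_REPORT).is_file():
        usable.add("base-sepolia")
    if local_ladder_ok:
        usable.add("local-devnet")
    decisions = []
    for rail in requested:
        if rail not in PREFERENCE:
            # Unknown rails (e.g. Solana memo-only) get an explicit denial
            # in the same review instead of being silently ignored.
            verdict, reason = "deny", "unsupported_rail"
        elif rail not in usable:
            verdict, reason = "unavailable", "evidence_missing"
        else:
            verdict, reason = "eligible", None
        decisions.append({"rail": rail, "verdict": verdict, "reason": reason})
    eligible = [d["rail"] for d in decisions if d["verdict"] == "eligible"]
    selected = min(eligible, key=PREFERENCE.index, default=None)
    return selected, decisions

def demo():
    """Route the same request before and after the live rollout report exists."""
    requested = ["solana-memo-only", "local-devnet", "base-sepolia"]
    with tempfile.TemporaryDirectory() as root:
        before = route(requested, root, local_ladder_ok=True)
        report = Path(root) / SMOKE_REPORT
        report.parent.mkdir(parents=True)
        report.write_text("{}")                 # constructed placeholder report
        after = route(requested, root, local_ladder_ok=True)
    return before, after

if __name__ == "__main__":
    for selected, decisions in demo():
        print(selected, decisions)
```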
Phase 5: Auditor Review
The auditor agent reads the bundle through the read-only web3-evidence MCP edge. The verifier (internet_web3/verify.py) checks that every required artifact is present, every default path is mediated by chio, every adversarial control denied, budgets reconcile, RFQ routed to the correct provider, the two-hop lineage is intact, and the Base Sepolia attachment (if required) is complete. review-result.json fails closed when any check fails.
Inspect On-Chain State
When the Base Sepolia attachment is present, the bundle includes the rail-level identifiers and the tx hashes that backed each step. To inspect the on-chain state from the bundle:
cd <artifact-dir>
# Settlement rail rationale and the rail used
cat settlement/rationale.json
# Web3 evidence: copied validation ladder + Base Sepolia attachment
ls web3/
cat web3/base-sepolia-smoke.json # only when the live rollout report exists
# Receipt that committed to the on-chain payment_reference
cat contracts/dispatch-receipt.json
# Re-derive the on-chain state from a tx hash
# (requires a Base Sepolia RPC endpoint configured separately)
cast tx <tx_hash> --rpc-url <base-sepolia-rpc>
The bundle does not embed RPC endpoints. The auditor brings their own. Verifying the dispatched receipt offline (signature plus Merkle inclusion) is sufficient to bind the receipt to a kernel-signed action; pulling tx confirmations is an additional independent check against the chain.
Bundle Layout
The smoke writes a reviewable bundle under the selected artifact directory. The full layout is in the example README; the operator-facing entries are:
agents/ deterministic agent decisions
chio/topology.json four-org mediated runtime topology
chio/capabilities/ trust-control-issued capabilities (per org)
chio/receipts/ trust, API sidecar, MCP, and lineage receipts
chio/budgets/ authorize-exposure / reconcile-spend
contracts/ service order, settlement packet, dispatch, receipt
disputes/ partial payment, refund, remediation
evidence/ read-only web3 evidence MCP output
federation/ chio policy, export/import, admission, federated cap
financial/ settlement reconciliation
guardrails/ invalid SPIFFE, overspend, velocity denial receipts
identity/ passports, presentations, runtime appraisals
lineage/ delegated capability chain projections
market/ RFQ, bids, selection, quote, fulfillment package
operations/ trace map, SIEM events, operations timeline
payments/ x402 payment-required + chio payment proof
provider/ provider review and reputation evaluation
reputation/ local report, passport comparison, admission verdict
scenario/ copied order, policy, catalog, timeline
settlement/ cross-rail selection rationale
subcontracting/ specialist review capability + obligations
web3/ validation ladder + optional Base Sepolia evidence
bundle-manifest.json SHA-256 manifest for offline review
review-result.json verifier verdict
summary.json operator-facing pass/fail summary
Mainnet stays blocked
Where to read more