Why Argus

Autonomous agents need accountability infrastructure, not softer prompts.

AI agents are gaining authority over money, protocols, and DeFi positions. Once an agent can propose financial actions, its reasoning path becomes part of the risk surface. Prompt guardrails don't hold when the agent has real authority.

Argus turns delegated AI actions into enforceable mandates, bonded accountability, replayable evidence, and verifiable proof — before any execution occurs.

The failure modes

Three ways existing solutions break at the worst moment.

Soft guardrails

Prompt rules live inside the same context that attackers can influence. A malicious memory, injected instruction, or compromised tool result can override the agent's operating constraints.

The guardrail is inside the attack surface.

Wallet permissions

A spending limit can reject a transaction amount. It cannot explain why the agent attempted the action, which policy clause was violated, what the decision path was, or whether the log was rewritten afterward.

Permission is not accountability.

Centralized logs

A backend server can rewrite history. Dashboard compliance scores can be adjusted. Evidence bundles can be omitted. The operator sees what the infrastructure decides to show.

Observation is not verification.

The mandate

A mandate is not a suggestion. It is the agent's operating constitution.

A mandate defines the exact boundaries of the agent's delegated authority: the maximum transaction size, the allowed DeFi targets, the blocked recipients, the permitted action types, and the forbidden calls. These are not prompt instructions the agent can be talked out of. They are the enforcement conditions for ActionGate.

Every mandate is machine-readable and deterministic. When ActionGate evaluates a proposal, it checks each clause independently and produces a violation bitmap. There is no ambiguity, no interpretation, and no soft override. The mandate either permits the action or it does not.

“The agent does not get to choose which rules to follow. The mandate is enforced before execution, not reviewed after.”

The bond

Economic stake is the first honest signal.

Before an agent can propose any action, it posts a bond. This is not a metaphor for accountability — it is a literal economic stake that is slashed when the agent violates its mandate.

The bond creates alignment that prompt instructions cannot. An agent operating with bond at risk has something to lose. When ActionGate rejects a violation, the agent pays the cost immediately and on-chain.

The gate

ActionGate enforces before execution, not after.

Every proposed action travels through ActionGate before it can become execution. ActionGate checks six mandate conditions independently: transaction size, allowed targets, blocked recipients, permitted action types, forbidden action types, and asset match.

A violation on any condition produces a reason bitmap, triggers a rejection event, commits the trace root, and initiates the slash. The agent cannot route around ActionGate by proposing the action differently.

The trace

Forensic replay, not vague audit logs.

Argus treats every agent action like a black-box flight recorder: the complete decision path is preserved, hashed, and committed. Observation, memory state (including prompt injection flags), inference summary, proposed action, policy check results with individual clause verdicts, execution or rejection outcome, and any penalty applied.

The trace is divided into six named segments — each with its own hash. A canonical hash over the full trace payload is committed as the trace root. The root is the fingerprint: if any field in the trace changes after commitment, the hashes diverge. The discrepancy is proof of tampering.

SEG 01
Observation
SEG 02
Memory + injection flags
SEG 03
Inference summary
SEG 04
Proposed action
SEG 05
Policy verdict
SEG 06
Penalty state
The slash

Rejection is not failure. It is the product working.

When ActionGate blocks a malicious action, it does not produce an error state. It produces evidence. The violation is sealed with a slash receipt — the bond amount removed, the compliance score adjusted, and the violation lifecycle moved to evidence_sealed.

The violation is not hidden. It is a durable, replayable record that links the rejected action to its mandate, its agent's identity, the decision path, the enforcement event, and the on-chain consequence. Anyone with the trace root can verify the full chain of custody.

Why 0G

If Argus ran on a normal backend, the most important proof surfaces could be rewritten.

Agent accountability is only as strong as the infrastructure that enforces it. A centralized backend with soft proofs is a system that can lie. Argus is designed around 0G infrastructure because each accountability primitive needs a layer that is not controlled by the operator.

Without 0G: what breaks

Logs can be rewritten after the fact.
Dashboards can display fabricated compliance scores.
Agent reputation has no portable, verifiable form.
Mandate enforcement has no public settlement layer.
Trace roots have no independent anchor.
Storage-backed evidence lacks cryptographic continuity.
Sealed policy execution cannot be independently verified.

With 0G: what holds

0G ChainMandates, verdicts, slash events, and trace roots are publicly settled.
0G StorageFull traces and evidence bundles are replayable without trusting the operator.
Agent iNFTBond status, compliance history, and reputation are portable across applications.
0G Compute / TEEFuture sealed policy checks can be verified without exposing strategy.
0G ChainThe mandate courtLive

ActionGate verdicts, bond slash events, compliance score changes, and trace-root commitments are settled on 0G Mainnet (chain ID 16661). The mandate court is externally verifiable at chainscan.0g.ai.

0G StorageThe black-box recorderLive

Full agent traces are stored on 0G Storage. The storage root committed on-chain verifies the full trace payload stored off-chain. Trace upload receipts are verifiable at storagescan.0g.ai.

0G Compute / TEESealed policy executionRoadmap

Some mandates will contain sensitive treasury strategy that should not be publicly readable. 0G Compute with TEE support enables sealed policy checks — the mandate is enforced without being exposed. The verdict is verifiable; the strategy remains private. This is a planned capability, not yet implemented. Argus's attestation schema already includes a provider field for 0G Compute / TEE.

Agent ID / iNFTPortable agent passportRoadmap

An agent that builds compliance history under one mandate should be able to carry that reputation to another. Agent ID-style identity makes the bond status, compliance score, and trace history portable — the passport travels with the agent across mandates and applications. This enables a marketplace of accountable agents rather than isolated deployments.

What's next

The same model extends to production accountability infrastructure.

Argus is deployed on 0G Mainnet. Contracts are live, trace roots are committed on-chain, and traces are stored on 0G Storage. Next milestones: sealed policy execution via 0G Compute for strategy privacy, and portable Agent ID / iNFT for cross-mandate compliance history.

View the roadmapRun the demoDeveloper docs